In part one of this two-part blog series, we discussed the six steps enterprises and Software-as-a-Service (SaaS) providers must take to enable the use of specified algorithms or alternative solutions. In this blog, we'll focus on the steps organizations can take to integrate quantum computing.
Application Integration Enables Organizations to Transition
Once quantum safe algorithms are integrated into applications, an organization can begin using them. In SaaS applications, the provider will integrate and test prior to rolling out support across their customer base. Assuming browser-based access, this transition should be seamless for the end user, who would have an updated browser that supports the new cryptographic algorithms well in advance of the SaaS provider rollout. The application end can select among the supported algorithms from the recommended lists in the respective protocol parameter IANA registry.
The threat of Shor’s algorithm in store-now-decrypt-later attacks on asymmetric cryptography remains, so it is the priority for this work. Since my prior blog was released, research has reduced the threat of Grover’s algorithm to symmetric cryptography, so those updates are a lower priority than solutions and protocols using asymmetric cryptography. However, since existing algorithms such as AES-256 are available and integrated into libraries, this transition can occur easily while waiting for specifications and implementation support of asymmetric algorithms.
SaaS and other application providers will have more preparation to do than the enterprise, as they will integrate updated versions of libraries that incorporate quantum safe cryptography into their solutions. Protocol standards and libraries implementing those standards will likely support pure quantum and hybrid cryptographic algorithms to provide quantum safe cryptography. Application providers will decide whether to support a hybrid approach or move directly to quantum safe algorithms, determining if they would benefit from additional agility in the event that an approved quantum safe algorithm was deemed vulnerable. With support existing in standards and libraries, agility will be inherent at the protocol layer. The complexity in these decisions for application owners lies in understanding interoperability concerns with other products where necessary. For example, browser decisions on cryptographic support and inclusion impact the decisions of application developers whose applications are accessed using a browser. For less widely used clients, application developers will need to consider agility and how that will be supported in their applications.
Steps for Organizations
Organizations have a few actions they can take to prepare their networks for quantum computing, with a transition that should feel fairly seamless. With some basic preparation, the transition will not require substantial skill sets beyond asset management, which includes maintaining inventories of applications and their use of encryption in transit, at rest, and in execution, and identifying priority changes to make. The transition will take time, as the steps listed in the introduction follow an important process to achieve consensus on algorithms and approaches, followed by testing implementations.
The steps for organizations are far simpler, and while some preparation is possible, organizations will have to wait on the standards process and then application integration. Here are 3 steps an organization can take to prepare and begin their transition to quantum safe cryptography:
1. Asset Management is the first step here and in every control framework. This includes inventory of data and the current cryptographic solutions, and cryptographic keys in use. If opportunities exist to upgrade to protocol versions that will support quantum safe cryptographic algorithms, those upgrades should be planned appropriately.
2. Controls Assessment on data protection, understanding if your controls are appropriate for both the sensitivity and business criticality levels.
3. Supplier Management should extend to include timelines for libraries and protocol versions in products used by your organization, assessing support for quantum-safe cryptography. This will take time.
For all organizations, procurement should require verification of quantum safe cryptography support in hardware and firmware purchased today. Major hardware vendors have already made this possible. Hardware lifetimes for some systems and devices can be as long as 1-2 decades, so you’ll need to ensure your vendors are prepared today so that you can gradually end-of-life systems and devices that cannot be made quantum safe against the decryption attacks possible with quantum computing. Existing legacy hardware and constrained devices, including IoT and lightweight HSMs, may need to consider alternate solutions when Adapting Constrained Devices for Post-quantum Cryptography.
Planning Application Support
For application-level changes, there is time before most organizations can take any action, as the standards evolve to support the newly selected cryptographic algorithms and mechanisms. Application developers can follow the IETF discussions directly and follow guidance from NIST as well as other sources such as the UK NCSC, which has published helpful next step documents.
Support Available Today in Web Applications!
Announcements as well as software updates will continue to emerge, with the web being an early candidate. Announcements with timelines from Akamai and the existing capabilities from Cloudflare demonstrate feasibility to migrate this year since browser support exists for one algorithm. The content delivery networks host upwards of 70% of all web traffic and have skilled teams supporting these transitions, enabling this capability in 2025.
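To make the registry-based algorithm selection and the browser support described above concrete, here is an added example (not from the original post) that parses the supported_groups extension of a TLS ClientHello and reports whether a hybrid post-quantum key exchange group is offered. The group table is a small illustrative subset of the IANA TLS Supported Groups registry, the post itself does not name the algorithm browsers support, and the function names and the sample ClientHello are constructed for this example.

```python
import struct

# Constructed subset of the IANA "TLS Supported Groups" registry: codepoint -> (name, hybrid PQ?)
GROUPS = {0x0017: ("secp256r1", False), 0x0018: ("secp384r1", False),
          0x001D: ("x25519", False), 0x11EC: ("X25519MLKEM768", True)}
EXT_SUPPORTED_GROUPS = 10

def offered_groups(record: bytes) -> list[int]:
    """Return supported_groups codepoints from one unfragmented ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a TLS handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32                                  # headers, version, random
        pos += 1 + record[pos]                                # legacy_session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                                # legacy_compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4 : pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SUPPORTED_GROUPS:
                (list_len,) = struct.unpack_from("!H", body)
                if list_len % 2 or list_len + 2 != len(body):
                    raise ValueError("malformed supported_groups list")
                return [g for (g,) in struct.iter_unpack("!H", body[2:])]
        return []
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def is_grease(group: int) -> bool:
    """GREASE placeholders (RFC 8701) have the form 0x?A?A with both bytes equal."""
    return (group & 0x0F0F) == 0x0A0A and (group >> 8) == (group & 0xFF)

def assess(record: bytes) -> dict:
    """Name the offered groups (GREASE skipped) and list the hybrid post-quantum ones."""
    groups = [g for g in offered_groups(record) if not is_grease(g)]
    known = [GROUPS.get(g, (f"unknown(0x{g:04x})", False)) for g in groups]
    return {"offered": [n for n, _ in known], "hybrid_pq": [n for n, pq in known if pq]}

def build_client_hello(groups: list[int]) -> bytes:
    """Build a minimal constructed ClientHello record to feed the parser offline."""
    glist = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(glist) + 2, len(glist)) + glist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

An empty `hybrid_pq` list for a client in your inventory means its key exchange can only negotiate classical groups, which is the asymmetric exposure the store-now-decrypt-later concern applies to.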
________________________________________________________
Reviewers: 3 expert reviewers, including Russ Housley