1. As quantum computing progresses, it poses a threat to traditional cryptographic systems that needs to be addressed. Migration to Post-Quantum Cryptography (PQC) is no longer an abstract future event but a present imperative for many. Yet knowing when and how to start such a migration can be tricky.
2. One of the most important first steps is to understand the current cryptographic environment and which assets are the most important to migrate first. In this post, we discuss four important documents that each organization should prepare as part of its Quantum-Vulnerability Diagnosis:
- Risk Assessment
- Inventory of Cryptographic Assets
- Inventory of Data Handled
- Inventory of Cryptographic Asset Suppliers
3. Together, these documents help organizations measure their preparedness, point out potential risks, and set up a smooth migration to quantum-resistant systems. Let's discuss them one by one:
- Risk Assessment: The Risk Assessment is a very important document that will help organizations evaluate the threats that may arise from quantum computing. It analyses the current security posture, identifies critical assets, and determines exposure to future quantum risks. This document should assess the types of data handled, system dependencies, and the use of vulnerable cryptographic protocols. It predicts quantum-related threats and their potential impact, allowing organizations to prioritize assets and establish realistic timelines for migration.
- Inventory of Cryptographic Assets: This inventory lists all cryptographic systems, algorithms, and protocols in use. It helps identify assets vulnerable to quantum threats and prioritize those for migration to post-quantum alternatives. The inventory should also assess the lifespan of each asset, highlighting those at risk of obsolescence or quantum vulnerability.
- Inventory of Data Handled by the Organization: This inventory catalogs all sensitive data types, including customer information, financial records, and intellectual property. It helps an organization identify what data is most vulnerable to quantum threats and prioritize protection efforts. Highly sensitive or mission-critical data should be prioritized in the migration plan to ensure maximum security against quantum computing risks.
- Inventory of Suppliers of Cryptographic Assets: This inventory tracks third-party vendors and service providers who supply cryptographic tools. It enables organizations to understand the potential quantum vulnerabilities in third-party systems, allowing for joint work with suppliers to ensure solutions are quantum resistant. This document also helps to manage external dependencies and ensures that there is a coherent and consistent PQC migration strategy.
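
One way the three inventories can be joined into a ranked migration list, shown as an added example that is not part of the original post. The asset rows, field names, sensitivity scale and scoring weights are constructed assumptions; the algorithm classification covers only the families listed in the code.

```python
from dataclasses import dataclass

SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}  # public-key schemes broken by Shor's algorithm
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}                # NIST FIPS 203 / 204 / 205

# Data inventory (constructed): class -> (sensitivity 1-3, years it must stay confidential)
DATA_INVENTORY = {"customer_pii": (3, 10), "financial_records": (3, 7), "public_web": (1, 0)}

@dataclass
class Asset:                 # one row of the cryptographic asset inventory
    name: str
    algorithm: str
    key_bits: int
    data_class: str          # key into DATA_INVENTORY
    supplier: str            # "in-house" or a vendor from the supplier inventory

# Constructed sample inventory; none of these systems come from the post.
ASSETS = [
    Asset("vpn-gateway", "RSA", 2048, "customer_pii", "vendor-a"),
    Asset("payments-api-tls", "ECDH", 256, "financial_records", "in-house"),
    Asset("backup-archive", "AES", 128, "customer_pii", "vendor-b"),
    Asset("marketing-site-tls", "RSA", 2048, "public_web", "vendor-a"),
    Asset("db-at-rest", "AES", 256, "financial_records", "in-house"),
    Asset("legacy-hsm-link", "3DES", 168, "financial_records", "vendor-c"),
]

def quantum_status(a):
    if a.algorithm in PQC:
        return "resistant"
    if a.algorithm in SHOR_BROKEN:
        return "vulnerable"          # no practical key size helps against Shor
    if a.algorithm == "AES":         # Grover roughly halves effective key strength
        return "resistant" if a.key_bits >= 256 else "weakened"  # conservative cut-off (assumption)
    return "unknown"                 # not classified by this sketch: flag for manual review

WEIGHT = {"vulnerable": 3, "unknown": 2, "weakened": 1, "resistant": 0}  # assumed weights

def priority(a):
    sensitivity, lifespan_years = DATA_INVENTORY[a.data_class]
    return WEIGHT[quantum_status(a)] * (sensitivity + lifespan_years)

def migration_plan(assets):
    # Assets that need action, highest priority first.
    ranked = sorted(assets, key=priority, reverse=True)
    return [(a.name, quantum_status(a), priority(a)) for a in ranked if priority(a) > 0]

def suppliers_to_engage(assets):
    # External suppliers behind at least one asset in the plan.
    return sorted({a.supplier for a in assets if priority(a) > 0 and a.supplier != "in-house"})
```

Calling `migration_plan(ASSETS)` returns the ranked work list, and `suppliers_to_engage(ASSETS)` returns the vendors whose roadmaps need to be checked against it.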