Introduction

In my work with various clients, I frequently encounter a significant misunderstanding about the scope of preparations required to become quantum-ready. Many assume the transition to a post-quantum world will be straightforward, involving only minor patches to a few systems or simple upgrades to hardware security modules (HSMs). Unfortunately, this is a dangerous misconception.

Preparing for this seismic shift is far more complex than most realize. It is not just about patching a few systems; it requires a comprehensive, enterprise-wide overhaul. (See Ready for Quantum: Practical Steps for Cybersecurity Teams for more information). Nearly every system that utilizes cryptography will need to be evaluated and updated. It is hard to imagine any system that does not, in some way, depend on cryptographic techniques—whether for encrypting and decrypting data, authenticating and authorizing users, hashing information, verifying data and file integrity, or securing communications. Consequently, every single system in a large enterprise requires evaluation and, likely, some changes. There may be a few niche or legacy systems with minimal cryptographic dependencies, but very few and their number is decreasing.

Affected Categories of Enterprise Systems

Operating Systems (OS)

Operating systems, including Windows, Unix, Linux, AIX, MacOS, etc. form the foundation of enterprise IT infrastructure. These systems rely heavily on cryptographic methods to secure data storage, manage user authentication, and protect communications. Encryption is used to secure sensitive files and directories, while cryptographic protocols ensure the integrity and confidentiality of data transmitted over networks. Additionally, OS-level security features, such as secure boot and disk encryption, depend on cryptographic algorithms. As quantum computing becomes a reality, operating systems will need to be updated to support quantum-resistant cryptographic techniques to ensure the overall security of enterprise environments.

Internal Business Operational Systems

Most modern internal operational systems, such as Enterprise Resource Planning (ERP) systems, Customer Relationship Management (CRM) systems, and Human Resource Management (HRM) systems, rely heavily on cryptography. These systems use encryption to secure data at rest and in transit, ensuring that sensitive information such as employee records, customer data, and financial transactions are protected from unauthorized access. User authentication and access control mechanisms also depend on cryptographic methods to verify identities and manage permissions. Due to regulatory requirements and evolving security standards, even legacy systems that may not have been initially designed with strong cryptographic measures have likely been updated to incorporate these technologies.

Financial Systems

Financial systems, including accounting software, transaction processing systems, and online banking platforms, are deeply intertwined with cryptographic methods. Encryption ensures the confidentiality and integrity of financial data, digital signatures authenticate transactions, and secure communication protocols (like TLS) protect data in transit. These systems often employ multiple layers of cryptographic protection to comply with stringent regulatory standards and safeguard against financial fraud and cyber threats.

Communication Platforms

Enterprise communication platforms, such as email servers, collaboration tools, and instant messaging applications, utilize cryptography extensively to secure communications. Encryption protocols protect the content of messages, ensuring that sensitive information shared within the organization or with external partners remains confidential. Digital certificates verify the identity of users and servers, preventing impersonation and ensuring trusted and secure communications.

Data Storage and Management Systems

Databases and data warehouses store vast amounts of sensitive information. Cryptographic techniques ensure that organizations encrypt data at rest, protecting it even if physical storage media are accessed without authorization. Encryption keys are securely managed to prevent unauthorized access to data. Backup systems and data recovery solutions also depend on encryption to safeguard against unauthorized access, ensuring that backups cannot be read or tampered with by malicious actors.

Network Security Systems

Firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs) rely on cryptography to secure network traffic, authenticate users, and protect against cyber threats. Secure protocols, such as IPsec and SSL/TLS, encrypt data transmitted over networks, ensuring confidentiality and integrity. These systems also use cryptographic methods to verify the identity of devices and users, preventing unauthorized access and ensuring that network communications are secure.

Cloud Services

Enterprises extensively use cloud services for a range of functions, from data storage and processing to application hosting and collaboration tools. Cryptography plays a critical role in securing these cloud interactions. Communication with cloud providers relies on encryption to protect data in transit. Additionally, enterprises often need to encrypt sensitive data before uploading it to the cloud, both to comply with regulatory requirements and to ensure data privacy. While cloud providers are expected to upgrade to post-quantum cryptography (PQC) solutions, enterprises must verify that their providers are making these upgrades and ensure that their own related cryptographic practices are robust and up-to-date.

AI Systems

Artificial Intelligence (AI) systems, which encompass machine learning models, data analytics platforms, and intelligent automation tools, are increasingly becoming integral to enterprise operations. These systems rely heavily on cryptographic methods to secure sensitive training data, ensure the integrity and confidentiality of the models, and protect the results of AI-driven decisions. Encryption safeguards the data used to train AI models, preventing unauthorized access and tampering. Additionally, cryptographic techniques are employed to verify the authenticity of AI models and to secure communications between AI systems and other components of the enterprise infrastructure. As AI systems often process and generate critical business insights, ensuring their cryptographic robustness is essential.

Web Servers and Application Servers

Web servers and application servers are crucial components of modern IT infrastructure, facilitating the delivery of web content and application services to users. These servers heavily rely on cryptography to secure communications between clients and servers. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols encrypt data in transit, protecting it from interception and tampering. Additionally, web and application servers use cryptographic certificates to authenticate themselves to clients, ensuring that users are communicating with legitimate servers and not malicious impersonators.

Identity and Access Management (IAM) Systems

IAM systems are critical for managing user identities, access permissions, and authentication within an enterprise. These systems use cryptographic methods to secure user credentials, enforce access controls, and enable single sign-on (SSO) capabilities. Encryption ensures that passwords and other sensitive identity information are protected, while cryptographic tokens and certificates are used for authentication and authorization. As enterprises prepare for the quantum era, IAM systems will need to incorporate quantum-resistant cryptographic algorithms to maintain secure access management.

Endpoint Security Solutions

Endpoint security solutions, such as antivirus software, endpoint detection and response (EDR) systems, and mobile device management (MDM) platforms, rely on cryptographic techniques to protect devices and data. These solutions use encryption to safeguard data stored on endpoints, secure communications between devices and management servers, and verify the integrity of software updates. Ensuring that these solutions are upgraded to support quantum-resistant cryptographic methods is essential for maintaining endpoint security in a post-quantum world.

Internet of Things (IoT) Devices

IoT devices are increasingly being integrated into enterprise environments, from smart sensors and industrial control systems to connected medical devices and smart office solutions. These devices often rely on cryptographic methods to secure data transmission, authenticate devices, and protect firmware updates. Given the diversity and scale of IoT deployments, preparing for the quantum era will require ensuring that IoT devices and their associated management platforms support quantum-resistant cryptographic algorithms.

Commonly Missed Enterprise Systems in Quantum Preparation

While traditional IT systems like servers, databases, and communication platforms that we described above are typically well-managed and secured, there are numerous other categories of systems that often fall outside the purview of enterprise IT and cybersecurity teams. These commonly missed systems pose significant risks, especially in the context of quantum readiness, due to their cryptographic dependencies and potential vulnerabilities.

Shadow IT

One of the most prevalent issues in large enterprises is the existence of shadow IT. Departments often implement their own IT solutions without the approval or knowledge of the central IT department. This can include anything from simple spreadsheet applications to complex data processing systems. Shadow IT systems frequently bypass established security protocols and may not be updated with the latest cryptographic standards, making them vulnerable targets for attackers. As quantum computing introduces new threats, the cryptographic weaknesses in these systems could be exploited, leading to significant data breaches or unauthorized access.

Shadow Cloud Usage

Similarly, shadow cloud usage is another area of concern. Individual departments may adopt cloud services independently to meet their specific needs. While these services offer flexibility and scalability, they often operate outside the oversight of enterprise IT. This lack of visibility and control can result in the use of weak or outdated encryption methods, inadequate access controls, and poor data management practices. Ensuring quantum readiness for these shadow cloud services requires a comprehensive audit and integration into the organization’s overall security strategy, including the implementation of quantum-resistant encryption.

Shadow AI

In addition to shadow IT and cloud services, shadow AI systems are increasingly being deployed by departments eager to leverage artificial intelligence for various applications. These AI systems, developed and maintained without central IT governance, often handle sensitive data and make critical decisions. The cryptographic measures protecting these systems are usually insufficient, and the algorithms themselves may not be designed with security in mind. As quantum computing becomes a reality, these AI systems must be evaluated and updated to incorporate quantum-resistant cryptography to prevent data manipulation and ensure the integrity of their operations.

Other – Environmental Systems, Physical Security Systems, Power Systems…

Beyond the realm of shadow systems, enterprises also need to consider a wide array of other systems managed by non-IT departments. Environmental systems, such as heating, ventilation, and air conditioning (HVAC) controls, are typically overseen by facilities management. These systems are increasingly connected to enterprise networks for remote monitoring and control, often using basic cryptographic protections that are vulnerable to quantum attacks. As such, they must be included in the quantum readiness strategy to prevent unauthorized access and potential disruptions to critical environmental controls.

Physical security systems, including access control systems, surveillance cameras, and alarm systems, are usually managed by physical security teams. These systems rely on cryptography to secure communications and data storage. However, they are often overlooked in enterprise-wide security assessments. The integration of these systems into the broader IT infrastructure and their cryptographic dependencies necessitate a thorough review and upgrade to quantum-resistant standards to prevent breaches and maintain the security of physical premises.

Modern smart office buildings and data centers present another significant challenge. A smart office building can have hundreds of connected systems ranging from building management systems and vertical transportation systems to digital surveillance and safety systems. Each of these systems uses cryptography to some extent, whether for secure communication, data integrity, or user authentication. Similarly, data centers house dozens of connected mechanical and electrical systems, such as HVAC units, power distribution units (PDUs), and monitoring systems. These systems are critical to the operation of the facility but are often managed independently of enterprise IT. Their integration into the quantum readiness plan is crucial to prevent them from becoming entry points for attackers or vulnerabilities within the network.

The Interconnected Ecosystem

While internal systems and infrastructure often receive the bulk of attention in quantum readiness assessments, the interconnected nature of modern enterprises necessitates a broader focus. Modern enterprises rely extensively on third-party vendors for a range of services, from cloud computing and data storage to software development and IT support. These vendors, in turn, may depend on their own subcontractors, creating a complex web of interdependencies. Each link in this chain potentially utilizes cryptographic methods to secure data, authenticate users, and protect communications. As quantum computing threatens to break many of these cryptographic safeguards, it becomes crucial for organizations to ensure that all parties in their supply chain are prepared to transition to quantum-resistant algorithms.

Organizations should consider all of their critical dependencies on third and n-th parties. Some of the approaches to address it should include: including quantum readiness requirements in contractual agreements; developing (and testing) contingecy plans in case vendors are not ready on time;

The complexity of supply chains means that organizations must also consider the readiness of n-th parties—vendors’ subcontractors and their partners. The security of these n-th parties can significantly impact the overall risk profile. Therefore, organizations should extend their quantum readiness assessments to include key n-th parties. This involves working with primary vendors to ensure that their subcontractors are also adhering to quantum-resistant standards and are included in contractual obligations.

Potential Exceptions: Minimal Cryptographic Dependencies

While it’s rare, there are certain systems that might exhibit minimal cryptographic dependencies:

Legacy Industrial Control Systems (ICS)

Legacy ICS used in manufacturing and critical infrastructure may have limited or no cryptographic measures, particularly if they were designed and implemented decades ago before modern security standards were in place. These systems often prioritize availability and real-time performance over security. However, there’s a growing trend towards IT-OT convergence, which involves connecting these traditionally isolated systems to corporate IT networks for centralized monitoring and control. As a result, even legacy ICS are increasingly being retrofitted with cryptographic protections to safeguard against cyber threats and unauthorized access. And therefore, they should be included in quantum readiness evaluations.

Isolated, Air-Gapped Systems

Systems that are completely isolated from external networks (air-gapped systems) might operate with minimal cryptographic measures. These systems rely on physical security controls to protect data and operations. However, even air-gapped systems are increasingly incorporating cryptographic methods to safeguard against insider threats and unauthorized physical access. Furthermore, the trend towards integrating these systems into broader networked environments for operational efficiency necessitates the adoption of cryptographic protections.

Highly Specialized Legacy Applications

Certain highly specialized legacy applications, particularly those designed for very specific industrial or scientific tasks, might have minimal cryptographic dependencies. These systems often run in controlled environments with strict access controls. However, as with ICS, there’s a movement towards enhancing their security with cryptographic protections as part of broader cybersecurity initiatives. Ensuring that even these specialized systems are protected against emerging threats is crucial for maintaining overall organizational security.

Conclusion

In the modern enterprise environment, cryptography is foundational to the security and functionality of most systems. As organizations prepare for the quantum computing era, it is essential to recognize that nearly every system that utilizes cryptographic methods will require evaluation and likely significant changes. While a few niche or legacy systems may exhibit minimal cryptographic dependencies, the trend towards IT-OT convergence and the increasing integration of specialized systems into broader networked environments mean that even these systems must be considered in quantum readiness preparations.

In addition to internal systems, organizations must consider the readiness of third-party and n-th party systems. Ensuring that external vendors and their subcontractors implement quantum-resistant cryptographic standards is essential for maintaining a secure and resilient supply chain.

By adopting a holistic approach and starting with the assumption that every system will need adaptation, organizations can develop a robust and proactive strategy to safeguard their data and operations against the CRQC.

Avatar of Marin Ivezic
Marin Ivezic
 | Website

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.