Migrating an organization to become secure in the quantum era can be complex and costly. However, it does not have to be when combined with legacy system migration, with the introduction of zero trust capabilities or with the move to secure software supply chains. While there isn't a fully standardized set of algorithms for quantum-safe key exchanges or signatures, the threat of quantum computing to asymmetric cryptography is well recognized. Beyond just the awareness of a such a threat, it is instrumental to already now prepare organizations for a full transition to quantum-safe cryptography as soon as the relevant standardization is ratified. This implies that actions need to be put in place to establish an inventory of cryptography algorithms currently in use, such that those vulnerable to quantum computing can readily be migrated. The latter implies the establishment of a migration plan, for which adequate funding and management structure is a must-have. The migration plan might consist of a single step directly to the exclusive use of QSC algorithms, or it can be a two step procedure using hybrid “legacy and quantum-safe” algorithms as an intermediate solution. Enabling a migration without any disruption of business services must be a strong focus point: Beyond the inventory of cryptography algorithms and a related migration plan, the establishment, distribution, verification and revocation of QSC-certificates needs to be addressed.
How it works: Discover and locate cryptography, prioritize, move to quantum-safe cryptography
Our approach for cryptography inventory and migration consists of three non-intrusive and active methods to discover a cryptography presence and use in systems, software, or Software as a Service (SaaS):
Prioritize cryptography inventory. Passively or actively scan the IT environment to identify all cryptography in use and enrich the findings with contextual information about the value and criticality of related data.
Root cause and migration recommendations. Perform a deep scan of prioritized systems and software to locate where the unwanted cryptography resides and provide a prioritized action plan for remediation.
Upgrade to quantum-safe cryptography. Use ready-made drop-in replacements to upgrade systems and software from a rapidly growing quantum-proofed software repository.
Cryptography Bill of Materials (CBOM)
To address this need to move to quantum-safe solutions, our cryptography team behind the IBM Quantum Safe technology and NIST algorithm contributions has developed a new approach, dubbed Cryptography Bill of Materials (CBOMs).
The CBOM is an extension of the well-known Software Bill of Materials (SBOM) concept from software supply chains that allows systems and software to be described using a standardized list of components, libraries, and dependencies. Our CBOM describes cryptographic assets while extending existing software supply chain tooling. It simplifies the creation and management of a cryptography inventory across diverse software, services, and infrastructure, and allows complex cryptographic components to be added to well-established tools and processes to assess software supply chain security and integrity.
Our CBOM specification and tooling is available for organizations as a basis for information-capturing and exchange of cryptography assets.