
The Five Pillars of Cryptographic Discovery & Inventory


Step 1 of the Post-Quantum Cryptography Transition is Inventory: the Five Pillars of Cryptographic Discovery & Inventory.

In minutes. Continuously.

External Network

Understand what encryption is visible externally from your infrastructure.

Internal Network

Identify internal encryption within your network and how it communicates.

IT Assets

Recognize how endpoints, IoT devices, and servers use encryption and for what purposes.

Databases

Pinpoint the location of databases and understand how they are encrypted.

Code

Search for and inventory the encryption used within your code and code libraries.

To effectively tackle the discovery, analysis, and inventory of cryptography, organizations should adopt the Five Pillars of Cryptographic Discovery & Inventory.

External Network

The first pillar focuses on the External Network, which includes any encryption that is visible outside of the organization’s perimeter. This encompasses SSL/TLS certificates, digital signatures, and encrypted communication channels that interact with customers, partners, and external stakeholders.

Failure to properly manage external encryption exposes organizations to a variety of risks. For instance, expired or misconfigured SSL certificates can allow attackers to intercept sensitive communications. Additionally, external-facing encryption is often the first line of defense against quantum-based attacks. Quantum adversaries will likely target weak encryption methods that protect externally accessible systems.

To address these risks, organizations must regularly audit their external encryption infrastructure. This includes:

1. Discovering SSL/TLS certificates: identify all certificates in use across websites, APIs, and email servers, ensuring that strong protocol versions (such as TLS 1.3) and cipher suites are employed.

2. Assessing cryptographic strength: evaluate the strength of external cryptographic mechanisms in the context of post-quantum risks. Are there systems still relying on RSA or ECC? If so, these must be prioritized for upgrading to quantum-safe alternatives.

3. Inventory management: ensure that all cryptographic assets, such as certificates and digital signatures, are properly inventoried and renewed before expiration.
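The three checks above, as an added Python example that is not part of the original page: it classifies scanner records for external TLS endpoints (legacy protocol version, RSA/ECC certificate key, key size, expiry) and, going slightly beyond the text, also flags endpoints whose key exchange has no hybrid post-quantum group. The record layout, host names, finding labels and the stdlib-only `probe` helper are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Record shape assumed here (constructed, what a scanner would emit): host, protocol,
# key_exchange (TLS 1.3 group or TLS 1.2 kx), public_key, key_bits, not_after (ISO 8601).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Certificate public-key algorithms broken by Shor's algorithm: prioritise for migration.
CLASSICAL_PUBLIC_KEYS = {"RSA", "EC", "ECDSA", "DSA", "Ed25519"}
# Substrings that mark a (hybrid) post-quantum key-exchange group name.
PQ_KEX_MARKERS = ("MLKEM", "KYBER")


def assess(record, now=None, expiry_warn_days=30):
    """Return the inventory findings for one externally visible TLS endpoint."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    findings = []
    if record["protocol"] in LEGACY_PROTOCOLS:
        findings.append("legacy-protocol")
    if record["public_key"] in CLASSICAL_PUBLIC_KEYS:
        findings.append("pq-vulnerable-auth")
    kx = record.get("key_exchange", "").upper()
    if not any(m in kx for m in PQ_KEX_MARKERS):
        findings.append("classical-kex")  # harvest-now, decrypt-later exposure
    if record["public_key"] == "RSA" and record["key_bits"] < 2048:
        findings.append("weak-rsa-key")
    days_left = (datetime.fromisoformat(record["not_after"]) - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= expiry_warn_days:
        findings.append("expiring-soon")
    return findings


def probe(host, port=443, timeout=5.0):
    """Live probe with the standard library only: protocol, cipher suite and expiry.
    Public-key algorithm and key-exchange group need an X.509/TLS library, so the
    returned record is partial until the scanner fills those fields in."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            expiry = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            return {"host": host, "protocol": tls.version(), "cipher": tls.cipher()[0],
                    "not_after": datetime.fromtimestamp(expiry, timezone.utc).isoformat()}


if __name__ == "__main__":
    legacy = {"host": "legacy.example.test", "protocol": "TLSv1.1", "public_key": "RSA",
              "key_bits": 1024, "key_exchange": "RSA", "not_after": "2025-01-10T00:00:00+00:00"}
    print(legacy["host"], assess(legacy, now="2025-01-15T00:00:00+00:00"))
```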

Internal Network

The second pillar addresses encryption within the Internal Network, focusing on how data is secured as it moves between internal systems, databases, and devices.

Encryption plays a critical role in securing data in transit within the organization’s perimeter, especially in environments that handle sensitive information like healthcare, financial, and personal data.

Encryption protocols used in internal communications must be reviewed to ensure their resilience to quantum threats. Organizations should:

1. Identify encryption used for internal communications: this includes the encryption of internal APIs, cloud services, and internal messaging systems. Is data being transmitted securely between systems?

2. Verify the use of secure protocols: outdated protocols like SSL and older versions of TLS should be flagged and replaced with quantum-resistant alternatives.

3. Monitor encryption configuration: ensure that internal encryption is properly configured to minimize vulnerabilities. Misconfigurations can lead to unnecessary exposure of sensitive data, even within the internal network.

IT Assets

The third pillar involves discovering how encryption is applied across IT Assets, including endpoints, IoT (Internet of Things) devices, and servers. These assets often handle vast amounts of sensitive data, making it crucial to understand the encryption mechanisms protecting them.

In many cases, IT assets such as laptops, mobile devices, and IoT systems use a mix of encryption protocols that may vary depending on their purpose or operating system.

Organizations must:

1. Inventory all encryption mechanisms on endpoints: ensure that encryption is applied to protect sensitive data stored on devices, such as employee laptops or mobile devices.

2. Review IoT encryption: IoT devices often rely on lightweight cryptographic algorithms to manage limited computational resources. These may not be strong enough to withstand quantum threats and should be evaluated for post-quantum migration.

3. Ensure server-side encryption: critical data stored on servers should be encrypted both at rest and in transit. Outdated algorithms such as AES-128 should be upgraded to stronger quantum-safe standards, such as AES-256.

Databases

The fourth pillar emphasizes the importance of securing Databases. Databases are a prime target for cyberattacks, as they often contain sensitive personal data, financial information, and intellectual property.

A cryptographic inventory must include a detailed analysis of how databases are encrypted, how encryption keys are managed, and whether quantum-safe encryption standards are applied.

Key steps in this pillar include:

1. Discover and inventory databases: identify all databases within the organization, including relational databases (e.g., MySQL, PostgreSQL) and non-relational databases (e.g., MongoDB, Cassandra).

2. Evaluate encryption mechanisms: ensure that databases are encrypted at rest and in transit using strong algorithms, and identify any databases that still rely on deprecated encryption standards.

3. Assess key management practices: review the management of encryption keys to ensure they are stored securely and are regularly rotated. In preparation for quantum computing, organizations should explore quantum-safe key management solutions.

Code

The final pillar focuses on Code, emphasizing the need to search for and inventory encryption used within software applications and code libraries.

Encryption is often embedded deep within application logic, making it critical to identify vulnerable or deprecated algorithms used in proprietary or third-party code.

Organizations should:

1. Conduct a code review for cryptography: search through code repositories to identify where cryptographic algorithms are implemented, whether through native code or third-party libraries.

2. Replace deprecated cryptographic algorithms: ensure that legacy algorithms, such as MD5 or SHA-1, are replaced with modern, quantum-resistant alternatives.

3. Maintain an up-to-date cryptographic inventory: create and maintain an inventory of all cryptographic algorithms used in the codebase, ensuring that developers follow best practices for post-quantum encryption.
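The code-review and inventory steps above, as an added Python example that is not part of the original page: a small scanner that walks a repository, matches each source line against a pattern table (MD5, SHA-1, DES, RSA, ECC, SHA-256, AES) and records every hit as deprecated, quantum-vulnerable, or acceptable, so the result can seed the code inventory. The pattern table, file-extension list, category labels and the sample file are constructed assumptions.

```python
import os
import re
# Patterns assumed for this example (algorithm family -> regex, inventory category); extend them
# with the identifiers used by the libraries in your own codebase.
PATTERNS = {
    "MD5": (r"\b(md5|MD5)\b", "deprecated"),
    "SHA-1": (r"\b(sha1|SHA1|SHA-1)\b", "deprecated"),
    "DES/3DES": (r"\b(DES|3DES|TripleDES|des_ede3)\b", "deprecated"),
    "RSA": (r"\b(RSA|rsa\.generate_private_key|RSA_generate_key)\b", "quantum-vulnerable"),
    "ECC": (r"\b(ECDSA|ECDH|secp256r1|prime256v1|ec\.generate_private_key)\b", "quantum-vulnerable"),
    "SHA-256": (r"\b(sha256|SHA256|SHA-256)\b", "ok"),
    "AES": (r"\b(AES|aes_\w+)\b", "ok"),
}
COMPILED = {name: (re.compile(rx), cat) for name, (rx, cat) in PATTERNS.items()}
SOURCE_EXT = {".py", ".java", ".go", ".c", ".h", ".cpp", ".js", ".ts", ".rb", ".rs", ".cs"}

def scan_source(text, path):
    """Return inventory rows (path, line_no, algorithm, category) for one file's text."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//", "*")):  # skip comment-only lines
            continue
        for name, (rx, cat) in COMPILED.items():
            if rx.search(line):
                rows.append((path, n, name, cat))
    return rows

def scan_tree(root):
    """Walk a checked-out repository and inventory every recognised source file."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1] in SOURCE_EXT:
                p = os.path.join(dirpath, f)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    rows.extend(scan_source(fh.read(), p))
    return rows

def summarize(rows):
    # Count findings per category: replace now, migrate to PQC, or keep.
    counts = {}
    for _, _, _, cat in rows:
        counts[cat] = counts.get(cat, 0) + 1
    return counts

# Constructed sample standing in for one repository source file.
SAMPLE = """import hashlib
digest = hashlib.md5(data).digest()  # legacy checksum
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
mac = hmac.new(k, msg, hashlib.sha256)
"""
```

Running `scan_tree(".")` over a checkout returns the same row shape for every matched file, which can be written out as the pillar's inventory.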

Starting an inventory of cryptographic assets through the Five Pillars framework is critical for organizations preparing for post-quantum security.

This structured approach ensures that encryption across the External Network, Internal Network, IT Assets, Databases, and Code is discovered, analyzed, and cataloged, building a foundation for managing cryptographic risk. By systematically addressing each pillar, organizations can identify vulnerabilities, misconfigurations, and outdated algorithms, enabling proactive migration to quantum-safe standards.

This thorough cryptographic inventory prepares organizations for future threats by securing critical communication channels, protecting internal data flow, safeguarding IT assets, securing databases, and updating cryptographic algorithms within code.