COMMENTARY: For the last decade, quantum computing has been a technology that was coming, but not soon enough to worry about today. We had important work to do, like killing the password and patching every server.

That luxury has evaporated. The future arrived faster than we expected. Guidance from NIST, CISA, and Gartner has shifted from gentle nudges to loud warnings.

NIST has said that the transition to a secured quantum computing era will consist of a “long-term intensive community effort that will require extensive collaboration between government and industry.” NIST goes on to tell organizations to start their quantum computing journeys sooner rather than later.

By 2029, quantum computing will likely crack the traditional RSA and ECC encryption that now holds the internet together. And sophisticated attackers aren’t waiting for quantum computers to begin exploiting cryptography: they are already harvesting encrypted data today. Nation-state actors are collecting encrypted communications and long-lived sensitive data, betting that future advances will render today’s protections ineffective. Ransomware groups exfiltrate encrypted backups and archives, knowing that weak key governance, identity exposure, or cryptographic decay can turn inaccessible data into future leverage.

This resets the assumptions security leaders have relied on for decades.
The inventory nightmare
The industry presents post-quantum migration as a linear process: team, inventory, prioritize, and migrate. While it’s easy to recommend building a cryptographic inventory, it’s very hard to operationalize at scale.

Most security teams rely on traditional discovery tools that are great at scanning networks for public certificates. But those scans are surface-level. They completely miss the messy, tangled reality of modern infrastructure.

They miss the keys in applications: the hard-coded keys buried in legacy applications, the software libraries pulled into off-the-shelf, in-house, and open source software, and the ephemeral keys spinning up and down in Kubernetes clusters. They miss the shadow IT service accounts that developers set up to bypass friction.

We don’t just have to know which keys and libraries are crypto-capable; we now need to know what our systems actually use. Just because our systems are crypto-capable doesn’t mean they actually use post-quantum cryptography (PQC). For example, a server might still present an RSA certificate that is vulnerable to quantum attack even though it is capable of using a PQC algorithm (ML-KEM) for key exchange. This means we need both static discovery and observation of what is actually happening on the network.

Lacking that visibility, many of us are flying blind today.

Stop counting keys, start tracking identities
How do we fix the visibility gap? We need to stop treating cryptography as a math problem and start treating it as an identity problem.

Cryptographic credentials don’t float in space. They are always attached to something: a person, a server, a bot, an agent, or an application. A certificate, key, or equivalent credential is effectively just an ID card for a machine or service.

When we shift our focus from “finding keys” to “mapping identities,” the picture clears up. We move from a chaotic list of random file paths to a contextual map of our environment. This identity-first approach can make PQC migration manageable. It does the following:

- Contextualizes risk: If we hand a generic list of 10,000 weak certificates to an IT team, they will freeze. Where do they start? But if we link those certificates to identities, we can triage. We can see that this certificate belongs to a critical payment gateway, while that other one belongs to a dev-test sandbox. We fix the items that actually matter first.
- Solves the "Who owns this?" mystery: We’ve all been there: staring at a vulnerable SSH key on a critical server, afraid to rotate it because we don't know what it breaks. When we discover crypto through the lens of identity, we automatically see the owner. We turn a detective project into a simple remediation ticket.
- Catches the machines: In modern DevOps, machine identities outnumber human users by a massive margin. Bots create their own keys, use them for seconds, and discard them. Traditional scanners miss this entirely. An identity-centric view captures the automated underbelly of the enterprise, ensuring we aren't leaving the back door open while we lock the front.
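As an added example (not from the column), the following Python script joins the three views the column calls for: a static capability inventory, observations of what was actually negotiated on the wire, and an identity map with owner and criticality. It then triages the endpoints still negotiating quantum-vulnerable algorithms. All endpoint names, owners and algorithm labels are constructed sample data, and "PQC-capable" is keyed on ML-KEM-768 support.

```python
from dataclasses import dataclass

# Classical public-key algorithms the column treats as quantum-vulnerable.
QUANTUM_VULNERABLE = {"RSA-2048", "ECDSA-P256", "ECDHE-X25519"}
PQC_KEM = "ML-KEM-768"

@dataclass
class Finding:
    endpoint: str
    owner: str            # identity the credential is attached to
    criticality: int      # 1 = most critical
    negotiated: set       # algorithms actually observed on the wire
    pqc_capable: bool     # static scan says ML-KEM is supported

    @property
    def vulnerable_in_use(self):
        return self.negotiated & QUANTUM_VULNERABLE

def build_findings(static_inventory, observations, identities):
    """Join static capability, wire observation and identity map.
    Endpoints with no identity record are flagged UNOWNED at top criticality."""
    findings = []
    for endpoint, caps in static_inventory.items():
        ident = identities.get(endpoint, {"owner": "UNOWNED", "criticality": 1})
        findings.append(Finding(endpoint, ident["owner"], ident["criticality"],
                                set(observations.get(endpoint, [])),
                                PQC_KEM in caps))
    return findings

def triage(findings):
    """Endpoints still negotiating vulnerable algorithms, most critical first;
    among equals, PQC-capable ones first since they are a config change away."""
    at_risk = [f for f in findings if f.vulnerable_in_use]
    return sorted(at_risk, key=lambda f: (f.criticality, not f.pqc_capable))

# Constructed sample data (hypothetical endpoints, owners and algorithms).
STATIC = {"pay-gw.internal": ["RSA-2048", PQC_KEM],
          "dev-sandbox": ["RSA-2048"],
          "ci-runner-07": ["ECDSA-P256", PQC_KEM]}
OBSERVED = {"pay-gw.internal": ["RSA-2048", "ECDHE-X25519"],  # capable, not using
            "dev-sandbox": ["RSA-2048"],
            "ci-runner-07": ["ECDSA-P256", PQC_KEM]}          # PQC KEM, ECDSA cert
IDENTITIES = {"pay-gw.internal": {"owner": "payments-team", "criticality": 1},
              "dev-sandbox": {"owner": "qa", "criticality": 3}}

if __name__ == "__main__":
    for f in triage(build_findings(STATIC, OBSERVED, IDENTITIES)):
        print(f.endpoint, f.owner, sorted(f.vulnerable_in_use), f.pqc_capable)
```

Note that ci-runner-07 stays on the list even though it negotiates ML-KEM: its ECDSA certificate is still in use, and nobody owns it.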