Who is responsible for migrating your systems to quantum-safe algorithms? Is it your vendors or your cybersecurity team?
The customers I speak to are not always clear on this question. But from my perspective, the answer is your cybersecurity team. They have the ultimate responsibility of ensuring your organization is secure in a post-quantum future. However, they will need a lot of help from your technology vendors.
This article outlines what you should expect (or demand) from your vendors, and what remains the responsibility of your cyber team.
What To Expect From General Vendors
A general vendor does not offer specific cryptographic services to you. Instead, they provide a business service that uses cryptography to maintain security and resilience.
Consider the accounting platform SAP. It relies on cryptography throughout, yet its purpose is to manage your finances. Therefore, SAP’s focus will be on migrating its underlying cryptography to post-quantum technologies while maintaining your business services without interruption.
You should expect a general vendor to share a quantum-safe migration roadmap with you, complete with timelines. They should explain the activities they will complete to address the quantum threat, and how they will impact you as a user.
Although your vendor will not begin migration until the NIST post-quantum algorithms are standardised next year, you should expect them to already have a roadmap in place. If they don’t, this is a cause for concern.
Some vendors may already offer a test version of their product, which uses post-quantum algorithms. This allows your cyber team to experiment with the impact on performance or interoperability.
What To Expect From Cryptographic Vendors
A cryptographic vendor provides you with services directly related to cryptography, such as network security, data encryption or key management.
The expectations that apply to general vendors also apply to cryptographic vendors. However, you will need more information from your cryptographic vendors to pull off a smooth migration.
Cryptographic vendors must provide you with detailed guidance on how to migrate between their current product suite and the new versions that use post-quantum algorithms. For instance, you might need to understand how to re-process legacy data so that it’s protected by the new algorithms. Similarly, network security vendors will need to provide detailed instructions on migrating traffic flows while maintaining uptime.
I would expect cryptographic vendors to be far more hands-on during your migration. Expect to have discussions of your deployment architecture with their account management teams, and don’t be afraid to ask the hard technical questions.
What Information You Should Be Ready to Share
The flow of information will not be one-way. You should be prepared to share information with your vendors to help them help you.
Having your migration plan developed, at least at a high level, will be critical for meaningful conversations with your vendors. This will allow you to compare their migration timelines against your own expectations.
Vendors will also benefit from understanding how you use their products in conjunction with products from other vendors. The goal here is to spot edge cases, where you risk business downtime because the vendor wasn’t anticipating how you were using their product.
Finally, make sure you know the configuration of your deployment. The devil is in the details when it comes to planning migration, so be prepared to tell your vendor which features you are using and how you’ve configured product security settings.
What Is Out of Scope for Your Vendor?
While your vendors should provide a lot of help and guidance, they are not responsible for everything.
Your cybersecurity team will be responsible for planning your overall migration strategy, including prioritising which systems to migrate first. This will involve understanding the relative importance of business systems, and the requirements for data security.
While vendors should provide some guidance for interoperability, ultimately the IT and cybersecurity teams are responsible for ensuring updates to one service do not impact another service.
Finally, you must ensure your IT and cyber teams are leading the conversation with your end users. You cannot rely on vendors to manage the communication with your customers and internal stakeholders.
What Should You Expect to See Today?
A good vendor will already be talking to you about their plans for quantum-safe migration.
For mass-market products, this might be via blog posts and thought-leadership articles. For products with a deeper client/vendor relationship, the topic of quantum-safe migration should already be appearing in quarterly business reviews.
For cryptographic vendors, you should also expect test versions to be available today, to allow for experimentation.
Overall, if any vendor is not able to talk about their plans for quantum-safe migration today, even at a high level, then you should flag this as a cause for concern.