Some thoughts about post-quantum cryptographic asset inventory
How best to prepare for post-quantum readiness
I argue that delaying your organization-wide cryptographic asset inventory exercise till 2027 may be a better idea
With the threat of quantum computers looming over us within the next 5 to 9 years, a common theme that many large organizations are pushing for is to work on an inventory of all cryptographic assets used in the organization.
I'm not quite convinced that it is such a great idea to do an organization-wide cryptographic asset inventory right now (as in 2024). In fact, I'll even say that planning for such an exercise now may delay your post-quantum readiness journey. Hear me out.
100% or nothing
For the cryptographic asset inventory to be useful, it has to cover 100% of all usage. After all, security is only as strong as the weakest link. If the inventory misses a couple of cryptographic libraries, then that is where the attackers are going to find a way into the system.
Yet it is next to impossible to get a 100% accurate cryptographic asset inventory for an organization today. That's because today's systems are dynamic, with new changes pushed into production on a regular basis, zero-day patches applied without human intervention, etc. Until proper post-quantum practices and policies are put in place, any inventory exercise conducted will be inaccurate the day after.
A very leaky bucket
Since the National Institute of Standards and Technology (NIST) only published the new post-quantum cryptographic (PQC) standards in Aug 2024, most vendors have not yet announced, much less embarked on, their post-quantum migration. I don't see any official post-quantum roadmap announcements coming from the likes of Microsoft, Google, Amazon, Oracle, SAP, IBM, etc. on when their products will be post-quantum ready.
So aren't organizations stuck with a very leaky bucket, with many of the holes waiting to be plugged by big tech over the next few years? And if you are holding this leaky bucket, what's the point of counting all the holes now? Wouldn't it be better to start figuring out a way to patch some of the critical holes, and leave the search for the remaining ones until after most of them have been closed?
Mitigating today's threats
An organization-wide cryptographic asset inventory exercise is neither cheap, easy nor fast. It will take significant resources, time and likely require the engagement of a large team of external consultants to perform the task. Should this activity take precedence over mitigating some of today's quantum threats such as harvest-now-decrypt-later (HNDL) attacks? I think not.
And you don't need to conduct the exercise to know where your HNDL vulnerabilities are today. Just look at the public-facing applications that your organization operates. It can be a transaction portal (e.g. online payments), a data collection portal (e.g. reporting, file uploads), or even an informational portal (e.g. internet banking) where private or confidential information is exchanged. That is probably a good place to start a project to plug the gap. Once you and your team have gotten the hang of it, your capabilities and productivity will improve, and you'll be ready when the real threat happens.
Inventorize in 2027
I'll predict that planning for a cryptographic asset inventory exercise in 2027 is a far better move. By then, you would have nailed down your post-quantum strategy and policies, gotten clarity on your migration budgets, and your team would already have some experience in carrying out post-quantum migration projects.
Moreover, I expect that many of the vendors would have released post-quantum versions of their products, leading to fewer false positives in the inventory report and allowing a more accurate mitigation plan to follow the exercise.
Let me know your thoughts.
Author
Tan Teik Guan
Teik Guan is CEO of pQCee.com. He works in the niche area of cryptographic security design and integration, having implemented numerous successful projects for banks, government agencies and enterprises. He holds a BSc and MSc from NUS and a PhD from SUTD.