Delivering wholesale change to the trust management of the entire organization is an overly complex endeavor, which should be accurately planned and processed. We would like to stress some of the most relevant aspects, which must be addressed within the planning and delivery process of such a project.
The following are prerequisites for successful migration project to post-quantum cryptography:
Project sponsorship
The commitment from the organization’s top management is necessary because the project is likely to address several departments and cooperation of all relevant parties must be assured. Often, cryptography is below the radar of management, and it must be carefully explained to increase awareness of the quantum threat. There is only a small chance that the migration will be successful without commitment and support from the management.
Knowhow and staffing
Consider the available resources within the organization. What is their available capacity, and do they have sufficient experience and skills to analyze all the use-cases and technologies, assess the risks and manage the whole migration? In some cases, it would be necessary to engage external experts and seek advice on the proper prerequisites before the migration will happen. Wrong understanding and technology choices may have a long-term impact on data protection and privacy.
Visibility and inventory
Having a complete inventory of all the cryptographic objects, their location, ownership, stakeholders, and usage is a prerequisite for the successful delivery of any migration project. The project is likely to be performed in stages, so assembling a full inventory of certificates and cryptographic keys is not a one-time exercise, but a continuous process, which must reflect ongoing changes and development of the organization infrastructure. How can you migrate if you do not know what should be migrated?
Assembling use cases
In every organization there are many cryptographic keys, which serve the same purpose and should be managed according to common principles. Structuring your cryptographic inventories into services or use cases may simplify the migration process. Migration everything at once typically ends with a failure and splitting based on the use cases can provide companies a systematic approach on what should be migrated and manage the migration in phases.
Ranking the use cases according to the complexity and importance
Not all use cases are equal, some are more critical for the operations than others. Also, the management options can vary according to the use of the various technologies and adoption of procedures. Every use case should be assessed individually and based on the analysis the migration should be ranked. This will provide important input for the migration project to be phased and resources prioritized. Each use case should have a defined scope on which the migration can be executed in sequence or in parallel.
Preparing the right technology stack
The technology (current and new) should support new cryptographic algorithms. Some components can have insufficient computing power to sustain the increased requirements for the processing of the post-quantum algorithms. The technology should be carefully selected, so that it is compatible with current and future needs and can be integrated across the organization, while cryptographic agility is a key factor.
Consider migration platform
Using the platform for management and automation of cryptography related operations can be vital for systematic migration to post-quantum cryptography. Upgrading your cryptographic objects can be the right moment to review the secure operations and consider implementing new methods to improve efficiency and agility of your infrastructure.
Get more information about the CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient trust lifecycle management and automation for companies of any size and individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in more and more connected world.