Note: Although this document describes the migration steps (diagnosing-planning-executing) sequentially, in practice an organisation should not wait to entirely complete one step before starting the next one. Organisations should start by identifying their most critical assets, planning a first migration phase for these critical parts and carrying out this migration, while in parallel actively working on extending the diagnosis to a larger part of their infrastructure that will be migrated in a second phase.

Risk assessment

Risk is assessed using these parameters:

  • The value of the information
  • The vulnerability
  • The threat

Quantum computing does not change the value of the information, but it creates new vulnerabilities: some information that was protected by cryptographic algorithms considered secure in a classical model is no longer protected. Organisations should anticipate the new threats created by this situation. A proper risk assessment will be vital to decide which systems should be migrated first.

Inventory cryptographic assets

Identify all the cryptographic assets within your organisation, including assets that will soon enter the organisation. This inventory will be used to determine whether a cryptographic asset is vulnerable to quantum attacks and which quantum-safe solution could be used instead. This inventory could take the form of a Configuration Management Database (CMDB). You may use automated asset discovery tools such as testssl.sh.

  • Make sure all assets will be correctly migrated
  • Both software and hardware
  • The information collected should be as detailed as possible, including the nature of the algorithm, key length, usage, etc.
  • For assets that are not controlled by your organisation, you should identify the supplier
  • Take into account that this step will take a significant amount of time.
  • Useful outside the scope of this migration project
  • Will ease the mitigation of both quantum and non-quantum threats
  • May also be used to simplify compliance issues
  • This inventory should be continuously updated
  • This inventory or overview should be properly secured so that it cannot be accessed by outsiders, as it contains very sensitive data, such as vulnerabilities of an organisation
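
The following sketch shows how inventory records carrying the algorithm, key length and usage can be triaged for quantum vulnerability. It is an added example, not part of the original guidance: the CSV column names, the sample rows, the status labels and the 256-bit threshold for symmetric keys are assumptions made for illustration.

```python
import csv
import io

# Public-key families broken by Shor's algorithm on a large quantum computer.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EDDSA"}
# Symmetric ciphers: Grover's algorithm roughly halves the effective key strength.
GROVER_WEAKENED = {"AES", "CHACHA20"}
# Post-quantum algorithms standardised by NIST (FIPS 203, 204, 205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Migration priority, most urgent first (labels are assumptions of this example).
ORDER = ["vulnerable", "review", "unknown", "quantum-safe"]

# Constructed sample inventory; assets and suppliers are hypothetical.
SAMPLE_INVENTORY = """asset,algorithm,key_length,usage,controlled,supplier
vpn-gateway,RSA,2048,key exchange,no,Example Vendor A
file-archive,AES,128,data at rest,yes,
backup-store,AES,256,data at rest,yes,
code-signing,ECDSA,256,signature,no,
pilot-tls,ML-KEM,768,key exchange,yes,
legacy-hsm,3DES,168,data at rest,no,Example Vendor B
"""

def classify(algorithm, key_length):
    """Return the quantum-readiness status of one cryptographic asset."""
    alg = algorithm.strip().upper()
    if alg in SHOR_BROKEN:
        return "vulnerable"          # no key length makes these quantum-safe
    if alg in PQC:
        return "quantum-safe"
    if alg in GROVER_WEAKENED:
        # Assumed threshold: 256-bit keys keep about 128 bits against Grover.
        return "quantum-safe" if key_length >= 256 else "review"
    return "unknown"                 # not recognised: needs manual assessment

def assess(inventory_csv):
    """Classify every row and sort the findings by migration priority."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings.append({
            "asset": row["asset"],
            "status": classify(row["algorithm"], int(row["key_length"])),
            # Assets not controlled by the organisation need an identified supplier.
            "supplier_missing": row["controlled"] == "no" and not row["supplier"].strip(),
        })
    findings.sort(key=lambda f: ORDER.index(f["status"]))
    return findings

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        note = "  (supplier not identified)" if f["supplier_missing"] else ""
        print(f"{f['status']:<13}{f['asset']}{note}")
```
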

Inventory data assets

More precisely, you do not need an exhaustive list of the data, but rather a list of types of data, depending on several factors:

  • Kind of data (data at rest, data in transit or data in use);
  • Location of the data;
  • Value of the data (confidentiality, availability);
  • Classification of data;
  • Risk assessment for each data asset.

Inventory of the suppliers of cryptographic assets

For most organisations, a significant part of the cryptographic assets (hardware and software) are provided by external suppliers. The goal of this inventory is to identify your cryptography supply-chain.

  • A large part of the migration is making sure the suppliers are migrating or finding new suppliers that are quantum-safe
  • For each supplier, list all products that you use from them and whether you have an ongoing contract with them
  • List the supplier’s contact details
  • This list should also include certificate authorities
  • Besides the official suppliers of cryptographic assets, consider internal communication tools (instant messaging, collaborative platforms) as well as shadow IT.

Note: this also holds the other way around, if you supply solutions using cryptography. The organisations you supply to will be making a similar assessment of their dependencies and might require you to properly communicate your intentions with respect to PQC. It is not necessary to make an exhaustive list of all of your clients, but keep this in mind when deciding on an appropriate strategy.