
How MSSPs Can Prepare Clients for Post-Quantum Computing Threats


COMMENTARY: Around the world, the quantum community is making huge progress in creating stable, commercially viable quantum computers. As the idea of quantum technology becoming a part of everyday applications becomes more realistic, there's a growing sense of uncertainty.

Recently, NIST released an Initial Public Draft (IPD) report outlining a roadmap for transitioning from traditional public-key cryptographic algorithms to standardized post-quantum cryptography (PQC). The report lays out a transition plan, with timelines and key considerations for migration, aimed at helping federal agencies, industries, and standards organizations make their infrastructure, products, and services PQC-ready by 2035. It also lists the current, widely used key establishment and digital signature algorithms that will soon be deprecated.

NIST also points out that moving from algorithm standardization to full integration into information systems can take anywhere from 10 to 20 years. Given that lead time and the rise of “harvest now, decrypt later” attacks, it’s more important than ever for organizations to start preparing for post-quantum cryptography (PQC) now. NIST’s report serves as a vital resource, offering clarity and direction to help begin and speed up the PQC adoption journey.

Quantum machines could potentially break traditional encryption methods, putting sensitive information at risk. For businesses, getting ready for these threats is no longer optional; it’s a necessity. This is where Managed Security Service Providers (MSSPs) can help, offering valuable consultation services, support, and an implementation plan.

Why Post-Quantum Security Matters

Current encryption methods, like RSA and ECC, rely on complex math problems that are hard for regular computers to solve. However, quantum computers, using algorithms like Shor’s, can break this encryption much faster. A large-scale quantum computer could effortlessly break today’s cryptographic algorithms like RSA, DSA, ECDH, ECDSA, and EdDSA and expose sensitive, confidential data. That means businesses' financial data, intellectual property, and customer information could be at risk, which is a major concern for many CISOs.

Gartner® predicts that by 2029, quantum computing will be in a position to weaken existing systems to the point that they are considered unsafe to use cryptographically.

Migration to PQC is a much more complex undertaking when compared to other cryptographic migrations from the past. The new PQC algorithms have significantly different properties from the current algorithms in terms of key sizes, signature sizes, key exchange, computational requirements, entropy, and others. Naturally, the challenges in migration are multifaceted, involving changes to infrastructure, algorithms, applications, and compliance frameworks. MSSPs must help organizations plan extensively, ensuring that their systems are robust enough to handle the demands of PQC while maintaining seamless operations.

History and Background of PQC Algorithms

Before we delve into the role of MSSPs, let us look at NIST’s finalized PQC encryption algorithm standards and the key factors to consider for PQC migration.

2016

In 2016, NIST kicked off the Post-Quantum Cryptography (PQC) Standardization Project aimed at developing trusted and tested PQC encryption algorithms that are secure against attacks by both classical and quantum computers.

2022

In July 2022, after the third round of the standardization process, NIST made a preliminary announcement, unveiling the first four selected algorithms:

  • CRYSTALS-Kyber for KEM (Key Establishment Mechanism) for general encryption
  • CRYSTALS-Dilithium, Falcon, and SPHINCS+ for digital signature schemes

2023

In August 2023, NIST released the Initial Public Drafts (IPD) of three of the above algorithms to get industry feedback and make appropriate revisions.

2024

A year later, after completing the fourth round of standardization, on August 13, 2024, NIST released the finalized PQC encryption algorithm standards with name changes:

  • FIPS 203: Referred to as ML-KEM, based on the CRYSTALS-KYBER algorithm for general encryption
  • FIPS 204: Referred to as ML-DSA, based on the CRYSTALS-Dilithium algorithm for digital signatures
  • FIPS 205: Referred to as SLH-DSA, based on the SPHINCS+ algorithm for digital signatures

The Critical Role of MSSPs in Achieving Crypto-Agility

Rising cyber threats mean more chances for managed security service providers. The world of PKI is transforming rapidly, driven by an unprecedented growth of machine (non-human) identities and disruptions like the shift towards shorter TLS certificate validity, Certificate Authority Browser (CA/B) Forum rulings, post-quantum cryptography, and new compliance mandates. As disruptions intensify and become more common, crypto-agility has become critical to adapt, stay the course, ensure security, and preserve digital trust.

Gartner forecasts global spending on security and risk management to reach $215 billion in 2024, up 14.3% from 2023's $188 billion. 

Gartner forecasts that spending on security services including consulting, IT outsourcing, implementation and hardware support will total $90 billion in 2024, an 11 percent increase from 2023. Security services are expected to represent 42 percent of total security and risk management end-user spending.

With the complexities of the PQC transition, MSSPs can play a crucial role in helping organizations strengthen their security against quantum threats through a strong Crypto-Agile framework. Achieving crypto-agility is a journey, but with the right solutions, this transition becomes seamless and sustainable, ensuring robust mitigation ahead of emerging threats.

Here’s how MSSPs can help:

1. PQC Risk Assessment and Readiness

MSSPs can partner with key cybersecurity vendors to create awareness among CISOs and security architects. The key is a consultative security service for their customers, delivered through a phased approach and built on a comprehensive assessment of the organization’s cryptographic infrastructure. Identifying vulnerable systems and educating clients about the implications of quantum computing can be a critical first step toward preparedness.

2. Implementing Quantum-Resilient Algorithms

MSSPs can stay ahead by using quantum-safe algorithms recommended by organizations like NIST. They can help clients gradually switch to these algorithms as part of a broader plan to prepare for post-quantum security.

3. Crypto Agility

MSSPs can collaborate with OEMs to help organizations build a comprehensive crypto-agile framework, enabling critical systems to quickly adapt to evolving cryptographic standards. With shorter TLS validity, certificate compromises, and post-quantum threats on the horizon, MSSPs need to make sure that organizations are crypto-agile enough to maintain security and compliance. This flexibility is key to minimizing disruption for their customers during the transition to post-quantum solutions.

4. Cost-Effective Transition

For many enterprises, the cost of transitioning to post-quantum security can be daunting. MSSPs offer scalable, cost-effective solutions tailored to their clients' needs, eliminating the need for significant in-house expertise or resources.

Preparing Today for Tomorrow’s Threats

Cryptography is foundational to internet security, and crypto-agility is crucial to staying ahead of evolving threats and preserving digital trust. Quantum computing may still be years away from mainstream adoption, but the risks it presents demand action now. MSSPs provide the expertise, tools, and proactive strategies to help businesses secure their digital assets in a post-quantum world.

For organizations looking to future-proof their security, partnering with an MSSP is not just a smart move—it’s a necessity. The time to prepare is today, and MSSPs can lead the way towards a secure future.

MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels.

Karthik Kannan
Karthik Kannan (KK) serves as the Vice President of Product Consulting and Partnerships for Global MSSP and GSIs at AppViewX. With over 17 years of expertise across varied domains in product management, go-to-market strategy, and sales leadership, Karthik excels in developing transformative products and forging strategic partnerships with MSSPs and GSIs.

Passionate about leveraging technology to solve complex challenges, his work drives innovation across network and cybersecurity domains, including MSSP solutions, SaaS, Certificate Lifecycle Management (CLM), PKI, Container Security, Low-Code/No-Code platforms, and Network automation, enabling organizations to stay secure and agile in an ever-evolving digital landscape.
