The Role of Technology Vendors in Your Quantum-Safe Migration
Who is responsible for migrating your systems to quantum-safe algorithms? Is it your vendors or your cybersecurity team?
The customers I speak to are not always clear on this question. But from my perspective, the answer is your cybersecurity team. They have the ultimate responsibility of ensuring your organization is secure in a post-quantum future. However, they will need a lot of help from your technology vendors.
This article outlines what you should expect (or demand) from your vendors, and what remains the responsibility of your cyber team.
What To Expect From General Vendors
A general vendor does not offer specific cryptographic services to you. Instead, they provide a business service that uses cryptography to maintain security and resilience.
Consider the accounting platform SAP. It is no doubt riddled with cryptography, yet its purpose is to manage your finances. Therefore, SAP’s focus will be on migrating their underlying cryptography to post-quantum technologies, while maintaining your business services without interruption.
You should expect a general vendor to share a quantum-safe migration roadmap with you, complete with timelines. They should explain the activities they will complete to address the quantum threat, and how they will impact you as a user.
Although your vendor will not begin migration until the NIST post-quantum algorithms are standardised next year, you should expect them to already have a roadmap in place. If they don’t, this is a cause for concern.
Some vendors may already offer a test version of their product, which uses post-quantum algorithms. This allows your cyber team to experiment with the impact on performance or interoperability.
What To Expect From Cryptographic Vendors
A cryptographic vendor provides you with services directly related to cryptography, such as network security, data encryption or key management.
The expectations that apply to general vendors also apply to cryptographic vendors. However, you will need more information from your cryptographic vendors to pull off a smooth migration.
Cryptographic vendors must provide you with detailed guidance on how to migrate between their current product suite and the new versions that use post-quantum algorithms. For instance, you might need to understand how to re-process legacy data so that it’s protected by the new algorithms. Similarly, network security vendors will need to provide detailed instructions on migrating traffic flows while maintaining uptime.
I would expect cryptographic vendors to be far more hands-on during your migration. Expect to have discussions of your deployment architecture with their account management teams, and don’t be afraid to ask the hard technical questions.
What Information You Should be Ready to Share
The flow of information will not be one-way. You should be prepared to share information with your vendors to help them help you.
Having your migration plan developed, at least at a high level, will be critical for meaningful conversations with your vendors. This will allow you to contrast their timelines for migration versus your expectations.
Vendors will also benefit from understanding how you use their products in conjunction with products from other vendors. The goal here is to spot edge cases, where you risk business downtime because the vendor wasn’t anticipating how you were using their product.
Finally, make sure you know the configuration of your deployment. The devil is in the details when it comes to planning migration, so be prepared to tell your vendor which features you are using and how you’ve configured product security settings.
What is Out of Scope for Your Vendor?
While your vendors should provide a lot of help and guidance, they are not responsible for everything.
Your cybersecurity team will be responsible for planning your overall migration strategy, including prioritising which systems to migrate first. This will involve understanding the relative importance of business systems, and the requirements for data security.
While vendors should provide some guidance for interoperability, ultimately the IT and cybersecurity teams are responsible for ensuring updates to one service do not impact another service.
Finally, you must ensure your IT and cyber teams are leading the conversation with your end users. You cannot rely on vendors to manage the communication with your customers and internal stakeholders.
What Should You Expect to See Today?
A good vendor will already be talking to you about their plans for quantum-safe migration.
For mass-market products, this might be via blog posts and thought-leadership articles. For products with a deeper client/vendor relationship, the topic of quantum-safe migration should already be appearing in quarterly business reviews.
For cryptographic vendors, you should also be expecting test versions to be available today, to allow for experimentation.
Overall, if any vendor is not able to talk about their plans for quantum-safe migration today, even at a high level, then you should flag this as a cause for concern.