Post-Quantum

Dos & Don’ts of Crypto Inventories for Quantum Readiness

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email May 5, 2022
24 minutes read
Manual Cryptographic Inventory

Introduction

The impending arrival of quantum computing presents a double-edged sword: while it promises unprecedented computational power, it also threatens to render current cryptographic systems obsolete. Organizations worldwide are scrambling to prepare for this quantum leap. One of the first steps advised for quantum readiness initiatives is for organizations to perform a comprehensive cryptographic inventory. In the absence of more specific requirements or established industry best practices, many started relying on manual, interview-based, inventories recorded in spreadsheets as their go-to approach. It’s a box-ticking exercise that gives the appearance of action without true efficacy.

In IT and OT environments, cryptography is embedded into every device, application, and service—often embedded deeply in ways that aren’t immediately apparent. Relying on asset owners, developers or IT personnel to identify and report in interviews or survey responses every instance of cryptographic usage is not just impractical; it simply does not work. Even these, ostensibly best-positioned stakeholders, would not be aware of all the cryptographic uses and dependencies within systems under their control, leading to incomplete, unreliable, and ultimately useless inventories.

This article explores why the oft-used, manual cryptographic inventories are insufficient for quantum readiness. I’ll argue that a truly effective inventory must be comprehensive, utilizing multiple automated tools to uncover hidden dependencies and generate a detailed Cryptographic Bill of Materials (CBOM). Only with a complete and accurate CBOM can organizations properly prioritize remediation efforts and fortify their defenses against quantum threats.

Alternatively, some organizations consider bypassing the inventory process altogether. By assuming that every device and system will require cryptographic remediation, they focus immediately on updating the most critical systems. While this approach accelerates immediate action, it also carries risks if not managed carefully. I’ll describe that approach as well.

Ultimately, I’ll highlight the shortcomings of spreadsheet-based inventories and emphasize the need for more robust strategies. Whether through comprehensive tooling or strategic prioritization, organizations must move beyond these token efforts to achieve true quantum readiness.

The Flaws of Manual Cryptographic Inventories

Organizations often resort to manual, interview-based and/or survey-based cryptographic inventories because this approach appears straightforward, it’s easy and quick to start, and provides an illusion of progress. Creating a spreadsheet populated with data from interviews and surveys gives the impression that the organization is actively addressing its cryptographic management.

This approach requires minimal upfront investment in tools or training, making it an attractive option for organizations looking to quickly demonstrate action to stakeholders, auditors, or regulatory bodies. The simplicity of the approach allows teams to initiate the inventory process without the need for specialized software or technical expertise. It enables them to collect information rapidly by delegating data entry tasks across departments. This decentralized approach can be appealing in large organizations where coordinating a centralized effort seems daunting.

However, as we’ll discuss, this approach is misleading. An inadequate inventory, presented as a complete one, can lead to misguided decisions, misallocation of resources, and a neglect of critical vulnerabilities. The false confidence created with this approach might be even more detrimental than not conducting an inventory at all, as it may prevent the organization from recognizing the need for more thorough measures.

The Hidden Challenges of Cryptographic Inventory

Cryptography is not merely a standalone feature—it’s a fundamental thread woven throughout virtually every device, system, and application. One of the paradoxes of cryptography is that its very effectiveness often depends on its invisibility. Designed to operate seamlessly in the background, cryptographic processes are meant to protect systems and data without impeding functionality or drawing unnecessary attention.

This intentional obscurity is a double-edged sword: while it enhances security by reducing attack surfaces, it also means that many cryptographic operations occur without explicit user or administrator awareness. Users can send emails, make online purchases, and access corporate networks without needing to understand the complex encryption algorithms safeguarding their activities. This seamless integration is achieved through numerous protocols, standards, and libraries that hide and automate cryptographic functions.

The Layers Beneath Applications

Cryptography doesn’t only reside at the application level; it operates deep within operating systems, firmware, and hardware components. Modern processors include instruction sets specifically designed for cryptographic operations, accelerating encryption and decryption processes. Firmware updates for devices are often signed and verified using cryptographic techniques to prevent tampering.

Moreover, many applications rely on third-party libraries and frameworks that incorporate cryptographic functions. Developers might use these tools to handle authentication, data storage, or communication without interacting with underlying cryptographic implementations. As a result, even the developers themselves might not be fully aware of all the cryptographic elements at play within their applications.

The invisible nature of cryptography introduces significant challenges when attempting to catalog and assess all cryptographic usage within an organization. Dependencies on third-party components mean that cryptographic functions can be several layers removed from the primary application code. Modern software development often involves assembling applications from a mosaic of third-party libraries, frameworks, and modules. Each component may incorporate its own cryptographic functions, creating layers of encryption that are not immediately apparent. For instance, a simple function call to store data in a database might trigger a series of operations that include encrypting the data, securing the connection to the database server, and verifying the integrity of the data—all using cryptography hidden from the developer’s direct view.

Some of the layers of encryption that are not immediately apparent might include:

  • Embedded Cryptography in Libraries: Developers frequently use open-source or proprietary libraries that handle cryptographic tasks internally. For instance, a library for database connectivity might encrypt data transmissions without explicit calls from the primary application.
  • Inherited Dependencies: An application might depend on a library that, in turn, relies on other libraries with their own cryptographic implementations. These nested dependencies can obscure the presence of cryptography deep within the software stack.
  • Firmware and Hardware-Level Encryption: Devices often come with built-in cryptographic features at the firmware level, such as secure boot processes or hardware security modules (HSMs). These are not typically visible or configurable through standard software interfaces.

These hidden dependencies complicate efforts to create a comprehensive cryptographic inventory. Traditional methods, such as code reviews or interviews with developers and system administrators, may not uncover all instances of cryptographic use, especially when they are buried within third-party libraries or legacy codebases.

While the invisibility of cryptography enhances usability and, in some cases, security, it also poses risks. Unseen cryptographic components might use outdated or vulnerable algorithms, such as SHA-1 or MD5 hashing functions, which are no longer considered secure. If these components are not identified and updated, they can become weak links in the organization’s security chain.

Furthermore, the advent of quantum computing threatens to compromise widely used cryptographic algorithms like RSA and ECC. Organizations unaware of where these algorithms are used within their systems cannot effectively plan for their replacement with quantum-resistant alternatives. The invisible nature of cryptography thus becomes a barrier to proactive security measures.

The Limitations of Human Awareness

Even with diligent management, asset owners and IT professionals might not be fully aware of all cryptographic uses due to several additional factors, beyond layers of interdependent cryptography, such as:

  • Rapid Technological Evolution: The pace at which technology evolves means new cryptographic methods and implementations are continually introduced. Keeping abreast of all changes is an impossible task.
  • Shadow IT and Unmanaged Assets: Employees may use unauthorized applications or devices—collectively known as shadow IT—that introduce cryptographic elements unknown to the IT department.
  • Cloud Services and Virtualization: The use of cloud services and virtual environments adds layers of abstraction that complicate manual inventory efforts. Cryptographic controls in these environments are often managed differently and may not be fully visible to in-house IT staff.
  • IoT Devices: The proliferation of Internet of Things (IoT) devices introduces numerous endpoints with embedded cryptography. These devices may not be centrally managed or easily included in manual inventories.

To make matters worse, documentation is critical for understanding and managing cryptographic assets, but it is often incomplete or outdated.

  • Legacy Systems: Older systems might use obsolete cryptographic algorithms that were never thoroughly documented, especially if original developers have left the organization.
  • Vendor Black Boxes: Proprietary software and hardware from vendors may include cryptographic functions that are not disclosed in detail, citing intellectual property protections.
  • Open-Source Complexities: While open-source software provides transparency, the sheer volume of code and the rate of updates can make it challenging to track all cryptographic components.

The Inadequacy of Interviews and Spreadsheets

Given these complexities, relying on interviews with asset owners and IT professionals, supplemented by spreadsheet records, is woefully insufficient. Those challenges are further exacerbated by challenges of relying on human recollection and on using inadequate tools (e.g. spreadsheet) to record complex information. Some such additional challenges might include:

  • Specialization Silos: In large organizations, responsibilities are divided among teams specializing in different areas—networking, application development, security, etc. Cryptographic functions that cross these domains might not be fully understood by any single team.
  • Turnover and Tribal Knowledge: Staff changes can lead to loss of critical information, especially if documentation is lacking. Knowledge about cryptographic implementations may reside with former employees, leaving current personnel unaware of existing configurations.
  • Incomplete Knowledge: As discussed above, individuals may only be aware of the cryptographic functions they directly interact with, missing those embedded deeper within systems or introduced by third-party components.
  • Human Error: Manual data entry into spreadsheets is prone to errors and omissions, leading to inaccurate inventories.
  • Inconsistent Terminology: Different individuals might use varying terms to describe the same cryptographic functions, leading to confusion and duplication in records.
  • Subjectivity: Personal interpretations of questions can result in subjective answers that do not accurately reflect the technical realities.
  • Superficial Information: Interviews may yield high-level overviews but miss detailed configurations such as key lengths, algorithm versions, and specific cryptographic protocols in use.
  • Confirmation Bias: Individuals may unconsciously provide information that aligns with their beliefs or assumptions, overlooking contrary evidence.
  • Reluctance to Admit Ignorance: Staff may be hesitant to acknowledge gaps in their knowledge, leading to incomplete or inaccurate information.
  • Organizational Politics: Interdepartmental dynamics can affect the openness and honesty of responses during interviews, particularly if there are concerns about blame or accountability.
  • Dynamic Environments: Systems and applications are frequently updated, and new assets are added regularly. Static spreadsheets cannot capture these changes in real-time.
  • Missing Dependencies: Complex interdependencies and inheritances of cryptographic functions cannot be easily captured through interviews or recorded in spreadsheets.

The Illusion of Security

Perhaps the most insidious issue with relying on interviews and spreadsheets is the false sense of security they can create. Organizations may become overconfident, believing that their inventory is complete based on these inadequate methods. This misplaced confidence can lead them to underestimate their vulnerabilities, leaving them exposed to risks they are unaware of.

Complacency can also set in, fostering a checkbox mentality where the mere act of conducting interviews is seen as sufficient. This attitude discourages further proactive measures and diminishes the urgency to delve deeper into the cryptographic infrastructure. As a result, critical cryptographic assets may remain unidentified and unsecured. These neglected areas increase the risk of breaches or failures, especially in the face of emerging quantum threats.

Implications for Quantum Readiness

The inability to fully account for all cryptographic uses has serious consequences in the context of quantum readiness. As quantum computing advances, it poses a significant threat not only to traditional cryptographic algorithms like RSA and ECC, which are expected to be completely broken, but also to other cryptographic methods that will be substantially weakened. Symmetric encryption algorithms like AES may require larger key sizes to remain secure, and certain hashing algorithms could become vulnerable to quantum attacks. Unidentified cryptographic components within an organization’s infrastructure may still rely on these vulnerable algorithms or use insufficient key lengths, leaving critical systems and data exposed.

Without a comprehensive understanding of where and how these algorithms are implemented, organizations cannot effectively prioritize their replacement with quantum-resistant alternatives. This oversight undermines the very foundation of their security measures, as they remain oblivious to the lurking vulnerabilities that quantum computing will exploit. The risk extends beyond just encryption; digital signatures, authentication protocols, and key exchange mechanisms are also susceptible to quantum threats.

Regulatory compliance risks further compound the problem. Anticipating the challenges posed by quantum computing, it is expected that regulators, national security agencies, and industry bodies will soon introduce new related standards and requirements. Critical national infrastructure providers and government organizations may be mandated to capture comprehensive cryptographic inventories as an initial step in broader quantum readiness programs. Failure to maintain a complete and up-to-date inventory can result in non-compliance with these emerging regulations, leading to legal penalties, fines, and damage to the organization’s reputation. Stakeholders, customers, and partners may lose trust in an organization that cannot demonstrate control over its cryptographic practices, which can have long-term negative effects on business relationships and market position.

Inefficient resource allocation is another significant implication of inadequate cryptographic accounting. Without a clear understanding of where cryptography is used throughout the organization, efforts to strengthen security may be misdirected. Resources might be wasted on addressing non-critical areas that pose minimal risk, while critical vulnerabilities remain unaddressed. This misalignment not only squanders time and money but also leaves the most sensitive assets unprotected. In the context of preparing for quantum threats, such inefficiencies can have dire consequences, as organizations may find themselves ill-prepared to mitigate the quantum risks.

In summary, the failure to fully account for all cryptographic uses within an organization has profound implications for quantum readiness. It exposes vulnerabilities to quantum attacks, risks non-compliance with current and forthcoming regulatory standards, and leads to inefficient use of resources. Addressing these issues requires a comprehensive and proactive approach to cryptographic inventory management, ensuring that all assets are identified, assessed, and updated as necessary to withstand the challenges of a quantum-enabled future. Organizations must recognize that quantum readiness is not merely about replacing RSA and ECC algorithms; it involves a thorough evaluation of all cryptographic practices and readiness to comply with new regulations that are likely to emerge as quantum computing becomes a reality.

The Need for Automated Discovery Tools

To overcome these challenges, especially in preparation for quantum computing threats, organizations should employ automated tools capable of deep and comprehensive analysis. These tools offer a comprehensive, accurate, and efficient approach to identifying all cryptographic elements within an organization, overcoming the shortcomings inherent in manual processes. Automated tools can systematically scan networks, codebases, and system configurations to uncover cryptographic implementations, including those hidden within third-party libraries, firmware, and hardware components. This systematic approach ensures that even the most obscure cryptographic uses are identified.

Moreover, automated discovery tools provide the necessary depth of analysis to understand not just the presence of cryptography but its specific characteristics. They can detect the types of algorithms used, key lengths, protocol versions, and configurations. This granular level of detail is crucial for assessing vulnerabilities, particularly in the context of quantum threats. Without precise information about where and how these algorithms are used, organizations cannot effectively prioritize their replacement with quantum-resistant alternatives. Automated tools enable this level of insight, which is unattainable through manual methods.

The dynamic nature of IT environments further requires the adoption of automated discovery tools. Systems and applications are frequently updated, new devices are added, and configurations change regularly. Manual inventories quickly become outdated, leaving organizations blind to new vulnerabilities that may have been introduced. Automated tools offer continuous monitoring capabilities, ensuring that the cryptographic inventory remains current. This real-time visibility is essential for maintaining a robust security posture and for complying with regulatory requirements that increasingly mandate accurate and up-to-date records of cryptographic assets.

Eliminating human error is another significant advantage of automated discovery tools. As discussed, manual data collection and entry are susceptible to mistakes, inconsistencies, and omissions. Such errors can lead to incomplete inventories, misinformed risk assessments, and ultimately, security breaches. Automated tools reduce these risks by providing consistent and accurate data collection processes. They standardize the inventory methodology, ensuring that all cryptographic assets are assessed using the same criteria and that nothing is inadvertently overlooked.

Scalability is also a critical factor. As organizations grow, their IT infrastructures become more complex, often spanning multiple locations, cloud services, and incorporating a multitude of devices, including Internet of Things (IoT) endpoints. Manual inventory methods cannot keep pace with this growth without a disproportionate increase in resources and effort. Automated discovery tools are designed to scale, handling large and complex environments. This scalability ensures that organizations can maintain comprehensive cryptographic inventories regardless of their size or the complexity of their IT ecosystems.

Regulatory compliance is another area where automated discovery tools prove indispensable. Anticipating the challenges posed by quantum computing, regulators and national security agencies are expected to introduce new standards and requirements for cryptographic security. These may include mandates for comprehensive cryptographic inventories as part of broader quantum readiness initiatives. Automated tools not only facilitate compliance with existing regulations but also position organizations to meet future requirements proactively. By demonstrating due diligence in managing cryptographic assets, organizations can avoid legal penalties, protect their reputations, and build trust with customers and partners.

The efficient allocation of resources is further enhanced by automated discovery tools. With a clear and detailed understanding of all cryptographic uses, organizations can prioritize remediation efforts based on actual risk levels. This targeted approach ensures that critical vulnerabilities are addressed promptly, while resources are not wasted on non-critical areas. In contrast, manual methods often result in misallocated efforts due to incomplete or inaccurate information, leaving significant risks unmitigated.

Automated discovery tools also enable organizations to respond swiftly to emerging threats. In the context of quantum computing, the window for transitioning to quantum-resistant algorithms is narrowing. Organizations equipped with automated tools can quickly identify vulnerable cryptographic assets and implement necessary changes. This agility is crucial in staying ahead of adversaries who may exploit quantum vulnerabilities as soon as they become viable.

Finally, adopting automated discovery tools fosters a culture of proactive security. It moves organizations away from reactive, compliance-driven approaches to a strategic stance that anticipates future challenges. By investing in advanced tools and methodologies, organizations signal their commitment to robust security practices, which can have positive implications for their brand and stakeholder confidence.

In conclusion, the need for automated discovery tools in cryptographic inventory management is clear and compelling. These tools address the inherent limitations of manual methods by providing comprehensive, accurate, and up-to-date visibility into all cryptographic assets. They enhance the ability to assess and mitigate risks, ensure regulatory compliance, optimize resource allocation, and prepare organizations for the challenges posed by quantum computing. Embracing automated discovery is not just a technological upgrade; it is a strategic imperative for any organization committed to maintaining security and resilience in an increasingly complex digital landscape.

Selecting the Right Automated Discovery Tools for Comprehensive Cryptographic Inventory

For the reasons discussed above, identifying all cryptographic elements requires a multifaceted approach, and at present, there isn’t a single tool or vendor offering a solution that encompasses all possible discovery methods. Different automated tools use different techniques to detect cryptographic usage. Each method targets different layers and aspects of the IT environment, and understanding these can help in selecting the appropriate combination of tools.

1. Static Code Analysis

Static code analyzers examine source code or compiled binaries without executing them. They search for patterns, function calls, and code constructs that indicate the use of cryptographic algorithms.

Advantages:

  • Can analyze large codebases efficiently.
  • Identifies cryptographic functions embedded in the code.
  • Useful for detecting hard-coded keys or insecure implementations.

Limitations:

  • Requires access to source code, which may not be available for third-party or proprietary software.
  • May produce false positives or miss dynamically loaded cryptographic modules.

2. Dynamic Analysis (Runtime Monitoring)

Dynamic analysis tools monitor applications during execution to observe cryptographic operations in real-time. They track calls to cryptographic libraries, API usage, and data flows.

Advantages:

  • Can detect cryptographic functions that are loaded or executed dynamically.
  • Useful for applications where source code is unavailable.
  • Identifies actual runtime behavior, reducing false positives.

Limitations:

  • Requires setting up a controlled execution environment.
  • May not cover all execution paths, leading to incomplete detection.
  • Performance overhead during monitoring.

3. Network Traffic Analysis

Network analyzers inspect data packets transmitted over the network to identify encrypted communications and the protocols used.

Advantages:

  • Detects cryptographic protocols in use (e.g., TLS, SSH).
  • Useful for identifying unsecured communications or outdated protocols.

Limitations:

  • Encrypted traffic may not reveal the underlying cryptographic details.
  • Cannot detect cryptography used internally within applications or systems.

4. Configuration and System Scanning

These tools examine system configurations, registry settings, and installed software to identify cryptographic components and settings.

Advantages:

  • Can detect system-wide cryptographic policies and configurations.
  • Useful for identifying cryptographic modules and hardware components (e.g., TPMs, HSMs).

Limitations:

  • May not provide detailed information about application-specific cryptography.
  • Requires appropriate permissions to access system configurations.

5. Dependency Analysis

Dependency analyzers assess software dependencies and libraries used by applications to uncover embedded cryptographic functions.

Advantages:

  • Identifies third-party libraries that implement cryptography.
  • Useful for understanding inherited cryptographic usage from dependencies.

Limitations:

  • May not detect custom or proprietary cryptographic implementations.
  • Relies on accurate and up-to-date dependency data.

6. Binary Analysis

Binary analysis tools dissect compiled executables to identify cryptographic algorithms and functions without needing source code.

Advantages:

  • Useful when source code is unavailable.
  • Can detect embedded cryptographic code within binaries.

Limitations:

  • Complex and may require specialized expertise.
  • May not identify obfuscated or heavily optimized code.

7. Cloud Environment Scanning

These tools are designed to scan cloud infrastructures and services to identify cryptographic usage in cloud-based applications and storage.

Advantages:

  • Addresses the unique aspects of cloud environments.
  • Can detect cryptographic configurations in cloud services (e.g., AWS KMS, Azure Key Vault).

Limitations:

  • Cloud provider APIs and services vary, requiring tool specialization.
  • May have limited visibility due to cloud provider restrictions.

8. Hardware and Firmware Analysis

Tools that inspect hardware components and firmware to identify cryptographic functionalities embedded at the hardware level.

Advantages:

  • Detects cryptography in hardware devices (e.g., IoT devices, embedded systems).
  • Useful for assessing cryptographic implementations in firmware updates.

Limitations:

  • Requires specialized tools and expertise.
  • Hardware diversity makes standardization challenging.

9. Certificate and Key Management Discovery

These tools focus on discovering and analyzing digital certificates, keys, and key management systems within the organization.

Advantages:

  • Identifies certificates and keys in use, their expiration dates, and associated cryptographic algorithms.
  • Essential for managing public key infrastructures (PKIs).

Limitations:

  • May not detect keys hard-coded within applications or stored in unconventional locations.
  • Focused primarily on asymmetric cryptography.

10. Log Analysis

Analyzing system and application logs to identify records of cryptographic operations.

Advantages:

  • Can uncover cryptographic errors, deprecated algorithm usage, and security incidents.
  • Useful for historical analysis.

Limitations:

  • Dependent on the logging level and practices.
  • May generate large volumes of data to sift through.

Given the diverse methods of cryptographic discovery, selecting the right tools becomes a critical task. No single tool currently encompasses all these approaches, primarily due to the vast scope and technical challenges involved. Each tool specializes in certain areas, and relying on one would inevitably leave gaps in the cryptographic inventory.

For example, a static code analyzer excels at examining in-house developed software but falls short when dealing with third-party applications or runtime behaviors. A network traffic analyzer can detect the use of outdated protocols but cannot peer into the cryptographic functions within applications or hardware devices. Dependency analyzers can uncover third-party libraries but may miss custom cryptographic implementations.

To achieve a complete and accurate cryptographic inventory, organizations need to adopt a multi-tool strategy, combining several specialized tools that collectively cover all aspects of cryptographic usage.

Begin by evaluating the organization’s IT environment:

  • Application Landscape: Are applications primarily in-house developed, third-party, or a mix?
  • Infrastructure Complexity: What is the extent of cloud usage, IoT devices, and legacy systems?
  • Data Sensitivity: What types of data are being protected, and what are the regulatory requirements?

Choose tools that complement each other:

  • Static and Dynamic Analysis Tools: Combine tools that analyze code statically with those that monitor runtime behaviors to capture both declared and operational cryptographic uses.
  • Network and System Scanners: Use network analyzers alongside system configuration scanners to detect cryptographic protocols and system-level implementations.
  • Specialized Tools for Cloud and Hardware: Incorporate tools designed for cloud environments and hardware analysis if these are significant components of your infrastructure.

Evaluate Tool Capabilities. When selecting tools, consider:

  • Accuracy and Depth: Assess how thoroughly the tool can detect cryptographic elements and whether it provides detailed information.
  • Ease of Integration: Determine how well the tool integrates with existing systems and workflows.
  • Scalability: Ensure the tool can handle the size and complexity of your environment.
  • Vendor Support and Updates: Evaluate the vendor’s track record for updates, especially in response to emerging threats like quantum computing.

Conduct pilot tests with selected tools to gauge their effectiveness in your specific environment. This hands-on experience can reveal practical considerations that may not be apparent during initial evaluations.

Cryptographic inventory is not a one-time task but an ongoing process. As the IT environment evolves, so too will the cryptographic landscape. Regularly updating the inventory requires tools that can continuously monitor and adapt to changes.

The Importance of Using Multiple Tools

Each tool offers unique strengths and addresses specific aspects of cryptographic usage, but none can cover the entire spectrum alone. At least, none on the market at the time of writing this. Organizations must adopt a multi-faceted approach, carefully selecting and integrating various tools to ensure that all cryptographic elements are identified and assessed. By acknowledging the limitations of individual tools and embracing a combined strategy, organizations can overcome the challenges of cryptographic discovery. This comprehensive approach is essential for effective risk management, regulatory compliance, and preparation for the quantum computing era.

Building a Comprehensive Cryptographic Bill of Materials (CBOM)

Having selected a suite of automated discovery tools to uncover cryptographic usage throughout the organization, the next crucial step is to consolidate the findings into a Cryptographic Bill of Materials (CBOM). A CBOM serves as a detailed inventory of all cryptographic components within your systems, applications, and devices. It provides a holistic view of the cryptographic landscape, enabling informed decision-making and effective risk management in the face of quantum computing threats.

Creating a CBOM is essential for several reasons:

  • First, it offers complete visibility into where and how cryptography is implemented across the organization.
  • Second, a CBOM facilitates compliance with regulatory requirements. As the quantum threat becomes more imminent, regulators and national security agencies are beginning to mandate comprehensive cryptographic inventories as part of broader quantum readiness programs. Maintaining a CBOM ensures that the organization meets these obligations, avoiding legal penalties and preserving its reputation.
  • Third, the CBOM enables efficient resource allocation. By understanding the exact cryptographic components in use, organizations can prioritize remediation efforts, focusing on the most critical vulnerabilities and planning the transition to quantum-resistant algorithms strategically.

To build a CBOM, the data collected from the various automated discovery tools must be aggregated and analyzed. This process involves several key steps. First, consolidate the information from static code analyzers, dynamic runtime monitors, network traffic analyzers, dependency analyzers, and any other tools employed. This aggregation ensures that all cryptographic uses, from application-level implementations to hardware-embedded functions, are accounted for.

Next, categorize the cryptographic components based on factors such as the algorithms used, key lengths, protocols, and their respective applications or systems. This categorization helps in assessing the risk associated with each component, particularly concerning their susceptibility to quantum attacks.

Once the components are categorized, evaluate their quantum resilience. Identify which cryptographic algorithms are considered vulnerable in the quantum era and mark them for replacement or upgrading. This evaluation should also consider the criticality of the systems in which these algorithms are used, prioritizing those that protect the most sensitive data or perform essential functions.

Documenting this information in a structured and accessible format is essential. The CBOM should be comprehensive yet clear, providing stakeholders with the necessary insights without overwhelming them with technical details. It should include details such as the location of the cryptographic component, its function, the algorithms and key sizes used, and any dependencies or related systems.

Maintaining the CBOM is an ongoing effort. As systems are updated, new applications are deployed, and configurations change, the CBOM must be kept current. Integrating continuous monitoring practices ensures that the CBOM remains an accurate reflection of the organization’s cryptographic posture. Regular reviews and updates are necessary to adapt to new threats, technological advancements, and changes in regulatory requirements.

By establishing a CBOM, the organization not only gains a clear understanding of its current cryptographic landscape but also lays the groundwork for future-proofing its security infrastructure. It enables proactive planning for the transition to quantum-resistant algorithms, ensuring that the organization stays ahead of emerging threats. Moreover, it fosters a culture of security awareness and responsibility, engaging stakeholders across the organization in the collective effort to safeguard critical assets.

In conclusion, the creation of a Cryptographic Bill of Materials is a pivotal step in achieving quantum readiness. It transforms the data gathered from automated discovery tools into actionable intelligence, guiding strategic decisions and remediation efforts. As the quantum era approaches, organizations equipped with a comprehensive CBOM will be better positioned to navigate the challenges ahead, maintaining robust security and compliance in an increasingly complex digital landscape.

Forgoing Cryptographic Inventory—An Alternative Approach

Some organizations consider bypassing the comprehensive cryptographic inventory process altogether. Instead of meticulously cataloging every cryptographic use within their systems, they opt to assume that all devices and applications require cryptographic remediation. This approach focuses on immediately updating the known critical systems without the preliminary step of inventorying.

The Logic Behind Skipping the Inventory

The primary appeal of foregoing a cryptographic inventory lies in the desire for swift action. Quantum computing poses imminent risks to current cryptographic systems, and organizations feel the pressure to act promptly. By assuming that all systems are potentially vulnerable, they can immediately begin remediation efforts on high-priority assets without the delay of conducting an extensive inventory.

This method also simplifies decision-making processes. Rather than allocating time and resources to identify which systems use vulnerable cryptographic algorithms like RSA or ECC, organizations can proceed directly to implementing quantum-resistant solutions on their most critical infrastructure. This can be particularly advantageous for organizations with limited resources or those operating in highly dynamic environments where systems and applications change rapidly.

Challenges of the No-Inventory Approach

While the intent to act quickly is commendable, bypassing a cryptographic inventory presents significant challenges. Without a detailed understanding of where and how cryptography is used, organizations risk misallocating their efforts. Critical vulnerabilities may remain unnoticed in less obvious parts of the system, while resources are expended on areas that may not require immediate attention.

Moreover, cryptographic functions are deeply embedded in various layers of technology—from applications and operating systems to firmware and hardware components. These functions often interact in complex ways, and without an inventory, it’s difficult to grasp the full scope of what’s in use. This oversight can lead to incomplete remediation, leaving the organization exposed to potential security breaches.

Another concern is regulatory compliance. As governments and industry bodies recognize the threats posed by quantum computing, they are beginning to require organizations, especially those in critical infrastructure sectors, to maintain comprehensive cryptographic inventories. Skipping this step could result in non-compliance, leading to legal repercussions and damage to the organization’s reputation.

The Hybrid Approach: Immediate Action with Concurrent Inventory Development

Acknowledging the drawbacks of both a complete inventory and no inventory at all, a balanced strategy emerges. Organizations can initiate immediate remediation on systems known to be critical while simultaneously developing a comprehensive cryptographic inventory using automated discovery tools.

This hybrid approach offers several advantages. By acting on critical systems first, organizations address the most significant risks without delay. Concurrently, building an inventory ensures that no cryptographic use is overlooked in the long term. As the inventory becomes more detailed, it can guide further remediation efforts, leading to a more robust and secure environment.

Developing the inventory alongside remediation allows organizations to demonstrate progress to stakeholders and regulators. It shows a commitment to both immediate action and strategic planning, aligning with best practices in risk management and compliance requirements.

By combining immediate remediation with automated inventory development, organizations can mitigate the risks associated with both inaction and inadequate action. Automated tools provide a more accurate and comprehensive view of cryptographic uses, uncovering hidden dependencies and embedded functions that manual methods miss.

This approach allows for:

  • Prioritized Remediation: Immediate action on known critical systems reduces exposure to significant risks.
  • Comprehensive Coverage: Concurrent inventory development ensures that all cryptographic uses are eventually identified and assessed.
  • Regulatory Compliance: Demonstrating both proactive remediation and systematic inventory efforts satisfies regulatory expectations and reduces legal risks.
  • Efficient Resource Allocation: Understanding the full cryptographic landscape enables better decision-making and more effective use of resources.

A hybrid strategy that initiates immediate remediation on critical systems while simultaneously building a comprehensive cryptographic inventory through automated tools might present the most effective path forward. This method addresses the need for quick action without sacrificing the thoroughness required for long-term security. It allows organizations to demonstrate progress, meet regulatory obligations, and, most importantly, establish a solid foundation for defending against the complex challenges that quantum computing will bring.

Conclusion

The advent of quantum computing heralds a transformative era in technology, bringing with it both unprecedented opportunities and significant threats to existing cryptographic systems. Organizations face the critical task of preparing for these changes to safeguard their data and operations. Throughout this article, we’ve explored the shortcomings of manual, interview-based, spreadsheet-driven cryptographic inventories in achieving true quantum readiness.

Cryptography is intricately woven into the fabric of modern technology, often operating invisibly and deeply embedded within systems, applications, and devices. This hidden nature makes it unrealistic to rely on asset owners and IT professionals alone to identify all instances of cryptographic use. Manual methods not only fall short in uncovering these hidden elements but also create a false sense of security. The illusion of completeness that spreadsheets provide can lead to overconfidence, complacency, and ultimately, neglected vulnerabilities that quantum computing could exploit.

Automated discovery tools emerge as an essential component in building a comprehensive cryptographic inventory. While no single tool can capture all cryptographic uses, a strategic combination of static code analyzers, dynamic runtime monitors, network traffic analyzers, and other specialized tools can collectively provide the depth and breadth of analysis required. This multi-faceted approach uncovers hidden dependencies and embedded cryptographic functions that manual methods inevitably miss.

Developing a Cryptographic Bill of Materials (CBOM) is a pivotal step in this process. A CBOM offers complete visibility into an organization’s cryptographic landscape, enabling the identification of vulnerabilities, efficient resource allocation, and compliance with emerging regulatory requirements. It transforms the aggregated data from automated tools into actionable intelligence, guiding strategic decisions and remediation efforts.

Some organizations might consider bypassing the inventory process altogether, opting to assume that all systems require remediation and focusing solely on critical assets. While this approach addresses immediate risks, it overlooks the comprehensive understanding needed for long-term security and compliance. Critical vulnerabilities may remain hidden, and resources may be misallocated without a clear roadmap.

A hybrid strategy presents the most effective path forward. By initiating immediate remediation on known critical systems and concurrently building a comprehensive cryptographic inventory using automated tools, organizations can address urgent threats while laying the groundwork for sustained security. This balanced approach satisfies the need for swift action without sacrificing thoroughness, ensuring that both immediate and future challenges are met with resilience.

In conclusion, preparing for the quantum era demands more than superficial measures. It requires a deep and accurate understanding of the cryptographic assets within an organization, achievable only through comprehensive, automated methods. Manual, spreadsheet-based inventories are insufficient and potentially detrimental. By embracing advanced tools and methodologies, organizations can move beyond the checkbox mentality, mitigate risks effectively, and confidently navigate the uncertainties of a quantum-enabled future. The stakes are high, but with the right approach, the path to quantum readiness is clear and attainable.

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email May 5, 2022
24 minutes read
Photo of Marin Ivezic

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap