Cryptography is a critical component that underpins much of modern security, from authentication to encryption, and it’s central to connections, transactions, and digital interactions, according to Ted Shorter, co-founder and CTO of Keyfactor, which manages digital trust through secure connections.
That’s why it’s largely ignored by enterprises, as long as everything goes smoothly, Shorter told MSSP Alert. But things don’t always go as expected.
“Very often, there are unseen security issues, such as outdated algorithms or protocols, weak keys, or improperly used cryptography, which can ultimately manifest as audit failures or breaches if not addressed,” he said. “It’s a bit like looking behind your refrigerator; you’re probably not going to like what you see, but finding a water line that’s about to crack could save a lot of trouble in the future.”
Cryptography is on the cusp of significant changes over the next several years, particularly with the accelerating quantum computing timeline, and right now, many organizations don’t have a unified view of the myriad certificates, keys, algorithms, protocols, and libraries that stretch across their infrastructure, networks, devices, applications, and third-party offerings, according to Keyfactor executives.
That’s a central driver for the company’s newly announced partnership with IBM Consulting, which combines its various capabilities – cryptography discovery, Public Key Infrastructure (PKI), digital signing, and certificate lifecycle automation among them – with IBM Consulting’s cybersecurity expertise, governance frameworks, and enterprise-scale quantum-safe capabilities.
The alliance will give organizations and MSSPs the tools they need to assess the cryptography assets they have and the help to ensure they can adapt to the oncoming quantum era and the regulatory changes that are happening.
Help is on the Way
Ensuring that enterprises and SMBs have post-quantum cryptography (PQC) in place when the so-called “Q-Day” arrives is moving up security vendors’ to-do lists. Q-Day is the point at which threat actors will be able to use quantum computing to break the public key encryption that is used to protect today’s data, and it could come as early as 2030.
Most recently, AI-powered technology maker Forward Edge-AI earlier this month expanded its global channel program, which includes MSSPs and MSPs, and highlighted work with tech partners to strengthen their cryptography and be ready when Q-Day arrives. In addition, PQC company Patero unveiled its Cryptographic Inventory Workshop to help organizations define what they have and how to plan their transition to post-quantum cryptography.
Last month, Kyndryl rolled out its Quantum Safe Assessment service to help enterprises prepare simultaneously for the opportunities and risks that quantum computing will pose.
A Massive Transition
For Keyfactor’s Shorter, this transition is going to be a large and time-consuming undertaking given the number of changes required.
“Replacing RSA and ECC with the new PQC standards means that everything that communicates on a network, signs or accepts software updates, or performs almost any sort of encryption or authentication, will need to be changed or updated,” he said. “It’s just an enormous amount of stuff that has to change. And the change has to be coordinated carefully. If you switch to an algorithm that some of your systems still don’t support, you run the risk of breaking things.”
Those changes will vary, Shorter said. For some, software or firmware updates will be enough, while others will need to replace hardware.
“If your suppliers or vendors are slow to provide these updates – or even worse, are unable to, for some reason – then the problem becomes even more difficult and expensive,” he said. “Legacy systems that can’t be updated can cause real problems in this process.”
IBM Consulting’s expertise in both cryptography and helping organizations work through complex changes will help both organizations and the MSSPs they rely on, Shorter said.
“MSPs and MSSPs have two roles in this transition: they have their own PQC transition to manage with their own systems, but their customers will also likely be looking to the MSPs and MSSPs to help them through this transition as well,” he said.
A Well-Defined Path Forward
The joint Keyfactor-IBM Consulting offering is designed to give organizations a structured and automated path from today’s reactive cryptography management to quantum-safe readiness in line with the National Institute of Standards and Technology (NIST), the EU, and international PQC guidance, according to the companies.
It includes tools for discovering and inventorying cryptographic components – whether they’re in the cloud, on premises or in DevOps environments – risk scoring, governance models, and remediation plans, and PQC-ready PKI, centralized signing, and automated certificate lifecycle management via Keyfactor’s EJBCA, SignServer, and Command solutions.
In addition, IBM Consulting will establish governance frameworks, key performance indicators (KPIs), training, and cryptographic Centers of Excellence.