Cryptography: A Blind Spot in the Information System
Cryptography is omnipresent in every organization, quietly embedded in every layer of the information system (IS). It underpins our digital security and protects our data, servers, and digital communications.
For more than forty years, cryptography has been regarded as inherently robust and reliable. Built on algorithms considered unbreakable with today’s computing power, its use within IT architectures has not received the same level of scrutiny or ongoing oversight as other components of cybersecurity posture. But that era is over.
Cryptography remains a blind spot in information systems that must urgently be addressed. Most organizations still do not know where or how it has been deployed, within which software or hardware components. Cryptographic discovery aims to close this visibility gap. As the first step in regaining control, it involves identifying all of an organization’s cryptographic assets: algorithms, keys, certificates, protocols, and libraries. This in-depth analysis spans both IT and OT systems, from internal applications to network communications.
However, conducting such an exhaustive mapping exercise is complex for several reasons:
- The heterogeneous nature of cryptographic sources and uses
- The multitude of software and system dependencies (OS versions, unmanaged libraries, package calls, etc.)
- The lack of visibility into the cryptographic mechanisms embedded within third-party products
- Blind spots across the network
- The sheer volume of servers, subnets, databases, and applications to analyze, which makes any manual approach unrealistic
The Quantum Threat Reveals a Critical Vulnerability
The anticipated arrival of quantum computers threatens the confidentiality, authenticity, and integrity of data currently protected by traditional asymmetric cryptography — particularly RSA, elliptic curve, and Diffie-Hellman algorithms. This new technology will be capable of breaking encryption systems long considered secure and will do so in record time. This risk is not theoretical: with Harvest Now, Decrypt Later attacks, sensitive data can already be intercepted and stored today with the intent of decrypting it once quantum capabilities become available.
The stakes are both urgent and critical: all uses of asymmetric cryptography must be replaced with implementations based on post-quantum cryptography (PQC), the only approach validated by national security agencies. This transition is known as post-quantum migration — but the first challenge is knowing what needs to be migrated.
As mentioned earlier, few organizations have a complete and up-to-date inventory of their cryptographic assets and associated mechanisms. Cryptographic discovery is the starting point for any post-quantum migration. This phase focuses on detecting the algorithms, symmetric and asymmetric keys, certificates, cipher suites, and protocols present within the information system. Its purpose is to build an accurate and actionable inventory that enables organizations to prioritize migration efforts and effectively initiate the process of strengthening their cryptographic posture.
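One way to turn discovery findings into the prioritized inventory described above, as an added example that is not code from the original article or from any discovery product. It parses TLS cipher suite names and certificate key types; the sample findings, host names and the four-level priority scheme are assumptions made for illustration.

```python
# Asymmetric families the article names as quantum-vulnerable (RSA, elliptic curve, Diffie-Hellman).
VULNERABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "EC"}

FINDINGS = [  # constructed sample data, not real scan output
    {"asset": "intranet.example:443", "suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "cert_key": "RSA-2048"},
    {"asset": "api.example:443", "suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "cert_key": "EC-P256"},
    {"asset": "vpn.example:443", "suite": "TLS_AES_256_GCM_SHA384", "cert_key": "RSA-3072"},
    {"asset": "plc-gw.example:8883", "suite": "TLS_PSK_WITH_AES_128_GCM_SHA256", "cert_key": None},
]

def parse_suite(name):
    """Split an IANA TLS cipher suite name into key exchange, authentication and cipher."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" not in body:
        # TLS 1.3 names carry only AEAD + hash; key exchange is negotiated separately.
        return {"kx": None, "auth": None, "cipher": body}
    left, cipher = body.split("_WITH_", 1)
    parts = left.split("_")
    return {"kx": parts[0], "auth": parts[-1], "cipher": cipher}

def classify(finding):
    """Return (priority, reasons); a lower number means migrate sooner (assumed scheme)."""
    s = parse_suite(finding["suite"])
    reasons = []
    cert_family = (finding["cert_key"] or "").split("-")[0]
    if s["auth"] in VULNERABLE or cert_family in VULNERABLE:
        reasons.append("authentication uses " + (cert_family or s["auth"]))
    if s["kx"] in VULNERABLE:
        reasons.insert(0, "key exchange uses " + s["kx"])
        return 1, reasons  # recorded traffic is exposed to harvest now, decrypt later
    if s["kx"] is None:
        reasons.insert(0, "key-exchange group not visible in suite name")
        return 2, reasons  # follow up: inventory the negotiated group
    return (3, reasons) if reasons else (4, ["no asymmetric primitive found"])

def build_inventory(findings):
    """Rank findings so the most urgent migration candidates come first."""
    rows = []
    for f in findings:
        prio, reasons = classify(f)
        rows.append((prio, f["asset"], reasons))
    return sorted(rows)

if __name__ == "__main__":
    for prio, asset, reasons in build_inventory(FINDINGS):
        print(f"P{prio}  {asset:24} {'; '.join(reasons)}")
```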
A Cryptographic Inventory Is No Longer Optional
The quantum threat is no longer merely a technical concern. It is now recognized as a critical issue by cybersecurity agencies and regulators who are issuing an increasing number of recommendations, guidelines, and compliance requirements. They all agree on one common priority: the need to conduct a detailed inventory of cryptographic assets. Notable examples include:
- ANSSI (France’s National Cybersecurity Agency) recommends that organizations “start immediately […] with a quantum threat analysis consisting of an inventory of [cryptographic] assets.”
- ENISA (European Union Agency for Cybersecurity) emphasizes the need for “EU-wide harmonized guidelines to manage the security […] of cryptographic products and services […], such as an inventory or catalog of cryptographic products.”
- The European Commission stresses that “an essential first step […] is to create and maintain up-to-date inventories of assets performing cryptographic operations.”
- DORA (Digital Operational Resilience Act, EU regulation on digital operational resilience), effective January 2025, requires financial institutions and their critical ICT providers to “develop and implement a policy on encryption and cryptographic controls” and to “identify vulnerabilities and threats, and conduct risk assessments on cryptographic techniques.”
- NCSC (UK National Cyber Security Centre) sets a clear timeline, recommending that organizations “conduct a full discovery exercise [by 2028] to assess their assets and identify which services and infrastructure relying on cryptography need to be migrated to PQC.”
- FS-ISAC (Financial Services Information Sharing and Analysis Center) advises its members to build and maintain cryptographic inventories, highlighting that “having a clear inventory of cryptographic assets and uses enables an organization to proactively identify risks and challenges associated with PQC advancements and remain crypto-agile in planning for future cryptographic requirements.”
Driving Crypto-Agility
Finally, cryptographic discovery paves the way for a true crypto-agility strategy. This involves the ability to manage and adjust the cryptography in use without requiring heavy system reconfiguration. Once assets are mapped and centralized, it becomes possible to implement dynamic governance:
- Management of cryptographic policies
- Integration of new algorithms
- Monitoring of vulnerabilities
- Rapid updates in the event of a breach
In a world where even recently established standards are likely to evolve and new algorithms will emerge, this agility becomes a necessity.
Conclusion
Driven by the quantum threat, regulators and organizations alike recognize the need for better control over cryptography. Cryptographic discovery is no longer optional: it is an essential first step. It provides a solid foundation for initiating the migration to post-quantum cryptography (PQC) while delivering immediate benefits, from regulatory compliance to crypto-agile governance. Time is of the essence. Act now to prevent critical delays and secure your cryptographic assets: immediate action is key to staying ahead of cryptographic risks.