Webinar Recording: Cryptographic Inventory: Where To Start? Watch here

CryptoNext
Contact
En
Crypto-agility

Crypto-agility

What is crypto-agility?

Crypto-agility is the ability of an organization to modify a cryptographic asset ; algorithm, key, certificate, protocol, or library, without disrupting its systems or business processes. In practice, a crypto-agile infrastructure can evolve its cryptography quickly, at scale, and at lower cost, with no service interruption.

A structural need, not a temporary fix

Asymmetric cryptography; RSA, elliptic curves, is the foundation of modern digital security: data confidentiality, authenticity of digital certificates, trust in access protocols. That foundation is now facing multiple, simultaneous pressures that force organizations to fundamentally rethink their approach to cryptographic risk.

The most widely discussed threat is that of quantum computers. Once powerful enough, they will render current asymmetric algorithms vulnerable, compromising the security of every information system that depends on them. In response, major standardization bodies have initiated a transition toward post-quantum cryptography (PQC) algorithms,deemed to be resistant to the computational capabilities of quantum computers. The NIST finalized and published three new standards — FIPS 203, 204, and 205 — defining the ML-KEM, ML-DSA, and SLH-DSA algorithms, which now represent the international reference for post-quantum cryptography.

But this transition, estimated at a minimum of ten years for a large organization, is only one piece of the problem.

Cryptographic standards evolve continuously. Regulations vary by geography, imposing different cryptographic policies depending on whether an organization operates in the European Union, North America, or Asia. New vulnerabilities are discovered regularly in algorithms and their implementations, through side-channel attacks. Open-source cryptographic libraries, present in the vast majority of applications, are no exception: OpenSSL alone accumulated 203 identified vulnerabilities between 2005 and 2022. The ability to respond quickly to that kind of incident is, in itself, a form of crypto-agility.

What crypto-agility changes in practice

In most current infrastructures, cryptography is hard-coded into each application inconsistently, across teams, languages, and development habits. Changing an algorithm means modifying, testing, and revalidating each application individually. The complexity and cost are considerable and the pace is incompatible with the speed at which threats evolve.

A crypto-agile organization operates differently, building on a set of complementary capabilities organized as a continuous cycle:

  • Algorithm-agnostic APIs, decoupling application logic from cryptographic choices and providing unified visibility over all deployed cryptographic assets;
  • Automation tools — PKI, KMS, HSM, CLM — to distribute keys and certificates at infrastructure scale, without manual handling that introduces errors and delays;
  • Centralized management of cryptographic policies, enabling a Crypto Officer to monitor and update all configurations in real time, regardless of the size of the application landscape;
  • Continuous monitoring, to verify that defined policies match what systems are actually executing, and to detect any operational deviation.

This model, built on automation and centralization, drastically reduces the complexity of future algorithmic migrations. It also ensures that the security level of the infrastructure is never limited by its weakest link.

An investment justified by the risks

According to a Boston Consulting Group study (link study?), the budget required for the post-quantum transition; including inventory, remediation, and crypto-agility implementation , represents approximately 2.5% of the annual IT budget over ten years. The study also warns that delaying could double that cost.

Beyond the quantum threat, investing in crypto-agility today means building the capacity to respond to any future cryptographic shift — normative, regulatory, or security-driven — without starting from scratch each time, and without the pressure of a transition carried out under urgency.

Is crypto-agility only relevant to the quantum threat?
No. While quantum computers represent one of the most visible drivers of urgency, crypto-agility addresses a permanent need; evolving standards, diverging geographic regulations, recurring vulnerabilities in cryptographic libraries, new attacks targeting implementations. It is a structural organizational and technical capability, not a response to a single threat.

Where should an organization start?
The first step is the cryptographic inventory: the mapping of all algorithms, keys, certificates, and libraries deployed across the full infrastructure. Without that initial visibility, no coherent migration or risk prioritization is possible. It is the starting point of any serious implementation cycle.

Why is manual management of cryptographic assets no longer sufficient?
At the scale of a modern infrastructure, manual management cannot keep pace with security incidents or normative changes. Automation, through PKI, KMS, HSM, and CLM tools, is a prerequisite for distributing new keys, renewing digital certificates, and enforcing cryptographic policies without delay or human error. Without it, operational complexity becomes a risk in its own right.

More terms:

Quantum Cryptography Post-Quantum Cryptography Cryptographic Inventory