By Elizabeth Green, 2025-01-07

Quantum computing poses a significant threat to modern encryption protocols. This compels the world to move to a different paradigm: one in which cryptography is treated under a zero-trust model and can adapt to an uncertain cryptographic future. Data in motion is most at risk. In November 2024, NIST gave guidance to deprecate algorithms such as RSA, ECDSA, EdDSA, DH, and ECDH by 2030 and to disallow these algorithms by 2035. AES, often used for data at rest, is still considered safe until at least 2050.

For those counting, 2030 is five short years to deprecate most of the encryption used for data in motion worldwide. NIST warns that “Historically, the journey from algorithm standardization to full integration into information systems can take 10 to 20 years.” NIST also warned about Steal Now Harvest Later (SNHL) attacks and is urging action for critical data, saying “Act Now.” Adding to this existential challenge, NIST released an initial set of algorithms in August 2024, followed by 14 additional candidates in October. NIST also published new guidance urging organizations to stay agile in their ability to quickly switch between emerging and as-yet-unknown post-quantum cryptography algorithms and libraries. Among the various approaches to securing networks, addressing PQC migration through orchestrated crypto agility at the network layer stands out as a faster, more efficient, and more affordable solution than alternatives such as APIs, point-to-point VPNs, or quantum key distribution (QKD).

Here’s why.

ORCHESTRATED CRYPTO AGILITY AT THE NETWORK LAYER: A HOLISTIC SOLUTION

Orchestrated crypto agility (OCA) refers to the ability to quickly switch between cryptographic algorithms, libraries, and key lengths without significant disruption. Implementing it at the network layer means embedding PQC-ready encryption protocols directly into network infrastructure through lightweight proxies.

This approach layers new encryption standards on top of existing encryption, with no need to rip and replace. Orchestration ensures that all traffic across the network is automatically protected, managed, and viewed through a single pane of glass.

COMPARISON WITH ALTERNATIVES

Unlike the alternatives discussed below, OCA at the network layer avoids costly individual implementations and provides universal protection without requiring vendor-dependent or endpoint-specific solutions.
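As an added example, not code from the article or from any product it describes: a minimal crypto-agile envelope showing the two mechanisms described above. Each message carries a suite identifier so the receiving side (or an orchestrating proxy) can switch suites per message, a policy gate enforces the NIST timeline cited earlier (deprecate in 2030, disallow in 2035), and the session key is derived from a classical and a post-quantum shared secret together, which is the "layer new on top of existing" idea. The suite registry, salt label and shared-secret bytes are constructed placeholders, the key agreement itself (ECDH, ML-KEM) is assumed to have already happened, and only the Python standard library is used.

```python
import hashlib
import hmac
import struct

# NIST timeline as cited in the article: deprecate these in 2030, disallow in 2035.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "EdDSA", "DH", "ECDH"}
# Constructed suite registry: suite id -> (classical key agreement, PQ KEM or None).
SUITES = {1: ("ECDH", None), 2: ("ECDH", "ML-KEM-768")}
VERSION = 1

def policy_status(algorithm, year):
    """Classify a classical algorithm for a given year: allowed/deprecated/disallowed."""
    if algorithm not in QUANTUM_VULNERABLE or year < 2030:
        return "allowed"
    return "disallowed" if year >= 2035 else "deprecated"

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_key(suite_id, classical_ss, pq_ss=b""):
    """Layer the PQ secret on the classical one: the key depends on both inputs."""
    return hkdf_sha256(classical_ss + pq_ss, b"oca-hybrid-salt", struct.pack(">HH", VERSION, suite_id))

def seal(suite_id, key, payload):
    """Envelope = version | suite id | HMAC-SHA256 tag | payload; the suite tag is
    what lets a receiver or orchestrating proxy switch suites per message."""
    header = struct.pack(">HH", VERSION, suite_id)
    return header + hmac.new(key, header + payload, hashlib.sha256).digest() + payload

def open_envelope(blob, secrets, year):
    """Reject classical-only suites the policy disallows in `year`, then verify.
    `secrets` maps suite id -> (classical_ss, pq_ss) the receiver agreed on."""
    _version, suite_id = struct.unpack(">HH", blob[:4])
    classical, pq = SUITES[suite_id]
    if pq is None and policy_status(classical, year) == "disallowed":
        raise ValueError(f"suite {suite_id} ({classical} only) disallowed in {year}")
    key = session_key(suite_id, *secrets[suite_id])
    tag, payload = blob[4:36], blob[36:]
    expected = hmac.new(key, blob[:4] + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return payload
```

Because the suite id is bound into the KDF `info` and the header is covered by the tag, an envelope cannot be quietly downgraded to the classical-only suite without failing verification.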

1. APIS: FRAGMENTED AND COMPLEX

Using APIs to address PQC involves embedding cryptographic updates directly into applications. While this may provide some flexibility, it creates a fragmented approach in which each application must be independently updated and managed. APIs offer localized security improvements but fail to provide the holistic protection and single pane of glass achievable with network-layer crypto agility, which makes them very difficult to manage. This approach also lacks scalability and leaves room for human error.

2. POINT-TO-POINT VPNS: NARROW AND RESOURCE-INTENSIVE

Point-to-point VPNs are often suggested as a solution for encrypting data between specific endpoints. While VPNs provide robust encryption for individual connections, they are inherently limited in scope, as they primarily work at the network layer (layer 3 of the OSI stack). The general movement in the VPN market is towards a centralized service mesh, where all endpoints are aware of what’s happening across the technology landscape. Service mesh architectures lend themselves better to crypto agility, as they can work across layers 2-7 of the OSI stack. Point-to-point VPNs are effective for specific, static use cases but are not a viable solution for securing large, dynamic networks.

3. QUANTUM KEY DISTRIBUTION (QKD): EXPENSIVE AND NICHE

Quantum key distribution (QKD) is a cutting-edge approach that uses quantum mechanics to securely exchange cryptographic keys. While QKD offers theoretical security against quantum threats, its practical limitations are significant, and the NSA does not recommend its use for this purpose. While QKD represents a fascinating technological advancement, its high costs and logistical hurdles make it impractical for most organizations.

IMPLEMENTING ORCHESTRATED CRYPTO AGILITY