Post-quantum cryptography migration: what IAM teams need to inventory


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Quantum-safe migration is already a live planning problem because data with long confidentiality lifetimes may be harvested now and decrypted later, and the article argues that inventorying cryptographic assets, mapping protocol use, and aligning vendors and standards are now prerequisite steps, according to SSH Communications Security. The real challenge is governance: PQC migration exposes where infrastructure, firmware, and embedded encryption assumptions outlast the controls meant to manage them.

NHIMG editorial — based on content published by SSH Communications Security: post-quantum cryptography migration and preparation guidance

By the numbers:

Questions worth separating out

Q: How should organisations start planning post-quantum cryptography migration?

A: Start with a cryptographic inventory that shows where encryption, keys, certificates, and protocols are used across the environment.

Q: Why does post-quantum cryptography affect identity and access management?

A: Identity systems depend on cryptography for certificates, trust chains, secure transport, and workload authentication.

Q: What breaks when cryptographic dependencies are not inventoried?

A: Teams lose the ability to estimate migration scope, identify non-upgradable firmware or hardware, and prioritise the systems carrying the longest-lived data.

Practitioner guidance

  • Inventory cryptographic assets across all layers: Build a register that includes TLS, certificates, keys, embedded firmware, hardware modules, and any hard-coded algorithms.
  • Map long-lived data to quantum exposure horizons: Classify data by how long it must remain confidential, especially records that need protection for years or decades.
  • Test vendor and platform roadmaps now: Ask suppliers how they plan to support post-quantum algorithms, which components are upgradeable, and which require replacement.

What's in the full article

SSH Communications Security's full webinar covers the operational detail this post intentionally leaves for the source:

  • The expert discussion of how embedded firmware and hardware-level encryption complicate migration paths
  • Practical guidance on inventorying cryptographic assets across web servers, protocols, and configuration layers
  • The collaboration model for aligning standards bodies, vendors, and internal stakeholders
  • The longer-form explanation of why SHA-1 to SHA-2 was only a rehearsal for PQC

👉 Watch SSH Communications Security's webinar on post-quantum cryptography migration →
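
The three practitioner guidance points above, sketched as a small cryptographic register in Python. This is an added example, not code from the original post or from SSH Communications Security; the field names, the sample assets and the ordering rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "EdDSA"}

@dataclass
class Asset:  # one register row; field names are assumptions for this example
    name: str
    layer: str         # "tls", "certificate", "firmware", "ssh", "storage", ...
    algorithm: str     # algorithm family as recorded during discovery
    use: str           # "key-establishment", "signature" or "encryption"
    data_years: int    # how long the protected data must stay confidential
    upgradeable: bool  # False: needs hardware or firmware replacement

def exposure(a):
    """Classify one asset by how a future quantum computer affects it."""
    if a.algorithm not in SHOR_BROKEN:
        return "not-shor-exposed"
    if a.use == "key-establishment" and a.data_years > 0:
        # Traffic recorded today can be decrypted once the key exchange breaks.
        return "harvest-now-decrypt-later"
    # Authentication is attacked live rather than from recorded traffic, so it
    # must migrate before a cryptographically relevant quantum computer (CRQC).
    return "migrate-before-crqc"

def plan(register):
    """Exposed assets: harvestable data first, longest lifetime first,
    non-upgradeable components ahead of upgradeable ones."""
    rows = [a for a in register if exposure(a) != "not-shor-exposed"]
    rows.sort(key=lambda a: (exposure(a) != "harvest-now-decrypt-later",
                             -a.data_years, a.upgradeable))
    return [(a.name, exposure(a), "upgrade" if a.upgradeable else "replace")
            for a in rows]

# Constructed sample register, not taken from any real environment.
REGISTER = [
    Asset("partner-api TLS", "tls", "ECDH", "key-establishment", 10, True),
    Asset("workload mTLS cert", "certificate", "ECDSA", "signature", 0, True),
    Asset("archive VPN gateway", "firmware", "RSA", "key-establishment", 25, False),
    Asset("backup encryption", "storage", "AES-256", "encryption", 25, True),
    Asset("SSH host keys", "ssh", "EdDSA", "signature", 0, True),
    Asset("badge reader firmware", "firmware", "RSA", "signature", 0, False),
]

if __name__ == "__main__":
    for row in plan(REGISTER):
        print(row)
```

Rows marked "replace" are the ones to raise with suppliers first, since no configuration change will move them to a post-quantum algorithm.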

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Post-quantum migration is a cryptographic governance problem before it is a technical refresh. The article is right to frame PQC as a multi-layer change, because encryption choices sit inside workload trust, certificate handling, and platform dependency chains. That means identity programmes cannot treat cryptography as an adjacent issue. Practitioners should treat cryptographic inventory as part of identity governance, not a separate security project.

A few things that frame the scale:

  • NIST launched its post-quantum cryptography standardization project in 2015, according to Ultimate Guide to NHIs, Key Research and Survey Results.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who should be accountable for post-quantum readiness across the enterprise?

A: Accountability should sit with the owners of identity, infrastructure, application, and supplier risk together, because cryptography crosses all of those boundaries. Standards, architecture, and vendor management have to move in the same direction or migration will stall in the gaps between teams.

👉 Read our full editorial: Post-quantum cryptography migration is now an identity problem



   