How SaaS Applications and Cloud Services Affect PQC Migration 

Louise E. Turner, Quantum Security Advisor, QAI


Introduction: Why Software as a Service (SaaS) Complicates Post-Quantum Cryptography (PQC) Migration 

The impressive power of quantum computers offers exciting opportunities in sectors such as life sciences, chemistry, and energy, among many others. Unfortunately, that same power could one day be harnessed to break the public-key encryption algorithms in wide use today, exposing vast amounts of sensitive data.

To combat this threat, new cryptographic algorithms have been developed and are in the process of being standardized and deployed. Post-quantum cryptography (PQC) is cryptography designed to resist attacks from both classical and quantum computers. To benefit from these algorithms, organizations must begin the lengthy and involved process of PQC migration.

One of the first steps in PQC migration is to create a detailed inventory of all cryptography used within an organization. For large organizations with complex network environments, cataloguing every asset that uses cryptography can seem insurmountable. The shift toward Software as a Service (SaaS) applications, cloud computing, and third-party tools widens the blind spots in such catalogues, and many of those blind spots can only be closed with information the vendors are willing to share.

As SaaS adoption grows, companies have less and less control over how their data is handled once it leaves the corporate network. SaaS providers typically handle encryption, key management, backups, and authentication outside the customer's direct control, which limits visibility into how cryptography is implemented and maintained. For post-quantum readiness, this lack of control and visibility is a significant, and often frustrating, pain point.

Although third parties can be expected to face post-quantum compliance requirements eventually, an organization that wants a head start on its own migration is stopped in its tracks as soon as it tries to assess the post-quantum readiness of its SaaS vendors.

The Issue: A Visibility Gap 

When planning a post-quantum cryptography migration, virtually every published guideline makes the same recommendation: a cryptographic inventory is essential to success. This recommendation is correct. Without knowing where cryptography is employed in a network, security teams cannot be sure that migration efforts have covered every edge case. With the average organization using just over 100 SaaS applications (BetterCloud, 2023), there are over 100 places where cryptographic details may simply be unavailable, each one an opaque cryptographic dependency.

This missing cryptographic data makes it difficult to assess post-quantum readiness and, because an algorithm cannot be swapped out where it cannot be seen, makes cryptographic agility almost impossible to achieve at scale.

Combatting the Issue: Mitigating SaaS Blind Spots in PQC Migration 

1. Start communicating with vendors as soon as possible. 

Every organization’s PQC migration plan should dedicate ample time and resources to communications with service and application vendors. Vendors may take a long time to respond, which must be considered when creating a PQC roadmap.  

The responses received from vendors will vary greatly. Some may provide information about their cryptography usage in detail, while others may neglect to respond entirely. To ensure some level of consistency in vendor responses, it is useful to provide them with a repeatable set of questions. The Canadian National Quantum Readiness Group has provided a standard set of questions within Appendix G of the Canadian National Quantum Readiness Best Practices and Guidelines.  

2. Consider backup options for non-compliant vendors. 

Even before learning about a vendor’s compliance with post-quantum standards, it is advised to start exploring alternative services in case their PQC plans are insufficient. Researching alternative service providers early on will prevent a future scramble in the case of non-compliance.  

3. Hold vendors accountable. 

Just like the quantum threat itself, post-quantum cryptography standards aren’t going away. Organizations must routinely check in on the PQC progress of their vendors and hold them accountable when standards are not met. 

Furthermore, organizations should cite relevant standards and compliance documents when communicating with vendors, ask how the vendor aligns with each specific standard, and request evidence where applicable. A vendor offering a paid service should be expected to align with the relevant security standards and to be able to show it.

4. Create a SaaS inventory. 

The number of inventories required in an organization’s post-quantum cryptography migration may feel overwhelming, but inventories are indeed necessary and useful tools for cryptographic agility and overall security posture. To strengthen that visibility, organizations should create and maintain an inventory of all SaaS, third-party, and cloud software in use. This will keep track of vendors that must be contacted, and services that may need to be replaced. 

The inventorying effort should be included in every PQC migration roadmap. Tracking SaaS usage across an organization presents challenges similar to those of maintaining a cryptographic inventory, so adequate time and resources must be allocated to it.
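The four steps above describe a repeatable loop: send a questionnaire, track who has answered, classify what they report, and decide whether to monitor or replace. The following Python script is an added example, not code from the article or from QAI, that runs that loop over a small, constructed SaaS inventory. The vendor names, dates, questionnaire fields (date contacted, date responded, algorithms reported, whether a dated roadmap was given, whether an alternative has been researched) and the regular expressions used to classify algorithm names are all assumptions for illustration; the Appendix G questions themselves are not reproduced.

```python
"""Triage of SaaS vendor PQC questionnaire responses (added example).

All vendors, dates and reported algorithms below are constructed for
illustration; the record fields are an assumed questionnaire layout.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Public-key primitives broken by Shor's algorithm on a cryptographically
# relevant quantum computer: RSA, finite-field DH/DSA, elliptic-curve DH/DSA.
CLASSICAL_RE = re.compile(
    r"\b(RSA|DSA|DH|DHE|ECDH|ECDHE|ECDSA|EDDSA|ED25519|ED448|X25519|X448|"
    r"P-?256|P-?384|P-?521|SECP\d+\w*|BRAINPOOL\w*)\b"
)
# NIST PQC standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA) plus
# the pre-standardization names vendors often still use in their answers.
PQ_RE = re.compile(r"(ML-?KEM|ML-?DSA|SLH-?DSA|KYBER|DILITHIUM|SPHINCS\+?)")
# Symmetric ciphers and hashes are not broken by Shor's algorithm and are
# recorded but not acted on here.
SYMMETRIC_RE = re.compile(r"\b(AES|CHACHA20|SHA-?\d+|SHA3|HMAC|HKDF)\b")


def classify_algorithm(name: str) -> str:
    """Return 'pq', 'hybrid', 'vulnerable', 'symmetric' or 'unknown'.

    Hybrid names such as X25519MLKEM768 glue a PQ component to a classical
    one, so the PQ match is cut out first and the remainder is searched for
    a classical primitive; both present means hybrid."""
    upper = name.upper()
    remainder, pq_hits = PQ_RE.subn(" ", upper)
    classical = CLASSICAL_RE.search(remainder) is not None
    if pq_hits and classical:
        return "hybrid"
    if pq_hits:
        return "pq"
    if classical:
        return "vulnerable"
    if SYMMETRIC_RE.search(upper):
        return "symmetric"
    return "unknown"


@dataclass
class VendorRecord:
    vendor: str
    service: str
    contacted: date                  # questionnaire sent (assumed field)
    responded: Optional[date]        # usable answer received, None if none yet
    reported_algorithms: list        # algorithm names the vendor wrote down
    pqc_roadmap: bool                # vendor committed to a dated migration plan
    alternative_identified: bool     # a replacement service has been researched


def triage(records, today: date, response_window_days: int = 30):
    """One status and next action per vendor, following the article's steps:
    chase non-responders, research alternatives for vendors with no PQC plan,
    schedule check-ins for vendors that have one, keep everything recorded."""
    actions = []
    for r in records:
        classes = {classify_algorithm(a) for a in r.reported_algorithms}
        if r.responded is None:
            overdue = (today - r.contacted).days > response_window_days
            status = "no-response-overdue" if overdue else "awaiting-response"
            action = "escalate to vendor contact" if overdue else "wait"
        elif not (classes & {"pq", "hybrid", "vulnerable"}):
            status = "incomplete-answer"
            action = "re-send questionnaire; no public-key algorithm named"
        elif "vulnerable" not in classes:
            status = "pq-ready"
            action = "record evidence; re-check at next review"
        elif r.pqc_roadmap:
            status = "classical-with-roadmap"
            action = "schedule check-in against roadmap milestones"
        else:
            status = "classical-no-roadmap"
            action = ("replacement already researched" if r.alternative_identified
                      else "research alternative services now")
        actions.append({"vendor": r.vendor, "service": r.service, "status": status,
                        "algorithms": sorted(classes), "action": action})
    return actions


def summarize(actions):
    """Count vendors per status for the roadmap status report."""
    counts = {}
    for a in actions:
        counts[a["status"]] = counts.get(a["status"], 0) + 1
    return counts


# Constructed sample inventory (fictional vendors and dates).
TODAY = date(2025, 3, 1)
SAMPLE_RECORDS = [
    VendorRecord("Vendor A", "CRM", date(2025, 1, 5), None, [], False, False),
    VendorRecord("Vendor B", "HR", date(2025, 2, 20), None, [], False, False),
    VendorRecord("Vendor C", "Storage", date(2025, 1, 10), date(2025, 2, 1),
                 ["X25519MLKEM768", "ML-DSA-65", "AES-256-GCM"], True, False),
    VendorRecord("Vendor D", "Billing", date(2025, 1, 10), date(2025, 2, 3),
                 ["RSA-2048", "ECDHE P-256"], True, False),
    VendorRecord("Vendor E", "Chat", date(2025, 1, 10), date(2025, 2, 5),
                 ["RSA-2048", "AES-128-CBC"], False, False),
    VendorRecord("Vendor F", "Analytics", date(2025, 1, 10), date(2025, 2, 6),
                 ["TLS 1.2", "AES-256"], False, True),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS, TODAY):
        print(f"{a['vendor']:<9} {a['service']:<10} {a['status']:<22} {a['action']}")
    print(summarize(triage(SAMPLE_RECORDS, TODAY)))
```

Vendor F is the case worth noticing: it answered, but named only a protocol version and a symmetric cipher, which says nothing about key exchange or signatures. Treating such an answer as "responded" would hide a blind spot inside the inventory, so the script sends it back to step 1 rather than counting it as covered.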

Conclusion: Closing the SaaS Visibility Gap 

With SaaS usage being such a large blind spot for many organizations, contacting service and application vendors as soon as possible and holding them accountable to post-quantum security standards is highly recommended. It should not be assumed that all of an organization’s vendors are, or are planning to be, post-quantum ready. They are undergoing the same migration process and will be at different stages of that journey. 

The road to quantum readiness is long and complex, but preparing for the quantum threat presents opportunities to gain a clearer understanding of how cryptography is used across a corporate environment. Strengthening insight through cryptographic and SaaS inventories will support not only the post-quantum migration, but also any future cryptographic and security transitions. 


References 

BetterCloud (2023). SaaS Statistics.
https://www.bettercloud.com/monitor/saas-statistics/

Additional Resources 

Want to know more about post-quantum readiness? Refer to the resources below: 

CFDIR, Canadian National Quantum Readiness Group. Best Practices and Guidelines
https://ised-isde.canada.ca/site/spectrum-management-telecommunications/sites/default/files/documents/Quantum-Readiness%20Best%20Practices%20-%20v04%20-%2010%20July%202024.pdf 

QAI. Quantum Computing and Cyber Security
https://www.qai.ca/resource-library/quantum-computing-and-cybersecurity 

QAI. An Introduction to Post-Quantum Cryptography
https://www.qai.ca/resource-library/an-introduction-to-post-quantum-cryptography 

QAI. Shor’s Algorithm and RSA Encryption
https://www.qai.ca/resource-library/shors-algorithm-and-rsa-encryption 

Quantum Safe Canada.
https://quantum-safe.ca/
