When we started to hear the term crypto-agility more frequently in conversations with our customers, we decided to dig a little deeper into its practical meaning. You may have heard that crypto-agility is about the ability to transition smoothly to quantum-resistant (post-quantum, or PQ) algorithms, but that is not the whole truth. We have found that crypto-agility in practice is a much broader approach to application architecture. The objective is adaptability: preparing the organization to transition to quantum-resistant algorithms where appropriate, but also allowing the data security posture to be adjusted on the fly to meet new threats and vulnerabilities, without extensive changes to applications, while still addressing operational demands and regulatory requirements.
We believe crypto-agility should be viewed not just as PQ preparedness, but as a framework that addresses a variety of data protection needs and enables adaptive, application-level data security across a shifting threat landscape. Enterprises are better set up for long-term success when they define and enforce a broader scope of capabilities for protecting sensitive data. The goal is not solely to future-proof against evolving quantum threats, but to build an application architecture with centralized policy control and decentralized enforcement, so that data protection can respond seamlessly to changes over time, whether new attack vectors or new regulatory requirements.
What is Crypto-Agility?
According to Gartner®, “crypto-agility is the capability to transparently swap out encryption algorithms and related artifacts in an application, replacing them with newer, different, and presumably, safer algorithms.” [1]
Crypto-agility is more than simply transitioning to quantum-resistant algorithms. For any company looking to save time, cut costs and avoid re-architecting applications (which we can assume is pretty much all of them), crypto-agility is better defined as “data protection agility”: the ability to respond effectively to evolving threats, including those arising from advances in computing technology, and to virtually any security, regulatory or business demand that requires a change in how sensitive information is secured or revealed.
[1] Gartner Hype Cycle™ for Data Security, 2024, 29 July 2024, Andrew Bales.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and HYPE CYCLE is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.
Why is Agility Important?
What we know from being in business for almost half a century is that change is inevitable. Not only is the threat landscape constantly evolving but use cases and business requirements continue to change. Sensitive information today is acquired, processed, and shared in ever-evolving ways that require us to rethink how we protect data as a critical business resource. Not only are algorithms continuing to evolve, but in the wider data security context, many factors must be considered such as the datasets that we should protect and the various techniques that we might use to protect them (such as encryption, tokenization, digital signing, redaction, hashing, etc.).
Organizations ought to ask themselves, “Should all data be revealed in the same way to every user who is authorized to access it?” What if there are new reasons to secure the same data in different ways? Expanding and more stringent regulations, for example, mandate not only what data needs to be protected but also how and where it may be processed and stored, and they drive the need to adapt quickly. This requires a proactive approach to cryptography with flexibility at its core. Enterprises implementing data security in their applications can forecast with certainty that change is coming. If applications are not architected to handle that change seamlessly, things get messy… and expensive.
Quantum Computing Driving the Need for Change
While there is certainly a myriad of practical drivers for implementing crypto-agile applications, quantum computing may be one of the best and most relevant examples of a changing threat that all enterprises will need to address. The risk is not brute force: a sufficiently large quantum computer running Shor’s algorithm would break the public-key algorithms in use today (RSA, Diffie-Hellman and elliptic-curve cryptography) outright by solving the underlying factoring and discrete-logarithm problems efficiently, while Grover’s algorithm roughly halves the effective strength of symmetric ciphers and hash functions, which is addressed by moving to larger key and digest sizes. The public-key algorithms will need to be replaced with quantum-resistant alternatives, and data protected with them today is already exposed to harvest-now, decrypt-later collection.
Even though the concept of crypto-agility has become widely used across the industry in the context of PQ preparedness, the three Federal Information Processing Standards (FIPS) for PQ cryptography published in August 2024 [2] never specifically mention crypto-agility. The new FIPS-approved standards, ML-KEM (FIPS 203, a lattice-based key encapsulation mechanism), ML-DSA (FIPS 204, a lattice-based digital signature scheme) and SLH-DSA (FIPS 205, a stateless hash-based digital signature scheme), provide a family of robust new algorithms to address the quantum threat.
We often hear vendors use post-quantum readiness and crypto-agility interchangeably, but what they usually mean is crypto-readiness: their product or service, which may already be deployed at a given enterprise, has PQ algorithms available for consumption. Making use of those algorithms, however, often requires complex re-architecture of the application. Organizations that believed their applications were PQ-ready may therefore run into unexpected re-work and cost when they need to change algorithms. A truly crypto-agile architecture lets new algorithms be consumed seamlessly, without the headache of re-architecture.
[2] National Institute of Standards and Technology, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), Post-Quantum Cryptography Standardization Project, 13 August 2024.
Beyond Quantum Preparedness
Beyond migrating to quantum-resistant algorithms, a crypto-agile architecture must also cover the wider set of mechanisms needed to counter threats to data security, while still letting organizations meet operational demands within established government and industry regulatory frameworks. That combination is what we mean by data protection agility. The reasons our customers give for wanting a crypto-agile architecture typically include performance, interoperability and compatibility, and the ability to change any aspect of their security posture quickly without re-architecting applications or re-integrating the change into them.
Addressing these needs ensures that organizations can achieve and maintain a robust and resilient security posture with minimal disruption in a rapidly evolving threat landscape.
The Way Forward
Organizations that want to take a more holistic approach to crypto-agility and prepare for emerging threats should implement architectures and data protection techniques that allow for changes to security over time with little to no application re-work. Consider looking for solutions that address the security of structured and unstructured data across all applications, on-premises, in the cloud, and in hybrid environments. Implementing centralized management of data protection policies helps simplify the work that needs to be done to change security enforcement. However, the enforcement of data protection should be distributed to minimize system load and network dependencies. It’s important to ensure the ability to apply a broad range of security techniques to address security, performance, and regulatory needs. And it is critical that key management is robust, as it will establish the foundation of a powerful data encryption strategy.
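To make the “centralized policy, decentralized enforcement” pattern concrete, the following Go program is an added example written for this page; it is not Prime Factors’ or EncryptRIGHT’s code. A central Policy object maps data classes to cipher suites and says which suites may still be used to reveal existing records; an Enforcer running with the application applies it. Application code calls Protect and Reveal with a data class, never an algorithm name, and every stored record carries the suite and key identifier it was written with, so a policy change moves new records to a new suite while old ones remain readable until that suite is retired. The suite identifiers, the record layout, the data class name “pan”, the key IDs and the key bytes are all constructed for the example; in practice keys come from a KMS or HSM and the policy from a management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Suite is an opaque identifier for an algorithm and its parameters. Stored
// records and policy rules refer to suites by ID; application code never does.
type Suite uint16

const (
	SuiteAES128GCM Suite = 1
	SuiteAES256GCM Suite = 2
	headerLen            = 7  // record header: format version (1) || suite (2) || key ID (4)
	nonceLen             = 12 // standard GCM nonce size
)

// Rule says how NEW records of a data class are protected.
type Rule struct{ Suite Suite; KeyID uint32 }

// Policy is the centrally managed piece; changing it changes every enforcement point.
type Policy struct {
	Version uint32
	Rules   map[string]Rule // data class -> rule for new records
	Allowed map[Suite]bool  // suites still accepted when revealing old records
}

// Enforcer is the distributed piece that runs with the application. Keys are a
// constructed map here; a real enforcer fetches them from a KMS/HSM by ID.
type Enforcer struct {
	Policy Policy // replaced in place when the central policy changes
	Keys   map[uint32][]byte
}

// newAEAD is the only place that knows algorithms; a new suite is one more case here.
func newAEAD(s Suite, key []byte) (cipher.AEAD, error) {
	want := map[Suite]int{SuiteAES128GCM: 16, SuiteAES256GCM: 32}[s]
	if want == 0 || len(key) != want {
		return nil, fmt.Errorf("suite %d: unknown suite or wrong key length %d", s, len(key))
	}
	block, err := aes.NewCipher(key) // key length selects AES-128 or AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect applies the class's current rule and emits a self-describing record:
// header || nonce || ciphertext, with the header and the class bound as AAD.
func (e *Enforcer) Protect(class string, plaintext []byte) ([]byte, error) {
	rule, ok := e.Policy.Rules[class]
	if !ok {
		return nil, fmt.Errorf("policy v%d has no rule for class %q", e.Policy.Version, class)
	}
	aead, err := newAEAD(rule.Suite, e.Keys[rule.KeyID])
	if err != nil {
		return nil, err
	}
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint16([]byte{1}, uint16(rule.Suite)), rule.KeyID)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, hdr...), class...)
	return aead.Seal(append(hdr, nonce...), nonce, plaintext, aad), nil
}

// RecordSuite reports which suite a stored record was written with.
func RecordSuite(rec []byte) Suite { return Suite(binary.BigEndian.Uint16(rec[1:3])) }

// Reveal dispatches on the suite in the header, so records written under an
// older policy stay readable exactly as long as policy still allows that suite.
func (e *Enforcer) Reveal(class string, rec []byte) ([]byte, error) {
	if len(rec) < headerLen+nonceLen || rec[0] != 1 {
		return nil, fmt.Errorf("malformed record")
	}
	suite := RecordSuite(rec)
	if !e.Policy.Allowed[suite] {
		return nil, fmt.Errorf("suite %d is retired in policy v%d; re-protect this record", suite, e.Policy.Version)
	}
	aead, err := newAEAD(suite, e.Keys[binary.BigEndian.Uint32(rec[3:7])])
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, rec[:headerLen]...), class...)
	return aead.Open(nil, rec[headerLen:headerLen+nonceLen], rec[headerLen+nonceLen:], aad)
}

func main() {
	// Constructed demo keys (16 and 32 bytes); never hard-code keys outside a demo.
	keys := map[uint32][]byte{100: []byte("k100-demo-aes128"), 200: []byte("k200-demo-aes256k200-demo-aes256")}
	e := &Enforcer{Policy{1, map[string]Rule{"pan": {SuiteAES128GCM, 100}}, map[Suite]bool{SuiteAES128GCM: true}}, keys}
	old, _ := e.Protect("pan", []byte("4111111111111111"))
	// Central change, no application change: new records move to AES-256-GCM, old ones stay readable.
	e.Policy = Policy{2, map[string]Rule{"pan": {SuiteAES256GCM, 200}}, map[Suite]bool{SuiteAES128GCM: true, SuiteAES256GCM: true}}
	pt, _ := e.Reveal("pan", old)
	migrated, _ := e.Protect("pan", pt) // re-protect under the current rule
	// Retirement: once AES-128-GCM leaves Allowed, un-migrated records fail closed.
	e.Policy = Policy{3, map[string]Rule{"pan": {SuiteAES256GCM, 200}}, map[Suite]bool{SuiteAES256GCM: true}}
	_, err := e.Reveal("pan", old)
	fmt.Println(RecordSuite(old), RecordSuite(migrated), string(pt), err)
}
```

Only AES-128-GCM and AES-256-GCM from the Go standard library are wired in so the example runs without dependencies; adding a suite (including a post-quantum one) is one more case in newAEAD plus a policy change, and the calling application does not change. Two checks worth keeping in any real implementation are visible here: the data class is bound into the AAD, so a record cannot be revealed under a different class, and a suite that has been removed from the Allowed set fails closed rather than silently continuing to decrypt.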
Overall, solutions should not only support the ability to implement new security algorithms, but also deliver architectural approaches and security functionality that enable changes to be made quickly and easily, so that new requirements, which are certain to come, can be addressed at a speed and cost that protects the interests of the enterprise. Implementing a crypto-agile architecture doesn’t have to be complex or costly either. Prime Factors offers a free, full-feature proof-of-concept of EncryptRIGHT to demonstrate how abstracting security from the application creates a robust, crypto-agile architecture. EncryptRIGHT leverages the concept we like to call “data protection agility,” so that our customers save time and money by being able to quickly change any aspect of security, without complex reintegration.
Download the complete whitepaper, Thinking Beyond Post-Quantum Readiness: Building a Secure Infrastructure for Tomorrow with Crypto-Agility.