Data Encryption Methods

🚨 New OMB Report on Post-Quantum Cryptography (PQC)🚨 The Office of Management and Budget (OMB) has released a critical report detailing the strategy for migrating federal information systems to Post-Quantum Cryptography. This report is in response to the growing threat posed by the potential future capabilities of quantum computers to break existing cryptographic systems. **Key Points from the Report:** 🔑 **Start Migration Early**: The report emphasizes the need to begin migration to PQC before quantum computers capable of breaking current encryption become operational. This proactive approach is essential to mitigate risks associated with "record-now-decrypt-later" attacks. 🔑 **Focus on High-Impact Systems**: Priority should be given to high-impact systems and high-value assets. Ensuring these critical components are secure is paramount. 🔑 **Identify Early**: It's crucial to identify systems that cannot support PQC early in the process. This allows for timely planning and avoids migration delays. 🔑 **Cost Estimates**: The estimated cost for this transition is approximately $7.1 billion over the period from 2025 to 2035. This significant investment underscores the scale and importance of the task. 🔑 **Cryptographic Module Validation Program (CMVP)**: To ensure the proper implementation of PQC, the CMVP will play a vital role. This program will validate that the new cryptographic modules meet the necessary standards. The full report outlines a comprehensive strategy and underscores the federal government’s commitment to maintaining robust cybersecurity in the quantum computing era. This is a critical step in safeguarding our digital infrastructure against future threats. #Cybersecurity #PQC #QuantumComputing #FederalGovernment #Cryptography #DigitalSecurity #OMB #NIST

✏️CEPS (Centre for European Policy Studies) has just published the report "Strengthening the EU transition to a quantum-safe world" This 125-page publication offers a comprehensive and very timely analysis of the global transition toward quantum-safety, highlighting key recommendations and identifying the hurdles that we, as a community, still need to overcome. Accross its 10 general recommendations and 16 additional sector-specific ones, two key aspects take a prominent role: 👉 Operational challenges of the transition, like establishing business-level priorities, building executive support, addressing the limited cryptographic talent issue, cryptographic homogeneization in products, and building cryptographic inventories based on priorities. 👉 Coordination and the role for regulators, identifying that the EU lacks a coherent, unified transition framework, the need to ensure alignment and coherence across roadmaps and the risks of a fragmented transition. Key conclusions on the later, aligned with previous statements from the Europol Quantum Safe Financial Forum and FS-ISAC, is that quantum-safety is already part of the EU's operational resilience compliance through the “state of the art” security principle embedded in GDPR, DORA, CRA and NIS2. However, there is a recognised need for further guidance that can be achieved through open collaboration between the public and private sector. Although the report focuses on the financial, public, and defence sectors, its main takeaways can easily be extended to other critical domains—transport, energy, healthcare, and many more. The principles are the same, and the urgency is the same. This report is an important step forward, and my hope is that the ideas it lays out help shape the conversations and, more importantly, the actions we need across the EU. A well-aligned and coordinated transition is essential if we want the whole ecosystem to move toward a new age where we manage cryptography in a more mature, proactive, and resilient way. Kudos to CEPS, lorenzo pupillo, Carolina Polito, Swann A. and Afonso Ferreira, PhD for achieving this milestone. https://lnkd.in/dpWJ86q2

The CXO’s guide to Quantum Security Customers often tell me that the migration to post-quantum cryptography (PQC) will take them years, and some assets won’t ever be upgraded. While quantum’s long-term threat is clear, security leaders are grappling with the practical, multiyear journey of upgrading potentially thousands of devices, applications and data stores to be quantum-resistant. The “harvest now, decrypt later” threat raises the stakes. Nation-state actors are siphoning and stockpiling encrypted data today, waiting for the arrival of quantum computers to retroactively break it. The implication? Sensitive data may already be in the wrong hands and it’s only a matter of time before it can be put to use. What CXOs need is a clear path forward: Discover - Complete a comprehensive crypto inventory across your environment. You cannot protect what you cannot see. Protect - Achieve post-quantum decryption at scale with NGFW that have crypto-agility built right in, enabling your security as standards evolve.   Accelerate - Leverage segmentation along with emerging new capabilities, like cipher translation, to instantly upgrade legacy devices and applications to secure your data now while your organization upgrades devices and applications.  Read more https://bit.ly/4nVkurw

The biggest threat to your data isn’t happening tomorrow. It happened yesterday. If you haven’t heard of HNDL (Harvest Now, Decrypt Later), your long-term data strategy has a massive blind spot. Here is the reality: State actors and cybercriminals are capturing your encrypted data today. They can’t read it yet, so they’re storing it in massive data vaults, waiting for the "Qday"—the moment quantum computers become powerful enough to break current encryption. If your data needs to stay private for 5, 10, or 20 years, it’s already at risk. What’s on the line? ↳ Intellectual Property (IP) and trade secrets. ↳ Government and identity data. ↳ Long-term financial records and contracts. ↳ Sensitive customer health data. How do we solve it? 🛠️ We cannot wait for quantum supremacy to react. The fix starts now: ↳ Inventory: Identify which data has a long shelf-life. ↳ Crypto-Agility: Move toward systems that can swap encryption methods without a total overhaul. ↳ Hybrid PQC: Implement Post-Quantum Cryptography alongside classical methods to ensure traffic captured today remains a mystery tomorrow. The transition to quantum-resistant security is a marathon, not a sprint. Are you tracking HNDL on your current risk register? Let’s discuss in the comments. 👇 P.S. If you want help mapping your exposure or building a PQC migration plan, drop me a message. ♻️ Share this post if it speaks to you, and follow me for more. #QuantumSecurity #PQC

Quantum computing is moving from "science fiction" to "business reality" faster than most predicted. Two recent papers have fundamentally shifted the timeline for when we need to care about Quantum-Safe security: 1️⃣ The "10,000 Qubits" Milestone: New research shows that we can execute Shor’s algorithm—the math that breaks today’s encryption—with far fewer resources than previously thought. By using reconfigurable atomic qubits, the hardware requirements for cracking RSA-2048 have dropped by nearly 20x. 2️⃣ The "9-Minute" Crypto Warning: Google’s latest whitepaper highlights a terrifying reality for digital assets. Under advanced quantum scenarios, the encryption protecting a cryptocurrency wallet could be cracked in under 10 minutes. This puts billions in "dormant" assets at immediate risk of "at-rest" attacks. The Bottom Line: The "Q-Day" window is shrinking. It’s no longer about if a quantum computer can break your encryption, but when your current migration timeline will run out. How do we respond? We can't just flip a switch on "Q-Day." For many organizations, becoming quantum safe is a multi-year journey. This is where Palo Alto Networks Quantum-Safe Security comes in. Instead of a manual, multi-year overhaul, we provide a path to Agentic Resilience: - Continuous Discovery: It automatically maps your "cryptographic bill of materials" (CBOM), identifying exactly where vulnerable RSA and ECC algorithms are hiding in your network. - Risk Prioritization: It correlates your encryption strength with business criticality, telling you exactly which high-value assets need to move to Post-Quantum Cryptography (PQC) first. - Real-Time Remediation: For legacy systems that can’t be easily upgraded, a "Quantum-Safe Proxy" re-encrypts vulnerable traffic into post-quantum algorithms (like ML-KEM) at the network edge. The transition to a quantum-safe future is a marathon, but the starting gun has already fired. Learn how to take your first steps at the link in the comments.

📌The financial sector has now moved from quantum awareness to quantum execution. Europol , FS-ISAC , and the Quantum Safe Financial Forum (QSFF), together with major financial institutions, published: “Prioritising Post-Quantum Cryptography Migration Activities in Financial Services” ; a practical migration framework designed specifically for financial institutions. What makes this report particularly relevant for #boards, #regulators, and #CISOs? It introduces a structured prioritisation methodology based on two measurable dimensions: 1️⃣ Quantum Risk Score Derived from: • Shelf life of protected data • Exposure • Severity of compromise 2️⃣ Migration Time Score Derived from: • Solution availability • Execution cost and time • External dependencies Migration Priority is determined by combining both scores into a risk–time matrix (see pages 8–10) of the Report below ⬇️ . ♨️ This shifts the conversation from “When will Q-Day happen?” to “Which business use cases require action now, and which require long-term orchestration?” Two examples in the report illustrate this distinction: 🔹 Points of Sale (#PoS) Medium quantum risk but high migration complexity due to hardware lifecycles, ecosystem coordination, and standardisation uncertainty (pages 12–15) . ⛔️Early planning is essential to avoid costly out-of-cycle replacements. 🔹 Public Websites (#TLS_confidentiality) Medium quantum risk but low migration time due to hybrid schemes such as X25519MLKEM768 already supported by major browsers and CDNs (pages 16–19) . ⛔️This is one of the earliest practical deployment opportunities for quantum-safe protection in production environments. Another important contribution of the report is its focus on cryptographic antipatterns (pages 21–24) . Before large-scale PQC migration, institutions can implement no-regret actions: • Automate TLS certificate lifecycle management • Standardise TLS configurations (TLS 1.3 baseline) • Eliminate legacy cipher dependencies • Remove hard-coded credentials • Strengthen key management governance This approach aligns closely with supervisory expectations: #quantum_readiness must integrate into existing risk frameworks, asset lifecycle planning, and vendor coordination. For financial institutions, the message is clear: ❌Quantum safety is not a single migration event. ❌It is a prioritised, staged governance programme that integrates cryptography, procurement, architecture, and regulatory alignment. Full publication: Europol (2026), Prioritising Post-Quantum Cryptography Migration Activities in Financial Services Available via Europol Publications Office: https://lnkd.in/d2bgsVKm #PostQuantumCryptography #PQC #QuantumRisk #FinancialServices #CybersecurityGovernance #DigitalResilience #CryptoAgility #QuantumTransition #FinancialStability

The EU published its Post-Quantum Cryptography (PQC) Roadmap in June 2025, setting out fairly aggressive target dates for migration. But without introducing any explicit enforcement mechanisms. That has led many to conclude that the roadmap lacks enforcement power and is therefore “just a non-binding recommendation.” It’s a very common misconception. The roadmap expects all EU Member States to begin transitioning to PQC by launching national strategies and taking concrete “first steps” in the migration process. In practical terms, this means starting assessments, awareness campaigns, and cryptographic inventories no later than 2026. I’m increasingly involved in conversations around these topics. So I tried to clarify how EU recommendations typically operate in conjunction with binding regulations. The roadmap is more than a polite suggestion. While non-binding on its own, it aligns closely with enforceable frameworks such as NIS2 and DORA, effectively creating indirect mandates through risk-based compliance requirements. The EU does not need a standalone PQC regulation for the roadmap to matter. It functions more like a lens through which regulators and auditors will interpret what “appropriate,” “proportionate,” and “state-of-the-art” cryptography means under existing law. NIS2 already requires entities to maintain policies and procedures on the use of cryptography. DORA goes further, explicitly requiring financial entities to track the evolving cryptographic threat landscape - including “threats from quantum advancements.” And the Commission is not presenting this as permanently voluntary. It has made clear that it will monitor progress and may take additional steps, including proposing binding acts of Union law, if necessary. I tried to summarize this “roadmap + binding law” logic here: https://lnkd.in/dcf4bsht #PQC #PostQuantum #QuantumSecurity #Cybersecurity #Cyber #NIS2 #DORA

🚨 NEW PEER-REVIEWED RESEARCH: PQC Migration Timelines Excited to share my latest paper published in MDPI Computers: "Enterprise Migration to Post-Quantum Cryptography: Timeline Analysis and Strategic Frameworks." The transition to Post-Quantum Cryptography (PQC) represents a watershed moment in the history of our digital civilization. Organizations planning for a 3-5 year "upgrade" will fail. The reality is a 10-15-year systemic transformation. Key Contributions: 📊 Realistic Timeline Estimates by Enterprise Size: Small (≤500 employees): 5-7 years Medium (500-5K): 8-12 years Large (>5K): 12-15+ years ⚠️ Critical Finding: With FTQC expected 2028-2033, large enterprises face a 3-5 year vulnerability window—migration may not complete before quantum computers break RSA/ECC. 🔬 Novel Framework Analysis: Causal dependency mapping (HSM certification, partner coordination as critical paths) "Zombie algorithm" maintenance overhead quantified (20-40%) Zero Trust Architecture implications for PQC 💡 Practical Guidance: Crypto-agility frameworks and phased migration strategies for immediate action. Strategic Recommendations for Leadership: 1. Prioritize by Data Value, Not System Criticality: Invert the traditional triage model. Systems protecting long-lived data (IP, PII, Secrets) must migrate first, regardless of their operational uptime criticality, to mitigate SNDL. 2. Fund the "Invisible" Infrastructure: Budget immediately for the expansion of PKI repositories, bandwidth upgrades, and HSM replacements. These are long-lead items that cannot be rushed. 3. Establish a Crypto-Competency Center: Do not rely solely on generalist security staff. Invest in specialized training or retain dedicated PQC counsel to navigate the mathematical and implementation nuances. The talent shortage will only worsen. 4. Demand Vendor Roadmaps: Contractual language must shift. Procurement should require vendors to provide binding roadmaps for PQC support. "We are working on it" is no longer an acceptable answer for critical supply chain partners. 5. Embrace Hybridity: Accept that the future is hybrid. Design architectures that can support dual-stack cryptography indefinitely, viewing it not as a temporary bridge but as a long-term operational state. 6. Implement Automated Discovery: You cannot migrate what you cannot see. Deploy automated cryptographic discovery tools to continuously map the cryptographic posture of the estate, identifying shadow IT and legacy instances that manual surveys miss. The quantum clock is ticking. Start planning NOW. https://lnkd.in/eHZBD-5Y 📄 DOI: https://lnkd.in/ejA9YpsG #PostQuantumCryptography #Cybersecurity #QuantumComputing #PQC #InfoSec #NIST #CryptoAgility

𝗪𝗵𝘆 𝗧𝗿𝗮𝗻𝘀𝗽𝗼𝗿𝘁 𝗘𝗻𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻 𝗔𝗹𝗼𝗻𝗲 𝗜𝘀 𝗡𝗼 𝗟𝗼𝗻𝗴𝗲𝗿 𝗘𝗻𝗼𝘂𝗴𝗵 𝗳𝗼𝗿 𝗠𝗙𝗧 For years, Managed File Transfer security has been judged at the edges: Is the connection encrypted? Are files encrypted in transit? That view is no longer sufficient. Most MFT platforms rely on transport (TLS/SFTP) and payload (PGP) encryption to protect data entering and leaving the system, but this only covers part of the data lifecycle. Once files are inside the platform, they are parsed, queued, logged, stored, and routed across internal components. In many legacy MFT architectures, those internal paths rely on implicit trust and classical cryptographic assumptions that were never designed for long-term resilience. 𝗧𝗵𝗮𝘁’𝘀 𝘄𝗵𝗲𝗿𝗲 𝗿𝗶𝘀𝗸 𝗮𝗰𝗰𝘂𝗺𝘂𝗹𝗮𝘁𝗲𝘀. Even with strong edge encryption, many MFT systems:  • Trust internal components by default  • Encrypt data only at ingress and egress  • Rely on classical cryptography internally  • Lack crypto agility and granular enforcement This becomes a real governance issue and not a theoretical one. 𝗣𝗼𝘀𝘁-𝗤𝘂𝗮𝗻𝘁𝘂𝗺 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗥𝗲𝗾𝘂𝗶𝗿𝗲𝘀 𝗠𝗼𝗿𝗲 𝗧𝗵𝗮𝗻 𝗮 𝗖𝗶𝗽𝗵𝗲𝗿 𝗦𝘄𝗮𝗽 Post-quantum cryptography (PQC) isn’t just a future TLS upgrade. It exposes whether a platform was designed for end-to-end protection. 𝗔 𝗽𝗼𝘀𝘁-𝗾𝘂𝗮𝗻𝘁𝘂𝗺 𝗿𝗲𝗮𝗱𝘆 𝗠𝗙𝗧 𝗺𝘂𝘀𝘁 𝗮𝗽𝗽𝗹𝘆 𝘀𝘁𝗿𝗼𝗻𝗴 𝗰𝗿𝘆𝗽𝘁𝗼𝗴𝗿𝗮𝗽𝗵𝘆 𝗰𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝘁𝗹𝘆:  • To data in transit  • To data at rest  • To internal service-to-service communication Anything less leaves gaps that time will eventually exploit. 𝗭𝗲𝗿𝗼 𝗧𝗿𝘂𝘀𝘁 𝗠𝘂𝘀𝘁 𝗘𝘅𝗶𝘀𝘁 𝗜𝗻𝘀𝗶𝗱𝗲 𝘁𝗵𝗲 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 PQC alone isn’t enough. A modern MFT platform must also enforce zero trust internally, not just at the perimeter. That means no implicit trust, explicit authentication everywhere, encrypted internal communication, flow-level policy enforcement, and full auditability. For CISOs, this is the difference between assuming security and being able to prove it. 𝗧𝗵𝗶𝘀 𝗶𝘀 𝗲𝘅𝗮𝗰𝘁𝗹𝘆 𝘄𝗵𝘆 𝘄𝗲 𝗿𝗲𝗱𝗲𝘀𝗶𝗴𝗻𝗲𝗱 𝗧𝗗𝗫𝗰𝗵𝗮𝗻𝗴𝗲 𝘃𝟱. TDXchange v5 was architected to move beyond edge-only security by:  • Supporting TLS, PGP or NIST-approved post-quantum cryptographic (PQC) encryption  • Encrypting data in transit and at rest, including internal datastores  • Enforcing zero-trust principles between internal components  • Eliminating implicit trust assumptions inside the platform The goal wasn’t another feature, it was an architecture that can defend sensitive data throughout its entire lifecycle, even as cryptographic threats evolve. 𝗘𝘅𝗲𝗰𝘂𝘁𝗶𝘃𝗲 𝗧𝗮𝗸𝗲𝗮𝘄𝗮𝘆 Transport and payload encryption are table stakes. In the post-quantum era, they are no longer enough on their own. Does your MFT protect data everywhere, or only at the edge? That distinction will increasingly determine which platforms remain defensible as post-quantum risk becomes operational reality.

🔐Word o’ the Day | Year | Decade: Crypto-agility, Baby! Yesterday morning, I did a fun fireside chat with Bethany Gadfield - Netzel at the FIA, Inc. Expo in Chicago. We talked about cyber resilience, artificial intelligence, Rubik’s cubes, and that thing called quantum! A question came up at the end, “What can firms actually do today to begin transitioning to post-quantum cryptography?” So thought I would take the opportunity to share my thoughts more broadly on this important, but not super well understood, topic: 1. Don’t wait. The clock for quantum-safe cryptography is already ticking. NIST released its first set of post-quantum standards last year (https://lnkd.in/esTm8uPw) and CISA put out a “Strategy for Migrating to Automated Post-Quantum Discovery and Inventory Tools” last year as part of its broader Post Quantum Cryptography (PQC) Initiative (https://lnkd.in/evpF4umv). h/t Garfield Jones, D.Eng.! 2. Inventory & prioritize. Map all cryptographic usage: what keys, certificates, protocols, and data streams exist today? Which assets hold long-lived value and are at risk of “harvest-now, decrypt-later”? Build a migration roadmap that prioritizes highest-risk systems (e.g., financial settlement platforms, inter-bank links, legacy encryption). 3. Establish crypto-agility. Ensure your architecture supports swapping algorithms, updating certificates, & layering classical + post-quantum primitives without a full system rebuild. This kind of flexibility is key for resilience. 4. Pilot and migrate. Use the new NIST-approved algorithms; experiment first on less time-sensitive systems, validate performance and interoperability, then scale to mission-critical applications. NIST’s IR 8547 report provides a framework for this transition. 5. Vendor & supply-chain alignment. Ask your vendors & service providers: “What’s your PQC transition plan? When will you support NIST-approved post-quantum algorithms? Are your update paths crypto-agile?” If the answer isn’t clear or (as a former boss of mine used to say) they look at you like a “pig at a wristwatch,” you’ve got a potentially serious third-party risk. 6. Board and Exec engagement. Position this not as an IT problem but a fiduciary risk and resilience imperative. The transition to quantum-safe cryptography is multi-year and multi-layered—waiting until it’s urgent means it will be too late.