Post-Quantum Cybersecurity: Preparing Identity & Access Systems for the Quantum-Era

The horizon of quantum computing is no longer a distant mirage; it is an impending reality with profound implications for modern cybersecurity. At the recent VULNCON 2025 CXO Panel, industry leaders convened to dissect a critical challenge: future-proofing our identity and access management (IAM) systems against the post-quantum threat.
Panel Members

Hilal Ahmad Lone (Moderator): CISO & VP at Liminal Custody

Jason Joseph: CISO at mPokket

Dipendu Biswas: Director at Tarisa Technologies

Gagan Mathur: Program Manager at Shell

Here is a deep dive into the insights shared by these experts on navigating the transition to Post-Quantum Cryptography (PQC).

The Accelerating Quantum Timeline and SNDL

The conversation around post-quantum cryptography is not as new as it seems; early focus groups and NIST drafts date back to 2010 and 2012. However, the acceleration of hardware capabilities has drastically shortened our preparation window. With breakthroughs like Google's Willow chip and rapid advancements in Chinese supercomputing, the timeline for quantum viability is shrinking. NIST advises that organisations must have a transition plan to quantum-resistant algorithms by 2026, with migration completed by 2030.

The most immediate threat posed by this acceleration is the "Store Now, Decrypt Later" (SNDL) attack vector. Adversaries and nation-state actors are actively harvesting encrypted sensitive data—from financial transactions to national secrets—anticipating the day when quantum computers can effortlessly break current encryption standards like RSA and ECC.

As Dipendu Biswas noted, while closed-loop quantum communication networks exist for military and government use, the open internet remains vulnerable. Whatever encrypted data has already been harvested by adversaries is largely exposed to future decryption; the focus now must be on mitigating the attack surface for future transactions and limiting data retention.

Identity and Access Management (IAM) in the Crosshairs

IAM infrastructure is the bedrock of digital trust, relying heavily on Public Key Infrastructure (PKI), digital certificates, and security tokens. If the underlying cryptography is compromised, the entire foundation of trust collapses. Gagan Mathur emphasised that organisations should not attempt to rip and replace their entire IAM architecture overnight. Instead, the focus must shift to crypto-agility.

  • Visibility Baseline: Identify where public key cryptography is deployed across all IAM systems and assess the business criticality of those workflows.
  • Dual-Mode Cryptography: Because different industries and supply chain partners will transition at different paces, systems must support interoperable, backward-compatible dual-mode cryptography.
  • Continuous Evolution: PQC is not a one-time deployment. Architectures must be adaptable and capable of evolving alongside new algorithmic standards.

The Role of Regulation and Supply Chain Accountability

In the cybersecurity realm, regulatory backing drives implementation. Jason Joseph highlighted the Indian BFSI sector, where regulators like the RBI are already mandating a Cryptographic Bill of Materials (CBOM). By inventorying certificates, tokens, and encryption protocols, organisations can explicitly define their mitigation strategies and extend these requirements to their supply chain partners.

However, organisations cannot afford to treat PQC readiness as a mere check-the-box compliance exercise driven by audit deadlines. It requires a phased, hybrid approach. For instance, while full Quantum Key Distribution (QKD) might be impractical for many organisations today, transitioning to Quantum Random Number Generators (QRNG) serves as a viable, immediate stepping stone. Furthermore, regulatory bodies and leading institutions are heavily collaborating to build frameworks around new NIST standards (such as FIPS 203, 204, and 205) supported by algorithms like Dilithium and Kyber.

Dispelling the Myth: Panic or Pragmatism?

A common skepticism in the industry is whether PQC is a genuine threat or simply marketing hype generated by hardware vendors. The panel firmly dismantled the "hype" argument. Hilal Ahmad Lone pointed out that the mathematical foundation for breaking modern encryption—Shor's algorithm—already exists and proves that polynomial factorisation used in asymmetric encryption (like RSA and ECC) is fundamentally insecure against quantum computational cycles. The systemic risk is catastrophic. Consider Root Certificate Authorities (CAs), the most trusted components in internet security. If trust in Root CAs is compromised, the integrity of digital signatures, financial systems, and global digital economies is instantly invalidated. Nation-states with strategic interests are operating at an immense scale, making the issue an urgent societal and industrial priority rather than an individual panic.

Key Takeaways for Security Leaders

To prepare for the quantum era, the panel recommended the following practical steps:

  1. Map Your Cryptography: Build a comprehensive visibility baseline of all public key cryptography within your systems.
  2. Assess the Lifespan of Secrets: Determine how long your encrypted data needs to remain secure and prioritise the migration of long-term secrets.
  3. Evaluate Supplier Readiness: Engage with your vendors and cloud providers to ensure they have an active crypto-agility roadmap.
  4. Adopt a Phased Strategy: Embed crypto-agility into your core design principles immediately, treating it as a continuous lifecycle rather than a one-off project.
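
Steps 1 and 2 above, together with the CBOM inventory described earlier, sketched as an added example (not code from the panel or from any vendor tool): it reads the `alg` header of JWTs observed in IAM systems, flags RSA and ECC signature families, and orders them by how long the trust must hold. The system names, the `must_hold_until` field and the sample tokens are constructed assumptions.

```python
import base64
import json

# JOSE "alg" families (RFC 7518 / RFC 8037). RSA and elliptic-curve signatures
# rest on problems Shor's algorithm solves; HMAC is symmetric.
VULNERABLE = {"RS": "RSA PKCS#1 v1.5", "PS": "RSA-PSS", "ES": "ECDSA", "Ed": "EdDSA"}

def jwt_alg(token):
    """Return the 'alg' header of a compact JWT without verifying it."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))["alg"]

def classify(alg):
    if alg[:2] in VULNERABLE:
        return "quantum-vulnerable", VULNERABLE[alg[:2]]
    if alg.startswith("HS"):
        return "symmetric", "HMAC"
    return "review", "unrecognised or unsigned"  # e.g. "none" or a new algorithm

def build_cbom(observations):
    """observations: (system, token, must_hold_until_year) tuples."""
    rows = []
    for system, token, until in observations:
        alg = jwt_alg(token)
        status, family = classify(alg)
        rows.append({"system": system, "alg": alg, "family": family,
                     "status": status, "must_hold_until": until})
    return rows

def migration_order(cbom):
    """Quantum-vulnerable entries only, longest-lived trust first."""
    vulnerable = [r for r in cbom if r["status"] == "quantum-vulnerable"]
    return sorted(vulnerable, key=lambda r: -r["must_hold_until"])

def constructed_token(alg):
    # Constructed sample: only the header matters; payload and signature are dummies.
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return header.rstrip(b"=").decode() + ".e30.c2ln"

SAMPLE = [  # constructed inventory input, not real systems
    ("sso-gateway", constructed_token("RS256"), 2027),
    ("partner-api", constructed_token("ES384"), 2035),
    ("internal-batch", constructed_token("HS256"), 2031),
    ("legacy-portal", constructed_token("none"), 2026),
]

if __name__ == "__main__":
    for row in migration_order(build_cbom(SAMPLE)):
        print(row)
```

Entries classified as `review` are kept in the inventory but left out of the ordering, so unsigned or unrecognised algorithms get a manual look rather than a silent pass.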

Conclusion

The transition to post-quantum cryptography is a journey of continuous resilience. Waiting for perfect quantum-stable hardware before acting is a critical misstep. As Jason Joseph aptly concluded, borrowing an adage from the armed forces: "Sweat in peace so that you do not bleed in war". By standardising cryptographic inventories, demanding crypto-agility, and moving at a war-footing pace today, organisations can build a resilient digital future capable of withstanding the quantum computing revolution.