While we cannot determine when commercially available quantum computers will be able to break asymmetric cryptography and algorithms (aka Q-Day), Forrester’s best estimate is that this will happen in 10 years. But it could also happen in five or 20 years. Currently, many governments have established a deadline of 2035 for full migration to postquantum cryptography. The Australian Signals Directorate’s guidelines for cryptography are the most aggressive, with 2030 as the deadline.

A Full Migration To Postquantum Is An Enormous Undertaking

Recognizing the urgency and impact, governments have issued guidance and deadlines for migration. Industry-specific entities have issued guidance, such as the European Telecommunications Standards Institute’s framework for quantum-safe migrations, the Financial Services Information Sharing and Analysis Center’s framework for replacing an insecure algorithm, and the Bank of Israel’s directive for banking system preparedness for cyber risks arising from quantum computing capabilities. Regulatory requirements and standards such as the Payment Card Industry Data Security Standard and the EU’s Digital Operational Resilience Act highlight the need to monitor developments and vulnerabilities in cryptography as well as the need for cryptoagility.

Balance Short-Term Fixes With Longer-Term Strategic Plans

As architects migrate their applications and systems to quantum-secure versions, different approaches will lead to debates around time and cost. For example, an engineer might replace an application that uses RSA encryption with a new application version that has implemented one of the approved postquantum algorithms, which could meet the immediate requirement. But architects looking to future-proof their environment against ongoing cryptographic changes might want to implement cryptographic agility systems that add short-term cost but make upgrading simpler in the long term — the architect would make a configuration change in the cryptoagility tool rather than spending time directly upgrading large numbers of complex and critical systems and software that serve enterprise resource planning, security, and other parts of the business.
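The configuration-driven approach described above can be sketched as follows. This is an added example, not code from Forrester's report or from any cryptoagility product. The names `REGISTRY`, `POLICY`, `protect`, `verify` and `migrate` are hypothetical, and the two HMAC variants are stand-ins for the legacy and postquantum algorithms so that the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Registry of algorithm ids -> implementation. The HMAC variants are stand-ins
# (assumption); a real deployment would wrap RSA and an approved postquantum
# scheme behind the same interface.
REGISTRY = {
    "legacy-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "next-v2": lambda key, msg: hmac.new(key, msg, hashlib.sha3_512).digest(),
}

# Constructed policy: the only thing edited during a migration.
POLICY = {"protect_with": "legacy-v1", "accept": ["legacy-v1"]}


def protect(key, payload, policy=POLICY):
    """Tag payload with the policy's current algorithm and record its id."""
    alg = policy["protect_with"]
    tag = REGISTRY[alg](key, payload).hex()
    return json.dumps({"alg": alg, "payload": payload.hex(), "tag": tag})


def verify(key, envelope, policy=POLICY):
    """Return (payload, needs_migration); raise ValueError on any failure."""
    env = json.loads(envelope)
    alg = env.get("alg")
    # Acceptance is decided by policy, not by the envelope, so a retired
    # algorithm cannot be reintroduced by whoever wrote the envelope.
    if alg not in policy["accept"] or alg not in REGISTRY:
        raise ValueError(f"algorithm {alg!r} not accepted by policy")
    payload = bytes.fromhex(env["payload"])
    expected = REGISTRY[alg](key, payload)
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("tag mismatch")
    return payload, alg != policy["protect_with"]


def migrate(key, envelope, policy=POLICY):
    """Re-protect an envelope under the current algorithm if it is stale."""
    payload, stale = verify(key, envelope, policy)
    return protect(key, payload, policy) if stale else envelope
```

Application code calls only `protect`, `verify` and `migrate`; moving to the new algorithm, and later retiring the old one, is a change to the policy dictionary.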

The Architect’s Guide To Quantum Security

Our latest report, The Architect’s Guide To Quantum Security, breaks down the common architectural building blocks that architects will use to construct a quantum-safe environment. These building blocks can be arranged into a few different patterns, and architects should choose the patterns that best support their organization’s business cases and technology environment. Crucially, these patterns are not mutually exclusive and should be used in combination where appropriate — an architect can apply different patterns to different components in the same environment.

To understand the common quantum security architectural building blocks and patterns, please read our report and schedule an inquiry or guidance session with us.