RSAC 2025: The time for crypto-agility adoption is now
An RSAC 2025 speaker explained why companies should begin their quantum-safe journey now and how crypto-agility adoption helps prepare for post-quantum cryptography.
It might be five, 10 or 15 years away, but the day of a cryptographically relevant quantum computer will be here before you know it. Organizations must prepare now for that day -- and one way to do that is by adopting crypto-agility.
Crypto-agility enables organizations to adapt to changes in the evolving cryptographic landscape by dynamically swapping algorithms, keys and certificates without disrupting the underlying IT infrastructure.
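What that swap looks like at the code level, as an added example that is not code from the session or from Entrust: a MAC envelope in which every protected message carries the identifier of the algorithm that produced its tag, the verifier dispatches on that identifier, and a policy object (not the message format) decides which algorithm produces new tags and which are still tolerated for verifying legacy data. HMAC variants stand in for the signature and key-exchange swaps a PQC migration involves, and the algorithm labels, `Policy` and `AgileMac` names are this example's own.

```python
"""Added example, not code from the RSAC session or from Entrust: a minimal
crypto-agile MAC envelope. Retiring or introducing an algorithm is a policy
change plus one registry entry, not a change to the protect/verify code.
HMAC variants stand in for signature/KEM swaps; algorithm labels are
hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

# Algorithm identifier -> tag function. Adding a new algorithm is one entry.
REGISTRY: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-sha1": lambda key, msg: hmac.new(key, msg, hashlib.sha1).digest(),
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}


@dataclass(frozen=True)
class Policy:
    produce: str                    # the only algorithm allowed for new tags
    verify_allowed: FrozenSet[str]  # algorithms still accepted on the verify path

    def __post_init__(self):
        unknown = {self.produce, *self.verify_allowed} - set(REGISTRY)
        if unknown:
            raise ValueError(f"policy names unregistered algorithms: {sorted(unknown)}")
        if self.produce not in self.verify_allowed:
            raise ValueError("the producing algorithm must also be verifiable")


class AgileMac:
    """Envelope layout: b"<alg>|<hex tag>|<message>". The message is last so
    it may itself contain the separator."""

    def __init__(self, key: bytes, policy: Policy):
        self.key = key
        self.policy = policy

    def protect(self, msg: bytes) -> bytes:
        alg = self.policy.produce
        tag = REGISTRY[alg](self.key, msg)
        return b"|".join([alg.encode(), tag.hex().encode(), msg])

    def verify(self, envelope: bytes) -> bytes:
        alg_b, tag_hex, msg = envelope.split(b"|", 2)  # malformed -> ValueError
        alg = alg_b.decode()
        if alg not in self.policy.verify_allowed:
            raise ValueError(f"algorithm {alg!r} is no longer accepted by policy")
        expected = REGISTRY[alg](self.key, msg)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode())):
            raise ValueError("tag mismatch")
        return msg

    def needs_reprotect(self, envelope: bytes) -> bool:
        """True when stored data was tagged with something other than the current default."""
        return envelope.split(b"|", 1)[0].decode() != self.policy.produce

    def reprotect(self, envelope: bytes) -> bytes:
        """Verify under the current policy, then re-tag with the current default."""
        return self.protect(self.verify(envelope))


def migration_demo(key: bytes = b"shared-secret") -> dict:
    """Walk a staged migration: legacy -> transition (both accepted) -> strict."""
    msg = b"invoice|42"
    legacy = AgileMac(key, Policy("hmac-sha1", frozenset({"hmac-sha1"})))
    old_env = legacy.protect(msg)
    # Stage 1: new tags use SHA-256; SHA-1 tags still verify and get re-tagged.
    transition = AgileMac(key, Policy("hmac-sha256", frozenset({"hmac-sha1", "hmac-sha256"})))
    new_env = transition.reprotect(old_env)
    # Stage 2: SHA-1 is dropped from the verify set; legacy envelopes are rejected.
    strict = AgileMac(key, Policy("hmac-sha256", frozenset({"hmac-sha256"})))
    try:
        strict.verify(old_env)
        legacy_rejected = False
    except ValueError:
        legacy_rejected = True
    return {
        "old_alg": old_env.split(b"|", 1)[0].decode(),
        "new_alg": new_env.split(b"|", 1)[0].decode(),
        "legacy_rejected": legacy_rejected,
        "new_still_valid": strict.verify(new_env) == msg,
    }


if __name__ == "__main__":
    print(migration_demo())
```

The point of the design is the order of operations: first widen the verify set and change the producer, sweep stored data with `reprotect`, and only then shrink the verify set. Data that was never tagged with its algorithm cannot be migrated this way, which is the usual reason legacy systems are not agile.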
Greg Wetmore, vice president of product development at identity security vendor Entrust, spoke about crypto-agility implementation and adoption during a session at RSAC Conference 2025.
Why companies should adopt crypto-agility now
Cryptography has largely been static for the past several decades, Wetmore said, which is why many organizations aren't ready for this change.
"RSA has been widely used for more than 30 years. Elliptic [curve cryptography] for more than 20," he said. "We've done small cryptographic changes, but we haven't faced a discontinuity that the quantum threat represents."
This is where crypto-agility comes into play.
Crypto-agility is more than just a response to quantum computing, according to Wetmore -- though it is often the reason companies adopt it. Broadly, he said, crypto-agility is about an organization's resilience in a changing threat landscape that requires adapting to new cryptographic algorithms and policies.
Wetmore said crypto-agility helps companies counter the following challenges:
- Post-quantum cryptography (PQC) and "harvest now, decrypt later" attacks.
- Shortened certificate lifecycles.
- Device sprawl, which complicates crypto asset inventorying and data security.
- Operational complexity that makes cryptography management difficult.
For many, the timeline for PQC is drawing near. For example, under the NSA's CNSA 2.0 guidance, organizations that work with national security systems must support and prefer quantum-safe algorithms for software and firmware signing and for web browsers and servers by the end of 2025. NIST's draft transition timeline (NIST IR 8547) deprecates the classical asymmetric algorithms, such as RSA, ECDSA and ECDH, in 2030, and the deprecated algorithms will be disallowed starting in 2035.
How to begin crypto-agility adoption
Wetmore provided steps to help organizations become quantum-safe.
To start, put together a team to handle crypto-agility strategy and transitions. Ensure all relevant stakeholders -- from C-suite executives to infosec professionals and developers -- understand the importance of crypto-agility and are aware of crypto-agility best practices. Develop PQC security policies to manage cryptography changes and updates.
Next, create an inventory of all crypto assets -- for example, using cryptographic bills of materials (CBOMs) -- to understand what cryptography is in use, where it runs and what data it protects. Document whether current and future algorithms comply with relevant regulations and data security policies.
Use the inventory to perform a risk assessment. This assessment and the company's risk appetite help prioritize changes and updates.
Start updating and replacing crypto assets based on the risk assessment and risk appetite.
Test all cryptography instances to ensure assets are updated. Make sure the organization can audit standards and processes for compliance. Centrally manage policies and access control, and automate certificate lifecycle management.
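The inventory, risk assessment and prioritization steps above, carried through as an added example that is not code from the session or from Entrust. The inventory is a constructed, simplified CBOM (one dict per asset; the field names, the `classify` and `prioritize` functions and the asset names are this example's own, not the CycloneDX schema). The 2030 deprecation and 2035 disallow dates follow the timeline quoted in the article; the horizon for a cryptographically relevant quantum computer (CRQC) is an assumed, tunable parameter. The example goes slightly beyond the text in treating a classically broken hash and an unclassifiable entry as findings too, since crypto-agility covers more than the quantum transition.

```python
"""Added example, not code from the RSAC session or from Entrust: turn a
crypto-asset inventory into a prioritized migration list. Field names and
asset names are constructed for this example; the 2030/2035 dates follow the
article; the CRQC horizon is an assumption."""
from dataclasses import dataclass
from typing import List, Optional

DEPRECATION_YEAR = 2030   # classical asymmetric algorithms deprecated
DISALLOWED_YEAR = 2035    # ... and disallowed
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
STILL_FINE = {"AES", "SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512"} | QUANTUM_SAFE
CLASSICALLY_BROKEN = {"MD5", "SHA-1"}

# Constructed sample inventory. data_lifetime_years: how long the data this
# asset protects must remain confidential or trustworthy after today.
INVENTORY = [
    {"asset": "vpn-gateway", "algorithm": "RSA", "bits": 2048, "use": "key-exchange", "data_lifetime_years": 10},
    {"asset": "sso-idp", "algorithm": "ECDH", "bits": 256, "use": "key-exchange", "data_lifetime_years": 3},
    {"asset": "code-signing", "algorithm": "ECDSA", "bits": 256, "use": "signature", "data_lifetime_years": 0},
    {"asset": "backup-encryption", "algorithm": "AES", "bits": 128, "use": "encryption", "data_lifetime_years": 15},
    {"asset": "archive-kms", "algorithm": "AES", "bits": 256, "use": "encryption", "data_lifetime_years": 15},
    {"asset": "tls-frontend", "algorithm": "ML-KEM", "bits": 768, "use": "key-exchange", "data_lifetime_years": 2},
    {"asset": "legacy-checksum", "algorithm": "SHA-1", "bits": 160, "use": "hash", "data_lifetime_years": 0},
    {"asset": "mystery-appliance", "algorithm": "proprietary", "bits": 0, "use": "encryption", "data_lifetime_years": 5},
]


@dataclass
class Finding:
    asset: str
    priority: int            # 1 = act now, 2 = scheduled, 3 = plan, 4 = no action
    deadline: Optional[int]  # year by which the change should be done
    reason: str


def classify(item: dict, assessed_year: int = 2025, crqc_horizon: int = DISALLOWED_YEAR) -> Finding:
    """Risk-assess one inventory entry against the transition timeline."""
    alg, use, asset = item["algorithm"], item["use"], item["asset"]
    exposure_until = assessed_year + item["data_lifetime_years"]
    if alg in CLASSICALLY_BROKEN:
        return Finding(asset, 1, assessed_year, f"{alg} is already broken classically")
    if alg in SHOR_VULNERABLE:
        # Confidentiality that must outlive the CRQC horizon is exposed today to
        # harvest-now-decrypt-later; a signature cannot be forged retroactively.
        if use in ("key-exchange", "encryption") and exposure_until >= crqc_horizon:
            return Finding(asset, 1, assessed_year,
                           f"harvest-now-decrypt-later: data must stay secret until {exposure_until}, "
                           f"at or past the assumed {crqc_horizon} CRQC horizon")
        return Finding(asset, 2, DEPRECATION_YEAR,
                       f"{alg} deprecated in {DEPRECATION_YEAR}, disallowed from {DISALLOWED_YEAR}")
    if alg == "AES" and item["bits"] < 256:
        return Finding(asset, 3, DEPRECATION_YEAR,
                       "symmetric key under 256 bits: Grover halves the margin, plan a key-size upgrade")
    if alg in STILL_FINE:
        return Finding(asset, 4, None, "no quantum-driven migration needed")
    # An entry nobody can classify is itself a finding: the inventory has a gap.
    return Finding(asset, 2, None, f"unrecognised algorithm {alg!r}: inventory gap, needs manual review")


def prioritize(inventory: List[dict], **kwargs) -> List[Finding]:
    """Order findings by priority, then nearest deadline, then name (stable, reviewable)."""
    findings = [classify(item, **kwargs) for item in inventory]
    return sorted(findings, key=lambda f: (f.priority, f.deadline if f.deadline is not None else 9999, f.asset))


if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"P{f.priority} {f.asset:<18} due {f.deadline or '-'}: {f.reason}")
```

The ranking encodes the article's risk logic rather than a generic "RSA is bad" rule: an RSA key exchange protecting data that must stay secret past the assumed horizon outranks an ECDSA signing key that only has to beat the 2030 deprecation, and lowering `crqc_horizon` or raising `data_lifetime_years` moves assets between those buckets. The risk appetite mentioned above is exactly the choice of `crqc_horizon` and the lifetime figures.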
As an organization begins or continues its crypto-agility adoption journey, it can compare its progress against a maturity model. This helps organizations understand where they are and what they must do to mature.
Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.