Table of contents
Key Takeaways
- Post-quantum cryptography (PQC) is the practice of adopting encryption algorithms that can withstand attacks from quantum computers, which are expected to break the RSA and ECC algorithms that secure most of today’s internet traffic.
- The migration window is already here: adversaries are harvesting encrypted data today to decrypt once quantum computing matures, a threat known as “Harvest Now, Decrypt Later” (HNDL).
- Most cloud environments have significant cryptographic blind spots, with quantum-vulnerable algorithms buried across workloads, services, and third-party dependencies in ways that are genuinely hard to track.
- Orca gives you visibility into where vulnerable algorithms live across your cloud environment and maps that exposure to a new PQC compliance framework to help you prioritize remediation.
Why Is Post-Quantum Cryptography Necessary?
For most of the internet’s history, two cryptographic algorithms have done the heavy lifting: RSA and ECC. They secure TLS connections, authenticate digital signatures, and protect data in transit. And for decades, they’ve worked remarkably well.
The problem is quantum computing is on the horizon. A sufficiently capable quantum machine could break both RSA and ECC in a fraction of the time it would take today’s computers, undermining the mathematical foundations that modern encryption depends on. That possibility has triggered a global effort to develop and adopt what is termed Post-Quantum Cryptography (PQC), a new generation of algorithms designed to be secure even against quantum attacks.
In August 2024, NIST finalized its first three PQC standards. The US government has set a 2030 deadline for federal agencies to complete migration. The path forward is now defined. What’s less defined, for most organizations, is where to start.
The most urgent pressure isn’t Q-Day, the moment when a quantum computer becomes capable of breaking today’s encryption, itself. It’s an attack pattern called “Harvest Now, Decrypt Later”, or HNDL. Adversaries are collecting encrypted data today, banking on their ability to decrypt it once a capable quantum computer exists. That makes PQC readiness a present-tense problem, not a future one.
For cloud security teams, the challenge is visibility. Algorithms like RSA and ECC are embedded across modern environments in ways that are genuinely hard to track: nested in third-party libraries, managed by cloud services, negotiated at runtime. Most organizations don’t have a clear picture of where quantum-vulnerable cryptography lives, let alone a plan to migrate it.
Why Is Cryptographic Debt a Cloud Security Problem?
Most organizations think of cryptography as a set-it-and-forget-it layer. You configure TLS, rotate certificates when reminded, and move on. The problem is that approach has compounded into decades of cryptographic debt: deprecated algorithms, weak key lengths, and insecure configurations scattered across environments that are often not fully mapped.
In a cloud environment, this debt is especially hard to surface. Cryptographic assets live in a lot of places simultaneously:
- Cloud-managed services like KMS, load balancers, and API gateways
- TLS and SSH configurations on public endpoints
- Certificates and keys with varying algorithms and key lengths
- Open-source libraries and third-party components buried inside container images
- Runtime behaviors that static scanners simply miss
Without a comprehensive picture of where vulnerable cryptography exists, building any kind of migration plan is guesswork. And the window for that planning is already here.
What Orca Now Provides
Orca has built a new Post-Quantum Cryptography compliance framework that gives security teams the visibility they need to understand where quantum-vulnerable algorithms, specifically RSA and ECC, are in use across their cloud environments.
This is grounded in the same approach that’s made Orca effective for cloud security broadly: agentless, deep-scanning visibility across your entire cloud estate, organized into actionable findings that help you understand and prioritize risk.
A Cryptographic Asset Inventory for Your Cloud
You can’t migrate what you can’t see. Orca now surfaces cryptographic exposure across your cloud environment, mapping algorithm usage to the assets that rely on it. Rather than a one-time audit, this is continuous visibility that updates as your environment changes.
The framework uses Orca’s detailed alerts and data models to identify where quantum-vulnerable cryptography is in use, giving teams a clear starting point for migration planning.
Mapped to a PQC Compliance Framework
Orca’s new PQC compliance framework organizes findings into a structured, priority-ordered view so teams know where to focus first. It aligns to NIST’s finalized PQC standards, helping organizations build a migration roadmap grounded in what regulators and standards bodies are actually requiring.
Instead of a raw list of cryptographic findings, you get findings organized by urgency: what’s vulnerable to classical attacks today, what’s at risk from HNDL, and what requires longer-term migration planning. Each finding is tied directly to the affected asset, so there’s no ambiguity about what needs to change and where.
The PQC framework sits alongside Orca’s library of 200+ pre-built and customizable compliance frameworks, all of which benefit from the same continuous visibility into your compliance posture. As your environment changes, your compliance status updates with it. And when you need to report, one-click reporting gives you a shareable snapshot without the manual work.
Getting Started
NIST finalized its first three PQC standards in August 2024. Regulatory timelines are set. For most cloud security teams, the work ahead isn’t understanding why PQC matters — it’s figuring out where to start.
That’s the gap Orca’s new PQC compliance framework is built to close. If you’re an existing customer, it’s available in the platform now. Start with the framework, see where your exposure is, and build your migration plan from there.
If you’re not yet a customer, request a demo to see what your cryptographic footprint actually looks like across your cloud environment.
