Post-quantum identity security: Moving from risk to readiness

December 30, 2025 Peleg Yiftachel


Quantum computing sounds like something straight out of science fiction. It brings to mind images of impossibly powerful machines solving humanity’s biggest problems, from discovering new medicines to modeling climate change. That part is true. But there’s another side to this story, one that security leaders need to start raising in their boardrooms: the same power that could revolutionize industries also poses a fundamental threat to the cryptography that has protected the digital world for decades.

The cryptographic algorithms securing everything from bank transactions to your company’s most sensitive data are on a collision course with quantum computing. This is not a far-off problem for the next generation of leaders—it’s an identity security risk organizations face today.

Adversaries are already operating on the principle of Harvest Now, Decrypt Later (HNDL). They are siphoning off and storing encrypted data today, waiting for the moment a quantum computer is powerful enough to break it open. The data you think is safe today might just become compromised tomorrow.

Why post-quantum risk puts identity security in the spotlight

When we talk about post-quantum risk, the conversation often focuses on breaking encryption. But the threat goes deeper, striking at the very heart of digital trust: identity.

Digital signatures: The cornerstone of trust

Digital signatures are the cornerstone of trust online. They establish the integrity and authenticity of the X.509 certificates used in authentication, code signing, device identity, and secure communications.

Once a powerful enough quantum computer arrives, it could forge these signatures. In that scenario, an attacker could create counterfeit certificates, impersonate trusted services, and dismantle the entire chain of trust that secures human and machine identities.

Static secrets: The hidden vulnerability

But digital signatures aren’t the only identity asset at risk. Static secrets such as passwords, API keys, and other persistent credentials still play a critical role in identity security and are particularly vulnerable to quantum-enabled attacks.

If attackers harvest these encrypted secrets today, and your organization does not regularly rotate or change them, then those credentials may become exposed once quantum capabilities can break current encryption.

The real danger lies with secrets that are difficult or impractical to rotate because of application dependencies, operational disruption, downtime, resource constraints, or overall architectural complexity. In these cases, an attacker could eventually decrypt and use those secrets, putting your systems and data at risk in the post-quantum era.

Taken together, these risks highlight a fundamental challenge for digital trust. This goes beyond a technical vulnerability; it threatens the way we verify and control access online. Protecting sensitive data is essential, but if you can’t trust or properly secure the identities—whether users, devices, or applications—that access it, then even the best encryption strategies will fall short. This makes identity security a critical line of defense in the post-quantum era.


The good news: Post-quantum cryptography (PQC)

Despite the risks of broken encryption and forged digital signatures, here’s some good news: we don’t need a quantum computer to fight a quantum threat. A new class of quantum-resistant cryptographic algorithms—known as post-quantum cryptography (PQC)—is already available. These algorithms run on the conventional computers we use today and are designed to withstand attacks by quantum computers.

Given the substantial risk that quantum computers pose to current cryptography, transitioning to PQC is a business imperative. Proactive measures are necessary to maintain regulatory compliance, preserve customer trust, and enable continued secure operations in a post-quantum world. But this migration is far from a simple “find and replace.” It requires a strategic approach built on crypto-agility.

The shared responsibility for post-quantum identity security

Achieving post-quantum identity security readiness isn’t a solo mission. It requires a shared responsibility between identity security vendors and their customers.

  • Identity security vendors, as a prerequisite, need to secure their own solutions against PQ threats. These solutions should clearly identify the post‑quantum risks associated with the customer organization’s identities and give the customer the means to achieve PQ readiness across its identity landscape.
  • Organizations, on the other hand, must take proactive steps to achieve readiness within their own environments. You can’t simply wait for a vendor patch to solve the entire problem.

Vendor responsibility

Like other vendors of complex software systems, identity security vendors should ensure their solutions are protected against PQ threats. This includes:

  • Analysis-based readiness: Conduct comprehensive cryptographic analysis across the whole solution portfolio to identify where cryptography is used, assess post-quantum risks, estimate migration effort, and examine external dependencies.
  • Crypto-agility infrastructure: Build a cryptographic infrastructure that supports rapid algorithm replacement and hybrid cryptographic models, enabling smooth transitions in line with evolving cryptographic changes.
  • Risk-based prioritization: Apply risk-based planning to focus first on the services and components most exposed to HNDL attacks, particularly communication channels that are easily recorded and systems that handle long-term confidential information, above all cloud-connected identity services.

Beyond hardening their own solutions against PQ threats, identity security vendors must ensure their solutions enable customers to achieve quantum readiness across their organizational identities:

  • Quantum-ready certificate management: Provide quantum-ready certificate management solutions that automate the discovery, inventory, and transition of certificates to post-quantum algorithms across diverse environments. Enable automated certificate renewal and provisioning, and provide crypto-agile certificate lifecycles to test, transition, and manage post-quantum algorithms without operational disruption.
  • Quantum-ready management of static secrets: The primary challenge lies in static secrets that are difficult to rotate. Address the management of static secrets by supporting modern secure standing privilege solutions with discovery services and rigorous credential rotation. For stronger PQ resilience, enable strategies for ephemeral access, such as just-in-time (JIT) and zero standing privileges (ZSP), to minimize persistent secrets.

Customer responsibility

Organizations themselves must take proactive steps to ensure their environments are quantum-ready. These include:

  • Partnering with identity solution providers who are dedicated to post-quantum security.
  • Building a management‑facing business case for PQ readiness to secure the required organizational resources for new processes, tools, and automation.
  • Becoming crypto-agile by discovering and inventorying certificates, keys, and PKI services, and adopting automated certificate management practices. Identify static secrets that cannot be easily changed and implement measures to support their rotation.
  • Adopting ephemeral access solutions such as JIT and ZSP to reduce dependence on static secrets.
  • Ensuring continuous rotation of static secrets used by users and workloads to minimize long-term exposure.
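The certificate discovery and inventory step called for in both the vendor and customer lists above needs a concrete way to tell which certificates still rely on quantum-vulnerable signatures. The following is an added example, not code from the article or from CyberArk: a standard-library-only Python check that reads a DER-encoded X.509 certificate, extracts its signatureAlgorithm OID, and flags RSA/ECDSA/EdDSA signatures for migration while recognizing ML-DSA as post-quantum. The two sample certificates are constructed (stub tbsCertificate, placeholder signature) so the block runs offline; in practice the input would be real DER files from your PKI inventory.

```python
# Signature-algorithm OIDs -> (name, broken by a cryptographically relevant quantum computer?)
SIG_OIDS = {
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.3.101.112": ("Ed25519", True),
    "2.16.840.1.101.3.4.3.17": ("ML-DSA-44", False),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", False),
}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID from Certificate.signatureAlgorithm: skip tbsCertificate, then SEQUENCE { OID, params }."""
    tag, start, _ = _tlv(der, 0)
    _, _, tbs_end = _tlv(der, start)
    tag2, alg_start, _ = _tlv(der, tbs_end)
    tag3, oid_start, oid_end = _tlv(der, alg_start)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER-encoded X.509 Certificate")
    return _decode_oid(der[oid_start:oid_end])

def inventory(certs):
    """certs: {label: der_bytes} -> [(label, algorithm, quantum_vulnerable)]."""
    rows = []
    for label, der in certs.items():
        oid = signature_algorithm(der)
        name, vulnerable = SIG_OIDS.get(oid, (oid, True))   # unknown OID: treat as at-risk until reviewed
        rows.append((label, name, vulnerable))
    return rows

# Constructed, certificate-shaped DER samples (stub tbsCertificate, placeholder BIT STRING signature):
SAMPLE_CERTS = {
    "legacy-rsa": bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff"),
    "pqc-ml-dsa": bytes.fromhex("3016" "3003020101" "300b0609608648016503040312" "030200ff"),
}
```

Calling `inventory(SAMPLE_CERTS)` returns one row per certificate with its algorithm name and a vulnerability flag, which is the raw material for the risk-based prioritization described earlier.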

These steps aren’t just “nice-to-haves”—they should be standard for any organization looking to stay ahead. Anchoring the organization’s working plan around crypto-agility, automation, and ephemeral access creates a flexible, threat-adaptive PQ identity security posture.

Preparing your organization for post-quantum identity threats

Quantum computing will ultimately redefine the boundaries of digital trust. This formidable challenge cannot be solved by waiting for the threat to emerge; instead, it requires recognizing that the first phase of quantum risk is already underway. Organizations must act now by strengthening identity resilience—prioritizing proactive identity protection, building agile cryptographic readiness, and safeguarding digital trust for the long term as we enter the post-quantum era.

Peleg Yiftachel is a product security and vulnerability management lead at CyberArk.

Ready to take the next step in post-quantum readiness? For a deeper understanding of how CyberArk is preparing its own identity security solutions for the quantum era—and how your organization can take practical, confident steps toward post-quantum readiness—read our full white paper: From Risk to Readiness: Identity Security in the Post-Quantum Era.
