Table of contents
Key Takeaways
- Post-quantum cryptography (PQC) is the practice of adopting encryption algorithms that can withstand attacks from quantum computers, which are expected to break the RSA and ECC algorithms that secure most of today’s internet traffic.
- The migration window is already here: adversaries are harvesting encrypted data today to decrypt once quantum computing matures, a threat known as “Harvest Now, Decrypt Later” (HNDL).
- Most cloud environments have significant cryptographic blind spots, with quantum-vulnerable algorithms buried across workloads, services, and third-party dependencies in ways that are genuinely hard to track.
- Orca gives you visibility into where vulnerable algorithms live across your cloud environment and maps that exposure to a new PQC compliance framework to help you prioritize remediation.
Why Is Post-Quantum Cryptography Necessary?
For most of the internet’s history, two cryptographic algorithms have done the heavy lifting: RSA and ECC. They secure TLS connections, authenticate digital signatures, and protect data in transit. And for decades, they’ve worked remarkably well.
The problem is quantum computing is on the horizon. A sufficiently capable quantum machine could break both RSA and ECC in a fraction of the time it would take today’s computers, undermining the mathematical foundations that modern encryption depends on. That possibility has triggered a global effort to develop and adopt what is termed Post-Quantum Cryptography (PQC), a new generation of algorithms designed to be secure even against quantum attacks.
In August 2024, NIST finalized its first three PQC standards. The US government has set a 2030 deadline for federal agencies to complete migration. The path forward is now defined. What’s less defined, for most organizations, is where to start.
The most urgent pressure isn’t Q-Day, the moment when a quantum computer becomes capable of breaking today’s encryption, itself. It’s an attack pattern called “Harvest Now, Decrypt Later”, or HNDL. Adversaries are collecting encrypted data today, banking on their ability to decrypt it once a capable quantum computer exists. That makes PQC readiness a present-tense problem, not a future one.
For cloud security teams, the challenge is visibility. Algorithms like RSA and ECC are embedded across modern environments in ways that are genuinely hard to track: nested in third-party libraries, managed by cloud services, negotiated at runtime. Most organizations don’t have a clear picture of where quantum-vulnerable cryptography lives, let alone a plan to migrate it.
Why Is Cryptographic Debt a Cloud Security Problem?
Most organizations think of cryptography as a set-it-and-forget-it layer. You configure TLS, rotate certificates when reminded, and move on. The problem is that approach has compounded into decades of cryptographic debt: deprecated algorithms, weak key lengths, and insecure configurations scattered across environments that are often not fully mapped.
In a cloud environment, this debt is especially hard to surface. Cryptographic assets live in a lot of places simultaneously:
- Cloud-managed services like KMS, load balancers, and API gateways
- TLS and SSH configurations on public endpoints
- Certificates and keys with varying algorithms and key lengths
- Open-source libraries and third-party components buried inside container images
- Runtime behaviors that static scanners simply miss
Without a comprehensive picture of where vulnerable cryptography exists, building any kind of migration plan is guesswork. And the window for that planning is already here.
What Orca Now Provides
Orca has built a new Post-Quantum Cryptography compliance framework that gives security teams the visibility they need to understand where quantum-vulnerable algorithms, specifically RSA and ECC, are in use across their cloud environments.
This is grounded in the same approach that’s made Orca effective for cloud security broadly: agentless, deep-scanning visibility across your entire cloud estate, organized into actionable findings that help you understand and prioritize risk.
A Cryptographic Asset Inventory for Your Cloud
You can’t migrate what you can’t see. Orca now surfaces cryptographic exposure across your cloud environment, mapping algorithm usage to the assets that rely on it. Rather than a one-time audit, this is continuous visibility that updates as your environment changes.
The framework uses Orca’s detailed alerts and data models to identify where quantum-vulnerable cryptography is in use, giving teams a clear starting point for migration planning.
Mapped to a PQC Compliance Framework
Orca’s new PQC compliance framework organizes findings into a structured, priority-ordered view so teams know where to focus first. It aligns to NIST’s finalized PQC standards, helping organizations build a migration roadmap grounded in what regulators and standards bodies are actually requiring.
Instead of a raw list of cryptographic findings, you get findings organized by urgency: what’s vulnerable to classical attacks today, what’s at risk from HNDL, and what requires longer-term migration planning. Each finding is tied directly to the affected asset, so there’s no ambiguity about what needs to change and where.
The PQC framework sits alongside Orca’s library of 200+ pre-built and customizable compliance frameworks, all of which benefit from the same continuous visibility into your compliance posture. As your environment changes, your compliance status updates with it. And when you need to report, one-click reporting gives you a shareable snapshot without the manual work.
Getting Started
NIST finalized its first three PQC standards in August 2024. Regulatory timelines are set. For most cloud security teams, the work ahead isn’t understanding why PQC matters — it’s figuring out where to start.
That’s the gap Orca’s new PQC compliance framework is built to close. If you’re an existing customer, it’s available in the platform now. Start with the framework, see where your exposure is, and build your migration plan from there.
If you’re not yet a customer, request a demo to see what your cryptographic footprint actually looks like across your cloud environment.
Facts Only
* Post-quantum cryptography (PQC) involves adopting encryption algorithms resistant to quantum computer attacks.
* RSA and ECC are the current algorithms securing most internet traffic.
* Adversaries are performing "Harvest Now, Decrypt Later" (HNDL), collecting encrypted data for future decryption.
* NIST finalized its first three PQC standards in August 2024.
* The US government set a 2030 deadline for federal agencies to complete migration.
* Quantum computing could break RSA and ECC quickly, undermining current encryption foundations.
* Cryptographic debt involves deprecated algorithms and insecure configurations scattered across environments.
* In cloud environments, cryptographic assets exist in cloud services (KMS, load balancers), TLS/SSH configurations, certificates, and open-source libraries.
* Orca provides a compliance framework to show where RSA and ECC are used across cloud environments.
* The framework organizes findings by urgency: classical attack risk, HNDL risk, and long-term migration needs.
Executive Summary
Post-quantum cryptography (PQC) involves adopting encryption algorithms resistant to quantum attacks, which are expected to break current RSA and ECC methods. The "Harvest Now, Decrypt Later" (HNDL) threat means adversaries are collecting encrypted data now for future decryption once quantum computing matures. Most cloud environments contain quantum-vulnerable algorithms embedded across various services and dependencies, creating cryptographic blind spots. Cryptographic debt, stemming from deprecated algorithms and insecure configurations across cloud assets, is compounded in cloud environments where sensitive keys and certificates are scattered across managed services, public endpoints, and third-party libraries.
The necessity for PQC arises because quantum machines could rapidly break existing cryptographic foundations. While the migration deadline of 2030 is set by the US government for federal agencies, the immediate pressure is the HNDL threat. The challenge for security teams is visibility into where these vulnerable algorithms reside within complex cloud architectures, making migration planning difficult without a comprehensive inventory.
Orca addresses this by providing a compliance framework that surfaces quantum-vulnerable algorithms, specifically RSA and ECC, across cloud environments. This visibility maps algorithm usage to assets, offering a continuous view that aligns with NIST PQC standards. The framework prioritizes findings based on risk urgency—classifying vulnerabilities according to their exposure to classical attacks today versus the HNDL threat—to guide remediation planning.
Full Take
The narrative establishes a critical divergence between the historical practice of assuming cryptography is a static layer and the reality of cumulative cryptographic debt exacerbated in dynamic cloud environments. The core tension lies between the abstract future threat of quantum computing (Q-Day) and the present, active threat vector of HNDL. The structure effectively frames PQC readiness not as a distant engineering problem, but as an immediate visibility challenge for existing security teams burdened by historical accumulation.
The pattern observed is the strategic framing of complex technological transition—PQC migration—as a failure of visibility, rather than solely a mathematical hurdle. This shifts the focus from *if* migration is needed to *where* it must begin. The juxtaposition of abstract mathematical risk with concrete operational reality (cloud asset mapping and compliance frameworks) serves to lower the barrier to action by providing an actionable diagnostic tool.
The underlying implication suggests that organizational inertia, built on treating security as a set-it-and-forget-it configuration, is a major impedance to necessary large-scale transitions. The existence of Orca’s solution highlights that the critical gap is not algorithmic knowledge but the operational mapping and prioritization of inherited risk within complex infrastructure. Further inquiry should focus on whether this visibility framework adequately addresses the governance structures required for managing multi-decade cryptographic debt across disparate ownership models inherent in cloud services.
