Kyndryl Aims New Quantum Safe Assessment At Future Security Risks

“The main issue now is ‘harvest now, decrypt later.’ This is the big challenge that we are addressing today, and this has to do with actors recognizing that at some point legacy encryption algorithms are going to be vulnerable, and so therefore they are siphoning off encrypted data now so that they can decrypt it later,” says Kris Lovejoy, Kyndryl’s global security and resiliency leader.

Global enterprise technology services provider Kyndryl Thursday unveiled a new assessment service aimed at assuring enterprises that their IT infrastructures are prepared for the security issues they will likely see as quantum computing starts to impact the industry.

The Kyndryl Quantum Safe Assessment service from Kyndryl, ranked No. 11 in CRN’s 2025 Solution Provider 500, is aimed at identifying and analyzing cryptographic risk exposure before quantum computing becomes a security risk, said Kris Lovejoy, global security and resiliency leader for the New York-based solution provider.

While quantum computing may still be a few years off, the risks are already here, Lovejoy told CRN.

“The main issue now is ‘harvest now, decrypt later,’” she said. “This is the big challenge that we are addressing today, and this has to do with actors recognizing that at some point legacy encryption algorithms are going to be vulnerable, and so therefore they are siphoning off encrypted data now so that they can decrypt it later.”

The vulnerability of existing data to future advances in quantum computing depends on which of three types of encryption is used, Lovejoy said.

The first type is symmetric encryption, which is usually referred to as AES256, and is generally a safe or quantum-resistant algorithm, she said.

The other two categories are more worrying, Lovejoy said.

One of those, asymmetric RSA encryption, is typically used for things like web traffic and digital signatures and is an urgent threat, she said.

“There is a belief that this form of encryption will be broken by quantum computing within the next 10 years,” she said.

The last category, legacy symmetric encryption, which includes the Data Encryption Standard (DES) and 3DES, is already possibly broken by traditional computers, so with enough compute power one can break this encryption, Lovejoy said.

“Unfortunately, what this quantum threat is kind of bringing to bear is that a lot of organizations still have a good amount of technical debt that they need to clean up,” she said. “And I think this particular discussion is creating some urgency in and around that technical debt area.”

Unfortunately, the latter two forms of encryption are still widely used, Lovejoy said.

“And this is why we’re ringing the bell,” she said. “Unfortunately, we do have quite a bit, particularly in critical infrastructure, of this kind of technology being used. So keep in mind that legacy symmetric encryption is often apparent in older mainframes. And you’ll find symmetric RSA encryption, the urgent threat for web traffic and digital signatures, often in non-financial services critical infrastructure, whether that be telco or other kinds of utilities infrastructure, anything that’s highly dependent on network, and where businesses may not be upgrading their technology very frequently.”

The situation exists across the entire IT industry, Lovejoy said.

“As a strategic outsourcer, we manage a lot of this infrastructure on behalf of our clients,” she said. “And so, fortunately or unfortunately, we have the clients’ inventory, and we see in our inventory that there’s a lot of legacy equipment. Now I’m not suggesting that the world’s burning down by any stretch of imagination. Part of the challenge is that many organizations may have these devices up and running, but they may not be doing anything significant, or perhaps they’re about to be decommissioned, etc. We’re saying, just do a crypto census, figure out what you’ve got running. This is really the non-negotiable first step because we don’t want to wait until the last minute and then find out that you’ve got a problem.”

Lovejoy said Kyndryl suggests businesses start that crypto census right away.

“We suggest that businesses set up a task force to start doing a crypto census and identify and inventory any public key cryptography so that you know what you have,” she said. “And if you must fix it, you could put the plan together. You’ve got a lot of time to plan your budget, but the worst thing that can happen is you wait till the last minute.”

With the introduction of Kyndryl’s Quantum Safe Assessment service, the company has a program in place to work with clients, Lovejoy said.

“There’s been a lot of vendors, quite honestly, that have been out there touting these quantum-resistant encryption solutions,” she said. “What we're suggesting is that organizations, from just a governance and management perspective, identify what it is that they need to fix before they spend a lot of money fixing it. We have an assessment service to help customers discover and create a crypto bill of materials, if you will, and then help them determine what the right path is. Unfortunately, in some cases, you can’t just swap a certificate. In some cases, you actually have to rewrite the application to allow for the extension of the algorithms. So in some cases, particularly with legacy applications running in a legacy environment, it could be a very painful process, and it can take many years to actually create the plan and get these applications rewritten. That’s why we're trying to get our customers out ahead of this.”

The first step, as mentioned, is to do a crypto inventory, followed by running tools to inventory all the public key cryptography, Lovejoy said. Next, she said, Kyndryl will assess the kinds of systems on which that cryptography is running, work with the business lines to understand what business services and data that cryptography is supporting, and then help create a strategic plan for either upgrading or decommissioning those applications.

While mainframes have traditionally been thought of as safe environments from a security point of view, that may not be the case, Lovejoy said.

“If you’re talking about a mainframe that is no longer being supported by the vendor, you may have a problem,” she said. “Unfortunately, that is the case more often than you would imagine.”

At the end of the day, this is a legacy debt issue, Lovejoy said.

“Keep in mind that this is also for those who may have unprotected datasets,” she said. “Going back to the ‘harvest now, decrypt later’ idea, it is important to carefully look at your protections today because it is quite possible that in 10 years you’re going to be disclosing an incident. You may want to consider that possibility as well. … Technology is evolving, and some of the legacy technology that we’ve got in place today is not resilient within the context of new attackers’ capabilities. We need to get ahead of this one. The scope here is pretty big. It’s not just because of the numbers, it's because there's a lot we just don’t know.”