Post-quantum cryptography (PQC) encryption is a method of securing data with algorithms that cannot be easily broken by quantum computers. It is meant to address the core weakness of current encryption standards: it builds encryption on mathematical problems that remain hard for quantum computers, which makes it much harder for them to break. As agencies prepare for a post-quantum world, many are looking at how zero trust – and its impact on their overall security posture – can play a role.
The reality is that zero trust and PQC go hand-in-glove. Here’s why: Our adversaries are amassing all sorts of secured data with a “harvest now, decrypt later” approach. Zero trust makes the “harvest” part harder, and PQC makes the “decrypt” part harder.
As agencies look at where, how and when to use PQC alongside their existing zero trust initiatives, there are a few important considerations to bear in mind.
Understand the Value of Your Data and How to Protect It
First, it is incredibly important that agencies understand which data and systems are of the highest priority to protect and where they can begin applying PQC to do it. Agencies can begin by asking: What data and applications are most critical to the organization, and what would the ramifications be if they were compromised? Given that, how will we prioritize their security?
From there, agencies can look at how those systems can be best protected and examine whether PQC can be applied. For the data, applications, and tools that warrant and are suitable for PQC encryption, adding it should be an immediate priority. NIST recently released new PQC algorithms that serve as a guide for agencies looking to begin their PQC journey.
Assess Where PQC Makes Sense and Where It Doesn’t
Not every application is ready for PQC encryption today. For starters, the additional layers of encryption can add latency, jitter or overhead – or a combination of all three – to an environment. Some applications were designed in the 1990s or earlier. Mainframe applications and other legacy systems exist today and will continue to exist. There’s an entire modernization effort that is needed to make PQC a possibility for some applications. It’s not a blunt force tool that you can just slap on.
That said, PQC isn’t just an additional tool in an agency’s cybersecurity arsenal – it’s the evolution of encryption that zero trust architectures depend on to remain resilient in a post-quantum era. By integrating PQC into existing zero trust frameworks, agencies can enhance their ability to protect data at rest and ensure that the encryption backbone evolves alongside other modernization efforts. For instance, zero trust already focuses on minimizing trust and controlling access. PQC strengthens this by fortifying the encrypted channels and datasets that zero trust relies on, making them more resistant to emerging quantum threats.
Make a Plan Until You Can Modernize What Needs Modernizing
In a “harvest now, decrypt later” threat environment, PQC acts as a metaphorical fireproof safe – even if a bad actor can get to the safe, they can’t get to the data inside of it. But what about all the data and applications that aren’t PQC-protected? This is where the intertwined relationship between PQC and zero trust becomes critical: Zero trust provides the framework to limit access, while PQC enhances the encryption backbone that ensures data remains protected even if intercepted.
For example, agencies protecting classified data in transit – whether it’s shared between secure networks or used by remote systems – can use PQC to ensure the data remains secure, even if intercepted by an adversary employing quantum capabilities. Similarly, PQC supports critical infrastructure resilience by protecting sensitive operational data used in systems like energy grids or transportation networks, bolstering their security under a zero trust framework.
With zero trust on the harvest side of the equation, there are things agencies can do on the encryption side that aren’t PQC. As one example, there’s attribute-based encryption, which is similar to attribute-based access controls (ABAC). By tying the encryption of objects to attributes, an administrator can, effectively, destroy all the “keys” to the fireproof safe and make it much harder to access later. Think of this approach as encryption plus digital rights management plus an ABAC solution, all wrapped into one. This is a lot like bricking a mobile device that’s stolen or compromised.
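The “destroy the keys to the safe” idea above, as an added example that is not from the original article: objects are encrypted under a key derived from the keys of every attribute they carry, so revoking one attribute key makes all objects tagged with it unrecoverable, including copies already harvested. It is a deliberate simplification (AES-GCM under a SHA-256-derived key, single in-memory key store) rather than a real attribute-based encryption scheme, and the attribute names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"sort"
)

// Constructed, simplified attribute-bound encryption: each attribute owns a random key, and an
// object's AES-256-GCM key is derived from the keys of all of its attributes (fails closed if any is gone).
type AttributeKeyStore struct{ keys map[string][]byte }
func NewAttributeKeyStore() *AttributeKeyStore { return &AttributeKeyStore{keys: map[string][]byte{}} }
// AddAttribute provisions a fresh random 32-byte key for an attribute.
func (s *AttributeKeyStore) AddAttribute(attr string) (err error) {
	s.keys[attr] = make([]byte, 32)
	_, err = rand.Read(s.keys[attr])
	return err
}
// Revoke destroys an attribute key, "bricking" every object tagged with that attribute.
func (s *AttributeKeyStore) Revoke(attr string) { delete(s.keys, attr) }
// aeadFor derives the object key from the attribute keys; it fails closed if any is missing.
func (s *AttributeKeyStore) aeadFor(attrs []string) (cipher.AEAD, error) {
	sorted := append([]string(nil), attrs...)
	sort.Strings(sorted) // derivation must not depend on the order attributes are listed in
	h := sha256.New()
	for _, a := range sorted {
		if _, ok := s.keys[a]; !ok { return nil, errors.New("attribute key missing or destroyed: " + a) }
		h.Write(s.keys[a]) // every key is a fixed 32 bytes, so the concatenation is unambiguous
	}
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Encrypt returns nonce || AES-GCM ciphertext for an object tagged with attrs.
func (s *AttributeKeyStore) Encrypt(attrs []string, plaintext []byte) ([]byte, error) {
	aead, err := s.aeadFor(attrs)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Decrypt fails closed once any of the object's attribute keys has been destroyed.
func (s *AttributeKeyStore) Decrypt(attrs []string, sealed []byte) ([]byte, error) {
	aead, err := s.aeadFor(attrs)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(sealed) >= n { return aead.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, errors.New("ciphertext too short")
}
```

In a deployment the attribute keys would live in an HSM or key management service, and Revoke would be the audited key-destruction operation there.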
Most organizations can leverage their zero trust progress on their PQC journey – the assessments, the prioritizations, and the modernizations underway can accelerate the PQC roadmap dramatically. By combining these two strategies, agencies can address both current and emerging threats with a more resilient security posture.