You Can’t Migrate What You Can’t See
Last week I told you to send the HNDL (harvest now, decrypt later) post to your Tier 1 clients and ask one question: “Have you thought about this?”
When the answer comes back as ‘Yes’ or ‘Should we?’, where do you start?
You cannot migrate what you cannot see. Most organizations have no idea how many places they are using RSA or ECC. They know they have VPNs. They know they have email. They do not know the SFTP job that runs at 2 a.m., the code signing certificate on the internal app, or the API integration that a contractor set up four years ago and nobody has touched since.
Every one of those is an exposure. Every one needs to move before Q-Day.
A cryptographic inventory breaks into four surfaces. Do them in this order.
Layer 1 – Perimeter and transit. Fastest to assess. Pull firewall VPN configs, remote access gateways, and TLS certificates. Run testssl.sh or SSL Labs against every customer facing endpoint. Note cipher suites and key sizes.
Layer 2 – Identity and authentication. Code signing certificates, document signing, email S/MIME, internal PKI. Record issuers, key sizes, and expiry dates. Anything expiring after 2027 is a migration candidate.
Layer 3 – Data at rest. Encrypted backups, database encryption, file shares. Look for key wrapping under RSA-2048. This layer is where long-retention data lives: exactly the data adversaries are harvesting today.
Layer 4 – Applications and APIs. Hardest. Requires conversations with software vendors about key exchange and signature algorithms. Most of your exposure here will be gated on vendor roadmaps you do not control.
The deliverable is simple: one page showing red/yellow/green per layer plus a top five exposures list. That is the document you hand the client on Friday.
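As an added example (not part of the original post), here is a small Python script that turns a four-layer inventory into the red/yellow/green heat map and top-five exposure list described above. The inventory records, the algorithm lists and the scoring thresholds (RSA/ECC is red when the key outlives 2027 or protects data retained five years or more) are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# RSA/ECC families the post flags as exposed vs the NIST PQC standards (assumed membership).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "ECDHE", "DH", "DSA"}
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:
    layer: int          # 1 perimeter/transit, 2 identity, 3 data at rest, 4 apps/APIs
    name: str
    algorithm: str
    key_bits: int
    expiry_year: int
    retention_years: int = 0  # how long the protected data must stay secret

def score(a: Asset) -> int:
    """0 = green, 1 = yellow, 2 = red for one entry (assumed scoring rules)."""
    if a.algorithm in PQ_SAFE:
        return 0
    if a.algorithm not in QUANTUM_VULNERABLE:
        return 1  # unrecognised algorithm: a vendor question, not red yet
    # Classical RSA/ECC is red when it still matters at Q-Day: the key
    # outlives 2027, or it wraps data kept long enough to be harvested now.
    if a.expiry_year > 2027 or a.retention_years >= 5:
        return 2
    return 1

def heat_map(inventory, top_n=5):
    """Return ({layer: rag}, [top exposure names]): the one-page deliverable."""
    worst = defaultdict(int)
    for a in inventory:
        worst[a.layer] = max(worst[a.layer], score(a))
    rag = ("green", "yellow", "red")
    layers = {n: rag[worst[n]] if n in worst else "not assessed" for n in (1, 2, 3, 4)}
    ranked = sorted(inventory, reverse=True,  # stable sort, ties keep input order
                    key=lambda a: (score(a), a.retention_years, a.expiry_year))
    return layers, [a.name for a in ranked[:top_n]]

def sample_inventory():
    # Constructed records mirroring the post's examples; not real client data.
    return [
        Asset(1, "VPN gateway TLS", "ECDHE", 256, 2026),
        Asset(1, "2 a.m. SFTP job host key", "RSA", 2048, 2030),
        Asset(2, "Internal app code signing cert", "RSA", 3072, 2027),
        Asset(2, "Email S/MIME", "RSA", 2048, 2026),
        Asset(3, "Backup key wrapping", "RSA", 2048, 2028, retention_years=7),
        Asset(4, "Contractor API integration", "RSA", 2048, 2028),
    ]

print(heat_map(sample_inventory()))  # layers: {1: 'red', 2: 'yellow', 3: 'red', 4: 'red'}
```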
A 90-minute version for a 50-seat client runs three to five hours of professional services. Position it as discovery that scopes the real migration work ahead. Most of these turn into multi-year engagements once the heat map comes back red, and should be billed accordingly.
This Is Not the Full Assessment (or an Assessment at All)
This is triage, not an audit. It will not satisfy a regulator or a board risk committee. It is fast, repeatable, and billable. A full, defensible version develops from this initial discovery process. Coming soon: our PQRA certification program equips you to deliver and execute this.
Monday Morning Move
- Pick the Tier 1 client who responded to last week’s note.
- Offer the 90-minute inventory at your flat rate.
- Run it this week and deliver the one-pager Friday.
That’s not a sales pitch. That’s a Tuesday.
Stay sharp.
The Quantum Guy
The information in this post is provided for general informational purposes only and does not constitute professional, legal, technical, or security advice. Readers act on this content at their own discretion and risk; IoTSSA assumes no liability for any loss or damage arising from its use.