The first time I ran one of these for a real client, we expected to find RSA in the firewall VPN and maybe a few certificates. We found that, plus three legacy APIs still negotiating TLS 1.0, a backup agent signing manifests with SHA-1, and a document management system nobody had patched in years. None of it was malicious. All of it was invisible until someone looked.
The inventory isn’t a compliance checkbox. It’s the first time most clients see their own cryptographic surface area, and it will generate six months of billable work if you handle the conversation right.
Why it can’t wait. You cannot migrate what you cannot see. NIST standards are finalized. Vendors are shipping PQC-capable products. Federal agencies are under directive to complete inventories now. Your healthcare, legal, and government-contracting clients will face audit questions about this within 18 months. The MSPs who’ve already run the inventory will have a documented answer. The ones who haven’t will be learning the terminology while the auditor waits.
Four layers. Work through them in order.
Perimeter and transit is the fastest. Firewall VPN configs, remote access gateways, TLS certificates on public-facing services. You’re looking for RSA or ECDH key exchange without a hybrid PQC fallback.
Identity and authentication covers code signing certificates, PDF document signing, S/MIME, and workstation PKI. These are the signature algorithms ML-DSA and SLH-DSA are designed to replace. Anything expiring after 2027 is a migration candidate.
Data at rest is where the ‘harvest now, decrypt later’ threat lives. You’re not worried about AES. Symmetric encryption isn’t the problem. You’re looking at the key wrapping layer. An AES key wrapped under RSA-2048 for transport or escrow is exposed to that threat even if the vault itself isn’t.
Applications and APIs is the hardest layer and the one most MSPs skip. Custom line-of-business apps, EHR integrations, legal document APIs, anything calling an external service over a signed or encrypted channel. This requires a vendor conversation, not just a scan.
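As an added example (not from the original post), here is a small Python triage script that applies the four-layer rules above to a constructed inventory export: classical key exchange without a hybrid fallback, legacy TLS versions, classical signature certs expiring after 2027, SHA-1 signatures, and AES keys wrapped under RSA. The asset names, field names and the hybrid group label are assumptions.

```python
from datetime import date

# Constructed sample inventory records (not real client data).
# One record per cryptographic dependency found during the inventory.
SAMPLE_INVENTORY = [
    {"asset": "edge-fw-vpn", "layer": "perimeter", "kex": "ECDH", "hybrid_pqc": False, "protocol": "TLS 1.2"},
    {"asset": "legacy-claims-api", "layer": "perimeter", "kex": "RSA", "hybrid_pqc": False, "protocol": "TLS 1.0"},
    {"asset": "web-portal", "layer": "perimeter", "kex": "X25519MLKEM768", "hybrid_pqc": True, "protocol": "TLS 1.3"},
    {"asset": "codesign-cert", "layer": "identity", "sig": "RSA-SHA256", "expires": date(2029, 3, 1)},
    {"asset": "backup-agent-manifest", "layer": "identity", "sig": "RSA-SHA1", "expires": date(2026, 6, 30)},
    {"asset": "smime-user-cert", "layer": "identity", "sig": "ECDSA-SHA256", "expires": date(2026, 1, 15)},
    {"asset": "vault-dek", "layer": "data_at_rest", "cipher": "AES-256-GCM", "wrapped_by": "RSA-2048"},
    {"asset": "disk-dek", "layer": "data_at_rest", "cipher": "AES-256-XTS", "wrapped_by": "AES-256-KW"},
    {"asset": "ehr-integration", "layer": "applications", "channel": "vendor SDK, algorithm unknown"},
]

CLASSICAL_KEX = {"RSA", "DH", "ECDH", "ECDHE"}      # quantum-breakable key exchange
CLASSICAL_SIG = ("RSA", "ECDSA", "DSA")              # what ML-DSA / SLH-DSA replace
MIGRATION_HORIZON = date(2027, 12, 31)               # "anything expiring after 2027"

def triage(rec):
    """Return the reasons this record is a migration candidate (empty list if none)."""
    reasons, layer = [], rec["layer"]
    if layer == "perimeter":
        if rec["kex"] in CLASSICAL_KEX and not rec.get("hybrid_pqc"):
            reasons.append("classical key exchange without hybrid PQC fallback")
        if rec.get("protocol") in ("TLS 1.0", "TLS 1.1"):
            reasons.append(f"legacy protocol {rec['protocol']}")
    elif layer == "identity":
        if rec["sig"].startswith(CLASSICAL_SIG) and rec["expires"] > MIGRATION_HORIZON:
            reasons.append("classical signature certificate expiring after 2027")
        if rec["sig"].endswith("SHA1"):
            reasons.append("SHA-1 signature")
    elif layer == "data_at_rest":
        # AES itself is fine; the wrapping key is what a harvest-now attacker targets.
        if rec["wrapped_by"].startswith(("RSA", "ECDH", "DH")):
            reasons.append(f"AES key wrapped under {rec['wrapped_by']}")
    elif layer == "applications":
        reasons.append("vendor conversation required: algorithms not observable by scan")
    return reasons

def build_report(records):
    """Group migration candidates by layer, in the order the inventory works through them."""
    report = {"perimeter": [], "identity": [], "data_at_rest": [], "applications": []}
    for rec in records:
        reasons = triage(rec)
        if reasons:
            report[rec["layer"]].append((rec["asset"], reasons))
    return report

if __name__ == "__main__":
    for layer, items in build_report(SAMPLE_INVENTORY).items():
        print(layer)
        for asset, reasons in items:
            print(f"  {asset}: {'; '.join(reasons)}")
```

Feed it a real export (one dict per finding) and the output is the skeleton of the client conversation, layer by layer.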
Where to start. Pick one client. Run the perimeter layer this week. You will find something. That finding becomes the opening of a conversation that turns into paid work.
Next week we talk about the client deliverable. What a migration roadmap actually looks like and how to turn this into a recurring service line.
Stay sharp.
The Quantum Guy
The information in this post is provided for general informational purposes only and does not constitute professional, legal, technical, or security advice. Readers act on this content at their own discretion and risk; IoTSSA Inc. assumes no liability for any loss or damage arising from its use.