Why infrastructure-centric security models are failing to address the emerging quantum risk
Simon Pamplin – Certes CTO 03/06/2026
Executive Summary
Quantum computing is rapidly moving from theoretical risk to operational concern. For organisations that rely on digital trust, particularly financial institutions, the issue is no longer simply that cryptography will become obsolete at some point in the future. The real challenge is how organisations can reduce risk quickly without embarking on decade-long infrastructure and application replacement programmes. The quantum risk is not an application problem and it is not an infrastructure problem; it is a data problem. Nor is it a one-time event: quantum-safe algorithms will be released repeatedly between today and "Q Day", as shown by NIST's recent release of nine new candidate algorithms for certificate authentication. Crypto-agility, the speed with which an organisation can respond to such change, is therefore a key requirement.
Data is most at risk of compromise whilst in transit. Data extracted from compromised devices is regularly redirected to remote Internet storage, and compromised network devices redirect traffic to remote locations. The security industry has relied on perimeter and identity protection on the assumption that data inside that perimeter is safe. Unfortunately, we have seen traditional network perimeter security compromised through vulnerabilities in unpatched infrastructure, and identity compromised by a single phone call in simple phishing exercises. Even the data-at-rest protection built into many applications uses cryptography that will be rendered useless in the post-quantum era.
Certes takes a fundamentally different approach to post-quantum security readiness. Instead of tying security controls to networks, applications, or infrastructure platforms, Certes abstracts security away from the infrastructure and applies policy and encryption directly to the data itself. Wherever the data travels in transit, its security travels with it, keeping it safe and sovereign to the data owner and making it valueless to anyone who should not have access to it. This approach allows organisations to protect sensitive data today whilst creating the flexibility to adapt to future cryptographic standards without repeatedly rebuilding applications or replacing infrastructure stacks. The result is a practical path to crypto-agility that reduces operational risk, minimises disruption, and accelerates post-quantum readiness.
For banks, insurers and critical infrastructure operators, the challenge is not simply technical. It is existential. The foundations of modern digital trust are built on cryptography. If trust in encryption fails, trust in transactions, identity and digital communications fails with it. The organisations that succeed in the post-quantum era will not necessarily be those that modernise everything first. They will be the organisations that reduce risk fastest whilst maintaining agility as standards continue to evolve.
The Problem with Traditional PQC Strategies
Most organisations are currently approaching post-quantum cryptography (PQC) through a traditional infrastructure-led model. The common advice from vendors is to:
• Build a full cryptographic inventory across the estate
• Upgrade infrastructure platforms to PQC-safe standards
• Modify applications to support quantum-safe TLS and PKI frameworks
• Replace or modernise legacy systems over time
Whilst technically sound in principle, this approach creates major operational and commercial challenges. The applications carrying the highest levels of business and regulatory risk are often the hardest to modernise. Legacy systems typically run unsupported or deprecated TLS versions, have limited documentation, and frequently cannot support modern PQC frameworks. Infrastructure-led PQC transformation also creates a multi-year dependency chain in which security teams become reliant on infrastructure vendors, cloud providers and application owners modernising in the correct order before meaningful risk reduction can occur.
Whilst waiting for these vendors to release an updated version, the data owner is exposed to data being harvested today for decryption at a later date: the quantum threat is not some date in the future; it is a real and present business risk today. The challenge becomes even greater when organisations consider the pace of change. PQC is not a one-time migration event. Standards will continue evolving, algorithms will continue changing, and organisations risk entering a permanent cycle of technology refresh and remediation.
A Data-Centric Security Model
Certes approaches the problem differently. Instead of tying security to infrastructure or applications, Certes applies security directly to the data itself. Policy and encryption persist with the data wherever it moves across networks, clouds, applications and hybrid environments, protecting the entire data journey from application host to edge irrespective of infrastructure or application. This creates a true zero trust model because trust no longer depends on the underlying infrastructure. The infrastructure simply becomes transport.
The Certes platform operates transparently across existing environments by encrypting data at Layer 4 without requiring changes to applications, routing, switching, firewalls, load balancers or cloud architectures. This enables organisations to:
• Rapidly reduce PQC-related risk without waiting for full infrastructure transformation
• Protect legacy applications that cannot easily be modernised
• Maintain consistent data protection across hybrid and multi-cloud environments
• Decouple data security from infrastructure refresh cycles
• Simplify future transitions to new cryptographic standards
One of the biggest misconceptions in the market is the belief that organisations must remediate everything simultaneously. In reality, 80% of risk typically sits across 20% of the estate. Organisations already know where their most sensitive data resides and which applications carry the greatest operational and regulatory risk. This allows organisations to materially reduce risk quickly without waiting years for complete infrastructure transformation. Instead of spending 18 months producing an inventory report before taking action, organisations can begin protecting their most critical data flows immediately.
Building True Crypto-Agility
The Certes approach fundamentally changes how organisations think about cryptographic transformation. Instead of repeatedly rebuilding applications and infrastructure every time standards evolve, organisations can centralise cryptographic control within the Certes security layer. This creates genuine crypto-agility.
When standards change:
• Applications remain untouched
• Infrastructure remains unchanged
• Security policy remains centrally enforced
• Algorithms can be updated independently
Organisations update once and deploy everywhere. This dramatically reduces operational disruption, infrastructure dependency, vendor coordination complexity, and the cost of future cryptographic transitions. Most importantly, it provides organisations with a sustainable long-term operating model for quantum resilience.
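The pattern this section describes, a central policy that chooses the algorithm while the application keeps calling one stable protect/unprotect interface, can be sketched in a few lines. The Go program below is an added illustration written for this page; it is not Certes code and says nothing about how the Certes platform is implemented. Everything in it is an assumption for illustration: the record layout (one algorithm-id byte, a nonce, then the AEAD output), the suite identifiers AlgAES128GCM and AlgAES256GCM, and the sample context string. The two AES-GCM suites simply stand in for "current" and "successor" algorithms, because the point is the algorithm-tagged record and the single central switch, not which ciphers are plugged in; a real post-quantum transition would register quantum-safe suites in the same table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// AlgID is stamped on every protected record so that data written under an
// older policy can still be read after the active algorithm changes.
type AlgID byte

const (
	AlgAES128GCM AlgID = 1 // hypothetical "current" suite
	AlgAES256GCM AlgID = 2 // hypothetical "successor" suite rolled out by policy
)

// suites describes how to build an AEAD for each AlgID. Adding a new suite
// means adding a row here and a key in the policy; the application is untouched.
var suites = map[AlgID]struct {
	Name    string
	KeySize int
}{
	AlgAES128GCM: {"AES-128-GCM", 16},
	AlgAES256GCM: {"AES-256-GCM", 32},
}

// Policy is the single, centrally managed point of cryptographic control.
// Active selects the suite for new records; Keys holds material for every
// suite that may still need to be decrypted during a transition.
type Policy struct {
	Active AlgID
	Keys   map[AlgID][]byte
}

// NewPolicy generates random keys for every known suite (constructed sample
// key material; a real deployment would source keys from a KMS or HSM).
func NewPolicy(active AlgID) (*Policy, error) {
	p := &Policy{Active: active, Keys: map[AlgID][]byte{}}
	for id, s := range suites {
		k := make([]byte, s.KeySize)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		p.Keys[id] = k
	}
	return p, nil
}

func (p *Policy) aead(id AlgID) (cipher.AEAD, error) {
	s, ok := suites[id]
	if !ok {
		return nil, fmt.Errorf("unknown algorithm id %d", id)
	}
	key, ok := p.Keys[id]
	if !ok || len(key) != s.KeySize {
		return nil, fmt.Errorf("no key provisioned for %s", s.Name)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the stable interface the application calls. Record layout:
// [1 byte AlgID][nonce][ciphertext || GCM tag]. The AlgID is bound into the
// associated data, so rewriting it cannot steer the receiver to another suite.
func (p *Policy) Protect(plaintext, context []byte) ([]byte, error) {
	g, err := p.aead(p.Active)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := append([]byte{byte(p.Active)}, context...)
	out := append([]byte{byte(p.Active)}, nonce...)
	return g.Seal(out, nonce, plaintext, ad), nil
}

// Unprotect reads the AlgID from the record and decrypts with whichever suite
// it names, so old and new records coexist while a policy change rolls out.
func (p *Policy) Unprotect(record, context []byte) ([]byte, error) {
	if len(record) < 1 {
		return nil, errors.New("record too short")
	}
	g, err := p.aead(AlgID(record[0]))
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(record) < 1+n+g.Overhead() {
		return nil, errors.New("record too short")
	}
	ad := append([]byte{record[0]}, context...)
	return g.Open(nil, record[1:1+n], record[1+n:], ad)
}

// Retire drops a suite's key so records under it can no longer be read;
// this is the final step of an algorithm transition.
func (p *Policy) Retire(id AlgID) { delete(p.Keys, id) }

func main() {
	p, err := NewPolicy(AlgAES128GCM)
	if err != nil {
		panic(err)
	}
	ctx := []byte("payments-flow-v1") // constructed sample context
	old, _ := p.Protect([]byte("card data"), ctx)

	// Standards change: flip the policy. The calling code is unchanged.
	p.Active = AlgAES256GCM
	renewed, _ := p.Protect([]byte("card data"), ctx)

	for _, r := range [][]byte{old, renewed} {
		pt, err := p.Unprotect(r, ctx)
		fmt.Printf("alg=%s ok=%v %q\n", suites[AlgID(r[0])].Name, err == nil, pt)
	}
}
```

The two things worth checking in a design like this are that the algorithm identifier is authenticated (here via the associated data, so a record cannot be re-labelled to a weaker or retired suite) and that the decrypt path accepts every suite still in the transition window while the encrypt path uses only the active one. Retiring a suite is then a policy change, not an application release.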
Conclusion
Quantum risk is not simply a future cryptographic problem. It is a business trust problem. For financial institutions, governments, and critical infrastructure operators, the consequences of compromised digital trust could be existential. Identity systems, financial transactions, secure communications, and customer confidence all depend on the integrity of cryptographic trust models. Traditional remediation approaches are slow, expensive, and operationally disruptive. Certes provides a practical alternative. By applying security directly to the data and abstracting protection away from infrastructure and applications, organisations can materially reduce risk today whilst building a flexible foundation for future cryptographic change. The future of security will belong to organisations that can adapt quickly, reduce operational complexity, and maintain trust regardless of how technology evolves. Certes delivers that capability through a modern, data-centric approach to post-quantum security readiness.