Declutter your crypto: Machine identity security for a post-quantum world
In a bad dream, you open the closet.
You think you know exactly what’s in there: a few SSH keys, a bunch of TLS certificates, and some secrets like API keys locked in what you believe to be a safe place. But pull it all out and suddenly you find yourself face-to-face with stacks of forgotten ciphers, drawers stuffed with expired certificates, and algorithms in use you thought teams had left behind in 2011. And that’s just for one application.
You don’t even remember owning half of these credentials. Some don’t fit anymore. Others were meant to be temporary but somehow became permanent fixtures.
This is cryptographic clutter—and cryptographic clutter equals risk. And not just in your bad dreams, as quantum computing will soon make the mess feel like a waking nightmare.
When a cryptographically relevant quantum computer finally arrives, Shor's algorithm breaks the public-key algorithms underpinning our digital economy: RSA and ECC, and with them every certificate your enterprise PKI has ever issued. That collapse could come practically overnight, and the worst time to figure out what you own is when attackers are already exploiting it.
It’s time to declutter your crypto—and in doing so, tidy up your machine identities.
The importance of identity awareness over algorithms
Many organizations might think their post-quantum cryptography (PQC) preparation begins with algorithms: Which ones will win? How do we know they’re secure? What has NIST—and others—already standardized?
I’m here to tell you quantum readiness starts with awareness, not math. Specifically, awareness of machine identities.
You can’t migrate what you can’t find. You can’t secure what you can’t see. And you can’t prepare for a future threat if you’re still tripping over yesterday’s cryptographic debt. The best place to start is where you can build an immediate business case, like with TLS certificates.
Nation-state attackers already understand the risks. They're likely running harvest now, decrypt later (HNDL) attacks today: collecting encrypted traffic, storing it, and waiting for quantum systems powerful enough to recover the session keys tomorrow. Governments have been caught tapping telecom backbones, and agencies like CISA, the NSA, and NIST don't issue warnings about HNDL attacks for the fun of it. They issue them because they see the problem before the rest of us.
That’s just one of the reasons why these same agencies are already urging procurement teams to factor quantum readiness into buying decisions. The message is clear: the quantum clock is already ticking.
How cryptographic clutter brings down the digital economy in a quantum world
While much well-placed concern is focused on quantum computers decrypting sensitive data, the greater risk is the dissolution of identity. The same RSA and ECC keys that protect traffic also sign certificates, code, and tokens, so a quantum computer doesn't just read your data; it lets an attacker forge the credentials that say who is who. Think about this: What could happen if an attacker could become you? They could spoof your cloud. Forge transactions. Push fake code commits. Hijack payment terminals. Even impersonate your workloads in production.
That’s not just a breach. That’s a body snatcher scenario—with you as the skeleton in an attacker’s closet. Clutter makes their job even easier, with every unmanaged certificate, overlooked secret, and outdated PKI standing as an open doorway.
Just as a messy house makes it easy to lose valuables, cryptographic clutter makes it easy to lose sight of what’s good or bad, friend or foe. Once authentication fails, everything topples over, including business availability.
It doesn’t have to be that way, though, as long as we all take our PQC chores seriously.
Decluttering for post-quantum readiness: A three-step security framework
I learned from colleagues that a “simple but effective” organizing framework, popularized by Marie Kondo, can be used to clean up your machine identity security posture before quantum computers can crack public-key encryption.
Step 1: See it all—discover machine identities for quantum readiness
The technique begins with gathering all your clothing from every room in your house and piling it in one place. Quantum readiness demands the same of your ever-evolving machine identities.
Certificates, keys, secrets, access tokens: "touch" them all. Make sure you know where they live, who owns them, when they expire, what systems they underpin, and which algorithm and key size each one uses, because that last detail is what decides whether it survives a quantum computer. Be thorough, and consider commonly overlooked blind spots in your enterprise, like your public key infrastructure (PKI).
Root and issuing CAs are typically provisioned for a decade or more, so if you're rebuilding or refreshing yours today, it will live in a world of quantum attacks. Yet most teams don't consider their PKI part of the quantum issue because they still view it as a strictly "crypto problem."
But it’s an identity problem.
Machine identity visibility is the first pillar of quantum readiness. Without it, you’ll stumble instead of declutter.
Step 2: Sort with intent—evaluate machine identities for confidence and PQC compatibility
Next comes the evaluation of those machine identities. Through Kondo’s framework, we ask: Does it spark joy?
In security terms, we instead ask: Does it spark confidence? Or risk?
As you take stock of your machine identities, you want to ask, every time:
- Is this hybrid-ready for PQC migration?
- Can it become PQC-ready?
- Who does it depend on to make a change?
- Will applications be ready for a change?
- Is this governed, monitored, and serving an active purpose?
If a machine identity like a TLS certificate or SSH key doesn’t spark confidence, it’s time to “thank it for its service” and let it go.
This need for risk-based evaluation is why machine identity context matters. No two identities behave the same, but treating them all alike is like trying to store clothes in the crisper and carrots in the coat closet. It doesn’t work. Context shapes care. Care shapes consistency.
Machine identity intelligence is the second pillar. Just knowing an identity exists isn’t enough. You need to know what it does, how it behaves, and whether it can withstand a post-quantum world.
Step 3: Secure what stays—automate machine identity lifecycles for quantum resilience
Finally, decluttering only works if you build systems that keep your enterprise that way. For machine identities, that system is lifecycle automation. Look at TLS certificate lifespans, for example. The CA/Browser Forum's schedule for publicly trusted certificates shrinks them fast: a maximum of 200 days from March 2026, 100 days from March 2027, and 47 days from March 2029, with an eight- to twelvefold expected increase in renewals. Manual approaches to that aren't sustainable.
Automation is how you “fold” your identities neatly, “stack” them sustainably, and rotate them out at machine speed—turning clutter into choreography.
Along with automation comes increased agility. Whether you need to retire a weak key size or shift from classical to hybrid PQC certificates, automated solutions can roll the change out in bulk, with far less risk to uptime and without re-architecting each application. One caveat: moving from RSA-2048 to RSA-4096 raises classical strength only. Against Shor's algorithm a 4096-bit key is no safer than a 2048-bit one, so the migration that matters is to PQC or hybrid keys.
With this newfound agility, expiration dates themselves become a feature, not a flaw. Certificates naturally cycle out, and that turnover becomes a security superpower: it shortens the window in which a stolen, leaked, or forgotten credential can be abused.
Automation is the third pillar. Without it, agility is impossible, but with it, quantum readiness becomes routine.
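As an added example that is not part of the original post, the following Go program walks the three steps above for X.509 certificates: it parses a PEM bundle (Step 1), records each certificate's key algorithm, key size and lifetime and flags RSA and ECC keys as quantum-vulnerable (Step 2), and reports expired certificates and lifetimes over the 47-day ceiling that automation will have to absorb (Step 3). The three certificates it inventories are constructed inside the program with hypothetical hostnames (api.example.internal and so on); the record fields, finding strings and the 47-day constant are my choices, not any vendor's schema.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type Record struct {
	Subject           string
	KeyAlgorithm      string
	KeyBits           int
	LifetimeDays      int
	QuantumVulnerable bool // RSA/ECC key: breakable by Shor's algorithm, so it needs a migration path
	Findings          []string
}

const maxLifetimeDays = 47 // the 2029 ceiling the post cites for public TLS certificates

// Inventory parses every CERTIFICATE block in pemData and classifies each one.
func Inventory(pemData []byte, now time.Time) ([]Record, error) {
	var out []Record
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // keys or CSRs in the same bundle are skipped
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, classify(cert, now))
	}
	return out, nil
}

// classify answers the post's questions for one certificate: what key, how long it lives, quantum-safe or not.
func classify(cert *x509.Certificate, now time.Time) Record {
	r := Record{
		Subject:      cert.Subject.CommonName,
		KeyAlgorithm: cert.PublicKeyAlgorithm.String(),
		LifetimeDays: int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		r.KeyBits, r.QuantumVulnerable = k.N.BitLen(), true // RSA-4096 is no safer here than RSA-2048
	case *ecdsa.PublicKey:
		r.KeyBits, r.QuantumVulnerable = k.Curve.Params().BitSize, true
	default:
		r.Findings = append(r.Findings, "unrecognised key type: review manually")
	}
	if cert.NotAfter.Before(now) {
		r.Findings = append(r.Findings, "expired: revoke or remove")
	}
	if r.LifetimeDays > maxLifetimeDays {
		r.Findings = append(r.Findings, fmt.Sprintf("lifetime %d days exceeds the %d-day ceiling", r.LifetimeDays, maxLifetimeDays))
	}
	return r
}

// selfSigned mints a constructed sample certificate: test data, not a real deployment artifact.
func selfSigned(cn string, key crypto.Signer, notBefore time.Time, days int) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory runs three constructed certificates (hypothetical hostnames) through Inventory.
func SampleInventory() ([]Record, error) {
	now := time.Now()
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bundle := selfSigned("api.example.internal", rsaKey, now.Add(-time.Hour), 398)
	bundle = append(bundle, selfSigned("mesh.example.internal", ecKey, now.Add(-time.Hour), 30)...)
	bundle = append(bundle, selfSigned("legacy.example.internal", ecKey, now.Add(-60*24*time.Hour), 30)...)
	return Inventory(bundle, now)
}

func main() {
	recs, _ := SampleInventory()
	for _, r := range recs {
		fmt.Printf("%-24s %-5s %4d bits  lifetime %3dd  quantum-vulnerable=%v  %v\n", r.Subject, r.KeyAlgorithm, r.KeyBits, r.LifetimeDays, r.QuantumVulnerable, r.Findings)
	}
}
```

Run it with `go run`; in practice you would feed `Inventory` the bundles pulled from load balancers, Kubernetes secrets and CA databases and join the output to an ownership record. At the time of writing Go's x509 package has no PQC or hybrid key types, so such certificates would land in the "review manually" branch, which is the right default for anything an inventory cannot classify.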
Make machine identity hygiene a continuous practice
Here’s the fundamental shift: machine identity decluttering isn’t one-and-done.
As Marie Kondo reminds us, tidying is a marathon, not a sprint. Quantum readiness works the same way. You don’t do it once and walk away. You build habits. You create systems. You fold, automate, and repeat. It’s what gets and keeps your cryptographic house in order.
Over time, clutter stops creeping back in. Risk reduction becomes intentional. And when quantum attacks finally arrive, you won’t panic over what’s in your closet.
You’ll already know, because everything will be carefully labeled, contextualized, and managed.
Decluttering crypto for post-quantum security
Quantum readiness isn’t just about picking algorithms. It’s about awareness, being intentional with what you keep, and letting go of what no longer serves.
Decluttering is the first step. It transforms complexity into clarity and risk into resilience. It also helps ensure that your organization is prepared when quantum rewrites the rules.
So, open the closet. Touch every machine identity. Ask: Does this spark confidence?
If the answer is no, let it go. Quantum won’t wait for you to clean house later.
Kevin Bocek is senior vice president of innovation at CyberArk.
Editor’s note: Marie Kondo is the creator of the KonMari Method™ of organization, as described in her bestselling books and television programs. This blog is inspired by her publicly shared approach. CyberArk Software, Inc. is not affiliated with or endorsed by Marie Kondo or KonMari Media, Inc.