Post-Quantum Roundup: IBM, Microsoft, Fortinet

Cybersecure3

By: Craig Matsumoto


The drumbeat around post-quantum resilience is getting louder. IBM and Microsoft recently discussed their post-quantum plans, both emphasizing the multi-year process involved in making their own portfolios quantum-safe.

Both are tapping a theme that's become ubiquitous: A post-quantum transition is necessary and inevitable—and now is the time to start, because many enterprises are facing a years-long transition.

Post-quantum cryptography (PQC) algorithms have been available for a while. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has finalized three PQC algorithms.

The more subtle challenge is the process of converting an organization's existing encryption keys. The first step might be the hardest: finding out what keys even exist and where they are. Security vendors are producing products for that discovery phase; Fortanix's PQC Central is one example, and we've previously noted how Keyfactor is priming itself for the opportunity.

Larger security vendors are making noise here as well, Fortinet being one example (more on that below).

Steering the Big Ship

It's noteworthy, though, to see large companies chiming in, especially those with deep research organizations that have been contributing to quantum technology for years. Moreover, Microsoft and IBM are large enterprises themselves, meaning they're good examples for showing what's involved in the post-quantum transition. They make good guinea pigs. Last week both companies explained how they're dealing with the post-quantum transition internally and how they can use their learnings to help customers.

IBM's CIO Office used itself as "client zero" for IBM Quantum Safe Explorer, a product that scans repositories and code for cryptographic artifacts. With nearly 6,000 repositories to worry about, IBM prioritized finding ways to avoid manually seeking out the places where cryptography needed updating.

Microsoft this month launched its Quantum Safe Program Strategy, aiming to make the company's own products quantum-safe. The goal is to beat government timelines, introducing quantum-safe capabilities for early adopters by 2029 and making the portfolio fully quantum-safe by 2033.

Fortifying FortiOS

On the security vendor front, Fortinet announced post-quantum capabilities in its FortiOS operating system earlier this month. They include quantum key distribution (a quantum-safe method for delivering security keys) and algorithm stacking, where multiple cycles of encryption can be used for stronger security.

On that latter point, Fortinet adds—and other vendors reiterate—that PQC algorithms themselves aren't infallible. Over time, flaws and vulnerabilities will emerge, meaning an enterprise's post-quantum transition will lead into an era of post-quantum agility, where it will be necessary to adapt as attacks evolve. That makes a long process sound even longer. All the more reason to get the basic steps done soon.

It's worth noting that in many cases, PQC-related products are not brand new. Fortanix, Fortinet, and others already offered PQC algorithms. Ciena, in blogging about post-quantum awareness this week, pointed out that it demonstrated quantum security in 2024 and has products in production.

The point is that post-quantum resilience is becoming a more tangible issue, and these otherwise esoteric products and initiatives are about to have their day. This sector is going to get a lot louder in the coming months, and post-quantum seems likely to be an even bigger topic heading into 2026.