Quantum Trust Hub: Configuration Scan

A Configuration Scan is the process of analyzing the cryptographic settings and parameters configured across systems, applications, and network infrastructure within an organization. In the context of post-quantum cryptography (PQC) implementation, a configuration scan helps build a comprehensive view of cryptographic configurations that may be vulnerable to quantum-based attacks.

The goal of a PQC configuration scan is to identify and assess systems that are using classical algorithms (such as RSA or ECC), outdated protocol versions, or insecure cipher suites, which may not provide adequate protection in a post-quantum world.

The results of the scan support identifying, classifying, and scoring systems based on their cryptographic posture and PQ-readiness. This enables informed planning and prioritization of remediation activities, such as protocol upgrades, algorithm replacements, or configuration hardening.

For each system or application analyzed in a configuration scan, the following parameters are typically evaluated:
  • Enabled cryptographic algorithms and protocols (for example, RSA, ECC, TLS 1.2, TLS 1.3, IPsec, SSH)
  • Cipher suites (e.g., inclusion of PQC-safe or hybrid suites, use of deprecated ciphers like RC4 or 3DES)
  • Key sizes and cryptographic parameters (e.g., RSA-2048, ECDSA P-256)
  • Protocol versions and fallback behavior (e.g., support for only secure versions like TLS 1.3)
  • Support for PQC or hybrid cryptography mechanisms, where available.

Benefits of the PQC Configuration Scan
  • Helps identify cryptographic configurations that rely on quantum vulnerable algorithms and protocols.
  • Reveals misconfigurations or weak parameter settings that may increase security risks.
  • Assists in prioritizing updates to cryptographic settings in alignment with NIST guidelines (e.g., NIST SP 800-131A, SP 800-52r2).
  • Supports cryptographic agility and prepares systems for a seamless transition to PQC-safe algorithms.

The Configuration Scan dashboard is a collection of widgets that together give a multi-faceted view of PQC risk and quantum readiness, based on the results of a PQC-focused configuration scan. The data displayed on the dashboard is a quantifiable measure of your organization’s risk and readiness for PQC adoption.

Prerequisite: Verify that your user role has the required ACF permission to view configuration scan reports. To enable ACF permission, click here.

To view the Configuration Scan dashboard:
  1. Go to Menu > Quantum Trust Hub > Dashboard.

    The Quantum Trust Hub : Organization View page is displayed.

  2. From the menu bar, select Configuration.

    The Quantum Trust Hub : Configuration Scan page is displayed.

The dashboard widgets are explained in the subsequent sections.

Quantum Readiness Score

The Configuration Scan Quantum Readiness Score widget displays the cumulative PQC score for a scan, aggregated from the PQC scores of all configurations.
  • Each Configuration Scan is assigned a PQC score based on its quantum resistance.
  • Quantum Resistant Categories (1 point each) = 5
  • Total Categories Assessed: 10
  • Quantum Vulnerable = 0 points

The Configuration Scan Quantum Readiness score, displayed using this widget, is then calculated as:

Your Total PQC Score = (Number of Quantum Resistant Crypto Categories Identified) / (Total Number of Crypto Categories Identified)

The threat level interpretation is therefore categorized as:

The threat level is displayed on the widget below the Gauge chart.
To read more on what the displayed threat level means and the recommended next steps, click Know more from the widget.

Configuration Count

The Configuration Count widget provides a high-level summary of your environment’s cryptographic configuration scan results. It helps users quickly understand the scope and coverage of scanned assets, enabling better assessment of cryptographic risk and quantum readiness.

Table 1. Displayed Metrics

| Metric | Description |
| --- | --- |
| Total Endpoints Scanned | Displays the total number of individual endpoints (e.g., servers, devices, network assets) that were scanned during the configuration assessment. This reflects the breadth of your cryptographic visibility across the infrastructure. |
| Total Applications Detected | Indicates the number of distinct applications discovered and analyzed across the scanned endpoints. These applications are using cryptographic configurations that were evaluated for vulnerabilities and quantum readiness. |

To view the detailed list of the configuration scan under these categories, click the corresponding block on the metric card.

A Configuration Inventory pop-up, filtered for the selected configuration type block, is displayed, with the complete details of each configuration type.

For example, to view the Total Endpoints Scanned, click the Total Endpoints Scanned block from the metric card. The corresponding Configuration Inventory is displayed.

In this configuration inventory, you can:
  • View a detailed list of individual endpoints that were scanned during the configuration scan.
  • Navigate to the main Configuration Inventory by clicking Configuration Scan Inventory.
  • Export the Configuration Scan Inventory from the Quantum Trust Hub.
    To do this:
    1. Select the checkboxes corresponding to the records you want to export.
    2. From the toolbar, click Export.
    3. From the How would you like to download the data? dialog box, select the file format for the exported configuration data.
    4. Click Submit.

Quantum Readiness by Crypto Library

The Quantum Readiness by Crypto Library widget provides insight into the quantum security posture of the cryptographic libraries used across your environment. Cryptographic libraries implement the algorithms that protect your data and communications, so understanding their quantum readiness is essential for safeguarding against future quantum attacks.

The donut chart in this widget shows all the crypto libraries discovered in the scan, and the interactive legend lists the number of usage instances of each library.

Use the interactive legends to update the visualization to see the usage distribution for only specific libraries.

Use the dropdown menu in the top-right corner of the widget to update the visualization for libraries based on their quantum readiness status, from the following values:

| Option | Description |
| --- | --- |
| All | Displays all cryptographic libraries detected, regardless of their quantum readiness status, giving a complete overview of your cryptographic landscape. |
| Quantum Resistant | Shows only cryptographic libraries that implement post-quantum cryptographic algorithms, ensuring strong resistance against quantum computing threats. |
| Quantum Vulnerable | Lists cryptographic libraries that rely on classical cryptographic algorithms vulnerable to quantum attacks, highlighting areas requiring immediate attention. |

  1. Select a filter from the dropdown menu to view cryptographic libraries by their quantum readiness status.
  2. Identify vulnerable libraries and prioritize updates or replacements with quantum resistant versions.

Quantum Readiness by Protocols

The Quantum Readiness by Protocols widget gives you an overview of the quantum security status of cryptographic protocols in use within your environment. Protocols such as TLS, SSH, and others play a key role in securing communications, so assessing their readiness against quantum threats is crucial.

The donut shows the total number of protocols discovered by the scan and the usage distribution for the protocols. The interactive legend lists the protocols discovered along with the number of usage instances for each protocol.

Use the interactive legends to update the visualization to see the usage distribution for only specific protocols.

Use the dropdown menu in the top-right corner of the widget to update the visualization for protocols based on their quantum readiness, from the following values:

| Option | Description |
| --- | --- |
| All | Displays all cryptographic protocols detected, regardless of their quantum readiness status, for a complete picture of your security posture. |
| Quantum Resistant | Shows only protocols that use quantum-safe algorithms or configurations designed to resist attacks from quantum computers. |
| Quantum Vulnerable | Lists protocols that rely on classical cryptographic methods vulnerable to quantum attacks and should be prioritized for upgrade or replacement. |

  1. Select the required filter from the dropdown to focus on all protocols, only quantum resistant ones, or those that are quantum vulnerable.
  2. Identify vulnerable protocols and understand which protocols in your environment are at risk from quantum attacks.

Risk Levels

The Risk Levels widget provides an at-a-glance summary of the quantum risk associated with different cryptographic components in your environment. It helps you understand where vulnerabilities exist and prioritize your remediation efforts.

The donut chart in this widget shows the total number of cryptographic components (protocols, libraries, and certificates) detected. It also shows the risk level distribution across these components. The chart legend lists the risk level of the detected components and also indicates the number of components mapping to each risk level.

Use the interactive legends to filter the risk data for one or more specific risk levels.

Use the dropdown menu to filter risk data by component type, from the following options:

| Option | Description |
| --- | --- |
| All | Displays risk levels for all cryptographic components combined, including protocols, libraries, and certificates. Use this for a holistic view of your quantum risk exposure. |
| Protocol | Shows risk levels specifically related to cryptographic protocols (e.g., TLS versions, SSH), highlighting protocols that may be vulnerable to quantum attacks. |
| Library | Filters the view to show risk levels in cryptographic libraries or algorithms implemented within your systems, helping identify weak or deprecated crypto code. |
| Certificate | Focuses on the quantum risk posed by digital certificates, based on their encryption algorithms and PQC readiness. This helps spot certificates needing urgent replacement or upgrade. |

  1. Use the dropdown to select a category based on your focus area: protocols, libraries, certificates, or all combined.
  2. Review the distribution of risk levels (e.g., Critical, High, Medium, Low, Unknown) displayed in the widget.

Quantum Readiness by Key Exchange Usage in Cipher Suites

The Quantum Readiness by Key Exchange Usage in Cipher Suites widget displays an analysis of the key exchange algorithms used within your cipher suites, focusing on their resilience against quantum computing threats.

Key exchange is a critical part of establishing secure communications, and this widget helps you understand how prepared your cryptographic configurations are for post-quantum security.

The donut chart on the widget shows the total number of key exchanges observed across all cipher suites. The legend lists all key exchange instances along with the individual count of occurrence.

Use the interactive legend to filter the visualization for specific key exchange instances.

Use the dropdown menu to filter key exchange algorithms based on their quantum readiness status, from the following values:

| Option | Description |
| --- | --- |
| All | Shows all key exchange algorithms detected in your cipher suites, regardless of their quantum readiness. Use this view to get a complete picture of your cryptographic posture. |
| Quantum Resistant | Displays only key exchange algorithms that are considered secure against quantum attacks, such as lattice-based or other post-quantum algorithms. |
| Quantum Vulnerable | Lists key exchange algorithms that rely on classical cryptography (e.g., Diffie-Hellman, ECDH) which can be broken by quantum computers and therefore require urgent upgrade. |
| Hybrid | Shows key exchange methods that combine classical and post-quantum algorithms, providing enhanced security during the transition to quantum-safe cryptography. |

  1. Select a filter from the dropdown menu to focus on specific key exchange algorithm types.
  2. Identify vulnerable key exchange algorithms that should be prioritized for upgrade or replacement.
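
As an added illustration (not Quantum Trust Hub code), the Python example below classifies key exchange groups into the statuses this widget filters on and treats each endpoint as only as strong as the weakest group it still accepts, which is how a hybrid-capable server with a classical fallback ends up Quantum Vulnerable. The OpenSSL-style colon-separated group lists, the hostnames, and applying the resistant-over-total ratio to key exchange instances without counting hybrids as resistant are assumptions of this example.

```python
import re
from collections import Counter

# Classical key exchange (ECDH curves, finite-field DH groups): quantum vulnerable.
CLASSICAL = re.compile(r"x25519|x448|secp\d+r1|prime256v1|ffdhe\d+", re.I)
# ML-KEM (FIPS 203) parameter sets: lattice-based, post-quantum.
PQC = re.compile(r"ml-?kem-?(512|768|1024)", re.I)
# Weakest status first; an endpoint is only as strong as the weakest group it accepts.
ORDER = ["Unknown", "Quantum Vulnerable", "Hybrid", "Quantum Resistant"]

def classify_group(name):
    """Classify one key exchange group name into a dashboard-style status."""
    pqc, classical = bool(PQC.search(name)), bool(CLASSICAL.search(name))
    if pqc and classical:
        return "Hybrid"
    if pqc:
        return "Quantum Resistant"
    return "Quantum Vulnerable" if classical else "Unknown"

def endpoint_status(groups):
    """Status of an endpoint from its colon-separated list of enabled groups."""
    statuses = [classify_group(g) for g in groups.split(":") if g.strip()]
    return min(statuses, key=ORDER.index) if statuses else "Unknown"

def summarize(inventory):
    """Count group instances per status and compute resistant / total (assumed rule)."""
    counts = Counter(classify_group(g)
                     for groups in inventory.values()
                     for g in groups.split(":") if g.strip())
    total = sum(counts.values())
    score = counts["Quantum Resistant"] / total if total else 0.0
    return counts, score

# Constructed sample inventory: hypothetical hostnames, standard TLS group names.
INVENTORY = {
    "web01.example.internal": "X25519MLKEM768:x25519:secp256r1",
    "api01.example.internal": "X25519MLKEM768:SecP256r1MLKEM768",
    "kms01.example.internal": "MLKEM768:MLKEM1024",
    "legacy01.example.internal": "ffdhe2048:secp384r1",
}

if __name__ == "__main__":
    for host, groups in INVENTORY.items():
        print(f"{host:28} {endpoint_status(groups)}")
    counts, score = summarize(INVENTORY)
    print(dict(counts), f"resistant/total = {score:.2f}")
```
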

Quantum Readiness by Authentication in Cipher Suites

The Quantum Readiness by Authentication in Cipher Suites widget provides an overview of the cryptographic strength of your cipher suites based on their authentication mechanisms. This helps you understand how prepared your network communications are against quantum computing threats.

The widget shows the cryptographic algorithms/cipher suites used for authentication across your environment, as well as the total and individual count of usage. Use the interactive legend to filter the visualization for a specific cryptographic algorithm/cipher suite.

Use the dropdown menu to filter cipher suites according to their quantum readiness status:

| Option | Description |
| --- | --- |
| All | Displays all cipher suites detected across your environment, regardless of their quantum resistance status. Use this for a comprehensive view. |
| Quantum Resistant | Shows only cipher suites that use quantum-safe authentication algorithms, offering strong protection against both classical and quantum attacks. |
| Quantum Vulnerable | Lists cipher suites that rely on classical authentication methods vulnerable to quantum attacks (e.g., RSA, ECDSA). These require prompt remediation. |
| Hybrid | Displays cipher suites that implement a combination of classical and post-quantum algorithms to enhance security during the transition to quantum-safe cryptography. |

  1. Use the dropdown to filter cipher suites by quantum readiness status.
  2. Identify vulnerable cipher suites that require upgrading to post-quantum or hybrid authentication methods.

Applications Usage Summary

The Applications Usage Summary widget provides a quick visual summary of the cryptographic posture of your applications based on their usage of cryptographic configurations and certificates. This helps you assess how well your application environment is protected against quantum computing threats.

The widget shows the total number of applications detected in your environment. The legend lists these applications and also includes a count which indicates the number of cryptographic usages detected for that application. Use the interactive legend to filter the chart visualization for specific applications.

Use the dropdown menu to filter chart data based on the quantum readiness of the applications, from the following values:

| Option | Description |
| --- | --- |
| All | Displays all applications in your environment, regardless of their cryptographic posture. Use this view to get a full inventory snapshot and identify areas for improvement. |
| Quantum Resistant | Shows only applications that are currently using quantum-safe cryptographic configurations and/or certificates. These applications are considered prepared to withstand future quantum attacks. |
| Quantum Vulnerable | Displays applications using legacy or quantum vulnerable encryption (e.g., RSA, ECC, SHA-1, TLS 1.0/1.1). These applications require remediation to avoid exposure to potential quantum threats. |

  1. Use the dropdown filter to switch between views (All, Quantum Resistant, Quantum Vulnerable) based on your focus area.
  2. Identify and prioritize vulnerable applications for cryptographic upgrades.

Quantum-Readiness Posture

The Quantum-Readiness Posture chart displays a holistic view of your organization’s readiness for a PQC transition over a selected period.

It is essentially the configuration count data represented graphically. The widget offers the additional ability to view trends for specific applications over a specific duration by selecting the required values from the dropdown lists in the top-right corner of the widget.

The chart legends are interactive. Select/clear the checkbox for a risk severity level to show/hide, respectively, the corresponding data on the chart.

Configuration Scan Inventory

To access the configuration scan inventory:

Prerequisite: Verify that your user role has the required ACF permission to view configuration scan inventory. To enable ACF permission, click here.

  1. To view the Configuration Scan inventory, go to Menu > Quantum Trust Hub > Inventory > Configuration Scan.

    You will be redirected to the Configuration Scan Inventory.

    The Configuration Scan Inventory provides a comprehensive, category-wise view of all cryptographic configurations across your organization’s IT infrastructure - including protocols, cipher suites, encryption algorithms, and security settings used across applications, servers, and network devices.

    This inventory is critical for evaluating your system’s quantum readiness from a configuration perspective, ensuring that all components adhere to evolving post-quantum cryptographic standards.