Adversaries are not waiting for the arrival of powerful quantum computers; they are actively exploiting encrypted data in “harvest now, decrypt later” (HNDL) attacks, intercepting information with the intention of breaking it in the future. To address this immediate and evolving threat, HCLTech and Zscaler have launched a joint offering designed to help organizations prepare for the post-quantum era. The partnership combines Zscaler’s security capabilities with HCLTech’s cryptographic modernization services, enabling visibility into and a transition toward quantum-resistant cryptography. As NIST nears the finalization of standards like ML-KEM and ML-DSA, this collaboration focuses on a complex transition period where hybrid PQC key exchange, combining classical and quantum-resistant methods, is essential, introducing new operational requirements for validation and reporting.
Zscaler Inline Inspection Supports Hybrid ML-KEM (FIPS 203)
Recognizing this immediate danger, Zscaler now supports hybrid Post-Quantum Cryptography (PQC) key exchange using ML-KEM, a key encapsulation mechanism nearing finalization as a NIST PQC standard alongside ML-DSA. This capability, integrated with Zscaler Internet Access (ZIA), allows for real-time deep inspection of PQC traffic utilizing the FIPS 203 standard, offering decryption, policy enforcement, and re-encryption at scale. Zscaler’s proxy architecture enables PQC usage between clients and its platform even when the destination server lacks PQC support, minimizing exposure on the critical “last mile” of communication. Existing security policies, including threat prevention and data loss prevention, are applied transparently to PQC sessions, eliminating the need for extensive redesign. Detailed logging of TLS versions and key exchange parameters provides teams with actionable data to identify clients not yet prepared for PQC and prioritize necessary upgrades.
Beyond TLS, Zscaler also supports IPsec with post-quantum pre-shared keys (PPK), adding an extra layer of security to key derivation and providing a practical upgrade path. HCLTech complements this visibility with service-led cryptographic discovery, creating a CryptoBOM, a comprehensive bill of materials for cryptography, by combining Zscaler’s telemetry with broader enterprise assessments. This partnership delivers a closed-loop system, translating inspection data into prioritized remediation plans and measurable progress toward quantum-ready cryptography, ultimately reducing HNDL exposure and strengthening future resilience. HCLTech highlights that this approach moves beyond theoretical inventories by incorporating Zscaler’s internet and SaaS telemetry into a practical, evidence-based CryptoBOM.
HCLTech CryptoBOM Creation from Zscaler Telemetry
Successfully navigating this complexity requires detailed knowledge of current cryptographic deployments, a task often hampered by incomplete inventories. HCLTech and Zscaler are addressing this challenge with a combined offering focused on creating a CryptoBOM, a cryptographic Bill of Materials, built from Zscaler’s real-time telemetry data. This inspection can occur even if the originating server doesn’t yet support PQC, reducing exposure on the final leg of communication. HCLTech then leverages this visibility to build a comprehensive CryptoBOM, identifying cryptographic dependencies across users, applications, and network paths. This assessment informs a prioritized remediation roadmap, enabling organizations to systematically strengthen their crypto agility and prepare for full PQC adoption.
Moves beyond theoretical inventories by incorporating Zscaler’s internet and SaaS telemetry into a practical, evidence-based CryptoBOM.
Mitigating “Harvest Now, Decrypt Later” with IPsec PPK
Organizations are already facing active exploitation through “harvest now, decrypt later” attacks, where data is intercepted and stored for future decryption, to the looming threat of quantum computers breaking current encryption. This isn’t a hypothetical concern; adversaries are currently stockpiling encrypted information, anticipating a time when sufficiently powerful quantum machines exist. Recognizing this immediate danger, security firms are focusing on practical mitigation strategies, including bolstering defenses for IPsec connections with post-quantum pre-shared keys (PPK). Zscaler supports IPsec with PPK, mixing an additional shared secret into IKE key derivation to keep derived keys secure even if Diffie-Hellman exchanges are later broken by a quantum computer, providing a near-term upgrade path without requiring a complete overhaul of existing infrastructure. The transition to post-quantum cryptography is not a simple switch; a complex period of hybrid key exchange, combining classical and quantum-resistant algorithms, will dominate for years.
This necessitates new operational procedures for validating and reporting on these hybrid connections. This capability is particularly valuable as organizations struggle with limited visibility into PQC usage within their networks, often unable to confidently determine which applications and users are negotiating quantum-resistant connections.
