Software-Defined Cryptography: A Design Feature of Cryptographic Agility
Jihoon Cho, Changhoon Lee, Eunkyung Kim, Jieun Lee, Beumjin Cho
TL;DR
The paper addresses the challenge of migrating enterprise cryptography to post-quantum standards, arguing that crypto-agility requires a software-defined approach to governance and automated enforcement. It analyzes Software-Defined Networking, Software-Defined Perimeter, and Zero Trust Architecture to show how abstraction and automation can centralize cryptographic policy management. A policy-as-code framework is proposed, with a software-defined cryptography architecture comprising C-PIP, C-PDP, and C-PEP that integrates into DevSecOps and service-mesh ecosystems to automate PQC migration. The work highlights abstraction layers (e.g., JCA) and IaC/PaC practices to decouple applications from cryptographic providers, enabling scalable, policy-driven PQC updates. Overall, the paper advocates for adopting software-defined cryptography to achieve timely, secure, and auditable PQC migrations in enterprise IT.
Abstract
Given the widespread use of cryptography in enterprise IT, migration to post-quantum cryptography (PQC) is far from a drop-in replacement. Cryptographic agility, or crypto-agility, is a design feature that enables seamless updates to new cryptographic algorithms and standards without the need to modify or replace the surrounding infrastructure. This paper introduces the notion of software-defined cryptography as the desired design feature for crypto-agility, emphasizing the role of software in providing centralized governance for cryptography and automated enforcement of cryptographic policies, such as migration to PQC.
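The TL;DR and abstract both describe a policy-as-code loop in which a C-PIP gathers what applications currently use, a C-PDP decides against a central policy, and a C-PEP enforces the result so that a PQC migration is driven by changing the policy document rather than the applications. The following is an added illustration of that control loop, not code from the paper; the acronym expansions (policy information, decision and enforcement point, by analogy with Zero Trust Architecture), the policy documents, the service inventory and every function name are assumptions constructed for the example. Algorithm labels follow the FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) names; "A+B" denotes a hybrid.

```python
"""Policy-as-code control loop in the software-defined cryptography style.
Added example; all policies, services and names are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy document: this is the artifact that changes during a PQC
# migration.  Applications never name an algorithm directly; they ask the
# abstraction layer (resolve below) for the enforced choice.
POLICY_TRANSITION = {
    "key_exchange": {
        "preferred": "X25519+ML-KEM-768",                   # hybrid while migrating
        "allowed": {"X25519+ML-KEM-768", "ML-KEM-768"},
        "deprecated": {"X25519", "ECDH-P256", "RSA-2048"},  # migrate, do not block
    },
    "signature": {
        "preferred": "ML-DSA-65",
        "allowed": {"ML-DSA-65", "ECDSA-P256"},
        "deprecated": {"RSA-2048"},
    },
}

# A later revision of the same policy: only the document changes, the
# inventory and the enforcement code are untouched.
POLICY_PQC_ONLY = {
    "key_exchange": {
        "preferred": "ML-KEM-768",
        "allowed": {"ML-KEM-768"},
        "deprecated": {"X25519+ML-KEM-768", "X25519", "ECDH-P256", "RSA-2048"},
    },
    "signature": POLICY_TRANSITION["signature"],
}


@dataclass(frozen=True)
class CryptoUsage:
    service: str
    purpose: str     # "key_exchange" or "signature"
    algorithm: str


@dataclass(frozen=True)
class Decision:
    usage: CryptoUsage
    verdict: str     # "allow", "migrate" or "deny"
    target: str = "" # replacement algorithm when verdict == "migrate"


def c_pip_inventory() -> List[CryptoUsage]:
    """C-PIP stand-in: a constructed inventory of what services use today
    (a real PIP would read this from configs, SBOMs or service-mesh metadata)."""
    return [
        CryptoUsage("payments-api", "key_exchange", "X25519"),
        CryptoUsage("payments-api", "signature", "ECDSA-P256"),
        CryptoUsage("legacy-batch", "signature", "RSA-2048"),
        CryptoUsage("mesh-gateway", "key_exchange", "X25519+ML-KEM-768"),
        CryptoUsage("mesh-gateway", "signature", "DSA-1024"),  # not in policy at all
    ]


def c_pdp_decide(usage: CryptoUsage, policy: Dict) -> Decision:
    """C-PDP: compare one observed usage with the policy and decide."""
    rules = policy.get(usage.purpose)
    if rules is None or usage.algorithm not in rules["allowed"] | rules["deprecated"]:
        return Decision(usage, "deny")             # unknown or unlisted: block
    if usage.algorithm in rules["allowed"]:
        return Decision(usage, "allow")
    return Decision(usage, "migrate", rules["preferred"])


def c_pep_enforce(decisions: List[Decision]) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """C-PEP: materialize the enforced per-service configuration plus an audit
    trail of every change, which is what makes the migration reviewable."""
    config: Dict[str, Dict[str, str]] = {}
    audit: List[str] = []
    for d in decisions:
        svc = config.setdefault(d.usage.service, {})
        if d.verdict == "allow":
            svc[d.usage.purpose] = d.usage.algorithm
        elif d.verdict == "migrate":
            svc[d.usage.purpose] = d.target
            audit.append(f"{d.usage.service}/{d.usage.purpose}: "
                         f"{d.usage.algorithm} -> {d.target}")
        else:  # deny: the purpose is left unconfigured so the app cannot use it
            audit.append(f"{d.usage.service}/{d.usage.purpose}: "
                         f"{d.usage.algorithm} DENIED")
    return config, audit


def run_control_loop(policy: Dict) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """One pass of PIP -> PDP -> PEP; rerun whenever the policy document changes."""
    decisions = [c_pdp_decide(u, policy) for u in c_pip_inventory()]
    return c_pep_enforce(decisions)


def resolve(config: Dict[str, Dict[str, str]], service: str, purpose: str) -> str:
    """Application-facing abstraction (the JCA-like layer): the app asks for a
    purpose and receives the enforced algorithm, never hard-coding one."""
    try:
        return config[service][purpose]
    except KeyError:
        raise PermissionError(f"{service} has no approved algorithm for {purpose}")


if __name__ == "__main__":
    for name, pol in (("transition", POLICY_TRANSITION), ("pqc-only", POLICY_PQC_ONLY)):
        cfg, log = run_control_loop(pol)
        print(name, resolve(cfg, "payments-api", "key_exchange"), log)
```

Rerunning the loop with the second policy moves every service off the hybrid key exchange without editing any service; the audit list is the evidence a reviewer would check after the migration.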
