
Quantum computing exposes Active Directory to urgent new risks
Organisations using Microsoft Active Directory as their primary identity management system face a significant cybersecurity risk as the advent of quantum computing begins to challenge established cryptographic protections, according to Certes.
Certes has released a technical analysis outlining how the introduction of post-quantum cryptography (PQC), designed to resist powerful quantum computing attacks, reveals vulnerabilities in legacy systems such as Active Directory. The report indicates organisations could be exposed to attacks if underlying identity infrastructure does not evolve alongside cryptographic standards.
The analysis warns that most businesses still rely on authentication systems originally built for classical computing environments. These systems employ protocols and structures including Kerberos authentication, domain trusts, and key distribution mechanisms, all of which may be unsuitable as the threat landscape evolves with quantum technology.
Expert warning
"This isn't a hypothetical risk anymore," said Simon Pamplin, CTO at Certes. "The cryptographic standards being pushed out today are being fast-tracked to combat real and present quantum risks. But the problem is that most organisations still depend on Active Directory; a system never designed to survive this level of cryptographic upheaval."
Quantum computers are predicted to eventually possess the capacity to break the cryptographic algorithms that underpin many of today's security solutions. In anticipation, new PQC algorithms are being developed and deployed. While these are expected to provide a more secure foundation for future digital infrastructure, Certes warns that existing directory services such as Active Directory were not created with quantum resilience in mind.
Certes' technical team notes that, despite advances in other areas of cybersecurity, the core identity and access management systems within many enterprises remain based on decades-old technology. This dependence could create opportunities for attackers to exploit the gap between new cryptographic protections and legacy identity protocols.
The firm contends that even organisations investing in modern security features such as multi-factor authentication or cloud-based platforms may remain at risk if their identity backbone is not upgraded to keep pace with cryptographic developments.
"What's most alarming is the false sense of security," added Simon. "Many CISOs are focused on perimeter security modernisation, MFA here, a cloud migration there, but underneath, the enterprise's digital identity is still built on sand."
Industry recommendations
Certes is calling on senior decision-makers, including Chief Information Security Officers (CISOs) and IT strategists, to closely review and update their security models. The company advises organisations to assess the specific vulnerabilities associated with integrating PQC into Active Directory environments, map out all current cryptographic dependencies ahead of any PQC-related implementation, and re-evaluate their digital identity strategies to look beyond legacy directory services.
The organisation is actively providing guidance to clients in sectors such as finance, healthcare, defence, and government. Certes states that solutions exist today to support data protection in the face of quantum threats, and that its current focus is helping customers establish robust, future-proof strategies to secure critical assets before new attack methods become widespread.
The analysis concludes that the intersection of post-quantum algorithms and enterprise authentication, particularly where Active Directory is concerned, poses an urgent and complex challenge for organisations dependent on traditional security architectures.