If you’re responsible for thousands of apps, you won’t patch your way out of next quarter’s risk. Secure the pipes your attackers actually care about.
Executive Summary
CISOs face a visibility and velocity problem. Even at conservative counts, large organizations now operate hundreds to well over a thousand applications across SaaS, on‑prem, and custom portfolios, and even mature programs do not fully know where and how cryptography is used across them. That is more attack surface than any team can harden uniformly on short timelines.
Your data is constantly in motion because your business is in the cloud. Most enterprises are also multi‑cloud, with cross‑cloud data integration rising year over year; they connect on‑prem to cloud over private links—AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect. Result: DC↔cloud pipes are now among your most valuable—and attack‑prone—routes.
The standard playbook (inventory, classify, then remediate app‑by‑app) is necessary for governance but slow, costly, and brittle. Even mature organizations spend millions annually just on custom integration work to keep sprawling applications talking to each other. And routine software changes can and do take production down (see CrowdStrike, O2/SoftBank, Microsoft Teams, and the Windows Server updates below). Software sprawl + staff shortages = stalled remediation. Many CISOs end up knowing about weaknesses they can’t fix this quarter.
This post argues for a pipe‑first control you can deploy now: secure the few high‑value network links where your most important data‑in‑motion actually flows (DC↔DC, DC↔cloud, HQ↔DC, backbone). Do that, and you erect a blanket control that protects all applications that traverse those pipes—regardless of whether each app is perfectly configured today.
That control is Quantum Key Distribution (QKD) integrated with your existing MACsec/IPsec stack. It provides hardware‑rooted, tamper‑evident keying for the handful of links adversaries truly covet. The result: material risk reduction now, less operational fragility than mass software change, and—bonus—quantum‑safe readiness for tomorrow.
The CISO’s Blind Spot: You Can’t Fix What You Can’t See
Across hybrid estates, teams lack line‑of‑sight into which apps use which crypto, which versions, and which routes their traffic actually takes. Federal guidance itself acknowledges the inventory challenge: OMB M‑23‑02 requires agencies to maintain cryptographic inventories, and CISA’s ACDI strategy pushes automated discovery because manual approaches don’t scale. If the public sector struggles with visibility, the private sector is no better.1
Even “basic” controls are hard at scale. NIST SP 1800‑16 is an entire practice guide on TLS server certificate management, written largely to prevent certificate‑expiry outages and audit findings; and RFC 8996 formally deprecates TLS 1.0/1.1, yet legacy tails persist.
Meanwhile, staffing isn’t keeping up: ISC2’s 2024 Workforce Study puts the global gap near 4.8M. Visibility without capacity still leaves you exposed.
The Operational Trap: Upgrades Break Things
We’ve all lived it:
- CrowdStrike (July 2024): a sensor content update crashed ~8.5M Windows devices, grounding flights and disrupting hospitals and banks. It was a routine update that went sideways.2
- O2/SoftBank (2018): an expired software certificate in Ericsson gear took mobile data offline for tens of millions; O2 publicly pursued damages in the tens to ~£100M range.3
- Microsoft Teams (2020): a forgotten certificate renewal knocked Teams offline for hours at the start of a workday.4
- Windows Patch Tuesday (Jan 2022): security updates triggered domain controller boot loops and broke L2TP VPN until out‑of‑band fixes shipped—reminders that well‑intended changes can ricochet across estates.5
These weren’t exotic zero‑days; they were normal software hygiene tasks with production blast radius. A control that sits beside the data plane—rather than inside every application handshake—reduces that fragility.
The Software Sprawl Is Real (and Expensive)
If your instinct is, “We’ll inventory and remediate everything,” sense‑check the scale:
- Average application counts: MuleSoft’s benchmark shows ~897–1,061 average apps, with 45% of enterprises reporting 1,000+.6
- Large‑enterprise SaaS alone: Zylo’s 2025 Index shows ~660 SaaS apps in 10k+ employee orgs. (That’s before custom/on‑prem.)7
- Integration cost: MuleSoft pegs custom integration labor at ~$4.7M per org per year.8
- Waste: Zylo finds $21M/year in unused SaaS licenses on average.9
Add the governance reality: federal guidance mandates inventories because manual discovery is hard; even with tools, classification and remediation are multi‑year programs. Meanwhile, your most sensitive data keeps crossing a handful of big pipes every millisecond.10
Cloud Changed the Game: Everything Is in Motion
In 2025, “the database in the basement” isn’t the center of gravity. Most enterprises are multi‑cloud, and cross‑cloud data integration is climbing (Flexera reports 45% of orgs now integrate data across clouds). That means your data is constantly moving: user↔SaaS, app↔cloud database, DC↔cloud, and cloud↔cloud (replication, analytics, DR).
Those flows often traverse private cloud on‑ramps—AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect—that carry your crown‑jewel payloads to and from the public cloud. These links are precisely the pipes adversaries would love to tap, and they deserve first‑class protection.
Yes, CISOs should (and do) invest in cloud‑native posture: CSPM/CNAPP tools (think Wiz, etc.) catch misconfigurations inside cloud accounts. But you should not miss the network: all those secure cloud resources still move data to and from your estate and across regions. Protecting the cloud on‑ramps and interconnects now gives you blanket coverage across every app that uses them.
Rethink the Threat Model: Data‑in‑Motion ≠ Data‑at‑Rest
Cybersecurity muscle memory was built on data‑at‑rest problems: assume the perimeter fails, then harden every app and database end‑to‑end. But data‑in‑motion attackers care about interception at scale. They target the backbone and interconnects where value concentrates (think DC↔DC, DC↔cloud). That’s where one tap or route mishap exposes everything crossing the link.
The practical takeaway: for data‑in‑motion, a pipe‑first strategy makes sense. Secure the few links adversaries covet; you immediately cover all apps that traverse them, without waiting to perfect each application’s crypto hygiene. NIST SP 800‑53’s SC‑8 control (Transmission Confidentiality and Integrity) exists for exactly this reason.11
QKD 101 (Two Minutes, No Hype)
- What it is: Quantum Key Distribution (QKD) uses the quantum states of single photons sent over fiber to generate and deliver symmetric keys between two trusted endpoints. Because a photon cannot be copied or measured without disturbing its state, any eavesdropping attempt on the quantum channel raises the observed error rate (the QBER); if that rate exceeds the protocol’s threshold, the endpoints discard the affected key material instead of using it. So QKD does not make interception impossible; it makes interception detectable before a key is ever used, and the assurance rests on physics rather than on a mathematical hardness assumption. Two caveats a practitioner should keep in mind: the classical channel the endpoints use to compare measurement bases must be authenticated, and the guarantee only holds for a sound implementation of the devices themselves.
- Where it fits: QKD appliances provide keys to your existing encryptors (MACsec/IPsec/TLS) via standardized APIs (e.g., the ETSI GS QKD 014 REST API, or Cisco’s Secure Key Integration Protocol, SKIP). QKD runs beside the data plane; your traffic doesn’t ride through the QKD device.
- What it is not: It’s not a data encryption algorithm; it’s a keying substrate. You still encrypt traffic (e.g., MACsec/IPsec); QKD supplies the keys.
- Why operators like it: It’s hardware‑rooted and tamper‑evident, and it slots into existing network crypto via standard APIs—not a rip‑and‑replace of your data plane.
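To make the “if someone looks, you know” property concrete, here is a toy BB84 simulation. It is an added illustration, not HEQA’s code or any product’s implementation: photons are modelled as (bit, basis) pairs, a measurement in the wrong basis returns a random result, and the authenticated classical channel used for basis comparison is assumed rather than modelled. Round count, seed and the 11% abort threshold are illustrative choices.

```python
"""Toy BB84 simulation: why an intercept-and-resend eavesdropper on a QKD
link shows up as a ~25% error rate on the sifted key (added example)."""
import random

BASES = ("rectilinear", "diagonal")
QBER_ABORT_THRESHOLD = 0.11  # BB84 abort point; production links run at roughly 1-5%


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: deterministic result. Different basis: coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n, eavesdrop, seed=1):
    """Run n rounds; return (alice_sifted_key, bob_sifted_key, qber)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-and-resend: Eve cannot clone the photon, so she
            # measures in a guessed basis and re-emits what she observed.
            e_basis = rng.choice(BASES)
            bit = measure(bit, a_basis, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting over the (authenticated) classical channel: keep only the
    # rounds where Alice's and Bob's bases matched.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(keep) if keep else 0.0
    return alice_key, bob_key, qber


def key_accepted(qber, threshold=QBER_ABORT_THRESHOLD):
    """Endpoints keep the sifted key only if the error rate is below threshold."""
    return qber < threshold


if __name__ == "__main__":
    for eve in (False, True):
        a, b, q = run_bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={len(a)} QBER={q:.3f} "
              f"key_accepted={key_accepted(q)}")
```

Without an eavesdropper the sifted keys match exactly; with one, Eve guesses the wrong basis half the time and each wrong guess flips Bob’s bit half the time, so the error rate lands near 25%, far above any operating threshold, and the key is thrown away before it ever protects traffic.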
A Pipe‑First Control You Can Deploy Now
Modern gear already knows how to consume QKD‑delivered keys:
- MACsec (L2) with QKD.
- IPsec (L3) with QKD.
- Standards: ITU‑T Y.3800 series and ETSI GS QKD 014 specify architectures and APIs for QKD networks and key delivery.12
You’re not swapping your routing, load balancers, or firewalls; you’re hardening key delivery underneath them on specific interconnects.
Umbrella coverage where it counts. One QKD‑enabled interconnect protects every flow that crosses it—legacy ERP with creaky TLS, bespoke internal services, third‑party tools not yet patched. Start with DC↔DC, DC↔cloud on‑ramps, HQ↔DC, and backbone links.
Out‑of‑band = low blast radius. QKD feeds keys into what you already run (MACsec/IPsec). If a QKD appliance hiccups, you don’t blue‑screen endpoints: the encryptors keep forwarding under whatever fallback policy you configured (hold the current key, or fall back to classical key exchange), which is why that policy should be chosen deliberately and tested. You strengthen confidentiality now and finish the messy app work on a sane cadence.
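What “QKD supplies the keys, MACsec/IPsec encrypts” looks like at the API level, covering the QKD 101 bullets above and the integration described in this section: an added example in the shape of ETSI GS QKD 014, not HEQA’s or any vendor’s code. A real deployment has two Key Management Entities (KMEs), one per site, that already share QKD‑generated key material, and each encryptor (SAE) talks to its local KME over mutually authenticated HTTPS (GET /api/v1/keys/{slave_SAE_ID}/status, /enc_keys on the master side, /dec_keys?key_ID=… on the slave side). The in‑memory KME below stands in for both KMEs, a constructed simplification; the link name, pool sizes, HKDF labels and alarm thresholds are assumptions.

```python
"""QKD key delivery into a MACsec/IPsec rekey, ETSI GS QKD 014 style
(added example; MockKME is a constructed stand-in for the KME pair)."""
import base64
import hashlib
import hmac
import os
import uuid


class MockKME:
    """Stand-in for the two KMEs: one shared pool of QKD-generated keys."""

    def __init__(self, key_size_bits=256, pool=16):
        self.key_size = key_size_bits
        self.pool = {str(uuid.uuid4()): os.urandom(key_size_bits // 8)
                     for _ in range(pool)}
        self.handed_out = {}  # key_ID -> key, awaiting pickup by the slave SAE

    def status(self):
        """Subset of the ETSI 014 Status object a NOC would poll."""
        return {"key_size": self.key_size, "stored_key_count": len(self.pool)}

    def get_enc_keys(self, number=1):
        """Master SAE: receive fresh keys plus the key_IDs that name them."""
        keys = []
        for _ in range(number):
            if not self.pool:
                raise RuntimeError("QKD key pool exhausted")
            key_id, key = self.pool.popitem()
            self.handed_out[key_id] = key
            keys.append({"key_ID": key_id,
                         "key": base64.b64encode(key).decode()})
        return {"keys": keys}

    def get_dec_keys(self, key_ids):
        """Slave SAE: fetch the same keys by key_ID. Each ID is usable once."""
        keys = []
        for key_id in key_ids:
            key = self.handed_out.pop(key_id, None)
            if key is None:
                raise KeyError(f"unknown or already-consumed key_ID {key_id}")
            keys.append({"key_ID": key_id,
                         "key": base64.b64encode(key).decode()})
        return {"keys": keys}


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_cak(key_b64, key_id, link_id):
    """Bind the delivered key to this link and key_ID before it becomes a
    MACsec CAK (or IPsec PSK). This KDF step is a defensive choice made in
    this example, not something the ETSI API mandates."""
    ikm = base64.b64decode(key_b64)
    return hkdf_sha256(ikm, salt=link_id.encode(),
                       info=b"MACsec-CAK|" + key_id.encode())


def rekey(kme, link_id):
    """One rekey: only the key_ID crosses the control channel between SAEs."""
    enc = kme.get_enc_keys(1)["keys"][0]          # master pulls key + key_ID
    key_id = enc["key_ID"]                        # key_ID is sent to the peer
    dec = kme.get_dec_keys([key_id])["keys"][0]   # slave pulls the key by ID
    cak_a = derive_cak(enc["key"], key_id, link_id)
    cak_b = derive_cak(dec["key"], key_id, link_id)
    if not hmac.compare_digest(cak_a, cak_b):
        raise RuntimeError("key mismatch: refusing to install the SA")
    return key_id, cak_a, cak_b


def pool_alarms(status, min_keys, expected_bits=256):
    """What to feed the NOC/SOC: alarm before the encryptor hits its fallback."""
    alarms = []
    if status["stored_key_count"] < min_keys:
        alarms.append(f"stored_key_count={status['stored_key_count']} < {min_keys}")
    if status["key_size"] != expected_bits:
        alarms.append(f"key_size={status['key_size']} != {expected_bits}")
    return alarms


if __name__ == "__main__":
    kme = MockKME(pool=4)
    kid, cak, _ = rekey(kme, "dc1-aws-dx-01")
    print("key_ID", kid, "CAK", cak.hex()[:16] + "...")
    print("alarms:", pool_alarms(kme.status(), min_keys=8))
```

Two operational points the code makes explicit: the raw key never crosses the control channel (only its key_ID does, and a key_ID can be redeemed once), and the stored_key_count field from the status call is the metric to alarm on, because an empty pool is the moment the encryptor drops into its fallback policy.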
Operationally real, not a science project.
- China runs a QKD network from Beijing to Shanghai with network links covering almost 10,000 miles.
- Singapore has two operational national QKD networks.
- S. Korea runs a national network connecting all their major government ministries and industrial centers.
- EU testbeds and operational networks: There are dozens of QKD networks across the 27 EU member states, including, for example, a 1,770km network connecting 22 cities in Poland.
Cost & ROI: Quick Math, Real Numbers
You don’t need a detailed BoM to see the order of magnitude:
- Scale reality: You’re already paying for sprawl—Zylo shows hundreds of SaaS apps in large enterprises (with attendant waste). A pipe‑first control reduces risk for all apps crossing a few links—without waiting for per‑app change windows.
- Outage math: Certificate/patch errors have caused nation‑scale outages and multi‑hour productivity hits; minimizing change blast radius is its own ROI.
- Where QKD helps: You protect all application flows across a handful of links without touching each app. That produces a large, immediate reduction in risk (and an uptime benefit) relative to app‑by‑app remediation.
Where to Start (90 Days)
- Map the pipes: Identify DC↔DC, DC↔cloud (Direct Connect / ExpressRoute / Interconnect), and HQ↔DC circuits carrying your crown‑jewel data (payments, trading, EMR, PII lakes).
- Pick the first two links: One internal backbone, one cloud on‑ramp for a pilot.
- Integrate QKD→MACsec/IPsec: Use existing platform support and ETSI API integrations. Validate throughput, failover, and monitoring.
- Operationalize: Feed key health and alarms into your NOC/SOC.
- Expand by business criticality: Roll outward from the pipes that matter most.
Result: in a quarter, you’ve materially reduced data‑in‑motion exposure for every app that uses those links—without waiting on per‑app patch cadence.
Common Pushbacks (and Simple Rebuttals)
- “We don’t want to touch the data plane.”
You aren’t. QKD hardens key delivery while your MACsec/IPsec continue to encrypt payloads. It’s an adjacent control, and a far smaller change than touching hundreds of applications.
- “Who else is doing this?”
More than you’d think. Most organizations shy away from publicizing their core network equipment suppliers for obvious reasons. But you can get a hint from the following list of leading organizations that have published trials and collaborations related to QKD: BT, DT, SK Telecom, KT, Telefonica, Orange, Verizon, HSBC, JPMC and many others.
Why a Physics‑Based Control Helps With Today’s (Not Future) Attacks
Modern interception risks involve misroutes, taps, and man‑in‑the‑middle on high‑value links. QKD’s value is key exchange whose confidentiality does not rest on a computational assumption, plus tamper evidence during that exchange: if someone measures the photons, the error rate tells you. That’s complementary to your IDS/TLS stack and independent of which cipher an app uses today.
Remember that the TLS ecosystem itself evolves (e.g., TLS 1.0/1.1 deprecated by RFC 8996; TLS 1.3 support required in federal profiles by NIST SP 800‑52 Rev. 2). That churn is healthy, but each change cascades through stacks and middleboxes. QKD stabilizes the keying substrate beneath those changes.
Also, Internet routing itself can misdirect traffic (BGP leaks/hijacks). Even when payloads are encrypted, the risk concentration on your core links argues for defense‑in‑depth at those pipes.
Bonus: You Get Quantum‑Safe Readiness “For Free”
Even if your near‑term driver is today’s data‑in‑motion risk and operational resilience, a QKD‑hardened backbone also advances quantum‑safe posture—on your timetable. When you’re ready for broader program work, read our post on sequencing pipe‑first (QKD) followed by app‑level PQC crypto modernization (link to prior blog).
Author: Nir Bar Lev, CEO, HEQA Security
1. https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf
2. https://www.reuters.com/technology/microsoft-says-about-85-million-its-devices-affected-by-crowdstrike-related-2024-07-20/
3. https://techcrunch.com/2018/12/07/heres-what-caused-yesterdays-o2-and-softbank-outages/
4. https://www.theverge.com/2020/2/3/21120248/microsoft-teams-down-outage-certificate-issue-status
5. https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/
6. https://www.mulesoft.com/lp/reports/connectivity-benchmark
7. https://www.prweb.com/releases/2025-saas-management-index-reveals-first-increase-in-average-saas-spend-in-three-years-amid-rising-vendor-costs-and-rapid-ai-adoption-302351642.html
8. https://www.prweb.com/releases/2025-saas-management-index-reveals-first-increase-in-average-saas-spend-in-three-years-amid-rising-vendor-costs-and-rapid-ai-adoption-302351642.html
9. https://www.prweb.com/releases/2025-saas-management-index-reveals-first-increase-in-average-saas-spend-in-three-years-amid-rising-vendor-costs-and-rapid-ai-adoption-302351642.html
10. https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf
11. https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
12. https://www.itu.int/rec/T-REC-Y.3800