
PQC and Legacy IT: How Architectural Wrappers Can Bridge the Gap

Introduction

The message from vendors on post-quantum cryptography is often simple and absolute: update every application, component and platform to support quantum-resistant algorithms. In an ideal world, that would be the right approach. In the real world of enterprise IT, it is rarely that straightforward.

Almost every organisation carries a degree of legacy technology. CTOs and IT leaders are well accustomed to managing the risk and technical debt associated with business-critical systems that cannot easily — or sometimes simply cannot — be upgraded. These systems may be running older operating environments, relying on proprietary interfaces, or embedded within operational processes where any change introduces significant risk.

The question, therefore, is not whether legacy exists. It is how legacy technology can be addressed responsibly and proportionately against the backdrop of the quantum computing threat. Ignoring legacy systems in your PQC planning is not an option, but neither is pretending they can all be replaced overnight.

The Reality of Legacy Technology in Enterprise Environments

Legacy technology persists in enterprise environments for a range of legitimate reasons. In many cases, systems were designed and deployed at a time when their current longevity was not anticipated. They have become deeply embedded in business processes, integrated with other systems and relied upon for functions that are difficult to replicate or replace.

In sectors such as defence, transport, healthcare, nuclear and critical national infrastructure, this challenge is amplified. Operational technology and embedded systems often have service lives measured in decades. Industrial control systems, medical devices, signalling equipment and building management systems may run for 15, 20 or even 30 years. Upgrading or replacing these systems is not simply a technology project — it involves safety certification, regulatory approval, supply chain coordination and significant capital investment.

Even in more commercially focused environments, legacy persists. Custom-built line-of-business applications, on-premise middleware, mainframe systems and proprietary integrations all contribute to a technology estate where comprehensive, simultaneous modernisation is neither practical nor affordable.

The PQC transition must account for this reality. Any strategy that assumes universal upgrade capability will fail at the point of contact with the actual technology estate.

What Are Architectural Wrappers?

One practical approach to managing legacy technology within a PQC transition is the use of architectural wrappers. A wrapper, typically a gateway or proxy, creates a quantum-resistant boundary around a legacy system. It allows that system to interoperate securely with applications and services that have already been upgraded to post-quantum algorithms, while the legacy system itself continues to operate using its existing, quantum-vulnerable cryptography within a tightly controlled system boundary or network segment.

In essence, the wrapper handles the cryptographic translation between the quantum-resistant external environment and the legacy internal environment. Traffic entering and leaving the wrapped system is protected by post-quantum (or hybrid classical plus post-quantum) algorithms. Within the wrapper boundary, the legacy system continues to function as it always has. Because the wrapper terminates and re-encrypts traffic, it handles plaintext and holds keys for both sides of the boundary; it is therefore a high-value component in its own right and must be hardened, patched and monitored accordingly.
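As an added illustration of the pattern, and not code from the original post, the fragment below configures an nginx reverse proxy as a wrapper in front of a legacy HTTPS service. The hostnames, addresses and file paths are hypothetical. The directive names are nginx's own; the group name X25519MLKEM768 is the hybrid key-exchange group registered by OpenSSL 3.5 and later, so the build of nginx must be linked against that OpenSSL version or newer.

```nginx
# Added example: nginx as a PQC wrapper for a legacy HTTPS system.
# Hostnames, addresses and paths are hypothetical. Requires nginx built
# against OpenSSL 3.5+, which provides the X25519MLKEM768 hybrid group.

# External side of the boundary: TLS 1.3 only, with the hybrid post-quantum
# key-exchange group as the sole permitted group. A client that offers only
# classical groups (X25519, P-256) fails the handshake, so no session crosses
# the boundary under quantum-vulnerable key agreement.
server {
    listen 443 ssl;
    server_name legacy-app.example.com;

    ssl_certificate     /etc/nginx/tls/wrapper.crt;   # still an ECDSA/RSA cert
    ssl_certificate_key /etc/nginx/tls/wrapper.key;
    ssl_protocols       TLSv1.3;
    ssl_ecdh_curve      X25519MLKEM768;               # hybrid group only

    location / {
        # Internal side: the legacy system speaks TLS 1.2 with classical
        # cryptography and cannot be changed. It is reachable only from this
        # host within the wrapped network segment.
        proxy_pass https://10.20.30.40:8443;
        proxy_ssl_protocols            TLSv1.2;
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/legacy-ca.crt;
        proxy_ssl_name                 legacy-backend.internal;
        proxy_ssl_server_name          on;
        # The gateway authenticates to the legacy system with a client
        # certificate, so the backend can refuse any connection that did not
        # arrive through the wrapper.
        proxy_ssl_certificate          /etc/nginx/tls/gateway-client.crt;
        proxy_ssl_certificate_key      /etc/nginx/tls/gateway-client.key;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Check from outside the boundary with an OpenSSL 3.5+ client. The first
# command must report the hybrid group; the second must fail to handshake:
#   openssl s_client -connect legacy-app.example.com:443 -groups X25519MLKEM768 </dev/null 2>/dev/null | grep 'Negotiated TLS1.3 group'
#   openssl s_client -connect legacy-app.example.com:443 -groups X25519 </dev/null
```

Two limits of this configuration are worth stating plainly. The hybrid group protects the key agreement on the external hop, which is what defeats harvest-now, decrypt-later collection of that traffic; the server certificate and the chain that authenticates it are still classical ECDSA or RSA. And the internal hop to the legacy system remains classical TLS 1.2, which is precisely the residual risk the post describes: the segment must be tightly controlled, and the backend should accept connections only from the gateway's client certificate.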

This is not a new concept. Similar architectural patterns have been successfully applied during previous shifts in security standards. When organisations needed to maintain connectivity with systems that could not support modern TLS versions, or when legacy protocols needed to coexist with updated security requirements, wrapper and gateway approaches provided a practical bridge. It is expected that vendors will increasingly deliver purpose-built gateways and enabling components to support this model in the context of PQC.

What This Approach Achieves

It is important to be clear about what architectural wrappers do and do not deliver. This approach does not make legacy applications quantum-resistant. The cryptography operating within the wrapped boundary remains vulnerable to quantum attack: keys, sessions and stored data protected by classical algorithms inside the boundary could still be recovered by a future quantum-capable adversary, including from traffic captured today. What wrappers achieve is a meaningful reduction in risk, by removing quantum-vulnerable cryptography from the flows that cross the boundary, while allowing essential business operations to continue.

Specifically, a well-designed wrapper strategy enables several important outcomes. It allows a phased transition of applications and services over an extended timeframe, rather than demanding a disruptive, all-at-once upgrade. It creates a more predictable and manageable investment profile for the PQC transformation, spreading cost across multiple budget cycles rather than concentrating it in a single programme. It provides a viable mitigation path for platforms that genuinely cannot be upgraded, either because the technology does not support it or because the operational risk of change is unacceptable. And it reduces risk to within tolerance when combined with appropriate compensating controls — an important distinction from eliminating risk entirely.

This last point is critical. Wrappers are a risk management tool, not a risk elimination tool. They are appropriate where the residual risk, after compensating controls are applied, falls within the organisation’s accepted risk tolerance. They are not appropriate as a long-term substitute for genuine modernisation where that is feasible.

Critical Risk Considerations

The risk management dimension of wrapper-based solutions requires careful and thorough consideration. Several key questions must be addressed during both the design and implementation phases.

First, what additional security controls are required to further reduce the attack surface of the wrapped system, and of the wrapper itself, whose keys and configuration now protect the boundary? While attention often focuses on user-facing interfaces, equal consideration must be given to backup data flows, management interfaces and operational tooling integrations. These secondary pathways are frequently overlooked but can provide routes for data exfiltration or unauthorised access, and any of them that bypasses the wrapper reintroduces quantum-vulnerable cryptography at the boundary. Detection capabilities should also be assessed, both in terms of coverage and whether enhanced monitoring would materially improve visibility of anomalous behaviour within and around the wrapped boundary.

Second, how does the wrapped application, service or platform fit into end-to-end business processes? In modern environments, systems are rarely standalone. They form part of interconnected value chains that access, process and transmit data across multiple services. Any mitigation applied to one component must therefore be evaluated for its upstream and downstream impact across both technical and business workflows. A wrapper that secures one system but creates a gap in the protection of the data flowing to or from it has limited value.

Third, organisations must plan for failure. If a compromise occurs within a wrapped environment, is there a clear business impact assessment and an actionable response playbook? This includes understanding who is responsible for containment, what access is required to execute the response and how quickly actions can be taken. Modelling should explicitly consider the blast radius — the systems, networks and data that could be affected — and how to prevent rapid lateral spread beyond the wrapper boundary.

Fourth, what is the longer-term remediation strategy? Wrappers should not be treated as a permanent solution. They are a bridge — a means of managing risk while the organisation plans and executes a more comprehensive modernisation programme. Maintaining risk within acceptable tolerance carries an ongoing cost in terms of monitoring, governance and compensating controls. Long-term investment decisions should be informed by a clear comparison of the cost of sustaining that risk versus the cost of eliminating it through system replacement or upgrade.

Communicating Wrapper Strategies at Board Level

One of the challenges with wrapper-based approaches is communicating them effectively to senior stakeholders. The technical complexity of PQC can make executive engagement difficult, and the nuance of a risk-managed mitigation — as opposed to a complete solution — requires careful framing.

Boards need to understand that wrappers represent a deliberate, governed approach to managing legacy risk within the PQC transition. They are not a shortcut or a deferral of action. They are a recognition that enterprise IT transformation is necessarily phased, and that a structured approach to risk management is preferable to an unplanned scramble to upgrade everything simultaneously.

Organisations should consider how wrapper-related risks will be reported — whether as part of existing cyber and technology risk reporting, or as a distinct entry reflecting the strategic and systemic nature of the quantum challenge. Clear metrics, defined risk ownership and regular review cycles will help ensure that board-level visibility is maintained and that wrappers do not quietly become a permanent fixture without ongoing governance.

Aligning Wrappers with Application Portfolio Management

Wrapper strategies work most effectively when aligned with recognised frameworks for application portfolio management. Frameworks such as the Gartner TIME model (Tolerate, Invest, Migrate, Eliminate) provide a practical way to categorise applications based on technical fitness and business value, enabling organisations to determine which systems should be tolerated, invested in, migrated or eliminated.

Within this framework, PQC wrappers should be defined as one of the available treatment options — specifically for systems categorised as tolerate or migrate, where immediate upgrade is either not feasible or not cost-effective. By integrating wrapper decisions into existing portfolio governance, organisations ensure that PQC-related mitigation is managed consistently alongside broader technology lifecycle decisions, rather than treated as a separate, disconnected workstream.

This alignment also helps with investment planning. Understanding which legacy systems will be retired within natural refresh cycles, and which will require sustained wrapper-based mitigation, provides the data needed to build a realistic, multi-year investment profile for the PQC transition.

How Unsung Can Help

Unsung helps organisations develop practical, risk-managed strategies for addressing legacy technology within a PQC transition. We work with CTOs, CISOs and security leaders to assess legacy dependencies, design appropriate wrapper architectures and ensure that compensating controls are proportionate, well-governed and aligned to your accepted risk tolerance.

We also support the broader planning context — helping organisations align wrapper strategies with application portfolio management, develop board-level reporting frameworks and build realistic investment profiles that reflect the phased nature of the transition.

Our vendor-neutral approach ensures that recommendations are driven by your specific risk profile and business requirements, not by any vendor’s product roadmap. If your organisation is grappling with how to address legacy technology in the context of PQC, we would welcome the opportunity to discuss a practical path forward.

Want to explore this topic further?

This blog is part of a series drawn from our strategic whitepaper, Post-Quantum Cryptography: A Strategic Whitepaper for the C-Suite. It provides vendor-neutral, business-focused guidance on navigating the quantum era — covering the threats already in play, lessons from previous hype cycles, and practical steps your organisation can take today. Download your copy here: https://2f4v3l.share-eu1.hsforms.com/20qJjHSynQkuJKhI_xq9Msg

March 30, 2026