How Can Hybrid Clouds Secure Post-Quantum Migration?

I’m thrilled to sit down with Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With the looming threat of quantum computing reshaping the landscape of data protection, Rupert offers invaluable insights into the complex journey of post-quantum cryptography (PQC) migration, the role of hybrid-cloud environments in this transition, and the practical steps organizations can take to secure their communications. In this conversation, we’ll explore how PQC is becoming a critical focus for industries, the significance of securing protocols like TLS, and the tools and strategies that can help organizations stay ahead of emerging threats.

Can you break down what post-quantum cryptography is and why it’s such a pressing concern for organizations right now?

Absolutely. Post-quantum cryptography, or PQC, refers to cryptographic algorithms designed to be secure against the potential threats posed by quantum computers. Unlike today’s classical computers, quantum machines could, in theory, break widely used encryption methods like RSA or ECC by solving complex mathematical problems much faster. This is a big deal because so much of our digital infrastructure—banking, healthcare, government communications—relies on these encryption standards. With quantum advancements on the horizon, organizations need to start transitioning to PQC to protect sensitive data from future decryption risks. It’s not just a tech issue; it’s about safeguarding trust and compliance in an era where data breaches could have catastrophic consequences.

What are some of the key factors that make migrating to PQC such a long and challenging process for most companies?

The migration to PQC is a massive undertaking primarily because of the sheer scale and complexity of modern IT environments. Most organizations have thousands of systems, applications, and devices that rely on cryptographic assets—think keys, certificates, and protocols. First, you’ve got to inventory everything, which is a daunting task in itself. Then, you need to upgrade protocols, replace outdated libraries, and ensure all integrations still work seamlessly. This isn’t a quick patch; it often involves years of planning and execution, especially for regulated industries where compliance adds another layer of scrutiny. Plus, there’s a shortage of expertise and standardized solutions, so companies are often navigating uncharted territory.

How do hybrid-cloud environments play a role in helping organizations begin their journey toward PQC adoption?

Hybrid-cloud setups are a practical starting point because they bridge on-premises systems with cloud services, creating a manageable scope for testing and deploying PQC solutions. Many organizations already use hybrid clouds to handle sensitive workloads, and these environments often rely on standardized protocols like TLS for secure communication. By focusing on securing these communication channels first, companies can address a critical vulnerability without overhauling their entire infrastructure. Hybrid clouds also offer flexibility—cloud providers are often quicker to adopt new technologies like PQC, so organizations can leverage vendor support on one side while upgrading their on-premises systems at their own pace. It’s a way to dip your toes into PQC without diving in headfirst.

Speaking of TLS, how does this protocol fit into securing data in hybrid-cloud setups, and what challenges does it face with quantum threats?

TLS, or Transport Layer Security, is the backbone of secure communication in hybrid-cloud environments. It encrypts data moving between on-premises systems and cloud services, ensuring things like web traffic, database connections, and API calls stay private. However, the cryptographic algorithms currently underpinning TLS—like those based on asymmetric key exchanges—are vulnerable to quantum attacks. A sufficiently powerful quantum computer could crack these keys, exposing all that encrypted data. That’s why there’s an urgent push to update TLS with post-quantum algorithms. The challenge is ensuring both ends of the communication channel support these new algorithms, which isn’t always straightforward given the diversity of systems and vendors involved.

Can you explain how both sides of a communication channel need to adapt to make TLS resistant to quantum threats?

Sure. For TLS to be quantum-resistant, both the client and the server in a communication channel must support post-quantum cryptographic algorithms. This means upgrading the software or libraries they use for TLS—often something like OpenSSL—to versions that include PQC support. On the client side, whether it’s a web browser or an application, it needs to propose and negotiate post-quantum key exchange methods during the TLS handshake. Similarly, the server—whether it’s in the cloud or on-premises—must be configured to accept and use these methods. If either side lacks support, the connection falls back to older, vulnerable algorithms. It’s a bit like a dance; both partners need to know the new steps, or you’re stuck with the old routine.

With the introduction of OpenSSL 3.5, how significant is its support for PQC in TLS key exchanges for organizations looking to secure their systems?

OpenSSL 3.5 is a game-changer for many organizations, especially those running on-premises systems. It introduces support for post-quantum algorithms in TLS key exchanges, which means you can achieve quantum-safe communication without rewriting applications or redesigning your architecture. For companies using popular web servers like Nginx or Apache, which rely on OpenSSL for TLS encryption, upgrading to version 3.5 is often a straightforward way to start protecting data in transit. It lowers the barrier to entry for PQC adoption, making it accessible even for organizations with limited resources or expertise. It’s not a complete solution for all cryptographic needs, but it’s a critical first step for securing communication channels.

What practical steps can organizations take right now to start hardening TLS in their hybrid-cloud environments?

The first thing to do is identify workloads in your hybrid-cloud setup that handle sensitive data—think web servers, databases, or backup agents transmitting to the cloud. Once you’ve got that list, check if those on-premises systems use OpenSSL for TLS encryption, which many do. If so, plan an upgrade to OpenSSL 3.5 or later to get PQC support. Next, reach out to your cloud provider to see if they support post-quantum TLS algorithms or allow you to deploy a proxy for it. Finally, use tools like Wireshark to inspect TLS handshakes and confirm that post-quantum algorithms are actually in use. These steps are relatively low-effort compared to a full cryptographic overhaul and can significantly reduce your exposure to future quantum decryption risks.

Looking ahead, what is your forecast for the adoption of post-quantum cryptography across different industries in the coming years?

I think the adoption of PQC will vary widely across industries, largely driven by regulation and risk exposure. Financial services and government sectors are likely to move faster due to strict compliance requirements and the high stakes of data breaches—they might aim for significant progress within the next 5 to 10 years. Healthcare could lag a bit because of budget constraints and legacy systems, though pressure to protect patient data will push them forward eventually. Overall, I expect a gradual but accelerating adoption as standards solidify, vendor support grows, and the threat of quantum computing becomes more tangible. Organizations that start now, even with small steps like TLS hardening, will be in a much stronger position when the broader transition picks up speed.
