🚀 Quantum-Proofing the Cloud: Securing Multi-Cloud APIs for the Post-Quantum Era
The digital landscape is shifting beneath our feet. While we build faster, more interconnected multi-cloud environments, a silent threat matures in the background: Quantum Computing.
At the recent Con 42 Cloud Native 2026 session, Rajasingh Gandhi Ramdas, Senior Technical Architect at IBM, delivered a wake-up call to the tech world. He specializes in turning high-level digital strategy into operational reality, and his message was clear: the encryption we trust today has an expiration date.
Here is how we must evolve to secure our APIs against the quantum storm. 👾
🛡️ The “Harvest Now, Decrypt Later” Phenomenon
Traditional encryption—the backbone of our digital lives—faces a terminal threat. We currently rely on RSA and Elliptic Curve Cryptography (ECC), both of which rest on hard mathematical problems that Shor’s algorithm solves efficiently once cryptographically relevant quantum computers arrive.
The danger is not just a future problem; it is happening right now through the Harvest Now, Decrypt Later phenomenon. Attackers are currently capturing encrypted traffic, storing it in massive data silos, and waiting for the day they can decrypt it with quantum power.
If your data has a long confidentiality horizon—such as trade secrets, health records, or strategic government plans—that data is already at risk. While AES-256 symmetric encryption and hash functions can survive if we use larger key sizes, our public key infrastructure (PKI) requires a complete overhaul. 🔐
🏗️ Beyond the Front Door: Securing the Interior
Architects often focus on North-South traffic (gateways), but Rajasingh warns that a quantum-resistant perimeter creates a false sense of security if the interior remains weak. 🏰
- East-West Traffic: Internal service-to-service communication is just as vulnerable to harvesting. If a hacker breaches the network, they can quietly collect internal secrets.
- Hybrid Connectivity: Cloud-to-on-prem bridges often rely on legacy VPNs. These are frequently the most neglected and exposed parts of the infrastructure.
- Certificate Infrastructure: If internal Certificate Authorities (CAs) and mTLS (Mutual TLS) do not migrate to quantum-resistant standards, the entire trust model collapses from the bottom up.
A quantum-proof front door is useless if the hallways inside are wide open. 🚪🔓
🛠️ The New Toolkit: NIST Post-Quantum Standards
The National Institute of Standards and Technology (NIST) has finalized the new rules for cryptography. We have moved past the era of uncertainty, and leaders now have a vetted framework to follow. 📚✨
The core NIST Post-Quantum Cryptography (PQC) portfolio includes:
- ML-KEM (formerly Kyber): Replaces RSA and ECDH for handshakes. It is fast but requires larger keys.
- ML-DSA (formerly Dilithium): The new standard for digital signatures.
- SLH-DSA (formerly SPHINCS+): A hash-based backup that provides a diversity of mathematical assumptions.
- FN-DSA (formerly Falcon): Provides lattice-based signatures with a compact size.
⚖️ The Hybrid Approach and Performance Trade-offs
We cannot simply flip a switch. Rajasingh recommends a hybrid approach where we run classical and post-quantum algorithms in parallel. 🤝
In this model, the session key is derived from the combination of an ECDH shared secret and an ML-KEM shared secret. An attacker must break both to succeed. If a flaw exists in the new PQC, classical encryption acts as a backstop; if quantum computers break classical encryption, PQC provides the shield.
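As an added illustration (not code from the talk or from any IBM project), here is the combiner step in Python: the classical and post-quantum shared secrets are concatenated and fed through HKDF (RFC 5869, implemented below with the standard library), with a hash of the handshake transcript as the salt. The 32-byte secret lengths and the label `hybrid-session-key` are assumptions for the example; in a real handshake `ecdh_ss` would come from X25519 and `mlkem_ss` from ML-KEM decapsulation.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(ecdh_ss: bytes, mlkem_ss: bytes, transcript: bytes) -> bytes:
    """Combine the classical and post-quantum shared secrets into one session key.

    Both secrets go into HKDF-Extract as a single concatenated IKM, so an attacker
    who recovers only one of them (ECDH via Shor, or ML-KEM via a future flaw)
    still faces a full-entropy unknown in the other. Fixed 32-byte lengths keep
    the concatenation unambiguous; the transcript hash binds the key to this
    particular handshake so a replayed share cannot be reused.
    """
    if len(ecdh_ss) != 32 or len(mlkem_ss) != 32:
        raise ValueError("expected 32-byte shared secrets (X25519 and ML-KEM)")
    salt = hashlib.sha256(transcript).digest()
    prk = hkdf_extract(salt, ecdh_ss + mlkem_ss)
    return hkdf_expand(prk, b"hybrid-session-key", 32)


if __name__ == "__main__":
    # Constructed sample secrets; real values come from the two key exchanges.
    ecdh = bytes.fromhex("11" * 32)
    mlkem = bytes.fromhex("22" * 32)
    print(hybrid_session_key(ecdh, mlkem, b"ClientHello||ServerHello").hex())
```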
⚠️ The Challenges
Post-quantum cryptography is not free. Larger keys mean:
- Increased handshake size.
- Potential delays on high-latency networks.
To offset these impacts, we must leverage technologies like session resumption, connection pooling, and HTTP/2 or HTTP/3 multiplexing. 🚀
📈 The Cryptographic Agility Maturity Model
To manage this transition, organizations should aim for Cryptographic Agility—the ability to update algorithms via configuration rather than rewriting code. ⚙️
Rajasingh outlines a 5-Level Maturity Model:
- Level 1: Hard-coded algorithms.
- Level 2: Library abstraction layers.
- Level 3: Centralized certificate management.
- Level 4: Algorithm choices as configuration.
- Level 5: Automated agility with full observability.
🗺️ The 4-Phase Migration Roadmap
Migration is a multi-year program, not a one-off project. It touches everyone from Platform Engineering to Procurement. 🗓️
- Phase 1 (Foundation): Conduct an inventory, select frameworks, and choose libraries.
- Phase 2 (High-Priority): Deploy hybrid key exchange on sensitive external gateways and critical East-West service mesh traffic.
- Phase 3 (Rollout): Address low-priority APIs and partner integrations.
- Phase 4 (Hard Cases): Mitigate legacy architectural issues and handle long-tail client compliance.
🎯 Final Thoughts: The Time to Act is Now
The standards are ready (NIST FIPS 203-205), the libraries are maturing, and the threat is real. Waiting for quantum computers to arrive before acting is a recipe for disaster. 🕒
Rajasingh Gandhi Ramdas emphasizes that cleaning up your encryption today doesn’t just protect you from future quantum threats—it fixes old mistakes and makes your current infrastructure safer immediately.
Don’t wait until it’s too late. Start your quantum-resistant journey today! 🦾🌐🎯