We are delighted to share with you the launch and first episode of our new podcast, Shielded: The Last Line of Cyber Defense.
Hosted by our Global Business Development Director Johannes Lintzen, we dive into the world of post-quantum cryptography, examining how businesses and industries can prepare for the upcoming quantum revolution. From practical steps to real-world case studies and expert interviews, Shielded is an essential guide to navigating the future of cybersecurity.
Episode 1: Inside Cloudflare’s Post-Quantum Journey: Bas Westerbaan on Real-World Implementation
Johannes Lintzen sits down with Bas Westerbaan, Research Engineer at Cloudflare, to explore what it really takes to implement post-quantum cryptography (PQC) at scale.
Quantum computers could break today’s encryption sooner than you think.
Is your organization ready to protect its most sensitive data?
While many organizations are just waking up to the quantum threat, Cloudflare has been preparing since 2017. This conversation delivers practical insights, hidden challenges, and a step-by-step migration plan that organizations can follow before quantum computing disrupts traditional cryptographic security.
The Wake-Up Call: Why Post-Quantum Migration Can’t Wait
“If we all wait until the last moment, there will be more work than we expect.” – Bas Westerbaan
The transition to quantum-safe cryptography isn’t just an upgrade—it’s a fundamental shift in security infrastructure. Organizations that delay will face:
- A backlog of urgent security overhauls, causing disruptions to IT systems
- A scramble for compliance, as regulatory mandates push quantum-safe adoption
- Vendor dependencies, as enterprises wait for software providers to catch up
Cloudflare’s journey offers a roadmap for companies at any stage of post-quantum readiness.
Here’s what we learned.
The Two-Phase Migration Reality
Traditional encryption and authentication mechanisms rely on cryptographic algorithms that quantum computers will eventually break. While organizations may be aware of the need to upgrade encryption, many overlook the need to transition authentication mechanisms as well.
If organizations only upgrade encryption, they remain vulnerable to quantum-based attacks on authentication—allowing adversaries to forge signatures, break TLS connections, and impersonate digital identities.
This dual migration approach addresses two distinct cryptographic threats:
Phase One: Encryption Upgrade (Start Now!)
This phase will prevent “Harvest Now, Decrypt Later” attacks, where attackers store encrypted data today, intending to decrypt it once quantum computers become powerful enough. It is therefore important to upgrade encryption protocols to post-quantum standards, as delays could put long-term sensitive data at risk, including intellectual property, financial records, and national security communications.
Phase Two: Authentication & Digital Signatures
This phase prevents adversaries from breaking authentication mechanisms, such as TLS certificates and digital signatures. The transition to quantum-resistant authentication standards ensures digital signatures and identity verification mechanisms remain secure. Even if an organization secures its encryption, an attacker could forge digital signatures or break TLS authentication, allowing them to impersonate legitimate users and systems.
The main takeaway here was that focusing only on encryption upgrades isn’t enough—organizations must prepare for authentication changes too or risk leaving critical security gaps.
Starting Your Quantum Journey: 3 Steps to Take Today
While a full PQC migration takes time, organizations can take immediate steps to begin their journey.
Step 1: Secure Executive Buy-In
PQC is not just a technical challenge—it’s a business risk. Without leadership support, migration efforts will stall.
- Make post-quantum readiness a board-level priority.
- Frame it as a security & compliance issue—delayed action could mean regulatory penalties and data breaches.
- Assign a dedicated PQC task force to drive adoption.
Step 2: Conduct a Cryptographic Inventory
Most organizations don’t know where their cryptography is used.
- Survey engineering teams to map existing cryptographic dependencies.
- Identify legacy systems that may break when upgrading encryption.
- Assess third-party vendor dependencies to avoid supply chain risks.
Step 3: Build Internal PQC Expertise
The lack of in-house PQC knowledge is one of the biggest migration roadblocks.
- Establish a Post-Quantum Center of Excellence to oversee implementation.
- Provide training on PQC protocols to IT & security teams.
- Stay updated with industry regulations & best practices.
A cryptographic inventory is the foundation of a successful migration—organizations must understand their existing infrastructure before making changes.
Real-World Implementation Challenges
“Experience matters – it’s not just if it’s fast when we’re sitting here with fiber internet. It’s also if you’re on the plain Wi-Fi.” – Bas Westerbaan
Performance Impact
- While PQC algorithms generally perform well, real-world conditions vary.
- Testing across different network environments is critical.
Compatibility Issues
- Some middleware fails when encountering larger post-quantum keys—even though it shouldn’t.
- Cloudflare discovered that 5% of connections broke due to improper TLS implementations.
- Organizations must test their infrastructure early to avoid unexpected failures.
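To make the size difference behind these compatibility failures concrete, here is an added Python example (not code from Cloudflare or the podcast) that parses the key_share extension of a TLS 1.3 ClientHello and reports whether a hybrid post-quantum group is offered and how large each share is. The sample bytes are constructed with zero-filled keys, the group codepoints are those in the IANA TLS Supported Groups registry, and the function names are hypothetical.

```python
import struct

KEY_SHARE = 0x0033  # TLS 1.3 key_share extension type (RFC 8446)
# NamedGroup codepoints from the IANA registry: (name, is post-quantum hybrid)
GROUPS = {0x0017: ("secp256r1", False), 0x001D: ("x25519", False),
          0x11EB: ("SecP256r1MLKEM768", True), 0x11EC: ("X25519MLKEM768", True)}

def parse_key_shares(extensions: bytes):
    """Return [(group_name, is_pq, key_len)] from a ClientHello extensions block."""
    shares, pos = [], 0
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        body = extensions[pos + 4 : pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        pos += 4 + ext_len
        if ext_type != KEY_SHARE:
            continue  # only key agreement matters for the encryption phase
        if len(body) < 2 or struct.unpack_from("!H", body)[0] != len(body) - 2:
            raise ValueError("bad key_share list length")
        off = 2
        while off < len(body):
            if off + 4 > len(body):
                raise ValueError("truncated key share header")
            group, klen = struct.unpack_from("!HH", body, off)
            if off + 4 + klen > len(body):
                raise ValueError("truncated key share")
            name, is_pq = GROUPS.get(group, (f"unknown(0x{group:04x})", False))
            shares.append((name, is_pq, klen))
            off += 4 + klen
    return shares

def phase_one_report(extensions: bytes):
    """Summarise whether post-quantum key agreement is offered, and at what size."""
    shares = parse_key_shares(extensions)
    return {"pq_offered": any(pq for _, pq, _ in shares),
            "key_share_bytes": sum(n for _, _, n in shares),
            "shares": shares}

def build_extensions(*shares):
    """Constructed sample: supported_versions (TLS 1.3) plus zero-filled key shares."""
    entries = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares)
    key_share = struct.pack("!HHH", KEY_SHARE, len(entries) + 2, len(entries)) + entries
    return struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04" + key_share

CLASSICAL = build_extensions((0x001D, 32))                # x25519 only
HYBRID = build_extensions((0x11EC, 1216), (0x001D, 32))   # hybrid first, x25519 fallback
```

Run against ClientHello extension bytes taken from your own packet captures, the report shows which clients already offer hybrid key agreement and how much larger their handshakes are than classical ones.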
The Compliance Catalyst: Why Regulation Is Accelerating Adoption
- Governments are not waiting for businesses to act.
- U.S. federal mandates now require quantum-safe cryptography in procurement decisions.
- Compliance is becoming a key driver behind PQC migration.
- Organizations that act now gain a competitive advantage in securing government and enterprise contracts.
The key takeaway here is that regulatory pressure is increasing—businesses that proactively adopt PQC will stay ahead of compliance deadlines and market shifts.
Practical Action Plan for Organizations
The best way to approach post-quantum migration is with a phased, strategic rollout. Organizations that try to overhaul everything at once will face unnecessary complexity and delays. Instead, teams should take a targeted approach that starts with small, manageable changes and scales over time.
1. Start Small, Start Now
- Begin with low-risk projects like internal applications, test environments, or non-critical systems.
- Focus on areas where you have direct control (e.g., in-house software, internal TLS connections).
- Use automated tools to streamline cryptographic upgrades.
2. Improve Key Management
- Audit current cryptographic key management practices to identify gaps.
- Implement automated key rotation to reduce risk.
- Gain visibility into cryptographic assets to track progress and ensure compliance.
3. Rethink Security Architecture
- Treat PQC migration as an opportunity to modernize security, rather than just a drop-in replacement.
- Reevaluate legacy cryptographic implementations—some may no longer be necessary.
- Explore higher-level architectural improvements, such as consolidating key management systems or adopting new cryptographic protocols.
Organizations that succeed in PQC migration won’t just swap encryption methods—they’ll rethink and strengthen their entire security infrastructure.
Looking Ahead: The Future of Cryptography
“All cryptography will be post-quantum cryptography in the future.” – Bas Westerbaan
The shift to post-quantum cryptography isn’t just about upgrading encryption—it’s about building resilience for a quantum-driven world. As quantum computing advances, traditional cryptographic systems will no longer be viable, forcing every industry to adapt or risk security failures.
Cloudflare’s experience proves that early adoption is possible, manageable, and essential. Organizations that begin their PQC journey today will:
- Future-proof their security against emerging threats.
- Avoid last-minute compliance and regulatory pressures.
- Stay ahead of competitors in securing digital assets.
Final Thoughts: The Time for Action Is Now
- The post-quantum transition is not a choice—it is an inevitability.
- Organizations that wait will fall behind.
- Those that act now will future-proof their security, build competitive advantages, and navigate the transition smoothly.
As Bas Westerbaan reminds us – “Just get started with some things. I think that’s important. Just get started.”