Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi everyone.
This is Derek from Broadcom.
Today we are going to talk about quantum-resistant Kubernetes:
how to secure cloud native infrastructure for the post-quantum era.
Basically, we are preparing distributed systems for the quantum computing revolution,
which will fundamentally change how we approach cryptographic security in cloud native environments.
The quantum threat landscape.
So today, classical cryptography protects our systems.
RSA and ECC remain secure against traditional computing attacks.
But now, in this quantum era, quantum computers are emerging with
sufficient power to break RSA and ECC using Shor's algorithm.
So what next?
In the post-quantum era, traditional encryption becomes obsolete.
Organizations need quantum-resistant alternatives.
So how are you going to do that?
Let's see.
So first of all, let's analyze why Kubernetes is exposed. Kubernetes security
is fundamentally built on public key infrastructure (PKI) and Transport Layer Security (TLS).
Every critical communication path relies on classical cryptography
that quantum computers will break.
For example, the API server: control plane and cluster state communication protected
by TLS is vulnerable to quantum attacks. Then pod-to-pod communication,
which again is the service mesh:
the mutual TLS connections between microservices rely
on RSA and ECC key exchanges.
Then the ingress client traffic:
the external traffic that enters through TLS-terminating load balancers
uses quantum-vulnerable certificates.
And the final one is registry to cluster: image pulls
and pushes authenticated through classical cryptographic signatures.
So what's the impact on cloud native security?
When quantum computers break PKI, the entire foundation of
Kubernetes security collapses.
The consequences extend far beyond simple data breaches.
So what are those?
Basically, compromised TLS, exposed secrets, fake
identities and vulnerable backups.
Compromised TLS: man-in-the-middle attacks
become trivial; all encrypted
communication can be intercepted and decrypted in real time.
Exposed secrets: what are those?
Database passwords, API keys and service tokens stored in Kubernetes
Secrets become readable by attackers.
Fake identities: malicious pods can impersonate legitimate services.
Service identity verification becomes impossible without
quantum-safe signatures.
Vulnerable backups: historical data and backup systems encrypted
with classical algorithms face future decryption threats.
Kubernetes without secure PKI is like a bank without doors.
Trust becomes impossible to establish or maintain.
Now entering post-quantum cryptography (PQC). The National Institute
of Standards and Technology, NIST, has completed its post-quantum cryptography
project, providing standardized algorithms resistant to quantum attacks.
They are Kyber, Dilithium and hybrid cryptography.
Kyber is the key encapsulation mechanism for secure key exchange, based on lattice
cryptography problems that remain hard even for quantum computers.
Dilithium is the digital signature algorithm providing authentication and non-repudiation
in the post-quantum era. Hybrid cryptography is the transition strategy, combining classical and
post-quantum algorithms for backward compatibility and enhanced security.
This standardization provides a clear path forward, making the transition from
optional to inevitable for organizations serious about long-term security.
So let's now see PQC in Kubernetes.
Post-quantum cryptography must be integrated at
every layer where Kubernetes relies on classical encryption
and digital signatures.
Basically: the ingress controllers, the service mesh, etcd and the container
registries. In the ingress controllers, the TLS termination points where
external traffic enters the cluster.
etcd: encryption at rest and API communication for cluster
state storage. The service mesh:
the mutual TLS connections between microservices and sidecar proxies.
Container registries: image signing and verification for supply chain security.
And now let's see how quantum-safe ingress works.
Ingress controllers serve as the primary entry point for external
traffic, making them the most critical component to secure in
the quantum-resistant transition.
The client initiates a hybrid TLS handshake with both
classical and post-quantum algorithms. At the ingress,
PQC replaces RSA and ECC while maintaining backward compatibility,
and the pod receives the quantum-safe, secured internal
traffic from the ingress controller.
Implementation support is already emerging in OpenSSL PQ branches,
Envoy proxy and NGINX.
Starting with ingress provides immediate protection for the
most exposed attack surface.
So how can hardening the service mesh happen?
Service meshes like Istio and Linkerd
rely heavily on mutual TLS for pod-to-pod communication.
This makes them both critical and challenging for post-quantum migration.
Step one
is Envoy proxy integration:
integrate PQ-enabled crypto libraries into Envoy sidecars for
quantum-safe mTLS connections.
Then certificate management: update service certificate authorities
to issue hybrid certificates supporting both algorithms.
Then backward compatibility: ensure hybrid mode allows seamless communication
between upgraded and legacy workloads during the transition.
Then performance monitoring:
track latency and throughput impacts, as PQC algorithms have different
performance characteristics.
Securing mesh mTLS is critical because it forms the foundation of pod-to-pod
trust in zero trust architectures.
Now the third place to secure is secrets and etcd. etcd
stores all Kubernetes cluster state, including sensitive secrets.
Protecting this data is essential, but post-quantum certificates introduce
new challenges. The size challenge: PQ
certificates are significantly larger than RSA/ECC ones, impacting
etcd's performance and replication.
KMS integration:
leverage PQ-safe key management services like Vault or AWS PQ KMS pilots
for external encryption. Rotation strategy:
implement automated rotation
for long-lived secrets to minimize exposure windows.
Now let's see the key challenges. Post-quantum cryptography adoption is not
just a simple algorithm swap; organizations face significant
technical and operational hurdles.
It is 3.2x handshake overhead,
10x certificate size and 60% library maturity.
Now coming to the handshake overhead:
the performance penalty compared to classical algorithms
during TLS negotiation. And the certificate sizes are really larger:
larger certificates stress etcd storage and replication.
And now coming to library maturity: the estimated readiness of
production-grade PQC implementations across libraries.
So now the algorithm, key size, handshake time and compatibility.
RSA-2048: the key size is 2 KB, handshake time is 1x
and the compatibility is universal.
ECC P-256: key size is 0.5 KB, handshake time 0.8x, and
universal compatibility.
Kyber-768: the key size is 4 KB, handshake time 3.2x, and compatibility is limited.
The challenge extends beyond technical merits: polyglot microservice
environments face inconsistent PQC support across programming languages
and frameworks.
Migration strategies.
Successful post-quantum migration requires
careful planning and phased implementation.
Organizations must balance security improvements with operational stability.
Phase one, hybrid crypto:
implement dual-algorithm handshakes supporting both classical and post-quantum
cryptography for maximum compatibility.
Phase two, ingress first: begin with external-facing ingress
controllers where quantum resistance provides immediate value.
Phase three, service mesh: extend to internal
service-to-service communication through gradual proxy updates.
Phase four, core infrastructure:
secure etcd and core Kubernetes control plane communication.
As the final step, always maintain rollback options. Canary
deployments and feature flags are essential for managing PQ
workload transitions.
So the Kubernetes operator approach.
Kubernetes operators provide the ideal mechanism for managing post-quantum
cryptography at scale, treating security policy as code.
Custom resource definitions define PQ policies declaratively using Kubernetes.
Ensure PQ-safe certificate requirements are met automatically.
Helm charts
simplify PQ deployment with templated configuration.
So here is the sample,
for your reference.
Now let's see observability.
Monitoring cryptography health becomes a core observability
requirement in post-quantum environments.
Organizations need visibility into algorithm adoption and performance
impacts. Handshake algorithms in use:
track which TLS handshakes use classical versus
post-quantum versus hybrid algorithms across your infrastructure.
PQ adoption rate: monitor the percentage of connections successfully using
post-quantum cryptography to measure migration progress.
Performance metrics: measure
latency increases, error rates, and throughput impacts from larger certificate
sizes and computation overhead.
You cannot secure what you can't see.
Monitoring cryptography health is now a core observability task for SREs.
So let's see
some of the early adopter case studies. Financial services
organizations running on EKS and GKE are pioneering post-quantum Kubernetes
implementations, providing valuable lessons for broader adoption. High-frequency
trading: PQ mTLS implementation in microsecond-sensitive trading systems;
performance trade-offs required careful algorithm selection and hardware
optimization. Regulatory compliance:
hybrid cryptography helps meet emerging regulatory requirements
while maintaining compatibility with existing systems and partners.
Let's slice and dice the steps.
First, test certificate distribution at scale:
large certificate sizes can overwhelm distribution
mechanisms in high node-count clusters.
Second, expect performance trade-offs:
budget for 2 to 4x latency increases during handshakes and plan capacity
accordingly. Then rollback plans are critical in case something happens:
incompatibility issues can emerge unexpectedly, so always maintain
classical fallback options.
And now the roadmap and open source. The post-quantum transition is supported by
a growing ecosystem of standards, open source projects and community initiatives.
In 2024, the NIST PQC standards were finalized, with early implementations in OpenSSL and major
crypto libraries. In 2025 to 2027:
production-ready PQ implementations;
major cloud providers offer PQ-enabled services. And in the
future, from 2028 to 2030,
we are expecting to see widespread adoption
and classical algorithm deprecation in favor of quantum-safe alternatives.
The key projects are Open Quantum Safe (OQS), CNCF Security SIG
and the Kubernetes Enhancement Proposal.
So these are the three key projects.
Now, what is the call to action?
The post-quantum era is approaching faster than many
organizations realize. The time to begin preparation is now,
while quantum computers remain in development. So: inventory
dependencies, experiment in staging, adopt hybrid crypto. Catalog
all the cryptographic dependencies in your Kubernetes infrastructure.
Identify all RSA and ECC usage patterns and certificate lifecycles.
Experiment in staging: set up test environments with PQ-enabled ingress
controllers and service meshes; measure performance impacts and compatibility.
Adopt hybrid crypto:
begin implementing hybrid cryptography for new deployments.
This provides quantum resistance while maintaining backward compatibility.
So the resources: the NIST post-quantum cryptography standards, Open
Quantum Safe project documentation, CNCF Security SIG PQ working group,
Kubernetes PQ enhancement proposal.
The future is quantum safe. The cluster you run today
may be vulnerable tomorrow.
So start small, experiment with post-quantum cryptography and
prepare your infrastructure for the quantum computing revolution.
As the saying goes in cybersecurity, being late to adapt is not just
inefficient, it is catastrophic.
The post-quantum transition is not a question of if, but when.
Begin your quantum journey today.
Your future self will
thank you for the foresight.
Thank you.
Thanks for watching my session.
Thank you.
Thanks a lot.
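As an added example that is not part of the talk, the observability checks the speaker lists (which handshakes use classical versus hybrid versus post-quantum key exchange, the PQ adoption rate, and the handshake latency overhead) worked as a small Python script over constructed ingress access-log lines. The log line format is an assumption made for this example; the key-exchange group names follow the OpenSSL/IETF hybrid naming such as X25519MLKEM768.

```python
# Added example (not from the talk): classify TLS handshakes from an ingress or
# sidecar access log as classical / hybrid / pure-PQ key exchange, then compute
# the PQ adoption rate and hybrid handshake overhead. Log format is constructed.
import re
from statistics import median

# Constructed sample: one handshake per line, as an ingress controller might log it.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.1.2.3 TLSv1.3 group=X25519MLKEM768 handshake_ms=3.9
2025-03-01T10:00:01Z 10.1.2.4 TLSv1.3 group=x25519 handshake_ms=1.2
2025-03-01T10:00:02Z 10.1.2.5 TLSv1.2 group=secp256r1 handshake_ms=1.5
2025-03-01T10:00:03Z 10.1.2.6 TLSv1.3 group=X25519MLKEM768 handshake_ms=4.1
2025-03-01T10:00:04Z 10.1.2.7 TLSv1.3 group=mlkem768 handshake_ms=3.6
2025-03-01T10:00:05Z 10.1.2.8 TLSv1.3 group=x25519 handshake_ms=1.1
"""

LINE_RE = re.compile(r"group=(?P<group>\S+)\s+handshake_ms=(?P<ms>\d+(?:\.\d+)?)")
CLASSICAL_GROUPS = ("x25519", "x448", "secp256r1", "secp384r1", "secp521r1", "ffdhe")
PQ_KEMS = ("mlkem", "kyber")

def classify_group(group: str) -> str:
    """Map a TLS key-exchange group name to classical / hybrid / pq / unknown."""
    g = group.lower()
    has_pq = any(k in g for k in PQ_KEMS)
    has_classical = any(c in g for c in CLASSICAL_GROUPS)
    if has_pq and has_classical:
        return "hybrid"      # e.g. X25519MLKEM768: classical ECDH plus ML-KEM
    if has_pq:
        return "pq"          # pure PQ KEM with no classical component
    return "classical" if has_classical else "unknown"

def summarize(log_text: str) -> dict:
    """Per-class counts and median handshake time, the PQ adoption rate (share of
    handshakes whose key exchange includes a PQ KEM) and hybrid/classical overhead."""
    times = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole report
        times.setdefault(classify_group(m["group"]), []).append(float(m["ms"]))
    total = sum(len(v) for v in times.values())
    report = {cls: {"count": len(v), "median_ms": median(v)} for cls, v in times.items()}
    pq_count = len(times.get("hybrid", [])) + len(times.get("pq", []))
    report["pq_adoption_rate"] = pq_count / total if total else 0.0
    if times.get("classical") and times.get("hybrid"):
        report["hybrid_overhead_x"] = round(median(times["hybrid"]) / median(times["classical"]), 2)
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample this reports a 50% PQ adoption rate and a hybrid handshake overhead of about 3.3x over classical, the kind of figure the talk's 3.2x estimate refers to.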