The Practical Path to a Quantum-Ready Future in SASE

Dec 04, 2025

For most security leaders, quantum computing has long existed in the realm of future technology, a concept akin to humans visiting Mars. But in 2025, the narrative has shifted. The arrival of cryptographically relevant quantum computers (CRQC) is no longer a theoretical possibility, but a scheduled milestone in the technology roadmap.

Adversaries, always a step ahead, have already adapted. They have become "digital prospectors," collecting network traffic and encrypted artifacts today with the expectation that upcoming quantum advances will uncover the riches lying within. The industry term for this is "harvest now, decrypt later" (HNDL). Malicious actors are stockpiling this data now, waiting for the moment quantum processing power becomes available to break the encryption keys.

The risk to your enterprise is straightforward: the encryption standards that currently secure the digital world—Rivest-Shamir-Adleman (RSA) and elliptic curve cryptography (ECC)—will eventually be vulnerable to quantum-computer decryption.

This reality creates a unique challenge. You aren't just defending a data center anymore; you are protecting a global, hybrid environment of remote users, SaaS apps and branch offices. Secure access service edge (SASE) is the connective fabric of your digital business. If your SASE architecture isn't quantum-ready, this massive web of distributed access points doesn't just expand your network—it expands your surface for data harvesting.

So, how do you secure a distributed environment against this emerging paradigm? You need a platform-centric, quantum-ready cybersecurity plan.

The Global Countdown: Compliance, Mandates and Zero Trust

The quantum era holds incredible promise, but it also demands a seismic shift in strategy, as the encryption protocols that enable zero trust are facing a modernization timeline.

Governments and standards bodies are not waiting for the first quantum attack to occur; they are moving now. NIST has successfully standardized new quantum-resistant algorithms, and compliance timelines are shrinking rapidly. The U.S. CNSA 2.0 mandate requires that migration to these algorithms begins as early as 2025, while the European Union is planning for operational quantum-safe communication networks by 2030.

Beyond national security, the regulatory landscape for private industry is shifting. The financial services and banking sectors are already feeling this pressure. As regulations such as DORA and NIS2 gain traction, organizations face increasing pressure to adopt quantum-safe standards. This isn't just about protecting assets from decryption; it is about demonstrating high-assurance compliance to maintain regulatory standing and customer trust in a post-quantum economy.

Making the Security Protocols We Rely on Quantum Ready

The protocols that power the internet are not going away. However, the mathematical "engine" inside them must be swapped out to survive the quantum era.

This is achieved through post-quantum cryptography (PQC). PQC refers to a new generation of cryptographic algorithms standardized by NIST that run efficiently on today’s classical computers but are mathematically resistant to quantum attacks. We don't need to replace our standard protocols; instead, SASE platforms must augment them by integrating PQC algorithms into the key exchange and authentication steps.

Here is how PQC upgrades these critical standards to immunize them against quantum threats.

Web Access: Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Standard TLS handshakes rely on the current RSA and ECC encryption standards, meaning attackers can record traffic today to decrypt it later. To secure the web, SASE platforms must augment TLS by inserting PQC key encapsulation mechanisms (KEMs) directly into the handshake. This creates a hybrid exchange that protects the session keys, rendering captured traffic useless to a quantum attacker.

VPN: Remote Access & Site-to-Site VPN

Internet Protocol Security (IPsec) tunnels use the Diffie-Hellman key exchange, the agreed-upon method for securely generating shared encryption keys. If this exchange is compromised, the entire tunnel is compromised. By upgrading the Internet Key Exchange (IKE) protocol to support PQC algorithms, SASE ensures that the tunnel negotiation itself is quantum-safe, keeping branch and user data sealed against future decryption.

Authentication: Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)

Modern identity relies on digital signatures. A quantum computer could eventually forge these signatures, allowing attackers to spoof valid users. SASE platforms must implement PQC digital signatures, such as the module-lattice digital signature algorithm (ML-DSA), for identity assertions to help ensure that the mathematical proof of a user’s identity cannot be faked during login.

Infrastructure Management: Secure Shell (SSH)

SSH keys grant administrative control, and if the underlying key exchange is cracked, attackers gain root access to the infrastructure. SASE protects these management interfaces by enforcing quantum-safe key exchange for SSH sessions, ensuring that administrative access remains secure even against quantum decryption attempts.
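One way to check whether quantum-safe key exchange is actually enforced on an SSH server rather than merely offered (an added example, not code from the original post or from any vendor product). It assumes an OpenSSH server and takes the text printed by `sshd -T` as input; the sample text and the function name `audit_kex` are constructed for illustration.

```python
# OpenSSH key-exchange names that combine a post-quantum KEM with X25519.
PQ_HYBRID_KEX = {
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
}

# Constructed sample: two lines as printed by `sshd -T` (effective config).
SAMPLE_SSHD_T = """\
port 22
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256
"""


def audit_kex(sshd_t_output: str) -> dict:
    """Split the effective KexAlgorithms list into PQ-hybrid and classical names."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "kexalgorithms":
            algos = [a for a in value.strip().split(",") if a]
            break
    else:
        raise ValueError("no kexalgorithms line found")
    classical = [a for a in algos if a not in PQ_HYBRID_KEX]
    return {
        "pq_hybrid": [a for a in algos if a in PQ_HYBRID_KEX],
        "classical": classical,
        # Enforced only if no classical fallback remains for a peer to negotiate.
        "enforced": bool(algos) and not classical,
        "pq_preferred": bool(algos) and algos[0] in PQ_HYBRID_KEX,
    }
```

A server that lists a hybrid algorithm first but still accepts `curve25519-sha256` reports `pq_preferred` as true and `enforced` as false, which is the gap between supporting PQC and requiring it.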

Software Supply Chain: Code Signing

Attackers could forge software update signatures, disguising malware as legitimate patches. To prevent this, SASE platforms must validate quantum-resistant signatures for all software images and updates before execution, ensuring the software supply chain remains trustworthy.

The Path Forward: A 3-Step Strategy for a Quantum-Ready SASE

The threat is complex, but the path to readiness should be practical. Organizations need to look for SASE platforms that are building toward a quantum-safe future, with a focus on open standards and maximum interoperability.

We recommend a practical, three-step migration strategy: discover, deploy and protect.

Step 1: Discover Your Cryptographic Posture

You cannot protect what you cannot see. The essential first step for any organization is to identify every application, API endpoint and vendor using encryption. Future-proof SASE platforms must provide deep visibility into cryptographic inventory without requiring new sensors. Leaders should look for solutions that categorize SSL/TLS sessions and VPN tunnels as secure, weak or vulnerable, enabling teams to prioritize migration based on actual risk data.

Step 2: Deploy Quantum-Safe Technologies

Once risks are identified, the migration shifts to active deployment. A true quantum-ready strategy effectively wraps the entire network in a new layer of protection, starting where users spend most of their time: the browser. Since the majority of modern work is done through SaaS applications, organizations must prioritize browsers that support PQC. By updating the browser to "speak" PQC, you ensure that the connection between the user and the web is mathematically sealed against future threats.

However, securing the application is only part of the equation; we must also harden the connections leading to it. Today, SASE architectures effectively secure the "last mile" via zero trust network access (ZTNA) and unify branch connectivity through SD-WAN. Yet, the cryptographic keys underpinning these robust tunnels rely on classical algorithms vulnerable to data harvesting.

To maintain the integrity of these existing defenses, PQC support must extend to the endpoint agents and the SD-WAN fabric. By upgrading the cryptography within the ZTNA connection, organizations ensure that the secure tunnel protecting remote users remains impenetrable to quantum decryption. Similarly, the SD-WAN overlay connecting branch offices—whether running over multiprotocol label switching (MPLS) or broadband—must be upgraded to support PQC key exchange. This guarantees that the foundational pipes of the enterprise remain immune to eavesdropping, preserving the security value that SASE delivers, even in a post-quantum world.

Step 3: Protect Your Entire Infrastructure

Deploying new algorithms to modern laptops is the easy part. The real challenge is the long tail of infrastructure—IoT sensors, manufacturing robots and legacy servers—that lack the power to run PQC. To secure these unmanaged devices without a costly hardware refresh, organizations need a SASE platform capable of cipher translation.

Cipher translation acts as a cryptographic bridge. It accepts standard encryption from a legacy device and instantly translates the session into a secure PQC tunnel for its journey to the cloud. This allows you to wrap your entire infrastructure in a quantum-safe layer today. Crucially, this upgrade cannot compromise security; the platform must retain the ability to decrypt and inspect this quantum-safe traffic, ensuring that malware cannot hide inside the new encryption.

However, protecting the transit tunnels is only half the battle; the security service edge (SSE) infrastructure that processes your data must also be hardened. A comprehensive SASE strategy extends quantum-resistant protections deep into the service backend itself. This means applying post-quantum cryptography to internal data flows—both at rest and in motion—while simultaneously hardening code-signing and key-management workflows to ensure software images remain trustworthy. Finally, this protection must cover telemetry and logs, securing model artifacts so that attackers cannot gain long-term value from captured operational data.

Your Quantum-Ready Future Starts Now

By following this practical discover-deploy-protect process, organizations can mitigate immediate HNDL risks while preparing for long-term compliance.

Palo Alto Networks transforms this strategy into reality with its latest innovations, including the Quantum Readiness Dashboard for complete visibility and Cipher Translation to instantly secure legacy applications. We provide the comprehensive platform needed to execute this migration today.

The quantum clock is ticking. Now is the time to align with a strategy that puts the power of protection exactly where it's needed most—at the edge.

If you want to learn how Prisma® SASE can ensure your organization is quantum-ready, reach out to your sales representative today.

