Post-Quantum Cryptography (PQC)
Cryptographic algorithms resistant to attacks by quantum computers. NIST finalized first PQC standards in 2024: ML-KEM (key encapsulation), ML-DSA (digital signatures), SLH-DSA (hash-based signatures). TLS, SSH, and VPN implementations are migrating now to defend against "harvest now, decrypt later" attacks.
More from Cryptography
Hardware Security Module (HSM)
Physical device that generates, stores, and uses cryptographic keys in tamper-resistant hardware. Required for root CA signing keys, high-value TLS certificates, and financial services transaction signing. Major options: cloud HSMs (AWS CloudHSM, Azure Dedicated HSM), Thales / Gemalto, Utimaco.
Key Management Service (KMS)
Cloud-managed service for encryption key lifecycle. AWS KMS, Azure Key Vault, Google Cloud KMS. Supports customer-managed keys (CMK) for encryption-at-rest of cloud resources. Integrates with IAM for access control on encryption operations.
Bring Your Own Key (BYOK)
Model where customer provides their own encryption keys to a cloud service instead of using provider-managed keys. Higher control (customer can revoke access by destroying the key) and often required for regulated data. Contrast with customer-managed keys (CMK) which are cloud-held but customer-controlled.
Mutual TLS (mTLS)
TLS configuration where both client and server present certificates for mutual authentication. Common in service mesh (Istio, Linkerd) and for API authentication. Prevents common credential theft because stolen bearer tokens cannot be used without the corresponding private key.
Apply this to your environment
Our engagements address concepts like post-quantum cryptography (pqc) in practice — not just definitions, but how the attack patterns apply to your stack and how to remediate.