Cloud & Datacentres Full Day Workshop

PQC Migration for Cloud-Native Applications and Service Mesh Infrastructure

This workshop equips platform engineering and cloud security teams to migrate cloud-native applications and service meshes to post-quantum cryptography.

Full day (6 hours + Q&A)
In person or online
Max 30 delegates

Proud to recommend our expert members

Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside

Workshop Description

Cloud-native architectures create a distinctive PQC migration challenge. A typical Kubernetes cluster running Istio or Linkerd establishes thousands of mTLS connections per second between services. Every one of those connections relies on certificate-based authentication that will need to transition to post-quantum algorithms. The certificates are larger, the handshakes are slower, and the toolchain (cert-manager, SPIFFE/SPIRE, Sigstore) must support PQC end to end.

This workshop addresses the specific engineering challenges of that transition. Participants work through the migration path for service mesh mTLS (Istio Citadel and Linkerd identity controller), workload identity provisioning (SPIFFE SVIDs with hybrid PQC certificates), certificate lifecycle management (cert-manager with PQC issuers), and supply chain signing (Sigstore/Cosign with PQC algorithms). The session includes concrete performance data: ML-KEM-768 adds approximately 0.5ms per handshake versus ECDH P-256, and ML-DSA-65 certificates are roughly 8 times larger than ECDSA equivalents. At microservice scale, these numbers drive capacity planning decisions that must happen before migration begins.

What participants cover

  • Service mesh mTLS migration: PQC certificate issuance in Istio (Citadel) and Linkerd, Envoy proxy hybrid TLS 1.3 support, and sidecar performance implications
  • Workload identity: SPIFFE/SPIRE PQC SVID issuance, hybrid certificate attestation, and cross-trust-domain federation
  • Certificate management: cert-manager PQC Issuer configuration, integration with Vault and AWS PCA for PQC root CAs, and automated rotation for larger certificates
  • Supply chain security: Sigstore/Cosign PQC signature support, SLSA v1.0 attestation with post-quantum algorithms, and OCI registry compatibility
  • Performance engineering: handshake latency budgets, certificate bandwidth overhead, and Envoy sidecar memory scaling at 10,000+ connections per second
  • Migration sequencing: ingress gateway to east-west mTLS to supply chain signing, with rollback procedures for each phase

Preliminary Agenda

Full-day session structure with scheduled breaks. Content is configurable to your service mesh platform, Kubernetes distribution, and certificate management toolchain.

Session Topics

1. The Quantum Threat to Cloud-Native Infrastructure: Why service mesh mTLS and workload identity are early PQC migration targets
2. Service Mesh mTLS Migration: PQC certificate provisioning for Istio and Linkerd
  • Istio mTLS: Citadel CA PQC certificate issuance, Envoy proxy TLS 1.3 hybrid mode support, and sidecar performance impact of ML-KEM handshakes
  • Linkerd mTLS: identity controller PQC integration and trust anchor rotation with hybrid certificates
  • Certificate and handshake size impact: ML-DSA-65 certificate sizes versus ECDSA P-256, ML-KEM-768 key-share sizes versus ECDH P-256, and the implications for proxy memory and handshake latency at scale
Break (after 50 min)
3. Workload Identity and Certificate Management: SPIFFE/SPIRE PQC integration and cert-manager provisioning
  • SPIFFE/SPIRE: PQC SVID issuance, workload attestation with hybrid certificates, and federation across trust domains
  • cert-manager: PQC certificate provisioning with Issuer and ClusterIssuer resources, integration with Vault and AWS PCA for PQC root CAs
  • Certificate lifecycle: automated rotation intervals for larger PQC certificates, OCSP and CRL scaling considerations
4. Supply Chain Security Under PQC: Container image signing and software attestation with post-quantum algorithms
  • Sigstore/Cosign: PQC signature support for container image signing and verification in admission controllers
  • SLSA provenance: PQC signatures on build attestations and the SLSA v1.0 specification implications
  • OCI registry compatibility: handling larger PQC signatures in manifest layers and registry storage overhead
Break (after 40 min)
5. Performance Engineering and Migration Sequencing: Managing the performance cost of PQC in high-throughput microservice environments
  • Handshake latency budgets: ML-KEM-768 key encapsulation adds approximately 0.5 ms per handshake versus ECDH P-256. At 10,000 inter-service connections per second, the aggregate impact requires capacity planning.
  • Certificate size and bandwidth: ML-DSA-65 certificates are approximately 2.5 KB versus 300 bytes for ECDSA. Impact on Envoy sidecar memory at scale.
  • Migration sequencing: ingress gateway first, then east-west mTLS, then supply chain signing. Rollback procedures for each phase.
6. Standards, Compliance, and Vendor Landscape: Regulatory drivers and tooling readiness
  • NIST FIPS 203/204/205 finalisation and CNSA 2.0 compliance deadlines for cloud-native environments
  • NIST SP 800-204 series (microservices security) and PQC alignment considerations
  • Vendor readiness: Kubernetes distribution PQC support across managed (EKS, AKS, GKE) and self-managed clusters
7. Q&A and Migration Planning

Designed and Delivered By

Workshops are designed and delivered by QSECDEF in collaboration with sector specialists. All facilitators have direct experience in both quantum technologies and cloud-native infrastructure.


Quantum Security Defence

Workshop design and delivery

QSECDEF brings world-leading expertise in post-quantum cryptography, quantum computing strategy, and defence-grade security assessment. Our advisory membership spans 600+ organisations and 1,200+ professionals working at the intersection of quantum technologies and critical infrastructure security.


Cloud Infrastructure Partners

Domain expertise and operational validation

Cloud-native workshops are co-delivered with platform engineering specialists who bring direct operational experience in Kubernetes, service mesh, and container security at scale. This ensures workshop content reflects production realities across managed and self-managed clusters.

Commission This Workshop

Sessions are configured around your service mesh platform, Kubernetes distribution, certificate management toolchain, and inter-service traffic patterns. Get in touch to discuss requirements and schedule a date.
