Cloud & Datacentres Full Day Workshop

Quantum Threats to Cloud Data at Rest: Encryption Architecture and Migration

This workshop equips cloud security architects with practical strategies to assess quantum exposure of stored data and migrate encryption architectures to post-quantum standards.

Full day (6 hours + Q&A)
In person or online
Max 30 delegates

Proud to recommend our expert members

Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside

Workshop Description

Cloud-stored data faces a specific quantum threat that differs from data in transit. Data at rest with long retention requirements is the primary target for harvest-now-decrypt-later attacks: an adversary who captures encrypted backups, database dumps, or object storage snapshots today can decrypt them once a cryptographically relevant quantum computer exists. The Mosca inequality makes this concrete: if the data must remain confidential for 15 years and migration will take 3 years, any data encrypted today with classical key agreement is already at risk if a quantum computer arrives within 18 years.

This workshop examines the encryption architecture of each cloud storage layer: object storage (S3 SSE-KMS, Azure Blob CMEK, GCS CMEK), database TDE (RDS, Cloud SQL, Azure SQL), and backup/archival encryption including tape and cold storage with regulatory retention holds of 7 to 25 years. The core vulnerability is not AES-256 itself (which remains quantum-resistant for symmetric encryption) but the key wrapping and key agreement operations that use RSA or ECDH to protect the key hierarchy. Participants build a cryptographic inventory of their stored data, score each data class using the Mosca inequality, and develop a migration roadmap that sequences re-encryption by risk priority. The session covers practical re-encryption strategies at petabyte scale, including background re-encryption with versioned objects, migration checkpointing, and cloud provider PQC roadmap alignment.
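
The scoring and sequencing exercise described above can be sketched in a few lines. This is an added illustration, not workshop material: the inventory entries are constructed, and the numeric sensitivity ranks, the 3-year migration time and the values tried for the years until a cryptographically relevant quantum computer are assumptions.

```python
from dataclasses import dataclass

# Key-wrapping / key-agreement algorithms the page names as quantum-vulnerable.
QUANTUM_VULNERABLE_WRAP = {"RSA", "ECDH"}
# Sensitivity levels from the page; the numeric ranks are an assumption.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class DataClass:
    name: str
    layer: str
    wrap_alg: str           # algorithm protecting the key hierarchy
    sensitivity: str
    retention_years: float  # how long the data must stay confidential


def mosca_margin(retention_years, migration_years, crqc_years):
    """Retention + migration time minus years until a CRQC; > 0 means at risk."""
    return retention_years + migration_years - crqc_years


def is_exposed(dc, migration_years, crqc_years):
    """Exposed only if the key hierarchy is quantum-vulnerable AND Mosca is violated."""
    if dc.wrap_alg not in QUANTUM_VULNERABLE_WRAP:
        return False  # e.g. symmetric-only AES wrapping or an ML-KEM hybrid
    return mosca_margin(dc.retention_years, migration_years, crqc_years) > 0


def migration_plan(inventory, migration_years, crqc_years):
    """Names of exposed data classes, highest sensitivity then longest retention first."""
    exposed = [dc for dc in inventory if is_exposed(dc, migration_years, crqc_years)]
    exposed.sort(key=lambda dc: (-SENSITIVITY_RANK[dc.sensitivity], -dc.retention_years))
    return [dc.name for dc in exposed]


# Constructed sample inventory (not real systems).
INVENTORY = [
    DataClass("web-logs", "object storage", "RSA", "internal", 1),
    DataClass("payment-ledger", "database TDE", "ECDH", "confidential", 7),
    DataClass("design-docs", "object storage", "AES-256", "confidential", 15),
    DataClass("patient-records", "backup/archive", "RSA", "restricted", 25),
]

if __name__ == "__main__":
    for z in (12, 8):  # assumed years until a cryptographically relevant quantum computer
        print(f"Z={z}: {migration_plan(INVENTORY, migration_years=3, crqc_years=z)}")
```

The 15-year data class wrapped only with AES-256 never enters the plan, while shortening the assumed quantum timeline pulls the 7-year ledger into scope.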

What participants cover

  • HNDL threat model for stored data: why long-retention encrypted data is the highest-priority quantum migration target and how the Mosca inequality quantifies exposure
  • Cloud storage encryption audit: object storage encryption modes (SSE-S3, SSE-KMS, SSE-C, Azure Blob, GCS CMEK), database TDE key hierarchies, and backup encryption dependencies
  • Data classification and risk scoring: mapping sensitivity levels against retention periods to produce a quantum risk score per data class
  • Key hierarchy vulnerability: identifying which key wrapping and key agreement operations use RSA or ECDH (quantum-vulnerable) versus AES (quantum-resistant)
  • Re-encryption at scale: strategies for migrating petabytes of stored data to PQC-protected key hierarchies without service disruption
  • Compliance drivers: NIST FIPS 203 (ML-KEM) for key encapsulation, CNSA 2.0 deadlines, and sector-specific retention rules (GDPR, financial services, healthcare)

Preliminary Agenda

Full-day session structure with scheduled breaks. Content is configurable to your cloud provider mix, data classification framework, and regulatory retention requirements.

Session 1: The HNDL Threat to Cloud Data at Rest
Why encrypted stored data is the primary harvest-now-decrypt-later target

Session 2: Object Storage and Database Encryption Exposure
Assessing quantum risk across cloud storage layers
  • Object storage encryption: S3 SSE-S3, SSE-KMS, SSE-C, Azure Blob encryption, and GCS CMEK. Which modes use AES-256 key wrapping with RSA or ECDH key agreement vulnerable to quantum attack.
  • Database encryption: TDE (Transparent Data Encryption) in RDS, Cloud SQL, and Azure SQL. Key hierarchy exposure where data-encrypting keys are wrapped by master keys using classical asymmetric algorithms.
  • Backup and archival encryption: long-retention data (7-25 year regulatory holds) with the highest HNDL exposure. Tape encryption, cold storage, and disaster recovery replicas.

Break, after 50 min

Session 3: Data Classification and Retention Risk Scoring
Prioritising migration based on data sensitivity and retention period
  • Mosca inequality applied to stored data: if data retention period + migration time exceeds the timeline to cryptographically relevant quantum computers, the data is at risk today
  • Data classification framework: mapping sensitivity levels (public, internal, confidential, restricted) against retention periods to produce a quantum risk score per data class
  • Cloud provider default encryption versus customer-managed keys: understanding which encryption layers you control and which are the cloud provider's responsibility

Session 4: Hands-On Exercise: Encryption Architecture Audit
Mapping your cloud encryption dependencies
  • Cryptographic inventory for stored data: cataloguing encryption modes, key types, and key management dependencies across object storage, databases, and backups
  • Key hierarchy analysis: identifying which key wrapping and key agreement operations use classical asymmetric cryptography vulnerable to quantum attack
  • Risk prioritisation matrix: combining data classification scores with key hierarchy exposure to sequence migration

Break, after 60 min

Session 5: Migration Architecture and Re-encryption Strategies
Practical approaches to transitioning stored data to PQC-protected encryption
  • Key hierarchy migration: replacing RSA and ECDH key agreement in key wrapping with ML-KEM hybrid mode. Root key rotation versus full re-encryption trade-offs.
  • Re-encryption at scale: strategies for re-encrypting petabytes of object storage data without service disruption. Background re-encryption, versioned objects, and migration checkpointing.
  • Cloud provider PQC roadmap: current and announced PQC support for AWS KMS, Azure Key Vault, and GCP Cloud KMS key wrapping operations for data at rest.

Session 6: Compliance and Migration Planning
Regulatory requirements for data at rest encryption upgrades
  • NIST FIPS 203 (ML-KEM) for key encapsulation in key wrapping operations. CNSA 2.0 deadlines for data at rest encryption.
  • Sector-specific retention rules: GDPR data minimisation versus financial services 7-year retention versus healthcare 25-year records. Each creates different HNDL exposure windows.
  • Migration roadmap: sequencing by data classification risk score. Highest-sensitivity longest-retention data first. Rollback procedures for each storage layer.

Session 7: Q&A and Migration Planning

Designed and Delivered By

Workshops are designed and delivered by QSECDEF in collaboration with sector specialists. All facilitators have direct experience in both quantum technologies and cloud data protection.

Quantum Security Defence

Workshop design and delivery

QSECDEF brings world-leading expertise in post-quantum cryptography, quantum computing strategy, and defence-grade security assessment. Our advisory membership spans 600+ organisations and 1,200+ professionals working at the intersection of quantum technologies and critical infrastructure security.

Cloud Data Protection Partners

Domain expertise and operational validation

Data at rest workshops are co-delivered with cloud data protection specialists who bring direct operational experience in enterprise encryption architecture, key management at scale, and regulatory compliance for data retention across multi-cloud environments.

Commission This Workshop

Sessions are configured around your cloud provider mix, data classification framework, encryption architecture, and regulatory retention requirements. Get in touch to discuss requirements and schedule a date.
