
Efficient and Effective Quantum-safe Security

Michael Wood
May 01
Data center-to-data center links are critical to enterprise and national infrastructure, and vulnerable to interception, man-in-the-middle, and Harvest Now Decrypt Later (HNDL) attacks. Because these links carry a high volume of highly sensitive data, they are prime targets for nation-states and cybercriminals. Today’s encryption methods must be replaced as soon as possible to protect against advanced AI, quantum computing, and other sophisticated attacks. The most efficient and effective path to quantum-safe security is a layered approach.

A Layered Approach to Data Protection

The volume and sensitivity of data exchanged across different segments of an organization should directly inform which quantum-safe security technologies are deployed. A layered, risk-based approach to protection uses Post-Quantum Cryptography (PQC) and scales up to Quantum Secure Communications (QSC) as risk and data volumes increase. 

PQC. Math-based algorithms that run on classical computers and are resistant to attacks from quantum computers.

QKD. Quantum Key Distribution: a method of securely creating shared keys using quantum mechanics, ensuring that any eavesdropping / HNDL attempt is detectable.

QSC. A next-generation security approach using entangled photons to enable communication that is fundamentally unhackable due to the laws of quantum physics.

[Figure: slide from the webinar Quantum Networks for Secure Data Center Connectivity, 2025-03-27]



Zone 1: Endpoint Devices & Branch Offices

Smartphones, laptops, and tablets at the edges of a network communicate with clouds and data centers, but the volume and criticality of the data in transit is comparatively low. PQC offers sufficient protection for these endpoints. It replaces legacy encryption schemes like RSA and ECC with quantum-resistant alternatives. This should be considered the new default, baseline layer of encryption across the enterprise.

Branch offices and remote sites are more critical than end devices at the edges of the network. These locations often engage in daily operations that generate sensitive client, logistics, or financial data. The volume of information exchanged by dozens to hundreds of employees justifies the use of PQC, especially where QKD or QSC are not feasible.

Zone 2: Campuses and Headquarters

Larger, more centralized environments like corporate campuses or global HQs handle critical financial records, personally identifiable information, and proprietary business data. These medium-risk zones should use a hybrid strategy: PQC is the baseline, augmented with QKD where feasible, integrating QSC wherever possible.

Zone 3: Cloud and Data Centers

The highest-risk links are cloud connections and data centers hosting workloads, data resources, and databases. Private, co-located, and hybrid cloud environments all carry massive volumes of high-value, highly sensitive data. This is where the risk of breaches is greatest, and where the strongest defenses are necessary. QSC should be the main security methodology for these areas.

These zones represent the sprawling architecture of enterprise communications. The complexity and heterogeneous nature of modern network topologies make for a threat surface that is both dynamic and variable. Adopting a concentric, defense-in-depth model addresses this complexity by implementing an increasing level of security as the volume and sensitivity of the data increases. In the visualization below, red lines indicate entanglement-based security and blue lines indicate PQC security measures.

[Figure: network zones with entanglement-based (red) and PQC (blue) links, from the webinar Quantum Networks for Secure Data Center Connectivity, 2025-03-27]

Any topology used for classical networks can be used with the quantum dimension of the network. Zooming into core links, quantum networks often mirror classical topologies like the hub-and-spoke model pictured below, where a central hub distributes entangled photons to data centers, headquarters, and regional sites. 

[Figure: hub-and-spoke quantum network topology, from the webinar Quantum Networks for Secure Data Center Connectivity, 2025-03-27]

These sites could be geographically dispersed and could have various roles, such as disaster recovery. Any one of these sites could be co-located facilities that are being used as data centers. These sites could also be clouds from any one of the major cloud providers: AWS, Azure, Google, Oracle, etc. These are connected to a hub, and that hub is where the technology for entanglement generation is housed. Entanglement can then be distributed between the hub and the location, as shown, or it could be distributed between any two sites that are connected to one another directly.

A common misconception about implementing this layered approach is that it requires a complete infrastructure overhaul. In practice, there is a high likelihood that no changes to that infrastructure will be required to implement Quantum Secure Communications: it can be deployed at data center interconnects with existing classical infrastructure, with the quantum channel integrated into that infrastructure.

Aliro recommends a three-step journey for organizations beginning their transition to quantum networking.

  1. Education. You're already educating yourself by reading this report! There is a lot of information and a wide range of resources available to you. Aliro’s website has free, accessible resources such as webinars, white papers, and blog posts.
  2. Design and Simulation. Using available software platforms, design and simulate a quantum network tailored to your data center architecture. This step is cost-effective, doesn't require any hardware purchase and can help identify the best components for securing your data ingress and egress. 
  3. Pilot and Trial. Pilot the technology in a lab environment or between two physical sites — such as between buildings or campus segments. This allows your organization to validate performance and understand the orchestration layer before implementing a broader rollout.

These first steps are accessible, low-risk, and high-impact. By starting today, you lay the groundwork for a provably secure network that scales with your mission and adapts to emerging threats.

 

For more information, please see the on-demand webinar Quantum Networks for Secure Data Center Connectivity.


