Compliance Deadlines, Customer Reality, and the Case for (embedded) TLS1.3

Post-quantum cryptography often enters organizations as a headline problem, then quickly turns into an operational one. In this episode of Shielded: The Last Line of Cyber Defense, Jan Schaumann, Chief Information Security Architect at Akamai Technologies, approaches PQC from the perspective of someone who has spent decades operating real systems at internet scale. From his view, the challenge is not quantum theory, but sequencing change safely across infrastructure that cannot all move at once. Jan walks through how Akamai approached PQC over several years, starting before standards fully settled and aligning progress with customer demand, compliance timelines, and platform resilience. He explains why TLS 1.3 migration remains the most common blocker, especially on the origin side, where legacy stacks, embedded clients, and IoT devices stretch upgrade timelines far beyond expectations. Rather than pushing PQC everywhere at once, Akamai split the problem into distinct traffic paths: client-to-edge, edge-to-origin, and internal connections. Each path carries a different threat model and operational risk. This framing enabled opt-in deployment, staged rollouts, and safer change, while still delivering meaningful protection against harvest-now-decrypt-later threats. Throughout the conversation, Jan returns to a single idea: PQC is not the finish line. It is a forcing function that exposes how well an organization understands its cryptography, how quickly it can upgrade, and whether it can repeat the process when the next cryptographic shift arrives.

What You’ll Learn

Jan Schaumann is Chief Information Security Architect at Akamai Technologies, where he guides cryptographic strategy, infrastructure security, and safe-change practices across one of the internet’s most critical platforms. He previously served as Principal Architect at Akamai and has held senior security roles at companies including Yahoo, Twitter, and Etsy. Jan is also an Adjunct Professor of Computer Science at Stevens Institute of Technology, where he has taught graduate-level systems and Unix programming since 2001. He is a long-time developer with the NetBSD Foundation and describes himself, accurately, as an actual human on the internet who refuses to grow up.

Jan pushes back on the idea that post-quantum cryptography requires quantum expertise or radical architectural change. In practice, he explains, PQC shows up as new key exchange mechanisms and ciphers layered into systems teams already operate. He points out that migrations like TLS 1.2 to TLS 1.3 were far more disruptive than enabling post-quantum key exchange inside TLS 1.3. The “quantum” label can help unlock executive attention, but it also intimidates engineers and customers who assume the work is experimental or fragile. Jan’s advice is to strip away the mystique early, frame PQC as disciplined crypto upgrade work, and focus teams on execution rather than theory.

Key Question: Are teams slowing themselves down by treating PQC as exotic instead of operational?

Jan is clear that PQC adoption stalls long before post-quantum algorithms become the issue. TLS-based PQC requires TLS 1.3, and many organizations are still running TLS 1.2 deep in their environments. While Akamai’s edge has supported TLS 1.3 for years, origin systems often lag. Jan describes why. Customers rely on legacy stacks, external vendors, embedded clients, and IoT devices that were never designed for frequent updates. In regulated industries, upgrade fear compounds the delay. Teams assume PQC is a simple cipher switch, then discover they must modernize entire origin environments first.

Key Question: Do you have full visibility into where TLS 1.2 still runs and why it has not moved?

Rather than treating PQC as a single migration, Jan explains how Akamai split the work into three distinct paths: client-to-edge, edge-to-origin, and internal traffic. Each path carries a different threat model, upgrade cost, and urgency. Client-to-edge protects the largest volume of traffic and addresses harvest-now-decrypt-later risks. Edge-to-origin depends heavily on customer readiness. Internal traffic faces a different attacker model altogether. By separating these paths, Akamai avoided all-or-nothing decisions and made progress measurable. This framing also helped customers understand where PQC delivered immediate value versus where it required longer-term planning.

Key Question: Are you prioritizing PQC by actual risk paths or treating everything as equally urgent?

Jan describes why Akamai chose opt-in deployment instead of flipping PQC on globally. Many customers operate in financial, healthcare, and government environments where untested change carries serious consequences. Akamai’s rollout relied on staged percentages, canary networks, and gradual expansion to validate behavior before wider exposure. While this pace can feel frustrating to engineers eager to ship, Jan notes it avoided outages and preserved customer trust. Moving slower also allowed Akamai to adapt as standards evolved, rather than locking in early assumptions. For Jan, resilience and safe change matter more than being first.

Key Question: Does your deployment model reward caution and validation or speed at any cost?

Jan explains how tracking standards activity closely prevented significant rework. Akamai began preparing for Kyber before NIST finalized selections, then watched the industry pivot quickly to standardized ML-KEM. Because the rollout was staged, Akamai avoided shipping Kyber only to replace it weeks later. Jan also discusses FIPS considerations and how early uncertainty around hybrid compliance nearly forced support for multiple key exchanges. When NIST clarified that hybrid ML-KEM with classical exchange met FIPS requirements, entire branches of planned work became unnecessary. Waiting just long enough reduced complexity without delaying progress.

Key Question: Are you building flexibility so standards changes remove work instead of creating it?

Jan closes with a broader lesson. PQC is not the last cryptographic transition organizations will face. Whether the trigger is quantum, regulation, or vulnerability discovery, change will come again. Teams that treat PQC as a one-off compliance task miss the opportunity. Jan urges organizations to invest in inventory, visibility, and repeatable upgrade processes so future transitions hurt less. Knowing where cryptography lives, how it is negotiated, and how to replace it safely becomes the real security win. PQC simply exposes whether those foundations already exist.

Key Question: Will this migration leave you better prepared for the next cryptographic shift?

Want exclusive insights on quantum migration?  Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.

✔ Learn practical steps to future-proof your organization.

✔ Stay updated on regulatory changes and industry trends.


Need help subscribing? Click here for step-by-step instructions.

Shielded: The Last Line of Cyber Defense is handcrafted by our friends over at: fame.so