
Building on its recent launch of a quantum-safe Software-Defined Wide Area Network (SD-WAN) powered by Cisco, AT&T Business has expanded its secure portfolio through a new collaboration with Palo Alto Networks. The partnership integrates Palo Alto Networks’ Prisma SD-WAN technology with AT&T’s global fiber and cellular networks to deliver a native Quantum-Resilient SASE (Secure Access Service Edge) Fabric.
The combined architecture is designed to safeguard distributed enterprise perimeters against “Harvest Now, Decrypt Later” (HNDL) threats without introducing network latency or requiring a complete hardware replacement at remote branch locations.
Hybrid Cryptography and Control Plane Hardening
To neutralize quantum decryption risks, the SASE fabric separates the management, control, and data planes to implement targeted security protocols:
- Universal Control Plane Hardening: All routing configurations and policy distributions are secured using TLS 1.3 (Transport Layer Security), protecting the network’s administrative “brain” from identity spoofing and credential interception.
- Hybrid Data Plane Key Exchanges: Adopting official Internet Engineering Task Force (IETF) standards—specifically RFC 9370, 9242, and 8784—the data plane utilizes hybrid key exchanges. This wraps transit data in both classical mathematical algorithms (for legacy compatibility) and quantum-resistant keys simultaneously, preventing packet fragmentation.
- Geofenced Telemetry: Operational metadata and system logs are encrypted via TLS 1.3 and geofenced to the client’s designated region to comply with global data residency mandates (such as NIS2 and DORA).
- Crypto-Agility by Design: The fabric is natively software-defined. As the National Institute of Standards and Technology (NIST) continues to update its post-quantum cryptography (PQC) ciphersuite guidelines, edge systems can be updated automatically via the cloud without requiring physical hardware overhauls.
Securing the Distributed Branch Edge
In today’s decentralized enterprise landscape, retail storefronts, remote clinics, and regional offices represent the primary gateways where sensitive data enters a corporate network. To defend these edge points, the platform utilizes Hybrid Public Key Infrastructure (PKI), issuing dual security credentials (one classical, one quantum-resistant) to every connected device.
At the branch level, Palo Alto Networks’ Prisma SD-WAN ION hardware appliances establish a hardware-level root of trust. Featuring Secure Boot and integrated Trusted Platform Module (TPM 2.0) chips, these appliances verify that only cryptographically signed firmware, kernels, and operating systems can execute during startup.
Furthermore, the integration leverages Service Provider Interconnect (SPI) to connect business branch traffic directly to AT&T’s private network core. By establishing a direct quantum-safe on-ramp that bypasses slow, public internet software tunnels, the architecture eliminates the traditional encryption “performance tax,” preserving high-throughput and low-latency metrics.
Review the official collaborative announcement via the AT&T Business Blog here.
July 16, 2026