In cybersecurity, we can prepare for a wide variety of risks and threat scenarios, but we would be hard pressed to anticipate every eventuality. Yet every so often, industry events arise that test how well we actually are prepared. Machine identity security is certainly no exception to that rule. Soon, organizations everywhere will be forced to evaluate how ready their certificate management solutions are to quickly adapt to a variety of industry-changing events.
The machine identity game changer for many organizations right now is the need to quickly find a solution for distrusted Entrust TLS certificates by the end of October. But looming in the near future is the industry-wide migration to an impending 90-day TLS certificate standard, as well as preparing for the ultimate transition to post-quantum cryptography. But there are many additional factors that impact machine identity security.
“We recently lived through the world’s greatest IT outage—the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates,” said Kevin Bocek, chief innovation officer at Venafi. “Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams—and it’s a double whammy with Entrust being distrusted in Chrome. There aren’t just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It’s not just one software update vendor; it’s the entire Internet as we know it.”
Gauging 90-day TLS certificate readiness
For organizations using highly automated machine identity security solutions with a mature set of policies, these challenges will be a mere blip on the radar screen. But that would be no small feat for large organizations with hundreds of thousands of certificates spread across multiple business units and geographies. Especially for the move to 90-day certificates, which would effectively quintuple the number of times that an organization would touch a certificate in a single year (factoring in advanced renewal best practices).
The sheer scope of the 90-day certificate challenge leaves many organizations wondering how their certificate lifecycle management solutions will hold up. In the most extreme cases, some organizations are worried that the transition to 90-day certificates would “break their business.” That made us wonder here at Venafi how widespread was this concern about shorter certificate lifespans? And how well were organizations really prepared for this radical move?
To learn more about the state of the industry, we launched a survey of 800 security leaders across the U.S, U.K., Germany and France. And we learned that the majority of organizations do not feel entirely prepared for the impending 90-day certificate standard, as well as the other factors that concern them most when it comes to their crypto agility.
Request a free 90-day readiness assessment.
Widespread anxiety about lack of preparedness
From a high level, we learned that security leaders acknowledge shorter certificates are inevitable in the face of a rapidly evolving security threat landscape—the shorter the certificate lifespan, the less time cybercriminals have to exploit them. The survey revealed that 76% of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security.
However, this awareness does not seem to translate into a corresponding confidence about the certificate management capabilities that will be required to support the migration to 90-day TLS certificates. Overall, security leaders were concerned about the amount of work that it would take to transition their approach enterprise-wide, as well as the risk that touching so many moving parts could create in everyday management—especially if they are still using manual management strategies. While security leaders acknowledge that automation is essential, many are simply not automating enough. Only 8% of security leaders fully automate all aspects of TLS certificate management across their entire enterprise.
Indeed, the impending mandate for 90-day certificates leaves many organizations feeling not only unprepared to take action but concerned about the consequences of that move. Eighty-one percent of security leaders say Google’s proposed plans to shorten TLS certificate lifespans from 398 days to 90 will amplify existing challenges they have around managing certificates and 94% are concerned about the impact of the changes in the following ways:
- 73% say it could cause “chaos” and create blind spots
- 75% say it could even make them less secure
- 77% say the shift to 90-day certificates will mean more outages are inevitable
To learn more data about these concerns, including contributing factors such as certificate growth, CA (Certificate Authority) revocations and post-quantum cryptography, read our new research report, Organizations Largely Unprepared for the Advent of 90-Day TLS Certificates.
Get a 30 Day Free Trial of TLS Protect Cloud, Automated Certificate Management.
Venafi can help you smooth your transition
As organizations brace for the transition to the 90-day TLS standard, Venafi’s certificate lifecycle management solution TLS Protect stands out as an essential tool for navigating this change. It offers unmatched visibility and control over TLS certificates across diverse environments and provides a platform for automating the renewal process to avoid costly outages and ensure continuous compliance.
This capability is necessary for maintaining the trust and integrity of digital communications in an increasingly stringent cybersecurity landscape. TLS Protect also enables businesses to respond swiftly to emerging threats and adapt to new regulatory demands with ease. Also, the integration capabilities of TLS Protect extend its utility beyond mere compliance, enabling a seamless and secure digital transformation journey for enterprises aiming to stay ahead in a rapidly evolving digital ecosystem.
The discovery capabilities of TLS Protect are essential for organizations preparing for the transition to the 90-day TLS standard. By thoroughly mapping out and identifying every TLS certificate across environments, Venafi TLS Protect ensures organizations have a clear inventory ahead of the tighter renewal schedules. This comprehensive visibility is important for preventing outages and maintaining continuous compliance under the new standard. As certificates require more frequent updates, Venafi’s discovery tool allows businesses to proactively manage their TLS certificates, ensuring a smooth transition to and maintenance of the 90-day lifecycle.