Majority of Security Leaders Believe Shorter Certificate Lifespans Will Leave Many Companies Blindsided, With More Outages “Inevitable”
Venafi, the leader in machine identity security, today released a new research report, Organizations Largely Unprepared for the Advent of 90-Day TLS Certificates. The report examines organizations’ current state of preparedness to transition to new machine identity standards, including shorter certificate lifecycles and post-quantum cryptography.
Also Read: Leveraging AI and Machine Learning for DataSecOps
“We recently lived through the world’s greatest IT outage – the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates”
A survey of 800 security decision-makers across the U.S., UK, Germany and France revealed that more than three-quarters (76%) of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security. However, many feel unprepared to take action, with 77% saying the shift to 90-day certificates will mean more outages are inevitable.
Additional highlights from the survey findings include:
- 90-Day Certificate Challenges – Eighty-one percent of security leaders believe Google’s proposed plans to shorten TLS certificate lifespans from 398 days to 90 days will amplify existing challenges they have around managing certificates. An overwhelming 94% of survey respondents are concerned about the impact of the changes, with nearly three-quarters (73%) saying it could cause “chaos” and a further 75% saying it could even make them less secure.
- Volatile CA Landscape – The recent decree that certificates issued by Certificate Authority (CA) Entrust can no longer be trusted is just the latest example of disruption in the CA market. In fact, 88% of security leaders report their organization has been impacted by CA revocations. Of these, 45% had to deploy extra resources to find, revoke and replace certificates; 38% suffered a security incident; and 31% had a certificate-related outage.
- Quantum Denial – With momentum gathering around the need to migrate to new quantum-resistant encryption algorithms, 64% of security leaders say they “dread the day” the board asks about their migration plans. Seventy-eight percent say if a quantum computer capable of breaking encryption is built, they will “deal with it then,” with 60% believing that quantum computing doesn’t present a risk to their business today or in the future. Moreover, 67% dismiss the issue, stating it has become a “hype-pocalypse.”
“We recently lived through the world’s greatest IT outage – the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates,” said Kevin Bocek, chief innovation officer at Venafi. “Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams – and it’s a double whammy with Entrust being distrusted in Chrome. There aren’t just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It’s not just one software update vendor; it’s the entire Internet as we know it.”
The introduction of 90-day certificates means organizations will need to renew their certificates five times more often than they do now – quintupling the effort needed. The survey reveals this will be a major challenge for businesses for two reasons:
- Delayed Deployment – Only 8% of security leaders fully automate all aspects of TLS certificate management across their entire enterprise, with almost a third (29%) still relying on their own software and spreadsheets to manage the problem. As a result, it takes an average of 2-3 working days (21.75 hours) to deploy a certificate.
- TLS Transformation – The volume of TLS certificates in use at organizations has been steadily rising, due to the growth in technology adoption in recent years. Ninety-five percent of security leaders say digital transformation initiatives have increased their organization’s use of SSL/TLS in the past year by an average of 36%. As a result, the average enterprise now manages 3,730 TLS certificates – a number that is expected to increase by 39% by 2026, taking the figure up to over 5,000.
Also Read: Top Misconceptions Around Data Operations and Breaking Down the Role of a VP of Data Ops
Similar challenges exist with quantum. Sixty-seven percent of survey respondents believe shifting to post-quantum cryptography will be a nightmare, as they don’t know where all their keys and certificates are. Looking at the specific challenges these shifts present, the potential speed of the migration, scale and cost, as well as lack of internal skills and knowledge were cited as the top three concerns. However, 86% say taking control of the management of keys and certificates is the best way to prepare for future quantum risks.
“There’s great news: from 90-day certificates to replacing distrusted CAs to making the transition to post-quantum, security teams today have machine identity security capabilities they didn’t have available just a few years ago. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane now,” Bocek concludes. “The business case is simple for making sure 90-day certificate lifetimes don’t wreak havoc. We know the problem is coming, unlike the last major IT outage, and the automation we put in place with machine identity security gets us ready for the post-quantum future, the next CA distrust and running in whatever cloud our developers choose.”
Also Read: AMD MI300 Seen In The Wild: Liftr Insights Data
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
