90-day certificates to drive spike in outages unless businesses act now
Last year, the Chromium Project, the Google-backed open source browser project, published its roadmap for building a safer, faster and more stable internet. Among its proposals was a reduction in the maximum lifespan of Transport Layer Security (TLS) certificates from 398 days to 90. This was a starting gun for the industry. As the operator of Chrome, Google can enforce shorter validity periods simply by making them a requirement for the certificate authorities its browser trusts, and the other browsers are likely to follow, which would make 90 days the de facto standard soon after.
When these changes come into force, every business that uses TLS certificates, which is to say every business that exposes a service to the internet, will be affected. TLS certificates are machine identities: they let systems authenticate each other and talk securely over the internet. If a certificate is not renewed or replaced before it expires, clients stop trusting it and the service it protects stops working. The result is costly outages, disruption and increased security risk, and it is something everyone has experienced in a browser as a 'can't connect to untrusted site' error.
As the volume of machine identities explodes and the speed at which they need to be replaced quickens, these changes threaten to expose organizations to outages and breaches. To avoid significant financial and reputational damage, organizations urgently need to build a high degree of automation into their machine identity strategies.
A growing digital burden
The direction of travel over the past several years has been towards shorter TLS/SSL certificate lifespans. The maximum shrank from five years to roughly two (825 days) in 2018, and then to 398 days, about 13 months, in 2020. In general, shorter lifespans are good for security, for several reasons. If a threat actor gets hold of a stolen or compromised certificate and its private key, they have a smaller window in which to exploit it. Shorter lifespans force more regular key rotation than would otherwise happen, and they reduce dependence on revocation, which matters because CRLs and OCSP are unreliable in practice and a leaked key that is only valid for a few weeks does far less damage than one valid for a year. They also cut the risk of organizations persisting with outdated cryptographic algorithms, because every renewal is an opportunity to move to current ones. And they encourage firms to reduce their dependency on a single certificate authority (CA).
However, a 90-day lifespan for machine identities places a significant extra burden on security teams. Best practice is to renew a certificate 30 days before it expires, so a 90-day certificate has to be rotated every 60 days, roughly six times a year, rather than about once a year with 398-day certificates. Fail to find and replace every one of them in time and the result is a service or application outage.
The burden will be even greater because TLS/SSL certificate volumes continue to surge, and as they grow, so does the complexity of managing machine identities. Growing reliance on cloud services complicates 90-day certificates further: it becomes harder to know what is about to expire, where it is installed and how to change it.
Research reveals that the average number of machine identities per organization at the end of 2021 was nearly 250,000, and that it is estimated to increase by 42 percent annually. For organizations with more than 10,000 employees, the figure was 320,000 machine identities at the start of 2022 and could more than quadruple to 1.3 million by 2025. Multiply that volume by the extra work of managing shorter lifespans and you have a recipe for spiraling security risk and outages.
Shorter lives could increase business risk
What might this mean for organizations? If they cannot effectively manage a much larger number of renewals each year, it will lead to major outages and security breaches. When a certificate expires, web browsers, mobile apps, APIs and other clients can no longer authenticate the service, taking applications offline. This can take out customer-facing websites and critical internal applications such as email services and VPN connectivity. At the very least, it produces browser warnings that scare off customers and encourages them to click past warnings that would otherwise protect their traffic from interception.
Organizations as diverse as the US government and Spotify have witnessed first-hand the impact such outages can have. Research reveals that 83 percent of organizations have suffered a certificate-related outage during the past 12 months, with a quarter (26 percent) of these saying it affected business-critical systems. Consider how much such incidents would increase if machine identity lifespans were shortened without a change in how they are managed.
Lapsed certificates also put customers at risk by making phishing and man-in-the-middle (MITM) attacks easier. Every legitimate site that greets users with an expired-certificate warning trains them to treat such warnings as noise and click through, which is exactly the behaviour an attacker presenting a bogus certificate needs.
Automation is the answer
The only way to mitigate these challenges at scale is to build automation into machine identity management. In dynamic and ephemeral cloud-native environments, it’s essential to put in place a control plane to manage the entire lifecycle of machine identities and automate across the datacenter and multiple clouds. Whether the organization is a developer/publisher or a consumer of software, it needs automated controls to ensure all of its digital assets can connect, authenticate and communicate securely.
There has been hope that the ACME protocol and open source clients such as certbot could make automation set-and-forget. The catch is that on their own they provide no assurance that a renewed certificate has actually been deployed, and they have no way to coordinate a fleet of renewal agents across many hosts. Whether automation is performed by an agent or by infrastructure-as-code tooling such as Ansible or Terraform, it must have a feedback loop that reports success or failure, confirm that the endpoint is serving the new certificate, and be able to make corrections when it is not.
But automation alone isn't a silver bullet. Machine identity management solutions must be architected to deliver a unified and integrated set of capabilities. These include continuous discovery and inventory of TLS/SSL certificates, recording who owns each one, where it is installed and when it expires; automated renewal to avoid the downtime caused by expired certificates; and continuous, real-time monitoring and reporting to confirm that every certificate complies with the 90-day lifespan and the associated enterprise policies.
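A worked example of the checks discussed above: the 60-day rotation cadence from the earlier section and the feedback loop this section asks for, expressed as a small inventory checker. This is added illustrative code, not Venafi's product, certbot, or any real inventory; the hostnames, dates and fingerprints are constructed, and the policy numbers (90-day maximum lifetime, renew 30 days before expiry) follow the article.

```python
"""Certificate lifecycle checker with a deployment feedback loop.

Constructed example: hostnames, dates and fingerprints below are made up and
the policy numbers follow the article (90-day lifetime, renew 30 days before
expiry). It is not Venafi's product, certbot, or any real inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import socket
import ssl
from typing import Dict, List, Optional

MAX_LIFETIME_DAYS = 90   # policy ceiling on (notAfter - notBefore)
RENEW_BEFORE_DAYS = 30   # start renewal this many days before notAfter


@dataclass
class CertRecord:
    host: str
    not_before: datetime
    not_after: datetime
    issued_fingerprint: str               # SHA-256 of the DER cert the CA issued
    deployed_fingerprint: Optional[str]   # SHA-256 seen on the live endpoint, None if unreachable


def renewals_per_year(lifetime_days: int, renew_before_days: int) -> float:
    """Rotations per year if every cert is renewed renew_before_days before expiry."""
    return 365 / (lifetime_days - renew_before_days)


def classify(rec: CertRecord, now: datetime) -> str:
    """Classify one record, most urgent condition first: a cert that violates
    policy or never reached the endpoint is a worse problem than one that is
    merely due for renewal."""
    if (rec.not_after - rec.not_before).days > MAX_LIFETIME_DAYS:
        return "policy-violation"       # issued with a lifetime the policy forbids
    if rec.deployed_fingerprint is None:
        return "unreachable"            # no observation, so no assurance either way
    if rec.deployed_fingerprint != rec.issued_fingerprint:
        return "not-deployed"           # CA issued it, but the endpoint serves something else
    if now >= rec.not_after:
        return "expired"
    if now >= rec.not_after - timedelta(days=RENEW_BEFORE_DAYS):
        return "renew"
    return "ok"


def fetch_deployed_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Observe (not trust) whatever certificate an endpoint currently serves.
    Verification is disabled on purpose: an expired or wrong cert must still be
    recorded, otherwise the feedback loop cannot tell 'expired' from 'down'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def _fp(label: str) -> str:
    """Stand-in for a real certificate fingerprint (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2024, 6, 1)   # constructed "current time" for the sample run

SAMPLE_INVENTORY: List[CertRecord] = [
    # fresh 90-day cert, 59 days left, live copy matches the issued one
    CertRecord("api.example.test", _utc(2024, 5, 1), _utc(2024, 7, 30), _fp("api-v2"), _fp("api-v2")),
    # 90-day cert inside the 30-day renewal window
    CertRecord("www.example.test", _utc(2024, 3, 15), _utc(2024, 6, 13), _fp("www-v7"), _fp("www-v7")),
    # renewal never happened
    CertRecord("vpn.example.test", _utc(2024, 2, 20), _utc(2024, 5, 20), _fp("vpn-v1"), _fp("vpn-v1")),
    # 398-day cert still in circulation
    CertRecord("legacy.example.test", _utc(2023, 6, 1), _utc(2024, 7, 3), _fp("legacy-v3"), _fp("legacy-v3")),
    # ACME client obtained a new cert, but the endpoint still serves the old one
    CertRecord("mail.example.test", _utc(2024, 5, 20), _utc(2024, 8, 18), _fp("mail-v5"), _fp("mail-v4")),
    # probe could not connect
    CertRecord("db.example.test", _utc(2024, 5, 1), _utc(2024, 7, 30), _fp("db-v2"), None),
]


def run_inventory(records: List[CertRecord] = SAMPLE_INVENTORY, now: datetime = NOW) -> Dict[str, str]:
    """Map each host to its lifecycle status."""
    return {rec.host: classify(rec, now) for rec in records}


if __name__ == "__main__":
    print(f"rotations/year at 90d: {renewals_per_year(90, RENEW_BEFORE_DAYS):.1f}")
    for host, status in run_inventory().items():
        print(f"{host:22} {status}")
```

In a real deployment the `deployed_fingerprint` field would be filled by `fetch_deployed_fingerprint` (or an equivalent probe run from inside the network for internal services) rather than hard-coded, and the `not-deployed` and `unreachable` statuses are the ones that an ACME client's own "renewal succeeded" log line would never surface.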
The best tools will not only cover these basics, but also integrate tightly with DevOps tools via APIs. This enables automated provisioning of certificates in developer environments, and ensures new and existing apps adhere strictly to shorter validity periods.
Getting cloud ready
The challenges of machine identity management aren't limited to the cloud, but they certainly multiply amid the complexity and rapid change that characterize cloud environments. Research reveals that certificate mismanagement is already one of the top three causes of security issues in the cloud, cited by two-fifths (39 percent) of organizations. Delays and disruption to digital transformation, poor customer experiences and data breaches are just some of the potential consequences.
Organizations keen to drive competitive advantage through digital transformation clearly have a challenge already on their hands with machine identity management. And it will only grow as certificate lifespans shorten and certificate volumes grow. That’s why it’s best to put an automated control plane in place today, to provide the security and resilience businesses need to thrive tomorrow.
Kevin Bocek is Chief Innovation Officer at Venafi.