Businesses Must Prepare For 90-Day Certificates

Uploaded on 2023-05-12 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Google Chromium recently sent a shockwave among already-pressed IT professionals with its announcement that it would reduce TLS certificate lifespans from 398 to 90 days.

This move had long been on the horizon, and those of us who were conscious of Google Chromium’s influence already predicted it would show up in a future policy update or a Certificate Authority/Browser Forum Ballot Proposal.

This drop in maximum validity will mean major changes for the industry and businesses. 

In recent years the maximum term for a public TLS (or SSL) certificate has shrunk from three years to two, to one. Google Chromium intends to further shorten this lifespan to 90 days, a measure which will potentially come into effect by the end of 2024, though no date has been specified currently.

The reason for the proposed reduction in certificate lifetime is to encourage automation across the ecosystem.

These changes will lead to faster adoption of upcoming security capabilities and best practices, promoting the ecosystem to adapt and transition to quantum-resistant algorithms more quickly, while also reducing the reliance on ‘broken’ revocation-checking solutions that can not fail-closed and therefore, offers incomplete protection. Also, shorter-lived certificates will reduce the impact of unexpected certificate transparency log disqualifications. 

What is hidden in the subtext of Google Chromium’s ‘Moving Forward, Together’ roadmap is how it will go about the process. If the CA/B Forum chooses to align with Google Chromium and make this change through a balloting process, that’s one way to make this a requirement. However, if not, Google Chromium hints that it is prepared to unilaterally force this change through. The way it would do so is by making this change a requirement for the Chrome root program, meaning it would immediately become a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements independently of CA/B Forum mandates, this change can take place whether the CA/B Forum endorses it or not.

Google is alerting the industry that they need to prepare for radically shorter digital certificate lifespans. This early announcement of its intended aims to give users time to deploy the transition to systems that can seamlessly support the reduction in validity timeframes, and the implications that come with it, and organisations are well advised to take advantage of this early warning.

The first and most obvious question CISOs will ask is how they are going to approach the management of digital certificates with shorter lifespans.

Already in enterprises, we see tens or hundreds of thousands of certificates deployed across any one IT environment, each with disparate renewal dates. For almost all organisations, the number of digital certificates they need to manage continues to climb rapidly. This alone has acutely increased risk levels and has become a pressing issue that demands automated solutions. 

Digital certificates enable enterprises to securely transact business within their own ecosystems and further afield. Digital certificates secure almost limitless systems and processes, from mobile phones to sophisticated IoT devices deployed in critical national infrastructure, and everything in between. 

Manual methods no longer an option as management becomes 4x harder
Organisations must understand the dangers that a manual approach to digital certificate management presents. No longer can or should one confidently work only with basic tools such as spreadsheets and siloed point-solutions. It hampers the visibility of all digital identities and leads to things being missed, which can lead to outages or worse create an opportunity for bad actors to exploit. The introduction of 90-day certifications will only serve to compound the issue, and continuing to manage these manually will only make a breach or outage a more likely reality. 

With the new lifespan change, work will increase for IT, they will need to handle the renewal and deployment of these server certificates more than four times per year. The increase in workload will greatly increase the potential for error. 

CISOs must already deal with existing hurdles such as rogue certificates, visibility over cryptographic decisions, and individual deployment, and this only compounds the problem. Manual management simply becomes unworkable and anyone still taking this approach will almost certainly pay the price.

Automate Or Risk Breaches & Outages

Threat actors have become increasingly sophisticated and efficient in their attacks. While businesses generally have become more sophisticated in identifying and stopping potential attacks, Google’s announced change means bad actors will be readying to take advantage of this. The organisations that will suffer most will be those that fail to best manage human and machine identities once digital certificate lifespans shrink to 90 days.

Organisations must automate the entire lifecycles of digital certificates, from renewal to revocation, at scale.

The most advanced option for automating their certificate management process is CA agnostic Certificate Lifecycle Management (CLM) platforms. These solutions can help with the discovery of certificates in enterprise environments, independently of which Certificate Authority originally issued them. These platforms make the task easier with notifications of impending expirations, and automatic provisioning and installation of renewal and replacement certificates. This way, enterprises can shield themselves from outages stemming from incorrect use or renewal of certificates and remain in control of their security.

Google’s 90-day certs are coming. With enough time to prepare and automation readily at their disposal, there is no excuse for businesses to be caught out. 

Tim Callan is Chief Experience Officer at Sectigo

You Might Also Read: 

Cybersecurity: Prepare For The Year Ahead:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Which Sectors Are Top Targets For Cyber Crime?
How Cybercriminals Profit From Your Personal Information »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

TBG Security

TBG Security

TBG provides a portfolio of services including cyber security, compliance and continuity solutions.

Concise Technologies

Concise Technologies

Concise Technologies provide specialist IT and telecoms solutions, support services, managed backup, disaster recovery, cyber security and consultancy to SME businesses across the UK and Europe.

Protenus

Protenus

Protenus provide a solution to proactively monitor and protect patient privacy in the electronic health record (EHR).

Managed Security Solutions (MSS)

Managed Security Solutions (MSS)

MSS deliver consultancy services and managed security services for IT departments who may lack the time, resources, or expertise themselves.

FoxGuard Solutions

FoxGuard Solutions

FoxGuard Solutions develops customized cyber security, compliance and industrial computing solutions for critical infrastructure entities and control system vendors.

AKATI Sekurity

AKATI Sekurity

AKATI Sekurity is a security-focused consulting firm providing services specializing in Information Security and Information Forensics.

Energia Ventures

Energia Ventures

Energia Ventures is a three-month intensive accelerator for entrepreneurs with an innovative business in the energy, smart grid, cleantech, and cybersecurity sectors.

Trust Stamp

Trust Stamp

Trust Stamp provide Identity and Trust as a Service to answer two fundamental questions: “Who are you?” and “Do I trust you?"

Gluu

Gluu

Modern Authentication for Digital Enterprise. Organizations around the world trust Gluu for large-scale, high-security identity & access management.

ThreatReady Resources

ThreatReady Resources

ThreatReady reduces an organization’s risk by delivering cyber security awareness training based on the latest, state-of-the-art learning science to effectively drive long-term cyber-safe behavior.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

r00tz Asylum

r00tz Asylum

r00tz Asylum is a nonprofit dedicated to teaching kids around the world how to love being white-hat hackers.

3B Data Security

3B Data Security

3B Data Security offer a range of Penetration Testing, Digital Forensics, Incident Response and Data Breach Management Services.

Grant Thornton

Grant Thornton

Grant Thornton is one of the world’s leading networks of independent assurance, tax and advisory firms.

Purple Team

Purple Team

Purple Team is an expert cybersecurity and managed security service provider focused on arming your IT infrastructure with both red team and blue team services.

Troye Computer Systems

Troye Computer Systems

Troye provide a complete range of digital workspace solutions that empower people to do their very best work in a safe and secure manner anywhere, anytime, using any device.