Reducing the lifespan of Transport Layer Security (TLS) certificates could play a pivotal role in improving the security of the websites and devices that depend on them. A TLS certificate binds a server's identity to its public key so that clients can establish an authenticated, encrypted connection, which is what protects sensitive information in transit. Today the CA/Browser Forum Baseline Requirements cap the validity of a publicly trusted certificate at 398 days, roughly a year plus a month of renewal margin. If the recent proposals from Google and Apple are adopted, that cap could fall to 100 days (about 90 days plus a renewal margin) or even 47 days (about 30 days plus margin).
In some DevOps settings, certificates can be as brief as 10 days, according to Jason Soroko, a senior fellow and CTO at Sectigo. The rationale for shorter lifetimes is that a certificate is only as trustworthy as the key and the validation behind it: the longer it stays valid, the longer a stolen private key or a certificate issued against stale domain-validation data remains usable by an attacker. Revocation is the nominal remedy, but browsers check CRLs and OCSP inconsistently, so expiry is the one limit that is reliably enforced. Once a certificate expires, browsers refuse the connection, which closes the window for misuse and the data theft that would follow.
Automated Updates Make Change Easier
For organizations that already feed certificate lifecycle management (CLM) events into a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) platform, the higher renewal frequency should cause little operational disruption. Soroko notes that CLM logs integrate with SIEM and SOAR systems, so approaching expirations surface as events that trigger renewal before the certificate lapses, preserving business continuity.
Many small to medium-sized businesses (SMBs) already get automated certificate renewal through CLM services bundled by their network security service providers. These organizations should confirm that automated renewal is actually in place rather than assume it, both to stay compliant and to minimize risk. A CLM system manages the entire lifecycle of a certificate, from issuance to renewal, which reduces outage-related liability and supports compliance obligations.
The shift to shorter lifetimes will weigh most on organizations that still renew certificates by hand. Soroko points out that frequent manual renewals raise the chance of error, especially when moving from an annual to a monthly cycle. A 30-day renewal cadence, for instance, means 12 renewals a year for every certificate, each one an opportunity for a mistake and a correspondingly greater risk of an outage.
Arvid Vermote, GlobalSign’s global CIO and CISO, emphasizes the urgency of adapting to these changes. He explains that the historical reluctance to implement automation stems from a lack of immediate necessity. However, with the shortening certificate lifespan, even smaller entities must embrace automated renewal to avoid potential disruptions.
As organizations adjust to the change in certificate longevity, those depending on manual updates will quickly recognize the advantages of automation, not only for speed but also for reliability in certificate management.
According to Soroko, managing certificates manually can be a daunting technical challenge, prone to errors that could lead to significant downtime for websites. Most large enterprises transitioned to CLM years ago to avoid such pitfalls.
Regardless of a company's size, automating certificate renewal is vital. CLM tooling also provides visibility: an inventory of every digital certificate in the environment, not only the ones someone remembered to track.
CLM Casts Light on Shadow IT
Because certificates now rotate more often, a CLM system has to audit the environment regularly for certificates due for renewal. That ongoing scan can surface certificates for services IT never documented. Department heads often procure software-as-a-service or other digital tools to meet operational needs without telling IT, creating blind spots.
With unsanctioned applications running everywhere from virtual machines to web servers, mapping all of shadow IT is hard. A CLM system, however, can identify new hardware or cloud instances that need certificates and were previously overlooked. A certificate tied to a device nobody recognizes deserves investigation: it may be an unsanctioned deployment, or a sign of an intrusion in progress.
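As an added example (not code from the article, Sectigo or GlobalSign), the following Python sketches the two jobs the last two sections describe: a renewal check that keys off the fraction of validity already elapsed, so it behaves the same for a 398-day and a 47-day certificate, and an inventory pass that flags certificates on hosts absent from the asset list. The records use the dict layout that Python's ssl.SSLSocket.getpeercert() returns, so the same functions run over certificates pulled from live hosts; the hostnames, dates, issuer names, asset list and the two-thirds threshold are all assumptions constructed for the demonstration.

```python
"""Lifetime-aware certificate inventory check (added example, not the article's
or any vendor's code). Records use the dict layout returned by
ssl.SSLSocket.getpeercert(), so the same functions run over certificates pulled
from live hosts; the sample records and asset list below are constructed."""
import socket
import ssl
from datetime import datetime, timezone

# Renew once this fraction of the lifetime has elapsed. A fraction, not a fixed
# "30 days before expiry", keeps the policy sane when lifetimes drop from 398
# days to 47: a fixed 30-day alarm would fire on day 17 of a 47-day certificate.
# Two-thirds is where Let's Encrypt recommends renewing its 90-day certificates.
RENEW_AFTER_FRACTION = 2 / 3

# Constructed asset inventory; any other host carrying a certificate is shadow IT.
KNOWN_HOSTS = {"www.example.com", "api.example.com", "legacy.example.com"}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the run is reproducible

# Constructed sample records in getpeercert() format.
SAMPLE_CERTS = [
    {   # 398-day certificate, 78 days old: nothing to do yet
        "subjectAltName": (("DNS", "www.example.com"),),
        "notBefore": "Mar 15 00:00:00 2025 GMT", "notAfter": "Apr 17 00:00:00 2026 GMT",
        "issuer": ((("organizationName", "Example Public CA"),),),
    },
    {   # 47-day certificate, 35 days old: past two-thirds, renew now
        "subjectAltName": (("DNS", "api.example.com"),),
        "notBefore": "Apr 27 00:00:00 2025 GMT", "notAfter": "Jun 13 00:00:00 2025 GMT",
        "issuer": ((("organizationName", "Example Public CA"),),),
    },
    {   # 90-day certificate on a host nobody told IT about
        "subjectAltName": (("DNS", "crm-pilot.example.com"),),
        "notBefore": "May 20 00:00:00 2025 GMT", "notAfter": "Aug 18 00:00:00 2025 GMT",
        "issuer": ((("organizationName", "Example Public CA"),),),
    },
    {   # 398-day certificate that expired two days ago
        "subjectAltName": (("DNS", "legacy.example.com"),),
        "notBefore": "Apr 27 00:00:00 2024 GMT", "notAfter": "May 30 00:00:00 2025 GMT",
        "issuer": ((("organizationName", "Example Internal CA"),),),
    },
]


def cert_time(value: str) -> datetime:
    """Parse a getpeercert() timestamp such as 'Jun 13 00:00:00 2025 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def dns_names(cert: dict) -> list[str]:
    """DNS entries of the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def issuer_org(cert: dict) -> str:
    """organizationName of the issuer, or '' if absent."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def assess(cert: dict, now: datetime = NOW, known_hosts: set = KNOWN_HOSTS) -> dict:
    """Classify one certificate as ok / renew / expired and flag unknown hosts."""
    not_before, not_after = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    elapsed_fraction = (now - not_before) / lifetime  # timedelta / timedelta -> float
    if now >= not_after:
        status = "expired"
    elif elapsed_fraction >= RENEW_AFTER_FRACTION:
        status = "renew"
    else:
        status = "ok"
    hosts = dns_names(cert)
    return {
        "hosts": hosts,
        "issuer": issuer_org(cert),
        "lifetime_days": lifetime.days,
        "days_remaining": (not_after - now).days,  # negative once expired
        "status": status,
        "unknown_hosts": [h for h in hosts if h not in known_hosts],
    }


def inventory_report(certs, now=NOW, known_hosts=KNOWN_HOSTS) -> list[dict]:
    """Assess every certificate; a CLM job would run this on a schedule."""
    return [assess(c, now, known_hosts) for c in certs]


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Pull a live server certificate in getpeercert() format (network; not run here).
    The default context rejects expired or untrusted chains, so a scanner that must
    also see those needs getpeercert(binary_form=True) plus a DER parser (not shown)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for row in inventory_report(SAMPLE_CERTS):
        flag = "  UNKNOWN HOST" if row["unknown_hosts"] else ""
        print(f'{",".join(row["hosts"]):24} {row["lifetime_days"]:4}d  {row["days_remaining"]:4}d left  {row["status"]}{flag}')
```

Run stand-alone, the report marks the 398-day certificate as fine at 78 days old, the 47-day certificate as due for renewal at 35 days old, the 90-day certificate as healthy but on an unrecognised host, and the legacy certificate as expired. The point of expressing the threshold as a fraction is that the same rule produces sensible behaviour across all four lifetimes; a hard-coded 30-day warning would have been shouting about the 47-day certificate since its third week.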
Vermote suggests that this evolution in certificate management will likely create the most significant challenges for SMBs. This situation may offer a strategic opportunity for CISOs to seek funding for automation solutions if they do not already possess them.
Vermote asserts that funding requests from the board are often reactive—triggered by security incidents or service downtimes. In the current context, however, a lack of investment in automation risks rendering websites and services inaccessible when certificate expirations occur.
Justin Lam, an analyst with 451 Research, recommends that enterprises adopt a proactive risk management approach towards digital certificates rather than merely complying with regulations reactively. Shorter certificate lifecycles can foster better oversight and improved management of digital assets, reducing exposure to unnoticed security vulnerabilities.
Lam highlights a disconnect wherein many security professionals may lack ownership over the environments these digital assets protect. Though CISOs are responsible for safeguarding their networks, they might not be fully aware of cloud-based sessions tied to digital certificates, making funding for comprehensive oversight and management a pressing necessity.
Source: www.darkreading.com