Businesses Must Prepare For 90-Day Certificates

Google Chromium recently sent a shockwave among already-pressed IT professionals with its announcement that it would reduce TLS certificate lifespans from 398 to 90 days.

This move had long been on the horizon, and those of us who were conscious of Google Chromium’s influence already predicted it would show up in a future policy update or a Certificate Authority/Browser Forum Ballot Proposal.

This drop in maximum validity will mean major changes for the industry and businesses. 

In recent years the maximum term for a public TLS (or SSL) certificate has shrunk from three years to two, to one. Google Chromium intends to further shorten this lifespan to 90 days, a measure which will potentially come into effect by the end of 2024, though no date has been specified currently.

The reason for the proposed reduction in certificate lifetime is to encourage automation across the ecosystem.

These changes will lead to faster adoption of upcoming security capabilities and best practices, encouraging the ecosystem to adapt and transition to quantum-resistant algorithms more quickly, while also reducing reliance on ‘broken’ revocation-checking solutions that cannot fail closed and therefore offer incomplete protection. Shorter-lived certificates will also reduce the impact of unexpected certificate transparency log disqualifications.

What is hidden in the subtext of Google Chromium’s ‘Moving Forward, Together’ roadmap is how it will go about the process. If the CA/B Forum chooses to align with Google Chromium and make this change through a balloting process, that’s one way to make this a requirement. However, if not, Google Chromium hints that it is prepared to unilaterally force this change through. The way it would do so is by making this change a requirement for the Chrome root program, meaning it would immediately become a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements independently of CA/B Forum mandates, this change can take place whether the CA/B Forum endorses it or not.

Google is alerting the industry that it needs to prepare for radically shorter digital certificate lifespans. This early announcement of its intentions aims to give users time to transition to systems that can seamlessly support the reduced validity periods and the implications that come with them, and organisations are well advised to take advantage of this early warning.

The first and most obvious question CISOs will ask is how they are going to approach the management of digital certificates with shorter lifespans.

Already in enterprises, we see tens or hundreds of thousands of certificates deployed across any one IT environment, each with disparate renewal dates. For almost all organisations, the number of digital certificates they need to manage continues to climb rapidly. This alone has acutely increased risk levels and has become a pressing issue that demands automated solutions. 

Digital certificates enable enterprises to securely transact business within their own ecosystems and further afield. Digital certificates secure almost limitless systems and processes, from mobile phones to sophisticated IoT devices deployed in critical national infrastructure, and everything in between. 

Manual methods no longer an option as management becomes 4x harder
Organisations must understand the dangers that a manual approach to digital certificate management presents. No longer can or should one confidently work only with basic tools such as spreadsheets and siloed point solutions. Such an approach hampers visibility of all digital identities and leads to things being missed, which can cause outages or, worse, create an opportunity for bad actors to exploit. The introduction of 90-day certificates will only compound the issue, and continuing to manage them manually will make a breach or outage a more likely reality.

With the new lifespan change, work will increase for IT: they will need to handle the renewal and deployment of these server certificates more than four times per year. The increase in workload will greatly increase the potential for error.

CISOs must already deal with existing hurdles such as rogue certificates, visibility over cryptographic decisions, and individual deployment, and this only compounds the problem. Manual management simply becomes unworkable and anyone still taking this approach will almost certainly pay the price.

Automate Or Risk Breaches & Outages

Threat actors have become increasingly sophisticated and efficient in their attacks. While businesses generally have become more sophisticated in identifying and stopping potential attacks, Google’s announced change means bad actors will be readying to take advantage of this. The organisations that will suffer most will be those that fail to best manage human and machine identities once digital certificate lifespans shrink to 90 days.

Organisations must automate the entire lifecycles of digital certificates, from renewal to revocation, at scale.

The most advanced option for automating the certificate management process is a CA-agnostic Certificate Lifecycle Management (CLM) platform. These solutions can help with the discovery of certificates in enterprise environments, independently of which Certificate Authority originally issued them. They make the task easier with notifications of impending expirations, and automatic provisioning and installation of renewal and replacement certificates. This way, enterprises can shield themselves from outages stemming from incorrect use or renewal of certificates and remain in control of their security.
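As an added illustration (not from the article, and not any vendor's CLM product), the following script performs the two checks such a platform automates over a certificate inventory: it flags certificates that have entered their renewal window regardless of issuing CA, and it computes how many renewal events per year a 90-day lifetime implies compared with 398 days. The hostnames, issuer labels, dates and the "renew at one third of lifetime remaining" policy are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    """One inventory entry; a CLM platform would populate these from discovery scans."""
    host: str
    issuer: str
    not_before: date
    not_after: date

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def renewal_lead_days(lifetime_days: int, fraction: float = 1 / 3) -> int:
    """Renew once this many days remain: one third of the lifetime (30 days for a 90-day cert)."""
    return max(1, round(lifetime_days * fraction))


def classify(cert: CertRecord, today: date) -> str:
    """EXPIRED, RENEW (inside the renewal window) or OK."""
    if today > cert.not_after:
        return "EXPIRED"
    if (cert.not_after - today).days <= renewal_lead_days(cert.lifetime_days):
        return "RENEW"
    return "OK"


def report(inventory: list[CertRecord], today: date) -> dict[str, str]:
    """Map each host to its status, independent of which CA issued the certificate."""
    return {cert.host: classify(cert, today) for cert in inventory}


def renewals_per_year(lifetime_days: int, fraction: float = 1 / 3) -> float:
    """Renewal events per certificate per year when replacing it `fraction` of its lifetime early."""
    cycle_days = lifetime_days - renewal_lead_days(lifetime_days, fraction)
    return 365 / cycle_days


# Constructed sample inventory (hostnames, issuers and dates are made up for the example).
TODAY = date(2024, 6, 1)
INVENTORY = [
    CertRecord("www.example.test", "CA-A", date(2024, 4, 1), date(2024, 6, 30)),     # 90-day, 29 days left
    CertRecord("api.example.test", "CA-B", date(2024, 5, 15), date(2024, 8, 13)),    # 90-day, 73 days left
    CertRecord("legacy.example.test", "CA-A", date(2023, 5, 1), date(2024, 5, 31)),  # 396-day, already expired
]

if __name__ == "__main__":
    for host, status in sorted(report(INVENTORY, TODAY).items()):
        print(f"{status:8} {host}")
    print(f"renewals/year: 398-day {renewals_per_year(398):.1f}, 90-day {renewals_per_year(90):.1f}")
```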

Google’s 90-day certs are coming. With enough time to prepare and automation readily at their disposal, there is no excuse for businesses to be caught out. 

Tim Callan is Chief Experience Officer at Sectigo
