On a recent call with an enterprise customer who happens to be a Fortune 50 company, the conversation quickly turned to the many technology challenges a corporation like theirs faces.
This is an extremely large organization that employs more than 200,000 people worldwide. On top of that, much of the technology it relies on is older, which makes securing all of it tricky.
A portion of this pain is connected to the necessity to comply with certain rules and regulations. Some of these rules are, in effect, mandates from browser vendors such as Apple, Google, Microsoft and Mozilla.
There is no getting around the fact that in the last few years Apple and the other browser vendors have essentially demanded that all certificate authorities, including GlobalSign, gradually reduce the validity period of digital certificates. All in the name, naturally, of increased security.
For example, in 2020 Apple unexpectedly announced at a February CA/Browser Forum meeting that, contrary to the usual operating procedure of calling for a vote with the other browsers and certificate authorities (CAs), it would be implementing 398-day certificate lifespans on its devices. Mozilla and Google soon followed suit. As a result, as of September 1, 2020, browsers and devices from Apple, Google, and Mozilla began showing errors for new TLS certificates that have a lifespan greater than 398 days.
Due to an Apple request in late December, the certificate authority industry had expected that Secure/Multipurpose Internet Mail Extensions (S/MIME) certificate lifespans would be decreased to 825 days on April 1. However, on January 28, 2022, Apple reversed course and decided to continue to allow three-year certificates. It is likely there will be another change down the road. But for now, it is status quo.
In truth, the browser vendors also have a point about certificate lifecycles: the longer a certificate remains valid, the longer it is exposed, and the easier it is for it to end up compromised. That could be because someone simply forgot to revoke it, or because the person who issued it has left the company. After a multitude of such incidents, the browsers pushed for moving to shorter validity periods.
Obviously this impacts CAs. However, the ones really hit hard are enterprises like our Fortune 50 customer, who also must keep up with never-ending rule changes over which they literally have no control. Smaller, less complex organizations will no doubt be impacted as well, although being smaller they may be more nimble and able to adapt more quickly to industry changes. Nevertheless, we have seen it be quite disruptive to their business too, since they have even smaller staffs and less certificate lifecycle management expertise.
But for enterprises this is a huge task, and because of that, the pain will be significant. Replacing tens or even hundreds of thousands of certificates in a compressed time frame, on a regular basis, is going to be nearly impossible. And if the browsers further reduce the lifespan of certificates, it will be even more of a burden for large organizations to bear. Add to that the limited number of staff with deep knowledge of Public Key Infrastructure (PKI), the technology behind digital certificates.
My colleagues who are close to the "policy" around certificates tell me that the future will most likely bring us even shorter-lived certificates, further exacerbating the challenges. Their view is that we need to educate customers that they need to be "agile". This is becoming a requirement, not an option. Rotation of intermediate CA (ICA) key material for certain certificate types is now happening every three months for some of our solutions. Since intermediates are a critical component of the trust chain, you will need to be able to push the new ones out to your infrastructure easily.
As the expression goes, “Houston, we have a problem.” The only real solution to manage this constant change to enable “crypto agility” is automation.
Accepting the need for automation
We know that companies simply cannot scale their manual processes enough to meet these requirements, which is why numerous vendors offer automation solutions to help manage certificate lifecycles.
All enterprises must accept the reality that these tools are an absolute necessity. Without them, they will experience problems stemming from lifecycle issues such as certificate expirations, the results of which range from a reduction in trust, to a decline in sales and revenue through increased shopping basket abandonment, to corporate brand and reputation being adversely affected, putting the business at risk.
For example, last year incidents occurred at Google Voice, Epic Games and Amex, and there was an expiration at Google Pay last summer. Going back further to 2018, when the lifecycles were much longer than they are now, certificate expirations occurred at LinkedIn, Pokemon Go, the UK's Conservative Party, and even The White House. So this is clearly a longstanding problem that is not limited to one type of company or organization. It is everywhere, and that will not change unless a different approach is taken.
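The two checks the post keeps returning to, the 398-day lifetime limit that browsers enforce for certificates issued on or after September 1, 2020, and expirations that nobody noticed, are easy to automate once an inventory exists. The following is an added example, not GlobalSign's code: it audits a constructed inventory whose dates are written the way `openssl x509 -noout -dates` prints them, flags lifetimes over the limit, and orders everything by days remaining so the renewal queue is obvious. The inventory, the audit date and the 30-day warning window are assumptions made for the example.

```python
"""Certificate inventory audit against the 398-day browser limit and an expiry
warning window.  Added example, not GlobalSign's code.  The inventory, the
audit date and the 30-day warning window are constructed assumptions; the date
strings follow the format printed by `openssl x509 -noout -dates`."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

MAX_TLS_LIFETIME_DAYS = 398
# Apple, Google and Mozilla reject longer lifetimes for certificates issued on
# or after this date (from the post); older certificates are not affected.
POLICY_EFFECTIVE = datetime(2020, 9, 1, tzinfo=timezone.utc)
WARN_DAYS = 30                       # assumed operational warning window
OPENSSL_DATE = "%b %d %H:%M:%S %Y"   # openssl prints e.g. "Mar  1 00:00:00 2021 GMT"

# Constructed sample inventory: name,notBefore,notAfter
SAMPLE_INVENTORY = """\
www.example.test,Jan 10 00:00:00 2022 GMT,Jan 10 23:59:59 2023 GMT
api.example.test,Mar  1 00:00:00 2021 GMT,Mar  1 23:59:59 2023 GMT
legacy.example.test,Feb 14 00:00:00 2020 GMT,Feb 13 23:59:59 2022 GMT
mail.example.test,May 20 00:00:00 2022 GMT,Jun 18 23:59:59 2022 GMT
"""
AUDIT_TIME = datetime(2022, 6, 1, tzinfo=timezone.utc)  # constructed "now"


@dataclass
class Finding:
    name: str
    lifetime_days: int   # notAfter - notBefore, rounded up to whole days
    days_left: int       # negative once expired
    over_limit: bool     # issued under the policy and longer than 398 days
    status: str          # "expired", "expiring" or "ok"


def parse_openssl_date(text: str) -> datetime:
    """Parse an openssl-style date; openssl always prints the zone as GMT."""
    text = text.strip()
    if not text.endswith(" GMT"):
        raise ValueError(f"unexpected date zone: {text!r}")
    # strptime collapses runs of spaces, so the padded day in "Mar  1" parses.
    return datetime.strptime(text[:-4], OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_inventory(text: str) -> list[tuple[str, datetime, datetime]]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, not_before, not_after = (f.strip() for f in line.split(","))
        records.append((name, parse_openssl_date(not_before), parse_openssl_date(not_after)))
    return records


def lifetime_days(not_before: datetime, not_after: datetime) -> int:
    # Round up so a certificate ending at 23:59:59 counts its last day in full.
    seconds = (not_after - not_before).total_seconds()
    return int(-(-seconds // 86400))


def audit(text: str, now: datetime = AUDIT_TIME) -> list[Finding]:
    """Return one Finding per certificate, soonest expiry first."""
    findings = []
    for name, not_before, not_after in parse_inventory(text):
        lifetime = lifetime_days(not_before, not_after)
        days_left = (not_after - now).days
        if not_after < now:
            status = "expired"
        elif days_left <= WARN_DAYS:
            status = "expiring"
        else:
            status = "ok"
        over_limit = not_before >= POLICY_EFFECTIVE and lifetime > MAX_TLS_LIFETIME_DAYS
        findings.append(Finding(name, lifetime, days_left, over_limit, status))
    return sorted(findings, key=lambda f: f.days_left)


def renewal_queue(findings: list[Finding]) -> list[str]:
    """Names needing action: expired, expiring, or non-compliant lifetime."""
    return [f.name for f in findings if f.status != "ok" or f.over_limit]


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        flag = " OVER-398-DAY-LIMIT" if f.over_limit else ""
        print(f"{f.name:22} lifetime={f.lifetime_days:4}d left={f.days_left:5}d {f.status}{flag}")
    print("renewal queue:", renewal_queue(results))
```

On the sample data the two-year `api.example.test` certificate is flagged as over the limit because it was issued after the policy took effect, while the equally long `legacy.example.test` certificate is not, since it predates the cut-off; it is queued anyway because it has already expired. Feeding the script a real export instead of the constructed inventory, and running it on a schedule, is the minimal form of the automation the post argues for: it does not renew anything, but it makes sure nothing expires unnoticed.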