With digital transformation shifting into hyper-drive across the enterprise ecosystem, the use of SSL/TLS certificates is dynamically growing. While this trend steps up organizations’ data protection practices, it poses quite a few new challenges as organizations use increasing numbers of machine identities. As the task of managing certificates is on many companies’ agenda these days, let’s go over the biggest roadblocks along this route and the ways to tackle them.
The ubiquitous use of IoT devices, cloud-native applications and continuous development have become catalysts for the soaring adoption of SSL certificates throughout corporate environments. The caveat is that DevOps teams—who are focused on speed and agility—often deploy certificates hastily and without proper correlation with colleagues from IT and security departments.
This precipitates an adverse situation where organizations have insufficient oversight and control of digital certificates and the use of certificate authorities (CAs) that issue these machine identities. According to a recent study, a whopping 79% of companies aren’t aware how many private encryption keys and certificates they possess.
Such a lack of awareness hampers proper management and, more importantly, the protection of this important infrastructure. Another side effect of poor visibility is that organizations may suffer service downtime and application outages because their certificates expire and they are unprepared for these pitfalls.
One more trend making itself felt in this domain is that the lifespan of SSL certificates is becoming shorter over time. The global digital industry consortium called the Certification Authority Browser Forum (CA/B Forum) has reduced this period from 60 months down to roughly 27 months or even less since 2012. But some members of the CA/B Forum felt these lifespans were still too long.
In 2019, Google came up with an initiative to restrict the maximum certificate lifecycle to 12 months, to no avail. One year later, Apple set a 398-day threshold for certificates used in its digital territory. Google Chrome and Mozilla followed in the footsteps of the Cupertino company shortly afterward by implementing the same limitation. That said, the trend will likely continue down the line.
In light of the booming use of SSL certificates, IT teams’ workload has grown significantly while their budgets may not reflect this change. In addition to insufficient visibility, these inconsistencies have called forth the following problems:
The challenges of managing certificates aren’t isolated to service disruption due to organizational slip-ups. Your company should also be resilient to issues stemming from security imperfections of cryptographic algorithms, virus attacks, and breaches suffered by CAs.
These scenarios include large-scale revocation of certificates, crypto-algorithm deprecation, CA hacks, and cryptographic library flaws such as the notorious Heartbleed vulnerability in OpenSSL. With the rise of next-generation quantum technologies that may allow an adversary to crack strong cryptographic algorithms, IT teams should also create a roadmap for adopting quantum-safe cryptography.
The following tips will help your organization manage SSL certificates properly and avoid unexpected outages as well as security risks described above.
In August 2020, Spotify suffered a global outage that kept its engineers and customers on their toes for about an hour. It happened because the media services giant neglected to renew one of its wildcard certificates. This snafu demonstrated how impactful such a blunder can be. And in early 2021, we saw similar events with Google Voice and Microsoft Azure. To steer clear of predicaments like these, make sure your organization takes SSL certificate management seriously and adheres to the above recommendations.