While AI makes headlines, metaverse capabilities develop, and cyber attacks proliferate (all trends that are expected to continue well into 2024), it becomes easier to take the tried-and-true tech that keeps businesses running securely for granted.
Nevertheless, change is on the horizon for one of the most foundational security systems in the CTO’s playbook: digital certificates. Validity and domain validation reuse periods are set to shorten, meaning IT teams will need to be open to automating if they’re to manage this alongside an already onerous workload.
Doug Beattie, vice president of product management at GlobalSign, argues that automating these basics is the way forward, allowing time and space for IT teams to brace for the big-ticket items on the 2024 tech agenda.
What shorter certificate lifecycles mean for businesses
Countless banks, ecommerce platforms and other enterprises use Transport Layer Security (TLS), the cryptographic protocol designed to secure data in communications between web applications and servers. When data is moved around online, a browser validates the TLS certificate (also referred to as SSL), ensuring that the information it contains is correct before establishing an encrypted connection with the server. This prevents credit card numbers, login details and other sensitive data from being stolen or modified in the transfer.
SSL/TLS certificates – and the public key infrastructure (PKI) behind them – are a basic requirement for digital security. However, managing these certificates is an increasing headache for CTOs and their teams, Beattie points out.
Ten years ago, an SSL/TLS certificate had a maximum validation lifespan of five years. Today, it’s 398 days – and if Google has its way, it will soon drop to just 90 days. Reducing validity lifespans is not a bad thing; the longer a certificate stays valid, the less reliable it becomes as organisations renew their details or certificate security strategies change. But manually renewing certificates four times a year is a hassle IT teams could do without.
From issuance by a certificate authority (CA) to installation on the correct servers, configuration, and setting expiration reminders, managing certificates can be time-consuming. Beattie notes that these processes are often managed manually through spreadsheets which can act as a hotbed for human error.
“Sometimes, when you renew a certificate, it may not get put on all servers you had intended, so there could still be one that’s expiring somewhere,” he says, adding that many organisations will be using expired certificates without their knowledge. This could prevent people, apps and other devices from connecting to the server, leading to outages of critical services, lost revenue and even brand damage.
Proactive CTOs will land on top
The number of certificates in use is growing, while validity lifespans are shrinking, making it harder to catch expired certificates by hand. But organisations can automate the management of digital certificates by adopting an Automated Certificate Management Environment (ACME) service, Beattie explains.
This provides a framework for a client to communicate directly with a CA to issue, install, revoke and replace SSL/TLS certificates, so time that was previously spent filling out certificate signing requests (CSRs), completing domain validations, or going from server to server installing new certificates can be reclaimed
Firms that have already automated their certificate management processes will be primed for Google’s shifting Ts&Cs. However, for those that have yet to make the leap, the proposed changes should act as a wake-up call. Beattie says: “If CTOs are dragging their feet when it comes to automating certificate management processes, they may well be increasing the risk of a service outage or security incident.”
Indeed, automation has become the direction of travel for any digital business. Apart from gains in accuracy and efficiency, freeing up highly trained staff to apply their skills to tomorrow’s big tech challenges fosters innovation and strong IT leadership while routine tasks run in the background.
What businesses end up with is a workforce that is ready to respond quickly to changing market conditions and is able to engage in business strategy.
Convincing IT to adopt new ways of working, however, is sometimes tricky. “They know how [their manual process] works and they’re comfortable doing that,” says Beattie. To gain buy-in, CTOs need to ensure that the automation of any process or workflow is geared towards threats and opportunities, underpinned by strategy. Simply responding to new regulations, technologies or competitor initiatives as they crop up will leave their teams on the back foot.
Preparing for a post-quantum world
If the last few years have taught business leaders anything, it’s that the importance of readiness cannot be understated. One big disruptor tech teams need to be prepared for is the rise of quantum computing.
Businesses that have automated their certificate lifecycle management may have one less thing to think about today, but the asymmetric cryptography, or public-key cryptography, that protects them now will need to move at warp speed in the quantum age, where the complex mathematical problems that currently secure encryption methods may be easily cracked.
There will no doubt come a day when organisations depend on automation for SSL/TLS certificates that are updated regularly. While GlobalSign is actively involved in research into post-quantum cryptography to bring businesses closer to quantum readiness, Beattie stresses that browsers must give their full support to industry efforts to use additional algorithms – including ones that may be resistant to quantum computing.
“There will be a lot of work involved in shifting to new post-quantum algorithms,” he says. “We need to be ready to make that shift when the time comes.” Although post-quantum computing is “one of the biggest things coming down the road”, as Beattie puts it, no one knows precisely when the shift will occur.
Right now, outdated certificate management processes are arguably more of a security threat than hackers equipped with quantum computing tools. But here’s the good news: by taking a proactive approach to automation, organisations can address this threat today while also ensuring they’re fully prepared for what’s to come.
Learn more at globalsign.com