https://www.darkreading.com/vulnerabilities-threats/digital-certificate-shorter-lifespan-reduces-security-vulnerabilities
Dark Reading, The Edge (Vulnerabilities & Threats, Endpoint Security, Cybersecurity Operations)

DIGITAL CERTIFICATES WITH SHORTER LIFESPANS REDUCE SECURITY VULNERABILITIES

Proposals from Google and Apple drastically reduce the life cycle of certificates, which should mean more oversight — and hopefully better control.

Stephen Lawton, Contributing Writer
December 4, 2024, 5 Min Read
Source: ArtemisDiana via Alamy Stock Photo

Shortening the life cycle of Transport Layer Security (TLS) certificates can significantly reduce the exposure of the websites and hardware devices that depend on these certificates, because it shrinks the window in which a compromised certificate remains usable.
TLS certificates are presented by a Web server to a Web client (or by one server to another) to authenticate the server and establish an encrypted connection that safeguards sensitive data. Most of today's publicly trusted certificates are issued for the longest period the CA/Browser Forum currently allows, 398 days: roughly 13 months, or a one-year certificate plus a 33-day renewal margin. If the proposals from Google and Apple are adopted, that maximum could drop to 100 days (90 days plus a margin) or even 47 days (about a month and a half). It is not unusual to find certificates that live 10 days or less in DevOps environments, says Jason Soroko, a senior fellow and CTO at Sectigo.

Shorter lifetimes are chosen because every day a certificate remains valid is a day an attacker who has compromised its private key can use it to impersonate the service or intercept its traffic. Revocation is the intended remedy for a compromised certificate, but clients check revocation status inconsistently, so expiry is the one cutoff every browser enforces: once the certificate expires, clients refuse the connection and the attacker's window closes whether or not anyone noticed the compromise. Expiry bounds the damage rather than preventing it; a 47-day certificate whose key is stolen on day one still leaves up to 47 days of exposure, and a lifetime limit does nothing against an attacker who can obtain a fresh certificate by controlling the host or its DNS.

AUTOMATED UPDATES MAKE CHANGE EASIER

Despite the marked change in how often digital certificates will need to be renewed, not much will change operationally for organizations that already automate renewal through a certificate life cycle management (CLM) platform and feed its activity into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tooling, a common setup. In fact, Soroko says, CLM logs feed into the organization's SIEM and SOAR systems to ensure that certificates are renewed before they expire, which preserves business continuity. Many small to midsize businesses (SMBs) that use a service provider to run their networks and network security might already be getting automated certificate renewal through that provider's CLM service. Organizations using managed service providers or managed security service providers should ask them whether such automation is in place. CLM covers the whole certificate life cycle, from discovery and issuance through renewal to revocation.
Using CLM software to automate these processes can help limit organizational liability and improve compliance with legal requirements. The only groups likely to be significantly affected operationally are those that still renew certificates by hand. Each manual renewal is a chance to introduce an error, Soroko says. Instead of the annual renewal done today, a 47-day certificate renewed monthly to keep headroom before expiry would require 12 renewals a year, multiplying the opportunities for error, and the risk, by 12. "For smaller companies that don't have unlimited resources to manage their infrastructure, it's going to be quite a wake-up call," says Arvid Vermote, worldwide CIO and CISO of GlobalSign, a Brussels-based certificate and identity authority. "In the past, [certificate authorities] have been advocating automation. They have been providing the tools. But why change if it's not needed?"

As certificate lifetimes gradually shrink, companies still running a manual process will soon find that automation is not only a quicker way but also a more reliable way to renew certificates. Renewing certificates manually is not easy, Soroko notes. "It's a very technical task, and it's not difficult to fat-finger it and make an error that takes a website down," he says, adding that most larger enterprises could not afford downtime on their Web assets, so they started deploying CLM in place of manual renewal years ago. Regardless of the size of the company, Soroko says, the organization should automate renewal. The technology is "ideally suited for everyone, and not just handing you a cert, but handing you visibility, automation, and discovery of [digital] certificates you don't even know you have," he says.
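The lifetime limits discussed above, and the renewal cadence they force, are easier to reason about with a script that reads the validity period straight out of a certificate. What follows is an added example, not code from the article or from any vendor quoted in it: a stdlib-only Python DER walker extracts notBefore and notAfter from an X.509 certificate, compares the lifetime with the 398-, 100- and 47-day figures, and reports whether renewal is due and how many renewals a year that lifetime implies. The certificate it inspects is a constructed, unsigned fixture built inside the script; the name example.test, the threshold labels and the renew-when-a-third-remains rule (the convention ACME clients apply to 90-day certificates) are assumptions of this example.

```python
"""Added example (not from the article): read notBefore/notAfter from an X.509
certificate with a stdlib-only DER walker, then score the lifetime against the
limits the article cites (398 days today, 100 and 47 days proposed) and derive a
renewal cadence. The certificate fixture is constructed here and unsigned."""
import base64
import datetime as dt
import math

# Maximum validity in days. The 100- and 47-day rows are the proposals the
# article describes, not enacted rules (labels are this example's own).
LIFETIME_LIMITS = {"current": 398, "google_proposal": 100, "apple_proposal": 47}


def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x80|N then N length bytes
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out


def parse_time(tag, value):
    """RFC 5280 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18).
    strptime's %y pivots at 1969, close enough to RFC 5280's 1950 pivot here."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def validity_from_der(cert_der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = der_read(cert_der, 0)
    fields = der_children(der_children(cert)[0][1])     # TBSCertificate fields
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)


def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def assess(cert_der, now, limits=LIFETIME_LIMITS):
    """Lifetime, days left, whether renewal is due, and which limits are exceeded."""
    not_before, not_after = validity_from_der(cert_der)
    lifetime = not_after - not_before
    # Renew with a third of the lifetime still left (assumed policy; it is what
    # ACME clients do for 90-day certificates, renewing at day 60).
    renew_at = not_after - lifetime / 3
    return {
        "lifetime_days": lifetime.days,
        "remaining_days": (not_after - now).days,
        "renew_due": now >= renew_at,
        "renewals_per_year": math.ceil(365 / (lifetime.days * 2 / 3)),
        "exceeds": [name for name, limit in limits.items() if lifetime.days > limit],
    }


# --- constructed fixture: unsigned X.509 v3 skeleton for example.test ----------
def utc_time(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def sample_certificate(not_before, not_after):
    """Just enough structure for the parser above. The signature and public key
    are zero BIT STRINGs, so no TLS stack would ever accept this certificate."""
    cn = der(0x30, der(0x31, der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, b"example.test"))))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    tbs = (der(0xA0, der(0x02, b"\x02"))                              # version v3
           + der(0x02, b"\x01")                                       # serialNumber
           + sha256_rsa                                               # signature algorithm
           + cn                                                       # issuer
           + der(0x30, utc_time(not_before) + utc_time(not_after))    # validity
           + cn                                                       # subject
           + der(0x30, sha256_rsa + der(0x03, b"\x00")))              # subjectPublicKeyInfo
    return der(0x30, der(0x30, tbs) + sha256_rsa + der(0x03, b"\x00"))


def to_pem(cert_der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert_der).decode() + "-----END CERTIFICATE-----\n"


def demo_reports(issued, now, lifetimes=(398, 100, 47)):
    """One fixture per lifetime, round-tripped through PEM and assessed."""
    return {d: assess(pem_to_der(to_pem(sample_certificate(issued, issued + dt.timedelta(days=d)))), now)
            for d in lifetimes}


if __name__ == "__main__":
    issued = dt.datetime(2024, 12, 4, tzinfo=dt.timezone.utc)   # constructed dates
    for days, report in demo_reports(issued, issued + dt.timedelta(days=1)).items():
        print(days, report)
```

Pointed at a real PEM or DER file, the walker relies on the standard RFC 5280 field order and performs no signature or chain checking, so treat its output as inventory data (what is deployed, when it expires) rather than a trust decision.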
CLM CASTS LIGHT ON SHADOW IT

Frequent rotation means the CLM system will be scanning the environment often for certificates to renew, and it may turn up digital certificates the IT department had no record of, Soroko adds. This happens when department heads with signing authority buy software-as-a-service applications and Web services to meet operational needs but never report them to the IT team. With unsanctioned applications running on virtual machines, Web servers, load balancers, and other hardware, it can be difficult to identify every element of shadow IT. Constant certificate monitoring by the CLM system, however, can surface new hardware, virtual servers, and cloud instances that need digital certificates and were overlooked in the past. A certificate on an unknown device or virtual machine might be the first sign of an unauthorized system, or of a breach in progress.

The change in certificate life cycles likely will affect SMBs the most, Vermote says. In fact, this could be a good time for the CISO to go to the board and request funding for automation if it is not already in place. "[The] CISO only gets money from the board if there is an incident," Vermote notes. "CIOs only get money from the board when systems are unavailable. In this case, it's both, because if the board doesn't give them the funding to properly automate and inventories of certificates expire, websites [and] legitimate services provided to customers, internal or external, will become unavailable."

Justin Lam, an analyst with 451 Research, says enterprises need to look at digital certificates from a proactive risk management perspective rather than a reactive compliance perspective.
While certificates with a longer life could always be revoked after a breach or incident, shorter life cycles mean there is more oversight, and hopefully better control, of certificates that IT might never have been told about. "Many security professionals do not actually own the environments where these things are protected," Lam says. And while managing the tools for cloud security posture management, zero trust, cloud-native application protection, and other security functions falls under the CISO, many CISOs do not know when cloud sessions that require digital certificates are spun up. They have the responsibility to defend their networks but not necessarily the visibility into those networks, or the funding to protect everything.

ABOUT THE AUTHOR

Stephen Lawton, Contributing Writer. Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at slawton@afab.com.