SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Venafi study warns of chaos with TLS changes & quantum risks

Fri, 2nd Aug 2024

New research from Venafi reveals that businesses globally face potential mass outages due to a lack of preparedness for new machine identity standards.

The study focuses on two key areas: the reduction of TLS certificate lifespans from 398 days to 90 days and the looming challenge of post-quantum cryptography (PQC).

The survey, which gathered insights from 800 security decision-makers across the USA, UK, Germany, and France, reveals widespread concern about these impending changes. The vast majority of respondents (94%) expressed concern over the impact of Google’s proposed reduction in TLS certificate lifespans. A significant 73% believe this change will lead to chaos, with 77% predicting more outages as inevitable.

Addressing the challenge of shorter certificate lifespans, 81% of security leaders anticipate that the move to 90-day certificates will exacerbate current difficulties in certificate management. Nearly three-quarters (73%) fear that this shift could lead to increased chaos, while 75% are concerned it could even compromise their security further.

The survey also highlighted issues within the Certificate Authority (CA) landscape. Recently, Chrome announced that it will no longer trust certificates issued by the CA Entrust. This is indicative of broader volatility in the CA market, with 88% of security leaders reporting that CA revocations have impacted their organisations. Among these, 45% had to allocate additional resources to find, revoke, and replace certificates, 38% experienced security incidents, and 31% faced certificate-related outages.

The findings also reveal significant apprehension around PQC. Sixty-four percent of security leaders dread being questioned about their PQC migration plans by their board. Despite this, 78% are adopting a wait-and-see approach, indicating they will act only when a quantum computer capable of breaking current encryption is developed. Additionally, 60% do not perceive quantum computing as an immediate or future risk, and 67% dismiss the issue altogether, describing it as a "hype-pocalypse".

Kevin Bocek, Venafi’s chief innovation officer, commented on the survey results, noting the substantial risks security teams face as certificates expire. He stated, “Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams.” Bocek further highlighted the compounded challenge posed by Chrome's distrust of Entrust, adding that unreliable certificates affect systems widely, from cloud servers to virtual machines and Kubernetes clusters.

The survey underscores the difficulty of transitioning to 90-day certificates, with organisations needing to renew their certificates five times more frequently than at present. Only 8% of security leaders report that their organisation fully automates all aspects of TLS certificate management. Nearly one-third (29%) still use software and spreadsheets for this task, taking an average of 2-3 working days to deploy a certificate.

Additionally, the volume of TLS certificates has been rising due to increased technology adoption. Ninety-five percent of respondents say digital transformation initiatives have led to a 36% increase in their organisations’ use of SSL/TLS certificates over the past year. The average enterprise now manages approximately 3,730 TLS certificates, a figure projected to grow by 39% by 2026, exceeding 5,000 certificates.
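The two operational problems the study describes, renewing certificates often enough under a 90-day maximum lifetime and finding certificates that chain to a CA that a browser has distrusted, both come down to having a queryable inventory. The following script is an added illustration and is not code from Venafi or from the study; it triages a constructed inventory and sizes the renewal workload using the article's own figures (3,730 certificates, 398-day versus 90-day lifetimes, 2-3 working days per manual deployment). The renew-at-two-thirds-of-lifetime rule, the issuer names, the distrust cutoff date and every certificate record are assumptions made up for the example.

```python
"""Triage a TLS certificate inventory against a 90-day lifetime policy.

Added example, not part of the SecurityBrief article or the Venafi study.
All certificate records, issuer names and the distrust cutoff below are
constructed sample data; only the lifetime and estate-size figures come
from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_LIFETIME_DAYS = 90    # proposed maximum lifetime (article)
OLD_LIFETIME_DAYS = 398   # current maximum lifetime (article)
# Renew once two-thirds of the lifetime has elapsed: an assumption for this
# example, expressed as an integer ratio to avoid float rounding.
RENEW_NUM, RENEW_DEN = 2, 3


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def renewal_deadline(cert: Cert) -> date:
    """Date by which the certificate should already have been replaced."""
    return cert.not_before + timedelta(days=cert.lifetime_days * RENEW_NUM // RENEW_DEN)


def triage(inventory, today: date, distrusted_issuers, distrust_cutoff: date):
    """Return {subject: [finding, ...]} for every certificate in the inventory.

    A distrusted issuer is only flagged for certificates issued on or after
    the cutoff, mirroring how browser distrust actions are usually scoped.
    """
    findings = {}
    for c in inventory:
        issues = []
        if c.not_after < today:
            issues.append("EXPIRED")
        elif renewal_deadline(c) <= today:
            issues.append("RENEW_NOW")
        if c.lifetime_days > MAX_LIFETIME_DAYS:
            issues.append("EXCEEDS_90_DAY_LIFETIME")
        if c.issuer in distrusted_issuers and c.not_before >= distrust_cutoff:
            issues.append("DISTRUSTED_ISSUER")
        findings[c.subject] = issues
    return findings


def yearly_renewals(cert_count: int, lifetime_days: int) -> int:
    """Renewals per year if every certificate is replaced once per lifetime."""
    return round(cert_count * 365 / lifetime_days)


def manual_effort_days(cert_count: int, lifetime_days: int, days_per_deploy: float) -> float:
    """Person-days per year if each renewal is deployed by hand."""
    return yearly_renewals(cert_count, lifetime_days) * days_per_deploy


def sample_inventory():
    # Constructed records; "Example Public CA" and "Distrusted Demo CA" are placeholders.
    return [
        Cert("api.example.com", "Example Public CA", date(2024, 6, 1), date(2024, 8, 30)),
        Cert("legacy.example.com", "Example Public CA", date(2023, 9, 1), date(2024, 10, 3)),
        Cert("portal.example.com", "Distrusted Demo CA", date(2024, 7, 15), date(2024, 10, 13)),
        Cert("old.example.com", "Example Public CA", date(2024, 4, 1), date(2024, 6, 30)),
    ]


def run_triage(today: date = date(2024, 8, 2)):
    # Placeholder cutoff; a real run would use the date published in the
    # browser's distrust notice.
    return triage(sample_inventory(), today, {"Distrusted Demo CA"}, date(2024, 7, 1))


if __name__ == "__main__":
    for subject, issues in run_triage().items():
        print(f"{subject:22} {', '.join(issues) or 'OK'}")
    for lifetime in (OLD_LIFETIME_DAYS, MAX_LIFETIME_DAYS):
        print(f"{lifetime}-day lifetime: {yearly_renewals(3730, lifetime)} renewals/year, "
              f"~{manual_effort_days(3730, lifetime, 2.5):.0f} person-days if manual")
```

Run against a real estate, the inventory would be populated from a scanner or certificate-management system rather than `sample_inventory()`; the point of the effort figures is that the 90-day workload is only tractable with the automated issuance the study says most organisations still lack.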

Similar challenges are anticipated with the shift to PQC. Sixty-seven percent of survey participants believe migrating to post-quantum cryptography will be difficult due to a lack of comprehensive knowledge about their keys and certificates. Survey respondents cited the speed of migration, scale and cost, and internal skills gaps as the primary concerns for this transition. However, 86% agree that effectively managing their keys and certificates is the best preparatory measure for future quantum risks.

Bocek concluded, “From 90-day certificates to replacing distrusted CAs to making the transition to post-quantum, security teams today have machine identity security capabilities they didn’t have available just a few years ago.” He emphasised the importance of automation in preparing for future challenges in machine identity security.
