Majority of Security Leaders Believe Shorter Certificate Lifespans Will Leave Many Companies Blindsided, With More Outages “Inevitable”

Venafi, the leader in machine identity security, today released a new research report, Organizations Largely Unprepared for the Advent of 90-Day TLS Certificates. The report examines organizations’ current state of preparedness to transition to new machine identity standards, including shorter certificate lifecycles and post-quantum cryptography.

A survey of 800 security decision-makers across the U.S., UK, Germany and France revealed that more than three-quarters (76%) of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security. However, many feel unprepared to take action, with 77% saying the shift to 90-day certificates will mean more outages are inevitable.

Additional highlights from the survey findings include:

  • 90-Day Certificate Challenges – Eighty-one percent of security leaders believe Google’s proposed plans to shorten TLS certificate lifespans from 398 days to 90 days will amplify existing challenges they have around managing certificates. An overwhelming 94% of survey respondents are concerned about the impact of the changes, with nearly three-quarters (73%) saying it could cause “chaos” and a further 75% saying it could even make them less secure.
  • Volatile CA Landscape – The recent decree that certificates issued by Certificate Authority (CA) Entrust can no longer be trusted is just the latest example of disruption in the CA market. In fact, 88% of security leaders report their organization has been impacted by CA revocations. Of these, 45% had to deploy extra resources to find, revoke and replace certificates; 38% suffered a security incident; and 31% had a certificate-related outage.
  • Quantum Denial – With momentum gathering around the need to migrate to new quantum-resistant encryption algorithms, 64% of security leaders say they “dread the day” the board asks about their migration plans. Seventy-eight percent say if a quantum computer capable of breaking encryption is built, they will “deal with it then,” with 60% believing that quantum computing doesn’t present a risk to their business today or in the future. Moreover, 67% dismiss the issue, stating it has become a “hype-pocalypse.”

“We recently lived through the world’s greatest IT outage – the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates,” said Kevin Bocek, chief innovation officer at Venafi. “Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams – and it’s a double whammy with Entrust being distrusted in Chrome. There aren’t just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It’s not just one software update vendor; it’s the entire Internet as we know it.”

The introduction of 90-day certificates means organizations will need to renew their certificates five times more often than they do now – quintupling the effort needed. The survey reveals this will be a major challenge for businesses for two reasons:

  • Delayed Deployment – Only 8% of security leaders fully automate all aspects of TLS certificate management across their entire enterprise, with almost a third (29%) still relying on their own software and spreadsheets to manage the problem. As a result, it takes an average of 2-3 working days (21.75 hours) to deploy a certificate.
  • TLS Transformation – The volume of TLS certificates in use at organizations has been steadily rising, due to the growth in technology adoption in recent years. Ninety-five percent of security leaders say digital transformation initiatives have increased their organization’s use of SSL/TLS in the past year by an average of 36%. As a result, the average enterprise now manages 3,730 TLS certificates – a number that is expected to increase by 39% by 2026, taking the figure up to over 5,000.

Similar challenges exist with quantum. Sixty-seven percent of survey respondents believe shifting to post-quantum cryptography will be a nightmare, as they don’t know where all their keys and certificates are. Looking at the specific challenges these shifts present, the potential speed of the migration, scale and cost, as well as lack of internal skills and knowledge were cited as the top three concerns. However, 86% say taking control of the management of keys and certificates is the best way to prepare for future quantum risks.

“There’s great news: from 90-day certificates to replacing distrusted CAs to making the transition to post-quantum, security teams today have machine identity security capabilities they didn’t have available just a few years ago. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane now,” Bocek concludes. “The business case is simple for making sure 90-day certificate lifetimes don’t wreak havoc. We know the problem is coming, unlike the last major IT outage, and the automation we put in place with machine identity security gets us ready for the post-quantum future, the next CA distrust and running in whatever cloud our developers choose.”

To read the full report, visit https://venafi.com/lp/organizations-largely-unprepared-for-the-advent-of-90-day-tls-certificates/.

About Venafi

Venafi is the cybersecurity market leader in machine identity security. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines—from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, lifecycle automation and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

With more than 30 patents, Venafi delivers innovative machine identity security solutions for the world's most demanding, security-conscious organizations and government agencies, including the top five U.S. health insurers, top five U.S. airlines, top four payment card issuers and top four U.S. banks. As a leading provider of open source machine identity security solutions, Venafi is the creator of the open source cert-manager project, which is downloaded more than 1.5 million times a day. For more information, visit https://venafi.com/.

Pauline Louie pauline.louie@venafi.com (801) 676-6900