Working at the speed of digital business is a constant challenge. But in today’s increasingly automated operational environment, crypto agility—i.e., an organization’s ability to (at the moment of compromise) switch rapidly and seamlessly between certificate authorities, encryption standards and keys and certificates with minimal disruption to one’s digital infrastructure—becomes essential to business.
Crypto agility is the foundation for digital trust. As more enterprises speed up app development and build networks connecting many functions (often in the cloud), they rely on encryption keys and digital certificates to secure communications channels between users, applications and other assets.
Both public trust certificates (TLS/SSL), which are issued by trusted Certificate Authorities (CAs), and private certificates issued by an internal CA within a company, enable an identity-first approach to security that protects all connected applications, services, including all the machine identities that do the automated grunt work of digital functions.
The impact of Google’s 90 day proposal on crypto agility
Transport layer security (TLS) certificates (and previously secure socket layer (SSL) certificates) were, until recently, almost an afterthought: keeping them updated was a bit of digital housekeeping that came around every few years.
Over the last decade, browser vendors and the certificate authorities (CAs) who comprise the CA/Browser Forum have increased the pressure by shortening the lifespan of public trust certificates to intentionally reduce their attack surface. In 2020, Apple reduced the lifespan certificates to a year, pushing others to match them, and in March 2023, Google announced a proposal to reduce TLS certificate validity to 90 days.
This shift poses a significant challenge to admins responsible for certificate lifecycle management (CLM). Even small-to-midsize organizations can have thousands or tens of thousands of certificates quietly operating in the background, and the number keeps growing as more apps, cloud-based services, IoT devices and others are adopted. Many of them depend on machine identities that themselves require certificates.
Crypto agility is no longer a luxury
Keeping up with certificates is not really a choice left up to admins; failing to effectively manage certificate expirations and upscaling encryption not only leaves the enterprise vulnerable to breaches but also to downtime caused by an expired certificate. This has recently plagued even major organizations with deep wells of tech support, such as Starlink and Microsoft.
With quantum computing threatening to break current encryption standards – including RSA and ECC – post-quantum cryptography (PQC) offers a quantum-resistant alternative, ensuring long-term security.
Integrating PQC into crypto agility strategies is crucial for organizations to safeguard against future attacks. This involves understanding the emerging standards, like those developed by NIST, and preparing for the seamless adoption of PQC algorithms.
Crypto agility best practices
To achieve crypto agility, consider these three strategies:
Embrace CLM: Establish a uniform PKI policy to take control of the certificate process, starting with improving visibility into the certificates in the network. Centralizing and automating management can help improve visibility into the expiration and encryption infrastructure of different certificates—a big challenge in CLM—and establish standards.
Many organizations have established a crypto center of excellence to streamline the management process and reduce human error. They have also deployed automation to handle provisioning of certificates and manage their lifecycle, to refresh those in use and revoke unused certificates that could become security blind spots. Establishing guidelines and procedures for effective certificate usage and management eliminates inconsistencies, minimizes security risks, and ensures compliance with industry regulations.
Liberate the certificate: Encryption standards are the foundation of CLM, ensuring the data is protected. But encryption standards vary by vendor and certificate authority (CA), so a holistic approach that does not rely on CA tools is key. A uniform PKI policy should establish cross-CA certificate discovery and renewal processes and standardize certificate formats.
CA-provided tools can reduce manual effort and improve efficiency by making it easier to discover and manage certificates issued by that specific CA. But these provider-specific tools leave out other public and private CAs and certificates deployed across multiple endpoints, such as servers, mobile devices and laptops that also must access the network.
These proprietary automation methods miss the last-mile certificate installation and end-point binding, and often can’t manage certificates across clouds and containers, which creates gaps in automation and leaves the staff provisioning certificates manually. A CLM practice that is CA-agnostic can avoid putting PKI and InfoSec teams in silos that force them to work with fragmented visibility and resorting to manual processes.
Get proactive: The looming threat of quantum decryption threatens to upend popular algorithms such as RSA and ECC, and the sheer volume of certificates—and their shortened life spans—makes keeping up with certificate expirations a growing challenge. These imperatives make proactive monitoring and rapid response to changing crypto requirements and emerging threats a must.
A CLM-forward organization must stay informed about industry trends, collaborate with experts in detection and remediation, and implement vulnerability management processes. Sharing information about looming threats and communicating about expired certificates found in commonly used services can help speed remediation and reduce the blast radius any certificate compromise may cause.
The bottom line
The CLM challenge is escalating. Now is the time for organizations to develop the management processes and approaches that will make effective CLM work for their infrastructure in a post-quantum world.