In a bold move, Apple has published a draft ballot for commentary to GitHub to shorten Transport Layer Security (TLS) certificates down from 398 days to just 45 days by 2027. The Apple proposal will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months.
Apple isn’t the first of the big players to suggest such a move. Last year, Google announced its intention to mandate 90-day certificates – a change expected to come into force any day now, which will mean any site connecting to Chrome will need to renew its identity every 90 days.
By putting the issue up for a vote among CA/B Forum members and suggesting even shorter lifecycles, Apple is upping the ante further, as the CA/B Forum has significant influence over all major web browsers. But even if the ballot fails, these big players can force the community’s hand by updating their own browser rules – as they have done in the past.
Make no mistake, these changes are positive news. Reducing lifecycles reduces the chances that a certificate can be compromised by a bad actor and used for malicious purposes. But the changes could create short-term pain for those who are unprepared. Every business that connects to the internet uses TLS certificates. And each of these certificates is a potential single point of failure if not properly managed and secured. Therefore, the implications for businesses and governments are huge.
What are the changes and why do they matter?
TLS certificates are used to secure and authenticate machine-to-machine communication. They provide a machine – be that a server, application, cluster or workload – with an identity. It is this system that enables your browser to know the site you’re visiting really is your personal bank and not a phishing page, for instance.
Businesses use thousands of TLS machine identities across every part of their infrastructure, from the cloud to the datacenter. The average enterprise currently has 3,730 TLS certificates, but that is expected to grow to over 5,000 within two years – and this doesn’t even account for the massive number of TLS machine identities associated with containerized workloads, which are exponentially higher. If any one of these is left to expire it can lead to an outage – and herein lies the challenge. Shortening lifecycles means that identities need to be renewed or replaced much more frequently, increasing the burden on developer and security teams, while also increasing the risk of outages and man-in-the-middle attacks.
There may be trouble ahead…
When recently asked about their views on Google’s proposal to reduce certificate lifespans to 90 days, 81% of security leaders said they believe it will amplify existing challenges they have around managing certificates. And nearly three-quarters (73%) said it could cause “chaos”, with 75% saying it could even make them less secure. Worryingly, 77% think more outages are “inevitable”. With Apple planning to cut certificate lifespans in half, things could get even more chaotic.
As we’ve already seen this year with major outages like CrowdStrike, these incidents aren’t just inconvenient – they’re costly and devastating. Over a 72-hour period, the CrowdStrike outage caused a total of $5.4 billion in direct losses to Fortune 500 companies, with over 6,000 hospital appointments cancelled in the UK and approximately 16,896 flights cancelled worldwide.
As the number of machine identities such as TLS certificates increases and the renewal period for replacing them shortens, outages are likely to become the new normal – unless companies get ahead of the problem. To prevent reputational and financial damage, automation needs to be central to Machine Identity Security (MIS) strategies.
An automated-first approach
The good news is there have been many advances in machine identity management and security that can enable a smooth transition. Mitigating these challenges will require automation to be built into machine identity management. By implementing a control plane, organizations can manage the entire lifecycle of machine identities and ensure all digital assets can effectively communicate with each other through secure connections.
Automated solutions to machine identity management must be designed with a unified and integrated set of abilities. Through visibility into certificate inventory, including key details such as who owns it, where it is installed, when it expires and most importantly, if identities are compliant to security policies, organizations can easily identify and resolve potential issues.
Furthermore, an automated renewal feature means IT teams don’t have to worry about updating certificates as it’s all done automatically. With real-time monitoring and reporting, all certificates can comply with 45-day lifespans, avoiding the downtime and disruption caused by expired certificates.
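The inventory checks described above, as an added example that is not part of the original article: a small policy audit that takes an exported certificate inventory (a constructed list of owner, host and validity dates; the field names are assumptions) and flags certificates that are expired, due for renewal, or issued with a lifetime longer than the proposed 45-day maximum. Running the same audit with the current 398-day maximum shows how the policy shift changes the findings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 45     # proposed CA/B Forum maximum (398 days today)
RENEW_AT_FRACTION = 2 / 3  # renew once two-thirds of the lifetime has elapsed


@dataclass
class Finding:
    host: str
    owner: str
    lifetime_days: int
    days_remaining: int
    status: str  # "expired" | "renew_now" | "non_compliant_lifetime" | "ok"


def _parse(ts: str) -> datetime:
    # Inventory exports use ISO 8601 with a trailing Z; make it timezone-aware UTC.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(cert: dict, now: datetime, max_days: int = MAX_LIFETIME_DAYS) -> Finding:
    nb, na = _parse(cert["not_before"]), _parse(cert["not_after"])
    lifetime, remaining = na - nb, na - now
    renew_after = nb + lifetime * RENEW_AT_FRACTION  # point at which renewal is due
    if remaining <= timedelta(0):
        status = "expired"
    elif lifetime > timedelta(days=max_days):
        status = "non_compliant_lifetime"  # issued for longer than policy allows
    elif now >= renew_after:
        status = "renew_now"
    else:
        status = "ok"
    return Finding(cert["host"], cert["owner"], lifetime.days, remaining.days, status)


def audit(inventory, now, max_days=MAX_LIFETIME_DAYS):
    # Most urgent first: outages already happening, then overdue renewals.
    order = {"expired": 0, "renew_now": 1, "non_compliant_lifetime": 2, "ok": 3}
    findings = [evaluate(c, now, max_days) for c in inventory]
    return sorted(findings, key=lambda f: (order[f.status], f.days_remaining))


# Constructed sample inventory (hypothetical hosts and owners, not real data).
INVENTORY = [
    {"host": "www.example.test", "owner": "web-team", "not_before": "2024-01-01T00:00:00Z", "not_after": "2025-02-02T00:00:00Z"},
    {"host": "api.example.test", "owner": "platform", "not_before": "2024-09-10T00:00:00Z", "not_after": "2024-10-25T00:00:00Z"},
    {"host": "mail.example.test", "owner": "it-ops", "not_before": "2024-10-10T00:00:00Z", "not_after": "2024-11-24T00:00:00Z"},
    {"host": "old.example.test", "owner": "legacy", "not_before": "2023-09-01T00:00:00Z", "not_after": "2024-10-01T00:00:00Z"},
]
NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

if __name__ == "__main__":
    for f in audit(INVENTORY, NOW):
        print(f"{f.status:<24} {f.host:<18} owner={f.owner:<9} lifetime={f.lifetime_days}d remaining={f.days_remaining}d")
```

The 398-day certificate is compliant under today's rules but is flagged as soon as the maximum drops to 45 days, which is exactly the kind of gap an inventory with expiry and ownership data lets a team find before the policy takes effect.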
Staying ahead of the risks
With Apple’s recent proposal pushing for shorter certificate lifespans, the digital landscape is shifting faster than many businesses are prepared for. Organizations that don’t respond will face even greater risks as they become increasingly vulnerable to outages and security incidents.
Businesses must act now. By implementing automation and developing a robust machine identity security strategy, organizations can stay ahead of the curve and protect themselves from the outages and disruptions that are otherwise inevitable. This is unlikely to be the last time certificate lifespans are shortened, so preparing now is vital. Businesses that prioritize automation in their machine identity management will thrive in this new environment, ensuring operational stability and future growth.