Proposed Browser Security Guidelines Would Mean More Work for IT Teams

For years, Secure Sockets Layer (SSL) certificates — a digital tool used to allow secure web connections between a web server and web browser — has been a baseline for a business's digital trust. The padlock icon and https forward that appear in the address bar are an easy way for website visitors to gauge whether the site they're visiting is "trusted."

Behind the scenes, SSL certificates, issued by certification authorities and approved/rejected by the big browser manufacturers, are updated and replaced every two years to ensure the certificates remain secure. This cycling is a process designed to ensure certificate authenticity and keep certificates current. SSL certificates are just one of a number of public and private certificates that IT teams manage on behalf of their business — across websites, devices, and software.

At the enterprise level, certificate management can be overwhelming. Highly skilled public key infrastructure (PKI) staff spend considerable time locating, revoking, and reissuing rolling certificates. For most businesses, this effort is time consuming, expensive, and managed manually with scarce resources, making certificate management prone to errors. Our research shows that 71% of businesses don't even know how many certificates they have — leaving them ill-equipped to revoke and reissue at scale.

Founded in 2005, the CA/Browser Forum is a group of certification authorities and browser makers (such as Google, Safari, and Firefox) that work together to design processes that ultimately help make the Internet safer. In August, the Forum and its members announced a proposal to reduce the length of time that SSL/TLS certificates can be used to protect web servers. This has created considerable discussion about the benefits of shortened certificate lifetimes versus the additional management overhead required by users of these certificates to rotate them more frequently.

We know that many of the standards that govern IT, like those being recommended by the CA/Browser Forum, are often designed with good intentions; however, the operational effects can be considerable. If these new standards are adopted, organizations will be forced to rotate certificates every year rather than every two years (as is today's practice), resulting in higher labor costs required to manage certificates. Certificate management continues to be a manual process for most businesses; a shortened lifespan means IT teams will have to invest twice the amount of time to manage rolling certificates, which produces at least a 2X outage and configuration misstep risk.

Per the proposal, the new standards would be effective March 2020, which doesn't give businesses much time to pivot. Collectively, digitization means that most businesses today manage thousands of public and private certificates, across systems, software, and websites. Triple that estimate for larger enterprises. Manual management significantly raises the risks associated with outages and misconfigurations due to the implementation or replacement of expired certificates. The business and security risks produce greater likelihood of compromise, or a security event (such as the Equifax breach).

Regardless of the outcome around this proposal, IT teams should take the announcement as an opportunity to pause and evaluate their internal management processes to assess their crypto and certificate management capabilities across public and private certificates.

Leaders can start with four key areas to get ahead of future process changes and large-scale certification changes:

1. Run an inventory. Start by understanding your certificate landscape. Identify every certificate within the organization and use cryptographic parameters to understand where certs have been deployed and what assets they secure.

2. Develop a certificate life-cycle plan. Standardize certificates to ensure that common workflows are followed when certificates are deployed. Standardization addresses audit questions focused on asset custody and other downstream issues that could affect compliance.

3. Adopt IT automation technology. Traditional manual certificate management processes aren't equipped to revoke and reissue certificates at scale. Introducing a single, automated platform provides complete visibility to every certificate, simplifying identification and replacement. (Note: Keyfactor is one of a number of companies that does this.).

4. Embrace crypto agility. Build a certificate inventory and life-cycle workflows to establish your crypto strategy and framework.

Standards changes like these are intended to improve overall security hygiene while hardening every point of the IT infrastructure. Ultimately these types of changes will continue to emerge to match evolving cyber-risk. IT leaders can prepare by ensuring the adoption of a crypto-agile strategy. That strategy includes the adoption of automation tools and proper certificate management that secures foundational infrastructure components, providing teams with a PKI "easy button" that helps them reduce and manage their risks.

Foundationally, the CA/Browser Forum standards open the door to a larger discussion around PKI and digital identities, providing IT leaders and budget owners incentive to invest in automation tools that lessen the burden on their IT teams and, more importantly, their business's operational and security risk.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security Pros' Painless Guide to Machine Intelligence, AI, ML & DL."