If we’re being honest, Google has been bullying the internet into decisions for the better part of two decades (like Certificate Transparency Logs). Most recently, they announced that they’re mandating that all certificates need to be rotated every 90 days. This new policy has significant ramifications for identity engineers, and in this article, we will take a look into the implications of this mandate for everyday security practitioners.
Certificates - SSL/TLS certificates in particular - serve as proof of a website’s identity and encrypt the data transmitted between the website and its visitors. Over time, as cryptographic algorithms age and vulnerabilities are discovered, these certificates can become less secure. Google is requiring sites to automate rotation to ensure that, even if a certificate is compromised, it has a short shelf-life, making the window of opportunity for malicious actors incredibly narrow.
The major motivating factor behind the 90-day timeframe is security. Short-lived certificates reduce the risk of exposure if a certificate’s private key is compromised. They also encourage automation through ACME, as the more-frequent renewal process can be cumbersome if done manually.
However, there’s another, much more subtle, benefit… it encourages businesses to remain hyper-vigilant. Regularly updating certificates means that businesses must constantly ensure their systems are compatible and up-to-date. This sort of routine can bolster other security practices and bring attention to outdated or vulnerable systems.
Increased Automation: With the 90-day rotation, manual certificate renewals become impractical. This will push businesses to adopt automated certificate management solutions. Tools like Let’s Encrypt, which already offers free, automated SSL certificates, might see a surge in adoption. There are also amazing solutions like our own EZCA, which allows for the seamless automation and integration of Azure-based certificates.
Enhanced Monitoring: More frequent rotations mean that monitoring solutions will need to be more robust. Security practitioners will need to ensure that certificate renewals are successful and that no service disruptions occur due to expired certificates. You’re also going to want full visibility into CRLs to ensure no naughty business is going on.
Budgetary Considerations: Depending on the certificate provider, frequent renewals might have cost implications. Practitioners will have to consider budgetary constraints when selecting providers or may shift towards free, automated solutions. Check out how much time and money you’ll save by automating the rotation of certificates!
Continuous Education: The IT and security teams will need to be up-to-date with best practices concerning certificate management, ensuring that rotations happen seamlessly without impacting user experience.
Vendor Relationships: Organizations that rely on third-party solutions will need to ensure their vendors adhere to these standards, adding another layer to vendor management practices. Most organizations are choosing to outsource PKI to 3rd parties like Keytos that are the experts in automation and compliance.
Operational Resilience: There’s always a risk associated with updates and changes. Organizations will need to build resilient operations that can quickly address any challenges or disruptions arising from the frequent certificate rotations.
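A minimal check for the Enhanced Monitoring point above, as an added example that is not from the original article or from any vendor tool: it flags certificates that are expired, issued for longer than 90 days, or still being served after automation should have replaced them. The one-third renewal point, the 3-day grace period and the hostnames are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)  # lifetime limit discussed in the article
RENEW_FRACTION = 1 / 3             # assumption: renew with a third of lifetime left
GRACE = timedelta(days=3)          # assumption: retry window before alerting


def classify(not_before, not_after, now):
    """Return the monitoring state for one certificate validity window."""
    lifetime = not_after - not_before
    if now >= not_after:
        return "expired"
    if lifetime > MAX_LIFETIME:
        return "lifetime_exceeds_90_days"
    # Automation should have replaced this certificate at renew_at; still
    # seeing it served after the grace period means the renewal job failed.
    renew_at = not_after - lifetime * RENEW_FRACTION
    if now > renew_at + GRACE:
        return "renewal_overdue"
    return "ok"


def fetch_validity(host, port=443, timeout=5):
    """Read notBefore/notAfter from the certificate a live server presents.
    An already-expired certificate fails verification and raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    def to_dt(s):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)
    return to_dt(cert["notBefore"]), to_dt(cert["notAfter"])


# Constructed sample inventory (hypothetical hosts), so the example runs offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = {
    "fresh.example": (NOW - 10 * DAY, NOW + 80 * DAY),
    "stuck.example": (NOW - 70 * DAY, NOW + 20 * DAY),
    "dead.example": (NOW - 91 * DAY, NOW - 1 * DAY),
    "legacy.example": (NOW - 100 * DAY, NOW + 265 * DAY),
}

if __name__ == "__main__":
    for name, (nb, na) in SAMPLE.items():
        print(f"{name:16} {classify(nb, na, NOW)}")
```

For a live endpoint, pass the pair returned by `fetch_validity(host)` to `classify` together with the current UTC time.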
Google’s 90-day certificate rotation mandate is a significant move towards enhancing web security. While it comes with its set of challenges, it encourages a proactive approach to security, which, in the long run, will benefit both businesses and their users. For the everyday security practitioner, this change means adapting to a more rigorous, automated, and continuous approach to certificate management. As with all changes, flexibility and adaptability will be the keys to navigating this new terrain successfully.