The cybersecurity industry is about to face two major changes in the machine identity world. Within the next 6–12 months, both Google and Apple will cut the lifespan of public TLS certificates to 90 days or less, with Apple proposing further reductions to 47 days by 2028.
In the longer-term, post-quantum cryptography (PQC) looms large. A generational change in the digital world that will takes years to play out and impact the most foundational parts of the digital world: it’s almost certain quantum computers will be able to break today’s cryptography and allow attackers to spoof machine identities, decrypt data and make ransomware run.
Given the scale of these challenges, security leaders are rightly concerned. Three quarters (74%) say that Google’s plans will cause chaos, whilst 67% dread the day their board asks them about PQC. But, without having exact timelines for either, these may seem like problems that can be kicked down the road.
Organizations should be preparing now, and while these two initiatives may seem disparate, they have more in common than meets the eye. In fact, preparing for shorter public certificate lifespans is a crucial first step in being quantum-ready.
The Good, the Bad and the Unprecedented
Positively, both of these developments will improve security. Google and Apple’s intended changes to certificate lifespans will help to lessen the amount of time an adversary has to take advantage of a compromised certificate. PQC will raise the bar, revolutionizing encryption so that machine identities remain secure once powerful quantum computers are in adversaries’ hands.
However, the transition to new standards of machine identity security could cause short-term pain for those who are unprepared. Every business with a website uses public TLS certificates and will be impacted by shorter lifespans. To adjust to Google’s 90-day certificates, organizations will need to replace TLS certificates five-times as often as they do now. Apple’s 47-day certificates will need to be replaced almost 10-times as often.
This presents a greater chance that a certificate will expire before being replaced – which could result in a costly outages. Although not certificate-related, the July 2024 CrowdStrike outage gave us a taste of how damaging these incidents can be, and if organizations aren’t prepared, similar scenarios could occur daily.
Failing to prepare for PQC could have an even more devastating impact. If a quantum computer capable of cracking encryption is created, then the world will be turned upside down – nothing will be secure. Organizations will be at the mercy of adversaries, who’ll be able to crack machines open in the blink of an eye. All data across the entirety of the internet will be at risk.
Worst of all, we do not know when this may happen, organizations may have the act very fast to migrate to new encryption standards.
There have been instances in the past – such as the infamous Heartbleed vulnerability in 2014 – where it’s been necessary for organizations to replace all their machine identities. But it’s never been on this scale. The emergence of cloud native solutions and technologies like AI mean organizations have many thousands more identities in use than ever.
Each and every identity, of which there are thousands or even hundreds of thousands in an enterprise’s system, will be a potential point of failure if they’re not managed and secured adequately.
Preparing for the Future Today with a Business Case
To avoid costly outages and devastating cyber-attacks, organizations need to know where all of their machine identities are, what they’re used for, when they’re set to expire and have the ability to swap them rapidly before they trigger an outage or cyber-attack. But, managing and securing all the machine identities across an organization manually is impossible, particularly if they’re expiring five-times faster or are infinitely more complex.
Not only is this laborious process time consuming and unreliable, but it runs the risk of human error. When the stakes are so high, it’s simply not acceptable to leave machine identity security to chance.
Therefore, organizations must use automation to solve this complex problem. This empowers security leaders to take control over their machine identities. In the short term, automation will be vital towards preparing organizations for reduced public certificate lifespans, ensuring no machine identities ever slip through the cracks, avoiding the ensuing outage.
In the long term, organizations will need to go through the exact same process of discovery and replacement of machine identities for PQC. Preparing for shorter public certificate lifespans today will future-proof organizations for what’s coming tomorrow.
Getting Ahead While We Can
The scale of the task posed by Google and Apple’s plans for shorter public certificate lifespans and PQC is unprecedented, and without automation, there’ll be chaos in the machine. While these challenges aren’t happening tomorrow, they are coming.
The good news is that now is the time for security leaders to make machine identity security urgent in order to protect their organizations and the customers they serve from emerging threats.
Those that do take the necessary steps to automating machine identity security will be well-placed to tackle 90-day certificates and PQC head on. Those that don’t could be left facing daily outages and will leave themselves powerless to repel cyber-attacks.