How Google’s 90-day TLS certificate validity proposal will affect enterprises

Announced last year, Google’s proposal to reduce the lifespan of TLS (transport layer security) certificates from 13 months to 90 days could be implemented in the near future. It will certainly improve security and shrink the window of opportunity for bad actors to exploit compromised or stolen certificates and private keys. Unfortunately, it will also dramatically increase the time and energy required to manage TLS certificates.

For organizations with only a handful of certificates, this may not be a big problem. But most larger enterprise organizations must deal with literally thousands of TLS certificates for critical internet facing applications and websites. For these organizations, getting the process of managing them right is crucial if they are to avoid customer-facing warnings that a URL is not secure, not to mention costly outages from expired certificates.

As a result, the new 90-day TLS certificate lifespan proposed by Google will have far-reaching impacts on three areas of corporate IT: DevOps, security and operations.

DevOps: Another reason to shift left

Containerized Kubernetes environments are fast becoming the norm in DevOps, with TLS certificates playing an important role in securing these environments. They provide trust and encrypted transactions so that applications can be securely delivered and always available. If a TLS certificate expires, a critical internet application could become unavailable and untrusted.

When it comes to managing these certificates, the shift left approach makes sense. Developers should incorporate certificate renewal alerts within their development workflows. They should also have self-service certificate management capabilities in accordance with PKI policies to automate certificate issuance and renewal.

With 90-day lifespans, the task of renewing and deploying certificates at scale will not be possible using manual processes. Automation will be necessary to support the speed and agility of DevOps teams as they continually deliver new applications and features.

Security teams: Quadrupled work

It’s the responsibility of security teams to ensure the encryption and security of private data used in public-facing applications and web transactions. This will require the creation of new policies to comply with the 90-day lifespan for the TLS certificates central to this authentication process. Security must also assign the responsibility of enforcing these policies across development and operational activities, and ensure compliance through regular audits.

To prepare for the transition, the security team must make sure the IT organization is aware of what needs to happen, when, and what potential vulnerabilities exist. This will require training and ongoing risk assessments related to certificate management.

Working with limited resources, many security teams are already challenged renewing TLS certificates under the old 13 month lifespan, particularly if they lack tools to provide visibility and automation. The new 90-day TLS certificate lifespan will effectively quadruple their workload, as certificates will need to be renewed and deployed four times a year instead of just once.

Operations: Availability is crucial

Operations will now face tremendous pressure to ensure that TLS certificates don’t expire. If they do, the resultant outages will impact productivity, revenue and the corporate reputation.

To avoid these consequences, the existing infrastructure must be able to handle the accelerated renewal cycle consistently and flawlessly. This means minimizing the need for human intervention and coming as close as possible to a zero-touch TLS certificate renewal and deployment process.

The central role of automation

The common theme among all three of these groups is the need for automation, which delivers several important benefits. The first is efficiency. The Google proposal to reduce TLS validity will create an enormous amount of repetitive work, and valuable IT resources are better used elsewhere.

The second is scalability, which will be necessary as the number of certificates grows, as it certainly will.

The third is accuracy, with the elimination of misconfigurations and human error. Along with accuracy comes the organization-wide consistency that only policy-driven automation can ensure.

Finally, automated solutions that provide visibility and tracking of certificates improve security and reduce risk by eliminating gaps and blind spots.

Best practices

To prepare for the new accelerated TLS certificate renewal lifecycle, consider these best practices:

• Adopt a centralized certificate lifecycle management infrastructure to streamline renewals and minimize downtime.
• Create cross-functional teams including representatives from DevOps, security and operations to ensure a common understanding of Google’s 90-day TLS certificate lifespan proposal and its implications.
• Specify how each group can contribute to and benefit from shared insights to enhance the overall security posture.
• Organize joint strategy sessions and set up regular review meetings to monitor progress, share insights, and adjust strategies as needed.
• Assign a rotating responsibility for leading these sessions to ensure engagement and accountability from all sides.
• Establish feedback mechanisms for continuous learning and improvement in the certificate lifecycle management process.

By forcing the more frequent renewal of TLS certificates the Google 90-day proposal will help organizations reduce their exposure to exploits and improve overall security posture. The price is an increased management workload that’s well worth paying but will require new processes and procedures that promote automation strategies across DevOps, security and operations teams.

Preparing for the transition sooner than later may be the most important best practice to implement.