Streamlined security: the future of digital certificates and IT automation

Is automation the solution to the digital identity imperative?

IT teams need to manage countless digital identities, which provide essential protection from cybersecurity threats. But without automation, they may struggle to do so effectively

Digital identities are a vital part of our increasingly online world. Much like a passport, they typically include verified information about the identity of the holder. Without them, employees, customers, apps and machines would struggle to securely access digital resources or carry out many online tasks.

A digital identity can encompass multiple accounts, credentials, entitlements, rights and privileges – and businesses may need to manage tens or even hundreds of thousands of them. This can be a significant headache for IT teams. 

“A constant flow of new hires, departing employees and temporary workers necessitates continuous updates to access rights,” says Marcel Wendt, chief technology officer and founder at Digidentity, an online identity verification company. “This fluid environment can create security vulnerabilities and headaches during audits.”

Indeed, just one compromised identity could ultimately threaten other accounts across the organisation, or be used to access sensitive data. “Managing digital identities has become nothing short of crucial for maintaining cybersecurity's integrity,” says Dan Smale, senior service owner at Fasthosts ProActive, which provides managed cloud services. “And with the emergence of AI-driven cybersecurity threats, there's never been a more pressing time to tighten up on robust digital identity management practices.”

“These AI-powered menaces can sift through data at breakneck speed,” he explains, “spotting vulnerabilities and exploiting them with an ease that's downright scary. Consequently, safeguarding the integrity and security of digital identities has catapulted to the top of the priority list.” 

Other threats that exploit digital identities include supply chain, IoT, man in the middle (MitM) and phishing attacks, some of which also use AI to carry out sophisticated social engineering techniques. Deepfakes, for instance, are increasingly used to impersonate employees. In one well-documented case, a finance worker at a multinational firm was tricked into paying out $25m to fraudsters, who used deepfake technology to pose as the company’s chief financial officer during a video conference call.

“Businesses need to invest in employee training on how to spot deepfakes,” says Mike Kiser, director of strategy and standards at SailPoint, a provider of identity governance solutions, “and they should also review and reinforce digital access rights, so employees, partners, contractors, and so on, only receive as much access to important data as their roles and responsibilities require.”

Managing the burden

The shift to home and hybrid working has undoubtedly exposed gaps in both employee cybersecurity awareness and access controls, as well as increasing the number of devices connected to company networks. According to IoT Analytics, there could also be more than 29 billion IoT connections by 2027 – all of which will have a digital identity.

“The expanding attack surface for identity-based security introduces new and evolving threats targeting digital identities, which often serve as a primary entry point for attackers,” says Libero Marconi, senior director, Europe & Middle East cyber risk services, at consultancy Alvarez & Marsal. “With more entry points for malicious actors, the risk of identity data theft and privilege escalation increases.”

This proliferation of endpoints only adds to the digital identity burden facing IT teams, many of which are already battling tight budgets and talent shortages. Manually provisioning and de-provisioning access for users, for instance, or updating their privileges after a promotion or role change, is a tiresome task for overstretched personnel. Many IT administrators are also bombarded with password reset requests and account unlocks related to digital identities.

Identity and access management (IAM) systems – or broader identity governance and administration (IGA) systems that encompass governance and policy enforcement – can help organisations properly organise, verify and protect digital identities, and control user access to resources. But they are particularly powerful when combined with automation. 

When a new employee joins and their details are entered into the HR system, for instance, it can automatically trigger the creation of their user account across various applications. When that employee leaves, their access can be automatically revoked system-wide, so there’s no chance of a disgruntled former staff member or cybercriminal using an old identity to access company data. 

Allowing employees to request access to specific resources through a self-service portal can further reduce the burden on IT teams, along with automating the collection, analysis and reporting of access-related data for compliance purposes.

“Automation represents a significant shift in the digital identity landscape. It allows organisations to move beyond reactive security measures and towards a proactive approach,” says Wendt. “Streamlined verification, tamper-proof records, and efficient access management – these are the hallmarks of a secure and efficient digital identity ecosystem.”

Once freed from the manual burden of managing digital identities, IT professionals can also dedicate more time to initiatives and innovation that will improve the company’s broader security posture. 

“By handing over the reins of routine and intricate tasks to automation, IT teams can channel their focus into strategic endeavours rather than drowning in admin work,” says Smale. “This shift paves the way for better job satisfaction, reduced burnout and an overall uplift in wellbeing among IT professionals.”

How will digital certificate changes boost cybersecurity?

Lifespans of public SSL/TLS certificates will soon drop from 398 days to just 90 to improve online security, and organisations need to be ready

SSL/TLS certificates are used to secure network communications and verify the identity of websites using public and private cryptographic keys. Essentially, they ensure that data is transmitted between a browser and website without modification, loss or theft. In short, they are the bedrock of trust in ecommerce, digital banking services and many other online interactions.

For years, the validity lifespan of these certificates has been dropping – and now the online landscape is about to undergo a major shift with the arrival of 90-day certificates. 

This change is down to Google's desire to improve security and trust in the online world. Further shortening the lifespan of public SSL/TLS certificates should reduce many of the risks associated with longer validity periods, which encourage a “set and forget” approach, according to Libero Marconi, senior director, Europe & Middle East cyber risk services, at consultancy Alvarez & Marsal. “This increases the risk of vulnerabilities and potential data breaches,” he says.

“If a certificate is compromised, the extended lifespan allows attackers more time to exploit it for unauthorised access or malicious activities. Shorter lifespans limit the time frame during which a compromised certificate can be exploited by attackers.”

However, the shift from today’s 398-day lifespans to just 90 could cause problems for those businesses that currently manage their SSL/TLS certificates manually. “They necessitate more frequent updates, promoting agility and responsiveness to evolving threats,” says Peter Tahmizian, CTO at Intelliworx, a managed IT services provider. “However, this agility comes with increased administrative overheads, challenging traditional management practices.”

An accelerated expiration rate could also create significant security risks for businesses that are still using spreadsheets to manage their certificate inventory. “Expiring certificates are easily overlooked, potentially leading to service outages or data breaches,” Marconi explains. 

“Moreover, the transition from traditional data centres to distributed IT environments has stimulated a significant increase in the demand for SSL/TLS certificates required to secure various digital assets.”

In this hybrid IT world, the concept of ‘machine identity’ has expanded to encompass a wide range of entities, from traditional servers to mobile devices, cloud instances and beyond. “Each machine necessitates a unique identity for secure communication, placing an increasing burden on network administrators tasked with managing these digital identities,” says Marconi.

The drop to 90-day certificate lifespans could also introduce additional costs. “While many certificates have become more wallet-friendly, frequent renewals can still mean a thicker slice of the budget pie for companies, especially for those requiring the higher echelons of validation,” says Dan Smale, senior service owner at Fasthosts ProActive, which provides managed cloud services.

As well as enabling IT teams to manage digital identities more efficiently and securely, automation can also help them navigate ongoing changes in the public key infrastructure (PKI) industry, such as the introduction of 90-day certificate lifespans. 

Indeed, the looming need to renew certificates on a more frequent basis should urge “organisations to implement robust certificate management practices and certificate lifecycle management (CLM) solutions,” says Marconi. “This includes maintaining an up-to-date inventory of certificates, automating certificate issuance and renewal processes, and ensuring timely revocation of compromised or expired certificates.”

Furthermore, as Gunnar Braun, a security engineer at the Synopsys Software Integrity Group, points out: “Shorter certificate lifespans do not make our online ecosystem more secure by themselves, but only if frequent changes go along with secure and trusted certificate renewal processes, or, more generally, a secure certificate management system.”

Google clearly hopes that reduced certificate lifespans will kick-start the shift toward these improved, automated management processes in organisations that are lagging behind. But is it really the best approach to improving online security? 

“For now, it seems shorter lifespans are a step in the right direction,” says Smale. “Slightly inconvenient perhaps, but a small price to pay for a safer internet.”

Commercial Feature

A practical guide to digital certificate management

Automation and centralised platforms can eliminate the risks and burden of manually managing a growing number of digital certificates

We live in a world of fakes. In such a world, where almost any email, website or device can potentially be fraudulent, digital certificates provide essential protection from malicious actors. That’s because these small data files contain identity credentials that allow websites, organisations, people, machines and devices to prove their authentic identity. 

They are issued by a certificate authority (CA), a trusted third party that verifies the identity of the certificate holder. But despite the vital role certificates play in maintaining online trust and securing digital identities, many organisations struggle to manage them effectively. 

The various stages of the certificate lifecycle, from issuance to renewal or revocation, may be handled manually, with spreadsheets used to maintain certificate inventories and monitor their expiry dates – an approach that is fraught with risks.

If a certificate expires without anyone’s knowledge, for example, it could cause a website to go down. Misplaced certificates or a forgotten renewal can expose servers and domains to vulnerabilities that malicious actors could exploit. If a digital certificate’s private key is compromised, it also needs to be revoked immediately.

“Digital certificate management is so important because you need to stay ahead of those scenarios, which are a major business disruptor,” says Julie Olson, associate product manager at GlobalSign, a certificate authority and provider of internet identity and security products.

A growing challenge

This might be achievable for a small organisation that only handles a handful of certificates. “But if you go any higher than that, up into 20, 30, hundreds or even thousands of certificates, it quickly becomes a nightmare,” says Olson. Indeed, global enterprises may have thousands of endpoints spanning multiple companies and departments.

IT teams must ensure that all these certificates are provisioned at the right time for the right user, machine or device, without overburdening IT resources. Often, they have to grapple with the management of extensive certificate requests across diverse domains and time zones, resulting in delays in validation checks and the provisioning of certificates.

Traditionally, many organisations have managed and issued their certificates with the help of an on-premises Microsoft Certificate Authority (CA). But these on-premises solutions are often expensive to set up and maintain due to hardware, staff, maintenance and support requirements, and may not offer the same level of security as a third-party trusted CA. Furthermore, they are not a fully automated solution.

All the inherent complexities of certificate management will further increase once SSL/TLS certificate lifespans drop to 90 days. As Olson says, that means: “It’s really important that everyone, everywhere, starts to think about how best to remove those manual processes and automate them.”

The automated approach

Certificate scanning tools are a good place to start. These can reveal all the certificates that are installed across various endpoints in an organisation's network, as well as their type and the time left until they expire. Once an organisation has a proper map of its certificate inventory, it can start to think about how to improve its management processes through automation.
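The scanning step described above, as an added example that is not the page's or any vendor's code: a small Go inventory scanner that dials each endpoint, records the leaf certificate it presents and flags anything already expired or inside a 30-day renewal window, the lead time at which automation should already have rotated a 90-day certificate. The host names, the localhost listener and the self-signed certificate it serves are constructed assumptions standing in for a real estate of endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the certificate inventory a scan produces.
type Finding struct {
	Endpoint, Subject, Issuer string
	NotAfter                  time.Time
	DaysLeft                  int
	Expired, NeedsRenewal     bool
}

// Assess turns a presented leaf certificate into an inventory row; renewBefore is the
// lead time by which automation should already have rotated it (30 days for a 90-day cert).
func Assess(endpoint string, leaf *x509.Certificate, now time.Time, renewBefore time.Duration) Finding {
	remaining := leaf.NotAfter.Sub(now)
	return Finding{Endpoint: endpoint, Subject: leaf.Subject.CommonName, Issuer: leaf.Issuer.CommonName,
		NotAfter: leaf.NotAfter, DaysLeft: int(remaining.Hours() / 24),
		Expired: remaining <= 0, NeedsRenewal: remaining <= renewBefore}
}

// Scan dials each endpoint over TLS and records the leaf certificate it presents. Chain
// verification is skipped on purpose: an inventory must also list expired and untrusted
// certificates, since those are exactly the ones that need fixing.
func Scan(endpoints []string, now time.Time, renewBefore time.Duration) ([]Finding, error) {
	var out []Finding
	for _, ep := range endpoints {
		conn, err := tls.Dial("tcp", ep, &tls.Config{InsecureSkipVerify: true})
		if err != nil { return nil, fmt.Errorf("%s: %w", ep, err) }
		leaf := conn.ConnectionState().PeerCertificates[0]
		conn.Close()
		out = append(out, Assess(ep, leaf, now, renewBefore))
	}
	return out, nil
}

// SelfSigned builds a constructed test certificate with the given validity window, standing
// in for the real certificates a scan would find on an organisation's hosts.
func SelfSigned(cn string, notBefore, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, err }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() {
	// Serve a constructed certificate with 20 days left on localhost, then inventory it.
	now := time.Now()
	cert, err := SelfSigned("app.example.test", now.Add(-70*24*time.Hour), now.Add(20*24*time.Hour))
	if err != nil { panic(err) }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { panic(err) }
	// Accept one client and complete its handshake so Scan can read the certificate.
	go func() { if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() } }()
	findings, err := Scan([]string{ln.Addr().String()}, now, 30*24*time.Hour)
	if err != nil { panic(err) }
	fmt.Printf("%+v\n", findings)
}
```

Pointing Scan at a real list of host:port pairs and piping findings with NeedsRenewal set into alerting is the monitoring the later section describes; the dial skips chain verification only for inventory purposes and must never be copied into production client code.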

The Automated Certificate Management Environment (ACME) protocol, for example, allows organisations to automate SSL/TLS certificate issuance, revocation and renewal by enabling communication between CAs and an open-source agent that runs on a user’s servers. “It’s very secure, it's very easy to use and it’s very flexible,” says Olson.

GlobalSign’s ACME service is powered by the Atlas digital identity platform. This allows organisations to manage the full lifecycle of digital certificates – including discovery, monitoring and reporting – from one centralised location. So no matter whether certificates are scattered across multiple public and private networks, or sourced and installed by different users, there’s little chance of them falling through the cracks. 

GlobalSign’s Certificate Automation Manager solution, meanwhile, acts as a proxy between the Atlas platform and Microsoft Active Directory or Microsoft Entra ID. It therefore allows for the fast, efficient and secure deployment, provisioning and management of global certificates across today’s hybrid and multi-cloud environments. IT can also set up enrolment policies for endpoints throughout their organisation, for example, and apply them across a variety of use cases. This does away with delays in provisioning certificates and helps to alleviate the pressure on IT teams.

Certificate Automation Manager also covers the full spectrum of certificate needs, from network security and digital signatures, to email security (S/MIME) and SSL/TLS certificates. They can be issued from a dedicated private CA hosted by GlobalSign, and/or from GlobalSign’s public CA for security applications that require public trust.

Deploying the solution can also free up IT teams to focus on more strategic work. “You can pivot to other more important things, like looking at security threats and being more forward-thinking in terms of what you can do to protect yourself and your customers,” says Olson.

Of course, people still need to be trained in core PKI concepts, digital certificate types and best practices for their secure deployment. It’s also crucial that IT teams stay up-to-date on industry standards and regularly review guidelines from the Certification Authority Browser Forum (CA/Browser Forum) so that their approach to digital certificate management is aligned with current security ideals. Regular audits are also advisable to identify additional areas for improvement.

Finally, it’s important to work with partners who are experts in digital certificate management – particularly if you’re shifting from manual processes to automated ones. “It helps to have a vendor who will take care of you and guide you,” says Olson. “GlobalSign provides that level of expertise, helping to shape your digital certificate management solutions so that they match your business.”

Tech leaders' perspectives on digital certificate changes

IT leaders discuss how digital certificate management complexities affect their teams, and whether automated solutions can help relieve the burden

Digital certificates are one of the most robust means of verifying identities that IT teams have in their arsenal. But as the number of network endpoints expands, it can become increasingly difficult to manage them efficiently and securely.

“Keeping track of inventory, and the renewal process, is manual, time-intensive and becomes increasingly complex as the number of domains and sub-domains grows,” says John Parlee, CISO at Park Place Technologies, a data centre and networking optimisation firm. “If you overlook a certificate renewal, the consequences can be severe: customer trust may waver, and your online reputation might suffer, affecting your overall ‘trust’ score in applications that track third-party risk management.”

Greg Notch, CISO at Expel, a managed detection and response provider, says that certificate-based security is essential for his organisation and customers. “We use them to identify and authenticate users, devices, services and software components thousands of times a minute,” he explains. “Keeping on top of the certificates we have and their expiration dates, and continuing to protect our digital landscape in the process, is an ongoing battle for most security operations teams.”

He adds that with the rise of infrastructure automation technologies such as AWS and Kubernetes, “the sheer volume of necessary certificates has also greatly increased – leaving our operations team to constantly adapt to manage lifecycles. And the risk of failure is high. An expired certificate can lead to service outages, browser warnings for our customers and other undesirable outcomes.”

Eli Fégaly, chief security officer at broadcast technology company Vizrt, says the complexities of his company’s technology – and the range of technologies it uses – mean there are many digital certificates to monitor, manage and renew within its inventory. “Expiring certificates can lead to service disruptions and, naturally, we must avoid this,” he says. “Therefore one of the greatest challenges is implementing a streamlined renewal process, and making sure this is built on top of a comprehensive inventory management structure.”

Why automation is essential

These challenges can place a significant burden on IT leaders and their teams. So what steps have they taken to address them?

“Managing digital certificates does place a significant burden on our team, primarily due to the manual tracking and updating processes involved,” says Erik Gaston, a CIO and VP of global executive engagement at Tanium, a cybersecurity and systems management company. “To address this, Tanium has implemented advanced automated tools that integrate into our endpoint management platform. 

“These tools not only provide real-time visibility into the certificate lifecycle but also alert our security teams ahead of expirations, ensuring proactive renewals. This automation has considerably reduced the administrative overhead and minimised risks associated with human error.”

Notch says that managing digital certificate lifecycles would be a burden for his team if they didn't take a proactive approach to how they are deployed. “The consistent cycle of identifying certificates that are up for renewal, and subsequently renewing them, can be an onerous task,” he explains. “Implementing automated processes helps alleviate this burden, which is something that we at Expel have done for the vast majority of the certificates we manage.”

This is largely thanks to the ACME protocol and tooling like cert-manager automatically rotating certificates as they approach expiration. “With this automation in place, we also configured alerting/monitoring to notify team members in the event something went wrong and a certificate was not updated correctly,” he explains. 

Fégaly says that his company has also implemented a robust inventory management system. “At the core of this system, we have a range of automated certificate workflows that keep on top of our certificate inventory, flagging items soon due for renewal with adequate lead times.”

Indeed, the system has increased his team’s visibility over the entire certificate inventory, facilitating compliance with internal security policies and industry standards. “Our goal was to reduce the manual effort of certificate renewal, automating as much as possible to ensure the team can place greater focus on strategic security and IT initiatives,” he explains.

Shifting to 90-day lifespans

We’ve now heard about the burden inherent in managing digital certificates and the automated tools that IT leaders are using to meet this challenge. But how do they feel about the introduction of 90-day SSL certificate lifespans?

“Although I recognise the advantages, I worry about the administrative burden it will inevitably introduce, along with service interruptions and potential for inadvertent security failures,” says Jaya Baloo, chief security officer at Rapid7, which offers data security and analytics solutions.

Gaston agrees that the shift towards shorter certificate lifespans presents both challenges and opportunities. “While it increases the frequency of renewal tasks, necessitating more robust management systems, it also enhances security by reducing the window of exposure for potential misuse of expired certificates.” He therefore views the change as a positive step towards more dynamic and secure IT environments, “if organisations are equipped with the tools to manage these requirements efficiently.”

Notch also feels the trade-off between the increase in security and the effort to maintain certificates is a good one, “so the shortening of SSL/TLS certificate lifespans to 90 days is welcomed. It’s also unsurprising, as these lifespans have been shrinking for a while now. The shorter the lifespan the higher the security after all.”

“But from a leadership perspective, it will make certificate management even harder and more costly,” he adds. “It’s likely that organisations will need more staff hours and budget to keep up. To combat this, automation will be essential to ensure operations teams aren’t bogged down by the onerous, but essential, task of certificate lifecycle management.”

Parlee agrees that it is critical to automate certificate lifecycle management. “The manual burden of renewing certificates every 90 days can overwhelm many organisations,” he says. “To adapt, organisations must focus on utilising certificate lifecycle management tools.”

Ultimately, shorter certificate lifespans may appear a challenge, “but they are a part of shifting security attitudes that are reinforcing positive change,” says Fégaly. “In fact, it closely aligns with the industry emphasis on enhancing security through more frequent certificate rotation, ensuring that security actions are proactive rather than reactive.”

Duncan Jefferies
Freelance journalist and copywriter specialising in digital culture, technology and innovation. His work has been published by The Guardian, Independent Voices and How We Get To Next.