
Financial services not ready for TLS changes and post-quantum crypto

Financial services organisations are unprepared for the shift to 90-day TLS certificates and post-quantum cryptography, new Venafi research reveals.

  • Editorial Team
  • July 30, 2024

Venafi, the leader in machine identity security, today released a new research report, Organisations Largely Unprepared for the Advent of 90-Day TLS Certificates. The report examines organisations’ current state of preparedness to transition to new machine identity standards, including shorter certificate lifecycles and post-quantum cryptography.

The survey of 800 security decision-makers across the U.S., UK, Germany and France included 117 respondents working in financial services (FS). It revealed that 70% of FS security leaders (72% cross sector) recognise the pressing need to move to shorter certificate lifespans to improve security. However, many feel unprepared to take action, with 74% (77% cross sector) saying the shift to 90-day certificates will mean more outages are inevitable.

Additional highlights from the survey findings include:

  • 90-Day Certificate Challenges – 79% of financial services security leaders (81% cross sector) believe Google’s proposed plans to shorten TLS certificate lifespans from 398 days to 90 days will amplify existing challenges they have around managing certificates. An overwhelming 93% of FS survey respondents (94% cross sector) are concerned about the impact of the changes, with 68% (73% cross sector) saying it could cause “chaos” and a further 68% (75% cross sector) saying it could even make them less secure.
  • Volatile CA Landscape – The recent decree that certificates issued by Certificate Authority (CA) Entrust can no longer be trusted is just the latest example of disruption in the CA market. In fact, 86% of FS security leaders (88% cross sector) report their organisation has been impacted by CA revocations. Of these, 54% (45% cross sector) had to deploy extra resources to find, revoke and replace certificates; 38% (38% cross sector) suffered a security incident; and 26% (31% cross sector) had a certificate-related outage.
  • Quantum Denial – With momentum gathering around the need to migrate to new quantum-resistant encryption algorithms, 61% of FS security leaders (64% cross sector) say they “dread the day” the board asks about their migration plans. 81% (78% cross sector) say if a quantum computer capable of breaking encryption is built, they will “deal with it then,” with 58% (60% cross sector) believing that quantum computing doesn’t present a risk to their business today or in the future. Moreover, 62% (67% cross sector) dismiss the issue, stating it has become a “hype-pocalypse.”

“We recently lived through the world’s greatest IT outage which severely impacted banks and financial institutions worldwide – the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates,” said Kevin Bocek, chief innovation officer at Venafi. “Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams – and it’s a double whammy with Entrust being distrusted in Chrome. There aren’t just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It’s not just one software update vendor; it’s the entire Internet as we know it.”

The introduction of 90-day certificates means FS organisations will need to renew their certificates five times more often than they do now – quintupling the effort needed. The survey reveals this will be a major challenge for FS organisations for two reasons:

  • Delayed Deployment – Only 8% of financial services security leaders (8% cross sector) fully automate all aspects of TLS certificate management across their entire enterprise, with 33% (29% cross sector) still relying on their own software and spreadsheets to manage the problem. As a result, it takes an average of 2-3 working days (an average of 22.03 hours for FS compared to 21.75 hours cross sector) to deploy a certificate.
  • TLS Transformation – The volume of TLS certificates in use at organisations has been steadily rising, due to the growth in technology adoption in recent years. 97% of FS security leaders (95% cross sector) say digital transformation initiatives have increased their organisation’s use of SSL/TLS in the past year by an average of 38% (36% cross sector). As a result, the average FS organisation now manages 4,934 TLS certificates (3,730 cross sector) – a number that is expected to increase by 42% (39% cross sector) by 2026, taking the figure up to over 7,000 (5,000 cross sector).
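To make the two points above concrete (renewal frequency at 398-day versus 90-day lifetimes, and a multi-day deployment lead time that leaves little slack), here is an added example, not code from the article or from Venafi: a small inventory triage that computes when a renewal must start given the 22.03-hour average deployment time the article reports, and flags certificates whose issuer has been distrusted, as happened with Entrust. The inventory, the safety margin and the issuer names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (assumption, not data from the article).
NOW = datetime(2024, 7, 30, tzinfo=timezone.utc)
INVENTORY = [
    {"host": "api.example-bank.test", "issuer": "Example Public CA",
     "not_after": NOW + timedelta(days=10)},
    {"host": "pay.example-bank.test", "issuer": "Distrusted CA Inc",
     "not_after": NOW + timedelta(days=300)},
    {"host": "intranet.example-bank.test", "issuer": "Example Public CA",
     "not_after": NOW + timedelta(hours=12)},
]

# Average time to deploy a certificate for FS organisations, per the article.
LEAD_TIME = timedelta(hours=22.03)
# Renewal should be complete this long before expiry (assumed margin).
RENEW_MARGIN = timedelta(days=7)


def renewals_per_year(lifetime_days: int) -> float:
    """Renewals each certificate needs per year at a given lifetime."""
    return 365 / lifetime_days


def effort_multiplier(old_days: int, new_days: int) -> float:
    """How many times more renewals a shorter lifetime implies."""
    return renewals_per_year(new_days) / renewals_per_year(old_days)


def renewal_deadline(not_after: datetime) -> datetime:
    """Latest moment to *start* renewing so it completes with margin to spare."""
    return not_after - RENEW_MARGIN - LEAD_TIME


def triage(inventory, distrusted, now=NOW):
    """Classify each certificate by urgency.
    replace_now: issuer distrusted, or the start-deadline has already passed
    renew_soon:  start-deadline falls within the next 7 days
    ok:          nothing to do yet"""
    result = {}
    for cert in inventory:
        deadline = renewal_deadline(cert["not_after"])
        if cert["issuer"] in distrusted or deadline <= now:
            result[cert["host"]] = "replace_now"
        elif deadline - now <= timedelta(days=7):
            result[cert["host"]] = "renew_soon"
        else:
            result[cert["host"]] = "ok"
    return result
```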

Similar challenges exist with quantum. 69% of FS survey respondents (67% cross sector) believe shifting to post-quantum cryptography will be a nightmare, as they don’t know where all their keys and certificates are. Looking at the specific challenges these shifts present, the potential speed of the migration, lack of internal skills and knowledge, as well as fears that adversaries will use quantum computing to attack before businesses have a chance to migrate, were cited as the top three concerns for FS organisations. However, 85% (86% cross sector) say taking control of the management of keys and certificates is the best way to prepare for future quantum risks.

“There’s great news: from 90-day certificates to replacing distrusted CAs to making the transition to post-quantum, FS security teams today have machine identity security capabilities they didn’t have available just a few years ago. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane now,” Bocek concludes. “The business case is simple for making sure 90-day certificate lifetimes don’t wreak havoc. We know the problem is coming, unlike the last major IT outage, and the automation we put in place with machine identity security gets us ready for the post-quantum future, the next CA distrust and running in whatever cloud our developers choose. At Venafi, we are built for these times.”

As the financial services industry faces significant changes in machine identity management and cryptography, Kevin Bocek, Chief Innovation Officer at Venafi, shared exclusive comments with Bobsguide, shedding light on the future landscape and best practices for financial institutions.

The evolving landscape of machine identity and cryptography

“Machine identities, such as TLS certificates, are the foundations of our digital world. They enable secure and encrypted communication between machines, authenticating that systems, servers, and applications are what they say they are. With financial services becoming critical infrastructure, machine identities play a key role in enabling everything from balance transfers to processing loan applications securely. However, several factors are driving rapid changes in the landscape.

Firstly, the growth in digital services is increasing the use of machine identities. Financial services institutions are using more technology, with traditional banks feeling pressure from digital challengers. They now use 4,934 TLS machine identities and expect this to grow by 42% in the next two years. Each identity is a potential failure point if not managed correctly. Expired identities can cause outages, as seen with recent CrowdStrike outages. Additionally, if identities fall into the wrong hands, there are severe security risks.

Google’s plan to reduce machine identity lifespans from 398 days to 90 will mean identities expire five times faster, increasing the risk of outages if institutions can’t replace them in time. As a result, 74% of FS security leaders believe outages are ‘inevitable’, and 79% believe the move will amplify existing challenges around managing certificates.

We’re also seeing volatility in the certificate authority (CA) landscape. Recently, Entrust was deemed untrustworthy, necessitating the replacement of these identities. This is not isolated, with 86% of FS security leaders impacted by similar incidents in the past, causing outages and security incidents.

Finally, quantum computing is on the verge of becoming a reality, potentially rendering today’s cryptography standards obsolete. While the consensus is that machine identities will need to be quantum-resistant within the next 5-10 years, 69% of FS security leaders see this migration as a nightmare, yet 81% are waiting for a quantum computer capable of cracking encryption before addressing the issue.”

Best practices for staying ahead

“Currently, it takes FS organisations 2-3 working days on average to issue a certificate, with only 8% fully automating the process. This needs to change for institutions to manage the upcoming changes.

The good news is that the tools to address these challenges are available. By automating machine identity security now, financial services firms can prepare for Google’s 90-day certificates and CA trust issues, ensuring rapid replacement of identities. This also sets the stage for migration to post-quantum cryptography. Automation will be critical to addressing these and future challenges.”