Financial services organisations are unprepared for the shift to 90-day TLS certificates and post-quantum cryptography, new Venafi research reveals.
Venafi, the leader in machine identity security, today released a new research report, Organisations Largely Unprepared for the Advent of 90-Day TLS Certificates. The report examines organisations’ current state of preparedness to transition to new machine identity standards, including shorter certificate lifecycles and post-quantum cryptography.
The survey of 800 security decision-makers across the U.S., UK, Germany and France included 117 respondents working in financial services (FS). It revealed that 70% of FS security leaders (72% cross sector) recognise the pressing need to move to shorter certificate lifespans to improve security. However, many feel unprepared to take action, with 74% (77% cross sector) saying the shift to 90-day certificates will mean more outages are inevitable.
Additional highlights from the survey findings include:
“We recently lived through the world’s greatest IT outage which severely impacted banks and financial institutions worldwide – the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates,” said Kevin Bocek, chief innovation officer at Venafi. “Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams – and it’s a double whammy with Entrust being distrusted in Chrome. There aren’t just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It’s not just one software update vendor; it’s the entire Internet as we know it.”
The introduction of 90-day certificates means FS organisations will need to renew their certificates five times more often than they do now – quintupling the effort needed. The survey reveals this will be a major challenge for FS organisations for two reasons:
Similar challenges exist with post-quantum cryptography. 69% of FS survey respondents (67% cross sector) believe shifting to post-quantum cryptography will be a nightmare because they don’t know where all their keys and certificates are. Asked about the specific challenges these shifts present, FS organisations cited three top concerns: the potential speed of the migration, a lack of internal skills and knowledge, and fears that adversaries will use quantum computing to attack before businesses have a chance to migrate. However, 85% (86% cross sector) say taking control of the management of keys and certificates is the best way to prepare for future quantum risks.
“There’s great news: from 90-day certificates to replacing distrusted CAs to making the transition to post-quantum, FS security teams today have machine identity security capabilities they didn’t have available just a few years ago. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane now,” Bocek concludes. “The business case is simple for making sure 90-day certificate lifetimes don’t wreak havoc. We know the problem is coming, unlike the last major IT outage, and the automation we put in place with machine identity security gets us ready for the post-quantum future, the next CA distrust and running in whatever cloud our developers choose. At Venafi, we are built for these times.”
As the financial services industry faces significant changes in machine identity management and cryptography, Kevin Bocek, Chief Innovation Officer at Venafi, shared exclusive comments with Bobsguide, shedding light on the future landscape and best practices for financial institutions.
“Machine identities, such as TLS certificates, are the foundations of our digital world. They enable secure and encrypted communication between machines, authenticating that systems, servers, and applications are what they say they are. With financial services becoming critical infrastructure, machine identities play a key role in enabling everything from balance transfers to processing loan applications securely. However, several factors are driving rapid changes in the landscape.
Firstly, the growth in digital services is increasing the use of machine identities. Financial services institutions are using more technology, with traditional banks feeling pressure from digital challengers. They now use 4,934 TLS machine identities and expect this to grow by 42% in the next two years. Each identity is a potential failure point if not managed correctly. Expired identities can cause outages, as seen with recent CrowdStrike outages. Additionally, if identities fall into the wrong hands, there are severe security risks.
Google’s plan to reduce machine identity lifespans from 398 days to 90 will mean identities expire five times faster, increasing the risk of outages if institutions can’t replace them in time. As a result, 74% of FS security leaders believe outages are ‘inevitable’, and 79% believe the move will amplify existing challenges around managing certificates.
We’re also seeing volatility in the certificate authority (CA) landscape. Recently, Entrust was deemed untrustworthy, necessitating the replacement of these identities. This is not isolated, with 86% of FS security leaders impacted by similar incidents in the past, causing outages and security incidents.
Finally, quantum computing is on the verge of becoming a reality, potentially rendering today’s cryptography standards obsolete. While the consensus is that machine identities will need to be quantum-resistant within the next 5-10 years, 69% of FS security leaders see this migration as a nightmare, yet 81% are waiting for a quantum computer capable of cracking encryption before addressing the issue.”
“Currently, it takes FS organisations 2-3 working days on average to issue a certificate, with only 8% fully automating the process. This needs to change for institutions to manage the upcoming changes.
The good news is that the tools to address these challenges are available. By automating machine identity security now, financial services firms can prepare for Google’s 90-day certificates and CA trust issues, ensuring rapid replacement of identities. This also sets the stage for migration to post-quantum cryptography. Automation will be critical to addressing these and future challenges.”