Is Your Business Prepared for the Quantum Revolution?

A recent report from Sectigo highlights significant concerns among organizations about the future of digital trust. The first State of Crypto Agility Report, conducted in collaboration with global research firm Omdia, sheds light on pressing issues such as the reduction in SSL/TLS certificate validity and the upcoming shift to post-quantum cryptography.

The findings reveal that an astonishing 96% of organizations are anxious about the implications of shorter SSL/TLS certificate lifespans for their operations. While there is clear apprehension regarding these changes, the report indicates that many companies remain ill-prepared to address them.

Insights from the State of Crypto Agility Report

Concerns Over Shortened SSL/TLS Certificate Lifespans

  • Prevalent Anxiety, Minimal Readiness: A significant 96% of organizations express concern about the impact of shorter certificate lifespans. However, merely 19% feel adequately equipped to handle the transition to 47-day renewal cycles.
  • Automation Challenges: Only 5% of organizations have managed to fully automate their certificate management processes. This leaves a staggering 95% still relying partially on manual practices, increasing the likelihood of operational hiccups as renewals become more frequent.
  • Lack of Visibility: A mere 28% of organizations maintain a complete inventory of their SSL/TLS certificates, with only 13% expressing strong confidence in their ability to track all certificates accurately.

Challenges of Migration to Post-Quantum Cryptography (PQC)

  • Implementation Obstacles: An impressive 98% of organizations anticipate challenges in implementing post-quantum cryptography. Among them, 92% foresee various barriers to successful migration.
  • Assessment Shortcomings: Only 14% of organizations have conducted a comprehensive evaluation of their systems vulnerable to quantum threats.
  • Low Confidence Levels: A small 15% of businesses are highly confident in their ability to integrate PQC without significant disruptions.
  • Increasing Investment: Despite these readiness issues, a vast majority, 90%, have allocated budgets for PQC preparedness in the upcoming year, with 92% expecting to boost these investments over the next two to three years.

Expert Insights from Sectigo’s Chief Compliance Officer

We had the opportunity to speak with Tim Callan, Sectigo’s Chief Compliance Officer, to delve deeper into the report’s findings and their implications for enterprise cybersecurity.

According to Callan, the existing gap in organizational preparedness poses tangible security risks, especially with regard to the ‘Harvest Now, Decrypt Later’ attack. In this method, threat actors collect encrypted data now with plans to decrypt it later as technology evolves. The longer enterprises take to fortify their defenses, the greater their risk of exposing critical information.

Key Operational Barriers to Migration

The transition to PQC will inevitably take time, and Callan emphasizes that organizations need to actively mobilize themselves around this migration. This process should involve setting priorities, outlining a roadmap, and budgeting adequately. Failure to prepare can leave businesses vulnerable, particularly those that have yet to establish a Cryptographic Bill of Materials (CBOM) or develop a thorough migration plan.

Effective Strategies for Transitioning to PQC

To shift from merely allocating budget to implementing a grounded plan for post-quantum cryptography, organizations must first grasp the full scope of their needs. Establishing a CBOM is crucial; this document serves as an exhaustive record of the cryptographic and digital identity assets currently in use.

Alongside the CBOM, companies should evaluate which software and hardware will need updates to support PQC. It’s essential to determine timelines for these updates and devise solutions for software that may not receive necessary updates. From this foundation, organizations can create an actionable plan to transition to PQC systematically.

Regulatory Considerations and Risks

From a compliance standpoint, the greatest risk associated with the quantum transition lies in the lack of oversight of cryptographic assets. Often, these assets go unnoticed by central management due to their fundamental role in digital operations. As a result, monitoring the use of cryptographic assets poses a challenge, making compliance with PQC directives difficult. To mitigate this risk, businesses should prioritize the discovery and tracking of all certificates within their environments.
