Changes are on the Horizon for Your Encryption Protocols: Are You Ready?
It seems like information technology professionals are working to prevent data breaches from every angle. One important angle that every business leader should consider, particularly those working in e-commerce and other online industries, is that of encryption protocols. Maintaining optimal database security is one of your most important duties to your customers and stakeholders.
As a diligent IT leader, you probably already have some sort of encryption. However, you may not know quite what to make of the upcoming changes and how to implement them. Or maybe you have just launched your online enterprise and are looking for guidance. Either way, you need to get ready as quickly as possible to keep your networks safe from cybercriminals hunting for nefarious entry into your system.
As of June 30, 2018, it is time to say goodbye to SSL/early TLS to reduce the risk of data breaches. Do you know about the changes? If so, have you started the migration process? If you’ve answered “no” to either or both of those questions, keep reading so you can get up to speed right away.
A Quick Review of the SSL/early TLS
Since as early as April 2015, SSL/early TLS encryption protocols were deemed as no longer secure, according to Jones Day. At that time, the Payment Card Industry Data Security Standard (PCI DSS) offered important guidance about the vulnerabilities within the Secure Sockets Layer (SSL) protocol, as well as problems with early versions of the Transport Layer Security (TLS) protocol.
The PCI Security Standards Council (SSC) originally ordered the removal of SSL and early TLS versions from cardholder data environments as of June 30, 2016, which was later extended to June 30, 2018. The organization went on to order an entirely new set of implementations of SSL and early TLS.
A cryptographic protocol, TLS establishes a secure communications channel connection between two different systems or computing environments. It works by authenticating one or both communicating systems, protecting the integrity and confidentiality of the data that passes between the two.
Going back further, early TLS was developed as SSL by Netscape in the early 1990s. The Internet Engineering Task Force (IETF) has standardized TLS, which has gone through many revisions to reflect the ever-changing nature of cyberspace, to improve security and block known attacks. TLS also provides support for any newly developed cryptographic algorithms.
The Risks of SSL/early TLS Now Far Outweigh the Rewards
Over the years, professionals have uncovered several serious vulnerabilities in both SSL and early TLS. If these issues are left standing without change, it puts businesses at risk of suffering a data breach, or possibly multiple data breaches.
The POODLE attack and the BEAST exploit were prime examples that uncovered just how out-of-date SSL and TLS had become as early as 2014. These widespread exploits allowed hackers to take advantage of weaknesses in early TLS and SSL, giving them the opportunity to compromise organizations and their data.
In April 2014, the National Institute of Standards and Technology (NIST) announced that there were no patches or fixes that could address the problems with SSL and early TLS and that they were no longer effective. Thus, the plan began to develop new encryption tools as soon as possible, in addition to working to disable any means of reverting to SSL and early TLS.
The New Encryption Tools Were Inspired by PCI DSS v3.2
The newly implemented PCI DSS v3.2—particularly requirement 2.2.3—provides a good representation of the new encryption requirements. The PCI SSC urged that it was important that future encryption tools have formal Risk Mitigation and a Mitigation Plan in place.
What Will Happen on June 30, 2018?
Come June 30, 2018, everyone must disable SSL/early TLS encryption tools to adopt and implement and new and more secure encryption protocol. The PCI Security Standards Council (PCI SSC) recommends that online merchants and other e-commerce website enterprises update TLS 1.1 or higher. The PCI SSC strongly suggests that businesses implement TLS v1.2 for peak protection.
What Is the Best Way to Migrate from SSL/early TLS?
One way that you might consider taking on your migration from SSL or early TLS to the prescribed new encryption protocol is to immediately remove or discontinue all instances and iterations of SSL and TLS 1.0 if your business operations allow such a pause. During that time, do not use any new technologies before configuring your systems to use TLS v1.1 or v1.2 while fully disabling fallback options to SSL and early TLS.
Next, you will need to patch TLS software in opposition to implementation vulnerabilities, such as Heartbleed in OpenSSL, which is extremely dangerous and may pose serious risks to your system. Ensure that your TLS software is consistently updated and that you ensure it has all the necessary patches to fight these vulnerabilities. Additionally, search for workable counter measures for any other possible attacks.
Finally, configure TLS securely in your system. Ensure that TLS cipher suites are supported with your new protocols since older and out-of-date cipher suites may allow attacks on data while in transit. You may also want to go ahead and disable any cipher suites that are simply no longer beneficial for interoperability, particularly if you suspect it is a cipher suite that might have played a role in a recent vulnerability.
With these steps, you should be up, running and ready to enjoy the extra layers of protection that updated TLS versions provide.
Alert Your Website Visitors of Your Update and How It May Affect Them
Make sure to prepare your website visitors for initial issues that may occur due to the upgrade. Users relying on old browsers—or old versions of browsers—or operating systems may receive an error message once July 1, 2018 comes along and you’ve fully implemented your new encryption tools. Provide a message letting your guests know that they may need to update their browser, in accordance with TLS v1.1 and above, which they may need to do for many websites since all online commerce enterprises must perform this update.
What Happens If You Do Not Migrate to the Necessary TLS Encryption Tool?
Besides leaving your customer’s data at risk if you do not migrate to the new TLS encryption tool version, you leave yourself open to a greater risk of processing interruptions. If you somehow suffer a data breach during the time you have not migrated to the TLS v1.1 or greater, after June 30, 2018, it will be far more difficult to determine where processing capabilities failed and how much of the onus falls on your company.
Reach Out for Professional Help to Ensure Proper Migration from SSL/early TLS to the Right Version for Your Business
At I.S. Partners, LLC., we understand how overwhelming it is when there are several enforcement deadlines hitting your business in a short time frame. Even just one new significant update and migration like this one can greatly impact your team and their daily work schedule. We can help you sort it out and determine the best encryption tool for your business and how to perform the proper migration steps in plenty of time.