Where Compliance and Security Hygiene Meet: Exploring The PCI TLS Encryption Update

Posted on 02.23.17 by Alexander Quilter

If you’re looking at compliance as the endgame of your overall security hygiene practices, you’ll be missing out on crucial updates. The looming PCI TLS encryption upgrade offers us a prime case in point.

Compliance and security hygiene go hand in hand. Conventional wisdom posits that the more compliant you are, the better your security hygiene program will be. This is the case whether your organization uses PCI DSS, the NIST Cybersecurity Framework, the CIS Critical Security Controls, or any industry-specific regulation based on the type of sensitive data you store and share.

While good security hygiene will help you meet your compliance obligations, the opposite isn’t necessarily true. Compliance requirements are often the barest minimum levels of protection for your data. If you’re looking at compliance as the endgame of your overall security hygiene practices, you’ll be missing out on crucial updates.

Let’s look to the payment card industry (PCI) for an example. SSL/TLS has long been used as an encryption protocol within PCI. In April 2015, the PCI Security Standards Council (SSC) announced that SSL would no longer be accepted as a security control, and that organizations would be required to upgrade their TLS implementation from v. 1.0 to v. 1.1. This move was designed to close a compliance loophole that allowed older encryption protocols to remain in use. Some of these SSL/TLS versions were more than 15 years old and had known vulnerabilities.

Essentially, this was an upgrade of a single security protocol, from TLS v. 1.0 to v. 1.1. The newest protocol, TLS v. 1.2, which was defined in April 2014, was recommended but not required by the PCI SSC.

Organizations were initially given a deadline of June 30, 2016, to comply with the upgrade requirements. But as the deadline approached, organizations began to understand how difficult it would be to take this simple step in security hygiene. Some time later, with the release of PCI DSS v3.2, the deadline for these changes was shifted to June 30, 2018.

How Compliance Requirements Fall Short

The TLS example is a particularly good illustration of how compliance requirements can fall short. While the PCI SSC update requirement was meant to address security loopholes, it also meant that organizations would be woefully out of date even after upgrading. TLS v. 1.1 was already nine years old in April 2015, when the PCI SSC first told organizations they needed to upgrade to it. The protocol will almost be a teenager by 2018, when the new compliance deadline takes effect. Although the slightly newer TLS v. 1.2 had been defined in August 2008, organizations will be considered PCI compliant without implementing it.

This is an extremely long window for protecting data as sensitive as credit card numbers and other personally identifiable information (PII), especially when we consider how frequently we update our mobile phones or even our automobiles. The intent of PCI and other compliance standards is to improve the security posture of organizations by measuring them on a regular schedule. But as the PCI example shows, if you wait for an industry body to demand that you implement upgrades, you’ll find your security environment is dangerously out of date.

A rigorous security hygiene program would have had organizations implement these encryption updates back in 2008. That way, PCI-participating organizations would have been compliant with the updated standard long before it became required.

For anyone leveraging the Tanium platform, managing this update would involve a sensor that detects TLS versions and runs against your entire infrastructure in seconds. From the list of detected systems, Tanium can then deploy configuration content to those endpoints to bring them up to the latest version, again in seconds.
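As an added illustration of the detect-then-remediate loop described above (example code written for this page, not Tanium's sensor or any PCI SSC tooling), the Python script below parses nginx `ssl_protocols` and Apache `SSLProtocol` directives from a constructed endpoint inventory, grades each endpoint against the TLS 1.1 floor and the TLS 1.2 recommendation, and emits a corrected directive for anything that fails or only meets the minimum. The hostnames and directives are made up, and the protocol set that Apache's `all` keyword expands to is an assumption (a 2.4 build on OpenSSL 1.0.1 or later).

```python
"""Audit web-server TLS protocol settings against the PCI SSC floor.

Added example, not Tanium content and not tooling from the PCI SSC. It parses
nginx ``ssl_protocols`` and Apache ``SSLProtocol`` directives from a constructed
endpoint inventory, flags anything that still negotiates SSL or TLS 1.0, and
proposes a corrected directive. Assumption: Apache's ``all`` keyword expands to
SSLv3/TLSv1/TLSv1.1/TLSv1.2, as on a 2.4 build against OpenSSL 1.0.1+.
"""

# Protocol names in ascending order; the index doubles as a strength rank.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
RANK = {p: i for i, p in enumerate(PROTOCOLS)}
CANON = {p.lower(): p for p in PROTOCOLS}          # case-insensitive lookup

PCI_MINIMUM = "TLSv1.1"      # required floor in the update discussed above
RECOMMENDED = "TLSv1.2"      # recommended, not required, by the PCI SSC
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}   # assumption, see above


def _canon(name, directive):
    """Map a protocol token to its canonical spelling, rejecting typos loudly."""
    try:
        return CANON[name.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol {name!r} in {directive!r}") from None


def parse_nginx(directive):
    """'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' -> set of enabled protocols."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError(f"not an ssl_protocols directive: {directive!r}")
    return {_canon(t, directive) for t in tokens[1:]}


def parse_apache(directive):
    """'SSLProtocol all -SSLv3 -TLSv1' -> set of enabled protocols.

    Tokens apply left to right: a bare name or '+name' enables, '-name'
    disables, and 'all' stands for the whole APACHE_ALL set.
    """
    tokens = directive.strip().split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("+", tok)
        names = set(APACHE_ALL) if name.lower() == "all" else {_canon(name, directive)}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def assess(enabled):
    """Grade an enabled-protocol set: 'fail', 'pass-minimum' or 'pass'."""
    legacy = sorted((p for p in enabled if RANK[p] < RANK[PCI_MINIMUM]), key=RANK.get)
    modern = sorted((p for p in enabled if RANK[p] >= RANK[PCI_MINIMUM]), key=RANK.get)
    if legacy or not modern:
        status = "fail"              # SSL/TLS 1.0 still negotiable, or nothing usable at all
    elif RANK[modern[-1]] >= RANK[RECOMMENDED]:
        status = "pass"
    else:
        status = "pass-minimum"      # TLS 1.1 only: compliant, yet already out of date
    return {"status": status, "legacy": legacy, "strongest": modern[-1] if modern else None}


def remediate(server, enabled):
    """Directive keeping only protocols at or above RECOMMENDED (TLSv1.2 if none are on)."""
    keep = sorted((p for p in enabled if RANK[p] >= RANK[RECOMMENDED]), key=RANK.get)
    keep = keep or [RECOMMENDED]
    if server == "nginx":
        return "ssl_protocols " + " ".join(keep) + ";"
    return "SSLProtocol -all " + " ".join("+" + p for p in keep)


# Constructed inventory: (host, server type, directive as found in its config).
INVENTORY = [
    ("pos-gateway.example",   "nginx",  "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"),
    ("payments.example",      "apache", "SSLProtocol all -SSLv3 -TLSv1"),
    ("legacy-portal.example", "apache", "SSLProtocol all"),
    ("store-admin.example",   "nginx",  "ssl_protocols TLSv1.1;"),
    ("api.example",           "nginx",  "ssl_protocols TLSv1.2;"),
    ("kiosk.example",         "apache", "SSLProtocol -all +TLSv1.2"),
]
PARSERS = {"nginx": parse_nginx, "apache": parse_apache}


def scan(inventory=INVENTORY):
    """Parse, grade and (where needed) propose a fix for every inventory entry."""
    findings = []
    for host, server, directive in inventory:
        enabled = PARSERS[server](directive)
        result = assess(enabled)
        result["host"] = host
        result["fix"] = None if result["status"] == "pass" else remediate(server, enabled)
        findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f['host']:<24} {f['status']:<13} legacy={f['legacy']} fix={f['fix']}")
```

In practice the inventory would be populated from directives collected off the endpoints themselves; Windows hosts configure protocols through SChannel registry settings rather than a text directive and would need their own collector. The `pass-minimum` grade is the point of the post: an endpoint that allows only TLS 1.1 satisfies the letter of the update yet is already behind what the PCI SSC recommends.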

It’s key to think of security hygiene as a journey, not a destination. You will learn along the way and adjust course accordingly. With compliance standards and regulations changing annually, Tanium makes organizations much more adaptable to regulatory change in a way that wasn’t possible with the tools of 2008. Because Tanium is an open and extensible platform, new content — such as the PCI TLS sensor and remediation mentioned above — can make it easy to adjust your security posture in response to legal or regulatory changes.

To learn more about how Tanium can help with your compliance needs, download our PCI Checklist.
