New SANS 20 Requirements for SSL/TLS Security and Management

Upload: venafi

Post on 16-Jan-2017


TRANSCRIPT

New SANS 20 Requirements for SSL/TLS Security and Management

SSL/TLS is the foundation of online trust, and it is now threatened. SSL/TLS certificates are used for authentication and authorization.

Applications, appliances, devices, cloud services

Over 23,000 SSL/TLS keys and certificates per enterprise, up 34% since 2013

But cybercriminals are using rogue or fraudulent SSL/TLS keys and certificates to...

Examples: Heartbleed, POODLE, FREAK

Snoop on encrypted communications

Bypass security controls, like IDS/IPS, DLP, and NGFW

Impersonate legitimate websites

Certificates sold for $1000 each on the black market

NIST has declared that SSL is no longer acceptable to protect data

New PCI DSS v3.1 requires TLS 1.1 or higher

SANS 20 adds key and certificate requirements to CSC 17: Data Protection

Organizations need to secure SSL/TLS to regain online trust. The greatest threat is the lack of adherence to security standards.

An actionable approach is needed to meet new SANS 20 SSL/TLS key and certificate requirements

CSC 17-2: Verify configured to use publicly vetted algorithms

CSC 17-3: Identify sensitive information that requires encryption

CSC 17-10: Only allow approved certificate authorities (CAs)

CSC 17-11: Perform an annual review of algorithms and key lengths

CSC 17-14: Define roles, responsibilities, and process lifecycle for key management


Read the new SANS whitepaper

Contact Venafi to help customize the actionable approach for your organization.

Venafi.com/CSC17

Implement SSL/TLS Security for Your Organization

Venafi.com/Contact

*Filkins, Barbara. "New Critical Security Controls Guidelines for SSL/TLS Management." SANS, June 2015.