I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Suppliers and encryption

Tuesday, August 29, 2017 - 10:52
Encryption is a powerful security tool, but one that is very easy to misuse and implement poorly. Recent years have seen several vulnerabilities and events that we have had to respond to: Heartbleed, BEAST, POODLE, the retirement of SHA-1 certificates, and PCI DSS mandating TLS 1.1.
We have spent a lot of time and effort ensuring that our own systems are well managed, and it is important that our suppliers are able to keep pace with changes in how we want to use encryption. This has led us to start including requirements for encryption within procurements.
I don’t think that details of ciphers, protocols and algorithms are particularly useful in discussions with suppliers. What was best practice when the supplier was chosen can unexpectedly become tomorrow’s vulnerability, and it’s unlikely that the supplier’s sales staff or account manager can have this level of technical conversation (I know I can’t!).
In place of specifying ciphers we have been referencing other organisations tasked with keeping pace with developments in encryption – in our case SSL Labs (other references exist, see the Mozilla SSL Configuration Generator and BetterCrypto’s Applied Crypto Hardening guide).
Where relevant we have required suppliers to:
  • Confirm that all HTTPS interfaces can achieve a grade of B or higher when tested by SSL Labs.
  • Provide Jisc with URLs for the service against which we can confirm the grades given by SSL Labs.
  • Commit to maintaining the level of security provided by any encryption controls throughout the lifetime of the service.
  • Commit to maintaining and improving other encrypted connections such as those provided by SSH and STARTTLS.
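The first two requirements are only useful if someone actually re-checks the grades over the life of the contract. The following is an added example (not code from the original post, nor from Jisc or SSL Labs) that reads an SSL Labs Analyze API report and flags every endpoint below the required grade; the API URL and response field names are those documented by SSL Labs, the sample report and helper names are constructed for the example, and the grade threshold defaults to the "B or higher" requirement above.

```python
import json
import urllib.request
from urllib.parse import urlencode

# SSL Labs grades, best first. "T" (trust problems) and "M" (certificate name
# mismatch) are failing grades, so they rank below F against any minimum.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]
ANALYZE_URL = "https://api.ssllabs.com/api/v3/analyze"


def grade_meets(grade, minimum="B"):
    """True if grade is at least as good as minimum (lower index is better)."""
    if grade not in GRADE_ORDER:
        return False  # unknown or absent grade never satisfies the requirement
    return GRADE_ORDER.index(grade) <= GRADE_ORDER.index(minimum)


def failing_endpoints(report, minimum="B"):
    """[(ip, reason)] for every endpoint in an Analyze report below minimum.
    A host usually has several endpoints (one per IP); the requirement is only
    met when all of them pass, so the worst endpoint decides."""
    if report.get("status") != "READY":
        raise ValueError("assessment not finished: status=%s" % report.get("status"))
    failures = []
    for ep in report.get("endpoints", []):
        grade = ep.get("grade")  # absent when the endpoint could not be assessed
        if not grade_meets(grade, minimum):
            failures.append((ep.get("ipAddress"), grade or ep.get("statusMessage")))
    return failures


def fetch_report(host, use_cache=True):
    """Fetch the Analyze report for host from the SSL Labs API (network call,
    not exercised offline); fromCache=on reuses a recent assessment."""
    params = {"host": host, "fromCache": "on" if use_cache else "off", "all": "done"}
    with urllib.request.urlopen("%s?%s" % (ANALYZE_URL, urlencode(params))) as resp:
        return json.load(resp)


# Constructed sample report: shape follows the Analyze API, values are made up.
SAMPLE_REPORT = {
    "host": "portal.example-supplier.test",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A", "statusMessage": "Ready"},
        {"ipAddress": "192.0.2.11", "grade": "C", "statusMessage": "Ready"},
        {"ipAddress": "192.0.2.12", "statusMessage": "Unable to connect to the server"},
    ],
}

if __name__ == "__main__":
    for ip, why in failing_endpoints(SAMPLE_REPORT, "B"):
        print("below B:", ip, why)
```

For a real check, replace SAMPLE_REPORT with fetch_report(hostname) for each URL the supplier provided, and poll again while the status is not READY.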