Leading up to the Asia-Pacific Community Meeting in Bangkok, Thailand, speaker Swati Sharma, QSA, CISSP, CISM discusses the SSL/TLS migration and the new Associate QSA program.
What is the security risk in continuing to use SSL and early TLS?
Swati Sharma: SSL and early TLS are protocols that encrypt the channel transmitting confidential information between two points, e.g. server to server or browser to server. SSL and early TLS have vulnerabilities for which fixes are not available; hence these protocols can be decrypted in an unauthorized way and are not secure to use. In simple words, SSL and early TLS can be compromised, which can lead to interception of cardholder data and authentication data during transmission.
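The migration question above is, in practice, a question of which protocol versions a merchant's servers still accept. As an added example (not part of the interview or of any PCI SSC material), the script below reads the TLS protocol directive of an nginx (`ssl_protocols`) or Apache (`SSLProtocol`) configuration, computes the versions it actually enables, flags SSL and early TLS, and proposes a directive that allows only TLS 1.2 and later; the sample directives are constructed, and the expansion of Apache's `all` keyword is an assumption stated in the code.

```python
# Protocol names from oldest to newest; everything before TLSv1.2 counts as SSL / early TLS.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
EARLY_TLS = set(KNOWN[:4])

def effective_protocols(directive: str) -> set:
    """Return the protocol versions a directive enables.

    Handles nginx ('ssl_protocols A B;') and Apache ('SSLProtocol all -SSLv3 +TLSv1.2').
    Assumption: Apache's 'all' expands to SSLv3 plus every TLS version (no SSLv2).
    """
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0].lower() not in ("ssl_protocols", "sslprotocol"):
        raise ValueError(f"not a TLS protocol directive: {directive!r}")
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(KNOWN) - {"SSLv2"} if name.lower() == "all" else {name}
        if not names <= set(KNOWN):
            raise ValueError(f"unknown protocol token: {tok!r}")
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit(directive: str) -> dict:
    """Report which SSL / early TLS versions are enabled and suggest a directive without them."""
    enabled = effective_protocols(directive)
    weak = sorted(enabled & EARLY_TLS, key=KNOWN.index)
    strong = sorted(enabled - EARLY_TLS, key=KNOWN.index) or ["TLSv1.2", "TLSv1.3"]
    if directive.strip().lower().startswith("ssl_protocols"):
        fixed = "ssl_protocols " + " ".join(strong) + ";"          # nginx form
    else:
        fixed = "SSLProtocol -all " + " ".join("+" + p for p in strong)  # Apache form
    return {"weak": weak, "compliant": not weak, "recommended": fixed}

# Constructed sample directives, as they might appear in a merchant's web-server config.
SAMPLES = [
    "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",   # nginx still allowing SSL and early TLS
    "SSLProtocol all -SSLv3",                       # Apache: SSLv3 off, but TLSv1/TLSv1.1 remain
    "SSLProtocol -all +TLSv1.2 +TLSv1.3",           # Apache, already migrated
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit(line))
```

The second sample shows the common half-finished migration: disabling SSLv3 alone leaves TLS 1.0 and 1.1 enabled, which the audit still reports as non-compliant.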
What are some of the challenges for merchants migrating away from SSL and early TLS and what can they do to address these challenges?
Swati Sharma: Some of the major challenges for merchants migrating away from SSL and early TLS are getting senior management support for costs, resource allocation and changes; the impact on end customers using old browsers and the resulting loss of revenue; business partners and service providers not supporting a secure version of TLS; and underlying technology not supporting a secure version of TLS.
Merchants can overcome these challenges through proper planning; securing an appropriate level of management commitment by adequately communicating risk to get the required support and budget allocation; taking help from contract and legal teams to get the required support from third parties; and getting help from technology experts to work on the available options.
Why should organizations shift their mindset from believing that security is just an IT issue to realizing that security is a business priority?
Swati Sharma: Security is no longer an IT issue; it is one of the top concerns in the boardroom. Recent breaches have proven the impact of security breaches on revenue, business and brand value. Most organizations are working on aligning their information security strategy with their business requirements to achieve the best outcome.
Information is one of the most critical assets for businesses. To protect it we need to implement controls using people, process and technology. IT itself cannot be the only solution, but it can be an enabler for the security solution.
As a QSA, what are your thoughts on the Council’s recent initiative to expand the program in order to attract new cyber talent globally?
Swati Sharma: The new Associate QSA Program is a wonderful initiative which will not only help organizations to fill their resource requirements gap, but will also help many information security professionals to accomplish their goal of making a career in the PCI industry as a QSA. PCI SSC has ensured that the right steps are in place to achieve the required level of expertise and qualification to become a QSA, so that the credibility of the QSA credential remains intact. For beginners this program can be a stepping stone to an excellent career.
What is the one key takeaway you hope attendees will come away with after your discussion?
Swati Sharma: How to plan for SSL and early TLS migration and, most importantly, how to tackle what you have not planned for.
Hear more insights from the APAC region at the next community meeting: