Security standards for cloud providers are constantly increasing due to new and advanced techniques being introduced by hackers and other nefarious entities on the internet. One of the ways that cloud providers ensure that your data is safe when you communicate with them over the internet is by using encryption so that no one can spy, or “eavesdrop,” on those communications. A popular method of encryption employed by these cloud providers is called Transport Layer Security, or TLS.
TLS began with its first version, TLS 1.0, in 1999, and that version is still in use today by many cloud and internet providers, although this is about to change. Unfortunately, as this protocol aged, weaknesses were discovered in it, and so TLS 1.1 (2006), TLS 1.2 (2008), and TLS 1.3 (2013) were developed to respond to issues like Heartbleed, POODLE, and other major vulnerabilities in the protocol that have surfaced in recent years.
TLS 1.0 is considered a deprecated standard, and as of July 2018, TLS 1.0 will no longer be allowed for PCI-compliant merchants. This means that almost all cloud providers are removing, or have already removed, TLS 1.0 support from their applications and networks. What does this mean for your business? If you are using on-premises applications or third-party applications to interface with these cloud providers, you must update to the latest version of the software, since the newer versions of the software use TLS 1.1 or greater.
A few real-world examples would be a small business owner using QuickBooks, or a business with custom API integrations to Salesforce, Box.com, or other cloud services. In July, when the QuickBooks cloud stops supporting TLS 1.0, the QuickBooks application installed on the owner’s computer will stop working, because it will still be trying to use TLS 1.0 to communicate with the QuickBooks cloud, which QuickBooks will not allow. The owner must first update the QuickBooks install to the latest version, which uses the newer TLS standard, to allow the program to function.
Regarding the second example of a custom API, the enterprise must ensure with the third-party vendor, or with its internal application development team, that the code being used to connect to Salesforce, Box.com, and any other cloud services is updated to use TLS 1.1 or greater. If the code is not updated, the API connections will break, causing loss of service to line-of-business applications that depend on that service.
With all of these changes nearing, it’s necessary to assess any cloud applications you may be using and determine if they will be affected by the upcoming move away from TLS 1.0. For those in business operations, it’s important to contact your IT department or your IT provider and make sure that this is on their radar. For those in IT, it’s important to have a firm plan for upgrading the necessary systems, and to make sure that the other business units are aware of and have planned for the changes and upgrades that will be coming to their line-of-business applications.