There are many considerations in keeping data safe, and the more layers of security a business uses, the lower the risk of a breach. Many of those layers are inexpensive: a company can spend a few cents a day to protect its own data as well as customers' payment details and personal information.
An essential component of corporate cyber security is never to send data over what are known as clear (unencrypted) channels. This applies to everything from individual files and records to the authentication exchange used to set up the secure connection itself.
The easiest way to provide such a channel is TLS, with the server identified by an SSL/TLS certificate. Once the handshake completes, all data, including authentication data such as passwords, is encrypted in transit across any network, even an unknown and therefore untrusted one. Note that the certificate itself does not encrypt anything; it proves which server the client is talking to, and that proof is what makes the encrypted channel meaningful.
A Brief Overview
SSL, which stands for Secure Sockets Layer, is not a new technology. It dates from 1994, although it has continued to evolve and to grow more complex to cover the full range of encryption and authentication now required to maintain a secure connection.
The technology is still commonly called SSL, but the protocol actually in use today is TLS (Transport Layer Security), an IETF standard that is implemented the same way everywhere, and the rules Certificate Authorities follow when issuing certificates are likewise standardized (the CA/Browser Forum Baseline Requirements). The old versions are not interchangeable with the new: SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 have all been formally deprecated, so a server should offer TLS 1.2 and TLS 1.3 only.
When a business wishes to encrypt the connection between a device or browser and a server, the first step is obtaining an SSL/TLS certificate. There are two ways to get one: generate a self-signed certificate, or have a Certificate Authority issue one.
A self-signed certificate offers limited protection, as becomes apparent below: nothing vouches for it but itself, so a client has no way to tell the genuine server from an impostor presenting its own self-signed certificate. The value of a CA-issued certificate is that an independent third party (the Certificate Authority) has verified the identity of the business, to a defined level of scrutiny, before signing it.
A CA-issued certificate carries a signature chain that leads back to one of the root certificates embedded in the browser or operating system trust store; because that root is recognized as trusted, the client can accept the server's certificate. This is what allows a secure channel to be created through what is known as the SSL (TLS) handshake.
In the handshake the client verifies that the server is who it claims to be (and, optionally, the server verifies the client). It is completed through the exchange of the certificate and the use of a key pair: the public key carried in the certificate and the private key held only by the server. Together they authenticate the server and let the two sides agree on the keys that will encrypt the session.
The key pair is not simply two random strings: the private key is generated from random input and the public key is derived from it mathematically, so a signature made with the private key can be verified with the public key, and only the holder of the private key can produce such a signature. Publicly trusted certificates must use RSA keys of at least 2048 bits (or an equivalent elliptic-curve key such as P-256), and the data transmitted is protected with a symmetric cipher such as AES using 128- or 256-bit keys. These are the industry standards, and because the authentication steps themselves run inside the authenticated, encrypted channel, they defeat man-in-the-middle attacks and eavesdropping on the passwords and logins used to set up the session. The caveat is that this holds only if the client actually validates the certificate it receives; a client configured to skip validation is as exposed as one using no certificate at all.
Once the handshake completes, the session is encrypted with keys that exist only for that connection, so an intercepted stream is unreadable without them. The server's private key never leaves the server and is used only to authenticate the handshake. With the key exchange used by modern TLS (ephemeral Diffie-Hellman, mandatory in TLS 1.3), the private key cannot decrypt recorded traffic either, so even a later compromise of that key does not expose past sessions; this property is called forward secrecy. The older RSA key exchange lacked it, which is one reason it was dropped from TLS 1.3.
Certificates are issued at different levels of validation. The lowest is domain validation (DV), used when little sensitive information passes through the channel; blogging sites typically use it. The Certificate Authority verifies only that the applicant controls the domain named in the certificate. Whatever the level, the encryption is identical; the levels differ only in how much the CA has verified about who is behind the site.
Organization validation (OV) is more stringent: the domain is verified as for DV, and details about the business are also checked by the Certificate Authority and recorded in the certificate. This level is most commonly used by smaller ecommerce sites and by businesses exchanging sensitive documents and files online.
The extended validation (EV) certificate is the most intensively verified. The EV level requires the Certificate Authority to perform all the domain and organization checks and to fully vet the legal entity applying for the certificate. Every level produces the standard padlock in the address bar; at the time this was written, the EV level additionally turned the address bar green and displayed the verified business name alongside the issuing CA. The major browsers removed that special EV indicator in 2019, so today the extra vetting is visible only when the user inspects the certificate details.
General Authentication and Cyber Security
While most people think of SSL/TLS certificates as a way to secure web browsing and online purchases, the same protocol is equally important for other kinds of information sharing. TLS is general purpose: it can also authenticate the client (such as an endpoint device) with a certificate of its own, an arrangement known as mutual TLS, and it ensures that all data is encrypted, including the credentials exchanged to set up the secure connection.
It also allows remote access to devices across the secure channel. Authentication is essential for an enterprise's IT security services to reach endpoints or the network itself without transmitting any data over clear channels that are not fully encrypted, and it lets remote users reach data inside the system through the same secure channels. Any company that relies on telecommuting needs to ensure that such access is fully encrypted and authenticated at both ends.
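As an added example (not code from the original article or from Comodo), the Go program below makes the handshake and trust-store behaviour described above concrete, and also covers the client-certificate case from this section. It builds a throwaway private CA in memory, issues a server certificate and a client certificate from it, and runs the TLS handshake under five trust configurations: a CA-signed server seen by a client that trusts the CA, the same server seen by a client with an empty trust store, a self-signed server, and mutual TLS with and without a client certificate. All names ("Example Test CA", "localhost", "endpoint-01") are constructed for the example; the server listens only on loopback, and the code needs Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a key pair and a certificate for cn. With issuer == nil it is self-signed;
// otherwise the issuer's private key signs it, which is what a CA does for a subscriber.
func newCert(cn string, isCA bool, issuer *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: bind the DNS name the client will check, and the permitted uses
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	parent, signer := tmpl, any(key) // self-signed: the subject vouches for itself
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// try starts a TLS server with srvCfg on loopback, connects with cliCfg, prints the
// outcome (negotiated version and cipher suite, or the rejection) and reports success.
func try(name string, srvCfg, cliCfg *tls.Config) bool {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	go func() { // server side: complete the handshake, then send "ok"
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			c.Write([]byte("ok"))
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2)) // a server-side rejection surfaces here
	}
	if err != nil {
		fmt.Printf("%-48s rejected: %v\n", name, err)
		return false
	}
	st := conn.ConnectionState()
	fmt.Printf("%-48s accepted: %s %s\n", name, tls.VersionName(st.Version), tls.CipherSuiteName(st.CipherSuite))
	return true
}

// RunScenarios builds a private CA, issues server and client certificates from it, and
// runs the handshake under each trust configuration; the map records which were accepted.
func RunScenarios() map[string]bool {
	ca := newCert("Example Test CA", true, nil)
	server, client := newCert("localhost", false, &ca), newCert("endpoint-01", false, &ca)
	trusted := x509.NewCertPool() // stands in for the root store embedded in a browser or OS
	trusted.AddCert(ca.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{server}}
	selfSigned := &tls.Config{Certificates: []tls.Certificate{newCert("localhost", false, nil)}}
	mutual := &tls.Config{Certificates: srv.Certificates, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	cli := &tls.Config{ServerName: "localhost", RootCAs: trusted}
	cliWithCert := &tls.Config{ServerName: "localhost", RootCAs: trusted, Certificates: []tls.Certificate{client}}
	out := map[string]bool{}
	for _, s := range []struct{ name string; srv, cli *tls.Config }{
		{"CA-signed server, root in client trust store", srv, cli},
		{"CA-signed server, empty client trust store", srv, &tls.Config{ServerName: "localhost", RootCAs: x509.NewCertPool()}},
		{"self-signed server, root in client trust store", selfSigned, cli},
		{"mutual TLS, client sends no certificate", mutual, cli},
		{"mutual TLS, client sends CA-issued certificate", mutual, cliWithCert},
	} {
		out[s.name] = try(s.name, s.srv, s.cli)
	}
	return out
}

func main() { RunScenarios() }
```

Run with `go run .` and the first and last scenarios are accepted while the other three are rejected; with a current Go toolchain both sides negotiate TLS 1.3 and an ECDHE suite, so the session keys are ephemeral as described above. The two rejections on the client side report "certificate signed by unknown authority": the certificate is identical in the empty-trust-store case, and the only thing that changed is whether the root it chains to is present, which is exactly what separates a CA-issued certificate from a self-signed one. The mutual TLS rejection comes from the server instead, so it only shows up when the client tries to read; a client that never checks would not notice that the server refused it.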
Ashraf is a Technical Blog Writer from Comodo. He writes about information security, focusing on web security, operating system security and endpoint protection systems.