Encryption Everywhere: Why Everyone Should Care About Website Security
If you run a website, the worst nightmare you can face on the Internet is the theft of customer data from your site, and the damage to your company’s reputation when a large-scale data breach takes place.
In the last year alone, major global corporations like Adobe (152 million customer accounts compromised), eBay (145 million customer accounts compromised), JP Morgan Chase (76 million customer accounts compromised), Target Stores (70 million customer accounts compromised), and Home Depot (56 million customer accounts compromised) have all faced crushing scrutiny, the loss of millions of current and future customers, and billions of dollars in remediation and restitution costs, all due to lax website security (Source).
For many years the use of encryption on the Internet primarily revolved around e-commerce or financial services sites. Companies that collected financial and other personally identifiable information (“PII”) would protect their customers’ data “over the wire” during web transactions (primarily through the use of HTTPS/TLS encryption) and would encrypt “data at rest”, the data files and databases that store PII on the website’s servers.
But times have changed. Put simply, encryption is no longer an option; it is a duty you owe to the users of your website, regardless of what service your website provides. And as a website manager, you need to insist that your website is secure, each time and every time.
Fortunately, there are two primary and relatively simple steps that every organization should take to protect the users of its websites.
1. Use HTTPS/TLS certificate encryption
All websites should use HTTPS/TLS certificate encryption, and enforce its use, to protect their users’ data “over the Internet.” You may notice that many of the larger websites (Google.com, Gmail.com, Outlook.com, as well as our own Percussion.com) now enforce the use of encryption whether or not the user asks for it. Open any of these sites over HTTP, and you’ll immediately be redirected to encrypted HTTPS. Google is now even giving preferential ranking to companies that automatically move all customer connections over to HTTPS.
Setting up this “HTTPS Always” takes some time, and does involve some expense for the purchase and setup of a security certificate, but in general it’s less than a day of work for most websites, and a 1-year security certificate can be purchased for as little as $100 these days.
This change is so important that the Electronic Frontier Foundation, one of the leading voices in the world for privacy on the Internet, along with Cisco and a number of other leading vendors, announced Let’s Encrypt, a new initiative starting in spring 2015 that aims to make basic HTTPS/TLS certificates free for everyone, and to simplify the process down to a matter of minutes.
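What “HTTPS Always” looks like in code, as an added example that is not part of the original post or of Percussion’s own setup: a plain-HTTP listener whose only job is to send a permanent redirect to the same host and path over HTTPS, and an HTTPS handler that adds a Strict-Transport-Security (HSTS) header so the browser itself refuses plain HTTP on later visits. The certificate file names, the HSTS max-age of one year, and the listening ports are assumptions for this example; the redirect and header logic are the standard mechanism.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// hstsValue tells browsers to use HTTPS for this host and its subdomains for
// one year. Assumed policy value: start with a short max-age during rollout.
const hstsValue = "max-age=31536000; includeSubDomains"

// redirectToHTTPS answers every plain-HTTP request with a 301 to the same
// host and path on HTTPS. Nothing else is ever served over port 80.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	// Drop an explicit port (e.g. example.com:8080); the HTTPS listener uses 443.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	target := "https://" + host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS wraps the real site handler so every HTTPS response carries the
// Strict-Transport-Security header.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// site stands in for the application itself (assumed placeholder handler).
func site(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "secure hello from %s\n", r.Host)
}

func main() {
	// Port 80: redirect only.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()
	// Port 443: the site, with HSTS. cert.pem/key.pem are placeholder paths
	// for your certificate and private key.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem",
		withHSTS(http.HandlerFunc(site))))
}
```

Because the redirect is permanent (301) and HSTS is set on the HTTPS response, a browser that has visited the site once over HTTPS will rewrite http:// links to https:// locally and never send the plain request at all.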
2. Encrypt all site user data on disk, always
If you are storing data in databases, then turn on database encryption. If you are writing out text files, either reconsider this strategy entirely and write to encrypted databases, or, if you must write to text files, look into on-the-fly encryption tools (if available for your operating system), so that if files are downloaded from your server they cannot be read.
As a website owner, the integrity of your site users’ data, both on disk and on the wire, is your responsibility. Encryption is the first, simplest, and best way to protect your company’s reputation on the web—securing your customers’ data shows how seriously you value their business, and brings customers back to you knowing that they can trust your organization with their critical assets.
With over 30 years experience in enterprise IT, Reed brings his extensive knowledge, vision, and leadership to Percussion’s growing suite of cloud services. An industry pioneer, author, and expert in computer security and technology law, Reed has made his mark at legendary Boston area companies including IONA Technologies, Vertex Pharmaceuticals, PictureTel, and Stream Global Services/Corporate Software. In his free time, Reed enjoys spending time with his wife and two young sons, championing progressive humanitarian causes, and sharing his favorite geek culture finds with friends and colleagues.