TLS or SSL Encryption? What the Answer Means for Your Clients

Given that so much of your clients’ data today is transmitted on the cloud, including their most sensitive and regulated data, the security protocols that those cloud services employ are critical to the integrity of your clients’ businesses, and can even play a role in keeping them on the right side of costly regulations.

July 15, 2016


But most businesses, likely including many of your clients, know surprisingly little about the specific security and compliance measures their cloud vendors take (or fail to take) to protect their data. Moreover, given the complexity of the major data privacy regulations such as HIPAA and GLBA, few companies know if the security protocols taken by third-party providers to protect their data in the cloud will meet the regulations governing their industry.

So here is a brief primer on the two primary encryption protocols used to transmit data over the Internet: SSL and TLS. These could be valuable lessons to share with your clients. After this discussion, I will describe a solution you can offer your clients that will help them greatly improve their fax security and regulatory compliance–and which can serve as a lucrative addition to your portfolio.

SSL, or “Secure Sockets Layer”

Few security technologies in the modern era can remain intact for long because bad actors are always looking for creative ways to undermine them. This is why, for example, anti-virus software makers so frequently update their products: They are continually having to adjust, patch and otherwise strengthen their software in response to new attacks or discovered vulnerabilities.

But a disturbingly large percentage of businesses continue to send data over the Internet with an encryption solution that was most recently updated in 1999. That protocol, SSL version 3.0, has proven vulnerable to breach in such high-profile cases as the POODLE attack.

This is not surprising, of course, given that cyber criminals have had more than a decade and a half to find and exploit SSL’s weaknesses. In fact, several of the leading Internet companies, including Google and Mozilla, have publicly stated that SSL is no longer a safe encryption protocol.

How SSL Works, and Where it Falls Short

As the cyber-security training organization SANS Institute states, Secure Sockets Layer was created to provide a secure means of communication that would be both private and reliable for two applications over the Internet. For security, SSL encrypts the data being transmitted, and demands verification of the recipient’s identity via digital certificates. For reliability, SSL employs several message integrity checks.

But as SANS notes in its SSL and TLS: A Beginner’s Guide, SSL does not require public and private encryption keys, which the manual deems a major security shortcoming. Why? Because when a sender transmits the standard “ClientKeyExchange” message for the recipient to open, that message itself contains details about the encryption key.

One of the major consequences of this security flaw is that it exposes companies using SSL to widespread “Man in the Middle Attacks,” or “MITMAs.” Such attacks let hackers or other bad actors grab the message along its Internet journey and even change the message’s contents–where neither sender nor recipient ever knows their communication has been breached.

The SANS manual also points out another SSL security weak point–namely, that it doesn’t in all cases encrypt data during its several stops on servers along its journey. And these server stops are also high-risk points for Man in the Middle Attacks.

It’s worth pointing out here that of the many cloud vendors your clients use every day to transmit their data, some will provide that data in-transit with no encryption protection at all. And, of those that do, many still use the outdated and insecure SSL 3.0. How do you think your clients would react if they realized that many of their sensitive and even regulated corporate documents are being delivered across the Internet using either no security at all, or security measures that Google warns are unsafe?

TLS, or “Transport Layer Security”

SSL’s successor is TLS, or Transport Layer Security. SANS defines this newer protocol as an advanced encryption that “allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering or message forgery.”

What this means is that TLS was designed specifically as an upgrade to SSL, as a way to overcome its key weaknesses, such as the Man in the Middle Attack.

One major security upgrade in TLS is the “Record Protocol” it employs–using symmetric cryptography keys and a Message Authentication Code to establish a secure connection between the two communicating parties. In other words, this enhanced level of security in the sender-recipient connection helps to prevent such intrusions as Man in the Middle Attacks.

Indeed, today TLS is the most advanced and sophisticated means of encryption available for transmitting messages across the internet.

What all of this means is that your clients are probably overdue for a review of their data transmission processes and an audit of the security protocols (if any) that their cloud vendors use to send their messages. If they aren’t employing TLS encryption to transmit their proprietary or regulated data, your clients could probably do better.
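One way to run the protocol audit suggested above, as an added example that is not part of the original article or any vendor's tooling: it reads a server's raw ServerHello handshake record and reports which protocol version was negotiated, flagging SSL 3.0 and other legacy versions. The TLS 1.2 minimum, the function names and the sample records are assumptions made for this illustration.

```python
import struct

# Wire values of the protocol version field, SSL 3.0 through TLS 1.3.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTABLE = 0x0303  # assumed audit policy: TLS 1.2 or newer

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a server selected, from its ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    rtype, _, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if rtype != 0x16 or len(body) != rlen or rlen < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38 or 38 + hello[34] > len(hello):
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[:2], "big")
    pos = 38 + hello[34]  # past version, random, session id, suite, compression
    # TLS 1.3 keeps 0x0303 in this field and carries the real version in the
    # supported_versions extension (type 43), so walk the extension list.
    if pos + 2 <= len(hello):
        end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:
                version = int.from_bytes(hello[pos + 4:pos + 6], "big")
            pos += 4 + elen
    return version

def audit(record: bytes) -> str:
    """Name the negotiated version and say whether it meets the assumed policy."""
    v = negotiated_version(record)
    verdict = "ok" if v >= MIN_ACCEPTABLE else "FAIL (legacy protocol)"
    return f"{VERSIONS.get(v, hex(v))}: {verdict}"

def sample_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (sample input, not captured traffic)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

if __name__ == "__main__":
    print(audit(sample_hello(0x0300)))                                 # SSL 3.0
    print(audit(sample_hello(0x0303)))                                 # TLS 1.2
    print(audit(sample_hello(0x0303, b"\x00\x2b\x00\x02\x03\x04")))    # TLS 1.3
```

In a real audit the record would come from a packet capture of the connection to the vendor's service rather than from `sample_hello`.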

For cloud faxing, your clients can trust industry leader eFax Corporate.

For the sensitive data your clients send by fax, eFax Corporate can enable TLS encryption to keep their messages highly secure over the Internet.

Our fax-by-email service is built on a multimillion-dollar, worldwide network of secure colocations and redundant telco-grade servers–all of which we leverage to transmit millions of pages of highly sensitive and regulated data every day, for many of the world’s most successful corporations.

The eFax Corporate secure cloud fax solution can greatly enhance the security of your clients’ fax documents, improve their compliance with federal regulators, and give their IT teams peace of mind.

Become an Authorized eFax Corporate Partner

And you can offer this highly secure cloud fax service to your clients, through our hands-on, lucrative Partner Program. Learn more at our eFax Corporate Partner Page.

Currently responsible for the Enterprise Partner Program for j2 Cloud Services, Peter Ely is a 27-year technology veteran, having held senior executive positions looking after presales support, product management, product marketing and technical evangelist teams in the telecommunications and data networking arenas in positions located across two continents and three countries.
