The SANS Institute, realizing the critical nature of security risks to SSL/TLS, has added several requirements related to SSL/TLS management to Critical Security Control 17: Data Protection. From recent vulnerabilities like Heartbleed, Shellshock, POODLE, and FREAK to the Sony and CHS breaches and other APT attacks, like APT 1 and APT 18, enterprises can no longer blindly trust SSL/TLS certificates.
This growing lack of blind trust in SSL/TLS certificates stems largely from corporate security teams’ failure to secure and manage their vast certificate and key populations properly. By following the new SANS 20 requirements for SSL/TLS certificate management, enterprises can regain trust in SSL/TSL and rely on it once again for secure communications, authentication, and authorization for applications, appliances, devices, and cloud services.
For more details on how to best comply with these new SANS SSL/TLS certificate management requirements, get the SANS whitepaper, New Critical Security Controls Guidelines for SSL/TLS Management.
