An Introduction to Transport Layer Security

Protect sensitive data – and comply with regulations – using TLS/SSL

Ariel Gilbert-Knight, Carlos Bergfeld and Adam Chapman - April 12, 2012

This article was originally published in August 2009 and was updated in 2012.

With all the recent stories about security breaches, you may be wondering what you can do to help secure your nonprofit or library's data and communications. Transport Layer Security (TLS) is a protocol (a set of rules for how two computers talk to each other) that can help you do this. If your organization stores or processes payment or health-care data, or if it collects confidential information in general, security safeguards such as TLS or Secure Sockets Layer (SSL) might be not only a good idea but also legally mandated.

Below, we'll show you how TLS/SSL works, when you should use it, and how you can implement it at your organization.

What Is TLS/SSL?

TLS is the successor to SSL, an older protocol. The differences between TLS and SSL are minor and very technical. For purposes of this discussion the protocols are basically identical, so we will lump them together as TLS/SSL.

TLS/SSL can be used to create a secure environment for web browsing, email, or other client-server applications. For example, TLS can be used to create a secure connection between your organization's donation web page and a donor's web browser. The donor's financial or other personal information is encrypted in such a way that only you and the donor can access and use it.

TLS/SSL encryption requires the use of a digital certificate, which contains identity information about the certificate owner as well as a public key used for encrypting communications.
These certificates are installed on a server, typically a web server if the intention is to create a secure web environment, although they can also be installed on mail or other servers for encrypting other client-server communications. Microsoft has a more detailed explanation of how TLS/SSL works.

Securing a Web Server with TLS/SSL

This is probably the most common use of TLS/SSL. If used with a web server, TLS/SSL can encrypt online transactions and confidential data relayed between a user's web browser and a website. A secured web server can be identified by a padlock symbol at the bottom of the browser window or in the address bar, as well as by a URL that begins with "https" rather than "http."

Securing a Mail Server, Database Server, or Directory Server with TLS/SSL

TLS/SSL can be used with mail servers to encrypt email messages. An email that was sent with TLS/SSL encryption may display a ribbon or other icon in the recipient's email client. TLS/SSL can similarly be used with database and directory servers to encrypt server queries.

Securing a Virtual Private Network (VPN) with TLS/SSL

TLS/SSL can be used to encrypt the connection between a remote user's device and the network being accessed.

Does My Organization Need to Use TLS/SSL?

Whether you need to use TLS/SSL depends on your organization's activities. For organizations involved in health services or payment processing, using a security protocol such as TLS/SSL to encrypt network communications may be a federal or commercial requirement. For other organizations, using TLS/SSL might simply be a good idea.

Organizations Involved in Health Services

For organizations involved in health services, using security safeguards such as TLS/SSL may be a federal requirement. Any organization that transmits electronic billing information to any health insurance provider, Medicare, or Medicaid is covered by the Health Insurance Portability and Accountability Act (HIPAA) and must meet certain security standards.
Additionally, any organization that stores or transmits user login or patient information may need to be compliant with the HIPAA Security Standard, even if it is not technically a covered entity. It is important to remember that security protocols such as TLS/SSL can help an organization become HIPAA compliant, but they do not provide compliance on their own. For more information on HIPAA and finding out whether your organization needs to comply with its requirements, see Idealware's In Search of HIPAA-Compliant Software and visit the official HIPAA website at the Department of Health and Human Services.

Organizations That Store or Process Payment Information

For organizations that store or process payment information, such as donor credit card numbers, implementing TLS/SSL may be a requirement of the Payment Card Industry Data Security Standard (PCI DSS). This standard was created by the PCI Security Standards Council, a group of several major payment card brands, to protect cardholder data. Organizations may be required to comply with the PCI DSS by their acquiring bank or payment processor. You may have heard the term PCI-compliant in reference to certain websites, meaning that these sites have proven their compliance with these standards. As with the HIPAA standards noted above, remember that security protocols such as TLS/SSL can help an organization become PCI compliant, but they do not provide compliance on their own. For more information on PCI DSS and compliance, visit the PCI SSC website.

Other Organizations

If your organization stores confidential user information but does not transmit health or payment information, you still might want to implement security safeguards like TLS/SSL. First-time visitors will appreciate knowing that their personal information (like address and phone numbers) is secure when submitting it to your website.
Organizations associated with human rights and justice could benefit from encryption by protecting the information, and even the identities, of the people they serve. The use of TLS/SSL can also provide secure connections for organizations accessing their networks remotely. Though these safeguards would not be required by the federal government or a commercial entity, they could help to ensure that an organization's mission is not compromised by security breaches.

How Can My Organization Use TLS/SSL?

Most uses of TLS or SSL require a digital certificate from a certification authority or certificate authority (CA), a trusted authority that can attest to the identity of the certificate owner. Organizations will also need a system or network administrator who is familiar with whichever client-server applications need to be secured in order to enable TLS/SSL encryption.

If an organization purchases a certificate from a trusted CA, that certificate will contain the digital signature of the certification authority, attesting to the certificate's validity. Organizations can also create their own certificates, known as self-signed certificates. These carry no CA signature, so a web browser will not inherently trust them if they are installed on a web server, and it will usually display a security warning to any user who visits a website with a self-signed certificate.

Certificates are usually issued for a one-year period, and different security features may be available depending on the vendor. Most of these features are targeted at organizations that will install these certificates on web servers. Extended Validation (EV) certifies that the certificate owner meets the highest standard of identity validation criteria established by the Certificate Authority Browser Forum, a voluntary organization of certification authorities and vendors of Internet browser software.
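To make the difference between a self-signed certificate and one signed by a trusted CA concrete, here is an added example (not from the original article) that uses the openssl command-line tool to create a throwaway CA, issue a server certificate, and check which certificates a verifier that trusts only that CA will accept. The organization name, the host name donate.example.org and the CA name are placeholders, and the openssl tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the TechSoup article. Requires the openssl CLI.
# All files are created in a temporary directory; no real CA or host is used.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A self-signed certificate: subject and issuer are the same organization,
#    so nothing but the certificate itself vouches for it. Placeholder names.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout selfsigned.key -out selfsigned.pem \
  -subj "/CN=donate.example.org/O=Example Nonprofit" 2>/dev/null

# 2. A throwaway "certification authority" (placeholder name) ...
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout ca.key -out ca.pem -subj "/CN=Example Test CA" 2>/dev/null

# ... and a server certificate that the CA signs for the same placeholder
#    organization: a signing request, then the CA's signature on it.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=donate.example.org/O=Example Nonprofit" 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -out server.pem 2>/dev/null

# verify_cert CERT TRUSTSTORE: prints "trusted" if the certificate chains to
# a certificate in TRUSTSTORE (what a browser does with its built-in CAs).
verify_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# A client that trusts only our CA reaches the conclusions described above:
verify_cert selfsigned.pem ca.pem          # untrusted: no CA signature
verify_cert server.pem ca.pem              # trusted: signed by a known CA
verify_cert selfsigned.pem selfsigned.pem  # trusted only where it was added

# The certificate carries the identity, the issuer and the validity period
# (one year here, matching the usual issuance period mentioned above).
openssl x509 -in server.pem -noout -subject -issuer -dates
echo "certificates written to $WORK"
```

The same check is what browsers perform against their built-in list of CAs, which is why a self-signed certificate produces a warning unless the visitor has explicitly added it to that list.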
EV certificates also enhance security visibility by displaying the organization's name in green in the address bar as well as displaying the name of the issuing certification authority.

There are several commercial certification authorities, including VeriSign, Comodo, GeoTrust, and GoDaddy. Visit each of those organizations' websites to compare prices or request a certificate.

Organizations That Use TLS/SSL

Organizations of various sizes have made use of TLS/SSL for many of the purposes described here. A good example is the National Cristina Foundation, a nonprofit organization that provides computers and other technology to people with disabilities, students at risk, and the economically disadvantaged. Its website uses SSL to secure an online form that is filled out by parties who wish to donate computers or other items to the organization. The organization also uses SSL to encrypt its online grant application, used by prospective recipients to obtain the technology they need.

Another nonprofit organization, Blood Centers of the Pacific, uses SSL encryption on its Blood Heroes blood donation website to allow donors to securely enter their information, make appointments, and view health information about their blood. And of course, TechSoup uses SSL certificates to keep its own members' information secure. The TechSoup login page uses this encryption, as does the entire check-out process on TechSoup's Get Products donation site.

Conclusion

No single security measure will fully protect your organization from data breaches, but implementing security protocols like TLS/SSL can reduce the chance of them. If you are not obligated by law or commercial edict to implement a protocol like TLS/SSL but think it might be a good idea, you should find out whether you have the technical staff and resources to do so. Staff and constituents who are worried about their information's safety will likely appreciate these safeguards.
When it comes to data security, erring on the side of caution is typically a prudent choice.

This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License.