A power retailer faced the common trade-off between security and customer experience:
- Due to both PCI and generally increased security requirements, the security team needed to strengthen the cryptographic protocols that provide authentication and data encryption between customers and the retailer's applications (namely by deprecating TLS 1.0 and TLS 1.1).
- The downside is that customers using browsers that don't support the newer protocols would no longer be able to connect to the applications. From the moment the old protocols were deprecated, those browsers would simply fail to connect; because the TLS handshake fails before any page can be served, no message explaining the problem could be displayed. The business was therefore also concerned about customer experience and calls to the helpdesk.
Given they already had RedShield’s secure application publishing service deployed they asked RedShield for options.
RedShield proposed a phased solution that started with informing customers and reporting statistics, then moved on to restricting access.
The crypto protocols were set to prefer the newer protocols when the browser supported them (the default behaviour). When a browser was detected that did not support the newer protocols, the following phases were proposed:
- Compatibility: a RedShield-hosted splash page to be displayed informing the user that there are security concerns with their browser, providing links to browser upgrade pages, the pending service restriction date and a click-to-continue option; statistics on who is being shown this page are provided to the company.
- Restricted access: a modified RedShield-hosted splash page to be displayed informing the user that certain pages are no longer accessible, with a statement of the security reason, upgrade links, online support and links to the services that are still available. In this phase it is also possible to allow specific customers to keep using the older protocols, by exception and in a monitored mode.
- Full protocol enforcement: complete deprecation of the old protocols, with no splash pages, at a time acceptable to the business.
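To make the three phases concrete, here is an added example (not RedShield's code) of the per-request decision and the statistics reporting described above. It assumes the TLS terminator records the negotiated protocol version for each request; the phase numbers, path names and customer ids are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Protocol versions being deprecated (names as negotiated by the TLS terminator).
LEGACY = {"TLSv1", "TLSv1.1"}

@dataclass(frozen=True)
class Policy:
    phase: int                    # 1 = compatibility, 2 = restricted access, 3 = full enforcement
    restricted_paths: frozenset   # paths closed to legacy clients in phase 2
    exceptions: frozenset         # customer ids allowed legacy protocols by exception (phase 2)

def decide(policy, tls_version, path, customer_id=None):
    """Action for one request: allow, splash, restricted, exception or reject."""
    if tls_version not in LEGACY:
        return "allow"                 # modern client: never affected
    if policy.phase == 1:
        return "splash"                # warning page with a click-to-continue link
    if policy.phase == 2:
        if customer_id in policy.exceptions:
            return "exception"         # legacy allowed by exception, in monitored mode
        if path in policy.restricted_paths:
            return "restricted"        # "page no longer accessible" splash page
        return "allow"                 # services still open to legacy clients
    return "reject"                    # phase 3: the handshake itself fails, no page can be shown

def report(policy, records):
    """Aggregate decisions and list the customers still on legacy protocols."""
    counts = Counter(decide(policy, v, p, c) for v, p, c in records)
    legacy_customers = sorted({c for v, _, c in records if v in LEGACY and c})
    return dict(counts), legacy_customers

# Constructed sample records: (negotiated protocol, path, customer id).
SAMPLE = [
    ("TLSv1.2", "/account", "c100"),
    ("TLSv1", "/account", "c200"),
    ("TLSv1.1", "/outage-map", "c300"),
    ("TLSv1", "/account", "c400"),
    ("TLSv1.3", "/pay", None),
]

PHASE1 = Policy(1, frozenset(), frozenset())
PHASE2 = Policy(2, frozenset({"/account", "/pay"}), frozenset({"c400"}))
PHASE3 = Policy(3, frozenset(), frozenset())

if __name__ == "__main__":
    for pol in (PHASE1, PHASE2, PHASE3):
        print(pol.phase, *report(pol, SAMPLE))
```

The phase-3 "reject" is only a bookkeeping value: once the old protocols are removed from the TLS terminator's configuration the handshake fails before this code would run, which is why phases 1 and 2 are needed to warn customers while they can still be reached.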
Compliance, security and happy customers shouldn’t be a tradeoff. Too often security measures are introduced that negatively impact our customers’ experience. The solution that RedShield has provided allows us to inform and communicate with our customers and make allowances for their specific circumstances whilst we increase security, truly the way it should be done.
After successful testing and the customer's change management process, phase 1 of the RedShield solution was deployed in front of the relevant web applications (no changes were required to the applications themselves).
After the first month the statistics reported enabled the business to understand the impact on their customer base and hence set some target dates for restriction of access. They were also able to see who was upgrading, contact various customers for feedback and slightly modify the splash page message.
After 3 months the statistics showed that the upgrade push had worked and very few customers would be affected by restricted access. Phase 2 was therefore implemented approximately 4 months after phase 1.
Phase 3 is still to be implemented and very few exceptions to use the older protocols have been granted.