A policy announced in March by the White House Office of Management and Budget (OMB) calls for all publicly accessible federal websites to support traffic encryption within two years by adopting the HTTPS secure communication protocol.
By mandating the secure protocol across the board for federal sites, the policy will deliver a powerful boost to HTTPS adoption across the Web ecosystem. Vendors of Web services to federal agencies will need to move at once to support the new standard. Moreover, state and local governments, along with many other organizations, will take their cue from the federal government in making HTTPS and encryption the new normal on the Web.
Most broadly, the Web traffic encryption policy represents a proactive approach to protecting data on an ongoing basis, rather than limiting protection to endpoints or responding only to specific identified threats.
Rolling Out Encryption Across the Federal Government
As John Ribeiro reports at InfoWorld, the OMB policy sets a spectrum of compliance benchmarks for providing HTTPS encryption on federal websites. New websites will need to be compliant when they launch. Existing federal websites and services will phase encryption in, with priority given to sites that handle sensitive traffic or have high traffic with personally identifiable information.
Federal intranet sites, those not available to the public, are not specifically mandated to adopt HTTPS, but such adoption is “strongly encouraged.”
A number of individual federal agencies and sites, among them the Federal Trade Commission and the White House itself, have already shifted to HTTPS. Current use of the encrypted standard is typical of banking, e-commerce and other sites that deal with financial data or other highly sensitive information. However, most of the Web still uses unencrypted HTTP for data transfers.
Protection as a Default
Adoption of the new federal policy hands security professionals a powerful tool in advocating within their organizations for Web encryption. Vendors of Web services to government agencies will need to be in compliance. For other organizations, the new policy still sets a new standard of expectations that will in effect become the current state of the art in website design.
The decision to provide encryption for all federal Web traffic also embodies the new normal for data security. This is a recognition that all data traffic is subject to attack threats at all times and thus needs to be protected at all times.
Web encryption through HTTPS is not a magic bullet; there are no magic bullets. However, proactive security throws up roadblocks against attacks on an ongoing basis. The goal is to make life as difficult for attackers as possible and provide data with multiple layers of protection. This makes HTTPS and Web encryption one more weapon in the good guys’ arsenal.