Profile Applicability:
Level 1
Description:
Setting the 'Minimum TLS version' helps mitigate vulnerabilities associated with older versions of TLS by enforcing the use of TLS v1.2 or higher, ensuring secure communication channels. This setting prevents clients from using deprecated and insecure versions of the TLS protocol.
Rationale:
Older versions of the TLS protocol, such as TLS 1.0 and TLS 1.1, have known vulnerabilities. Enforcing TLS v1.2 ensures that data is encrypted with stronger, more secure protocols, protecting against "Man-in-the-Middle" (MITM) attacks and other security threats associated with weaker encryption.
Impact:
Pros:
Enhances the security of data in transit by using stronger encryption.
Reduces the risk of cyber attacks that exploit older, vulnerable TLS versions.
Helps in meeting industry compliance standards (e.g., PCI-DSS).
Cons:
Older clients or services that do not support TLS v1.2 may experience connectivity issues.
Default Value:
By default, TLS version 1.2 is enforced on Azure services that support this configuration.
Pre-requisites:
Ensure that TLS v1.2 is supported by the clients and services accessing the system.
Remediation:
Test Plan:
Using Azure Portal:
Log in to the Azure Portal: https://portal.azure.com.
Go to Azure Cache for Redis or the relevant service.
Click on the name of the instance.
Under the Settings section, select Advanced Settings.
Review the setting under Minimum TLS version.
If 1.2 (Recommended) or a higher version is selected, the instance is compliant.
Using Azure CLI:
1. Run the following command to check the Minimum TLS version:
az mysql flexible-server parameter show --name tls_version --resource-group <resourceGroupName> --server-name <serverName>
The output should return TLSv1.2 or higher.
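The CLI check above (which targets the `tls_version` server parameter of an Azure Database for MySQL flexible server) returns JSON, and the parameter can list several protocol versions at once, so "TLSv1.2 or higher" has to hold for every enabled version, not just the first one printed. The following is an added example, not part of this benchmark page and not Azure's own tooling: it parses a constructed sample of the `az ... parameter show` output and reports the weakest protocol the server would still negotiate. The comma-separated `value` format and the sample JSON are assumptions made for the example.

```python
"""Evaluate the `tls_version` value returned by
`az mysql flexible-server parameter show --name tls_version ...`
against the requirement that only TLS 1.2 or higher is enabled.

Added example: the JSON below is a constructed sample of the command's
output, not real server data. Only the `value` field matters for the check.
The comma-separated form ("TLSv1.2,TLSv1.3") is an assumption, covering the
case where a server parameter allows several versions to be enabled at once.
"""
import json
import re

MINIMUM = (1, 2)  # TLS 1.2 is the lowest version the recommendation accepts

# Constructed sample outputs (az prints JSON by default).
SAMPLE_COMPLIANT = '{"name": "tls_version", "value": "TLSv1.2,TLSv1.3"}'
SAMPLE_NONCOMPLIANT = '{"name": "tls_version", "value": "TLSv1.1,TLSv1.2"}'

_VERSION_RE = re.compile(r"^TLSv(\d+)\.(\d+)$")


def parse_tls_versions(value):
    """Turn 'TLSv1.1,TLSv1.2' into [(1, 1), (1, 2)]; reject unknown tokens."""
    versions = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        match = _VERSION_RE.match(token)
        if match is None:
            raise ValueError(f"unrecognised TLS version token: {token!r}")
        versions.append((int(match.group(1)), int(match.group(2))))
    return versions


def weakest_enabled(value):
    """Lowest protocol version the server would still negotiate."""
    versions = parse_tls_versions(value)
    if not versions:
        raise ValueError("tls_version is empty; no protocol version is listed")
    return min(versions)


def is_compliant(value):
    """Compliant only if every enabled version is TLS 1.2 or higher."""
    return weakest_enabled(value) >= MINIMUM


def check_parameter_output(json_text):
    """Parse the CLI JSON; return (compliant, weakest enabled version as text)."""
    doc = json.loads(json_text)
    major, minor = weakest_enabled(doc["value"])
    return is_compliant(doc["value"]), f"TLSv{major}.{minor}"


if __name__ == "__main__":
    samples = (("compliant", SAMPLE_COMPLIANT), ("non-compliant", SAMPLE_NONCOMPLIANT))
    for label, sample in samples:
        ok, weakest = check_parameter_output(sample)
        print(f"{label}: weakest enabled = {weakest} -> {'PASS' if ok else 'FAIL'}")
```

Run it against the real output by piping the command into the script (`az ... parameter show ... -o json`) instead of the constructed samples; the check fails closed on an empty or unrecognised value rather than treating it as compliant.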
Implementation Plan:
Using Azure Portal:
Log in to the Azure Portal.
Navigate to Azure Cache for Redis or the relevant service.
Select the instance and go to Advanced Settings.
Under Minimum TLS version, set the version to TLS 1.2 (Recommended) or a higher version.
Using Azure CLI:
1. To enforce TLS v1.2, use the following command:
az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSv1.2
Backout Plan:
Using Azure Portal:
Go to Azure Cache for Redis or the relevant service.
Under Advanced Settings, reset the Minimum TLS version to an earlier version (TLS v1.0 or TLS v1.1), if necessary.
Using Azure CLI:
1. To revert the TLS version setting:
az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSv1.1
References: