
HSTS Migration Across 1,800+ Systems

Role: Cybersecurity Project Manager
Organization: Large-Scale Enterprise
Status: Completed

1,800+ systems migrated
0 disruptions
100% HTTPS enforcement
8 months duration

Overview

This initiative focused on securing the organization's domains and devices by enforcing HTTP Strict Transport Security (HSTS) and eliminating unencrypted HTTP (port 80) traffic. Given the scale — thousands of devices and numerous web interfaces — implementation required careful planning, persistent discovery, and disciplined change management.

Discovery and Assessment

The first step was a comprehensive discovery process. Nessus was used to scan for all services listening on port 80 across the corporate environment. Because many devices were intermittently connected, scanning was repeated on a regular cadence to ensure no endpoint was missed.
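The discovery step above produces a list of port-80 listeners; in practice each one then has to be checked against what HSTS preloading will actually require of it. The following Python is an added example and not the project's own tooling or Nessus output. It parses a Strict-Transport-Security header per RFC 6797, tests it against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload, and any port-80 listener redirecting to HTTPS on the same host), and merges repeated scan runs so a host that was online for only one run is still carried into the inventory. The host names, the record layout and the scan runs are all constructed for the example.

```python
ONE_YEAR = 31_536_000  # hstspreload.org requires max-age of at least one year


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    RFC 6797 section 6.1: names are case-insensitive, max-age is mandatory and an
    integer number of seconds, no directive may appear twice. A malformed header
    raises ValueError; a browser would ignore it and apply no HSTS at all.
    """
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives


def preload_findings(directives):
    """Reasons a parsed policy fails the preload submission rules; [] if none."""
    findings = []
    if directives["max-age"] < ONE_YEAR:
        findings.append(f"max-age {directives['max-age']} is below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    if "preload" not in directives:
        findings.append("preload directive missing")
    return findings


def assess_host(record):
    """Classify one discovered host from a constructed probe record (assumed
    layout, not Nessus output): host, port80_open, http_redirect, hsts.

    A port-80 listener is acceptable only if it redirects to HTTPS on the
    same host; anything else is a remediation item for the system owner.
    """
    findings = []
    if record["port80_open"]:
        redirect = record.get("http_redirect") or ""
        # Simplified same-host check; a full check would also verify the path.
        if not redirect.startswith(f"https://{record['host']}"):
            findings.append("port 80 serves content or redirects off-host")
    hsts = record.get("hsts")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS")
    else:
        try:
            findings.extend(preload_findings(parse_hsts(hsts)))
        except ValueError as exc:
            findings.append(f"malformed HSTS header ({exc})")
    return findings


def merge_scan_runs(runs):
    """Union repeated discovery runs so an intermittently connected device that
    answered in only one run still lands in the inventory.

    runs: one list of (host, port80_open) tuples per run.
    Returns {host: {"runs_seen": n, "port80_open": open_in_any_run}}.
    """
    inventory = {}
    for run in runs:
        for host, port80_open in run:
            entry = inventory.setdefault(host, {"runs_seen": 0, "port80_open": False})
            entry["runs_seen"] += 1
            entry["port80_open"] = entry["port80_open"] or port80_open
    return inventory


# Constructed sample data for a stand-alone run; not real hosts or scan output.
SAMPLE_RECORDS = [
    {"host": "intranet.example.com", "port80_open": True,
     "http_redirect": "https://intranet.example.com/",
     "hsts": "max-age=31536000; includeSubDomains; preload"},
    {"host": "printer-07.example.com", "port80_open": True,
     "http_redirect": None, "hsts": None},
    {"host": "legacy.example.com", "port80_open": False, "hsts": "max-age=300"},
]
SAMPLE_RUNS = [
    [("intranet.example.com", True), ("printer-07.example.com", True)],
    [("intranet.example.com", True), ("laptop-a1.example.com", True)],
    [("intranet.example.com", True)],
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["host"], assess_host(rec) or ["ok"])
    for host, info in sorted(merge_scan_runs(SAMPLE_RUNS).items()):
        print(host, info)
```

The malformed-header branch is the one worth keeping in mind: a header with a duplicate directive or no max-age is not "partially effective", browsers discard it outright, so a host that looks remediated in a spreadsheet can still have no HSTS protection. The merge step is what makes the repeated scan cadence useful; a device seen in one run out of three is still a port-80 finding for its owner.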

Once the inventory was established, stakeholders were identified and grouped into personas based on their actions. This segmentation allowed communications and remediation guidance to be tailored to each audience.

Policy, Exceptions, and Timeline

The organization set a firm enforcement date for submitting its domain to the HSTS preload list. Because preloading applies to every subdomain under the preloaded domain, an exception could not simply leave a system on HTTP in place: it required formal documentation, a plan for eventual remediation, and a move off the domain that was being preloaded.

The timeline was deliberate. Too short a window risked backlash from teams unprepared for the work; too long would allow competing priorities to erode momentum. A balanced schedule kept attention on the change while giving stakeholders enough lead time to act.

Support and Remediation Framework

Actions for impacted users were clearly defined: remediate port 80 usage by migrating to HTTPS (closing port 80 or leaving it only as a redirect to HTTPS on the same host), or submit an exception request and, if approved, move the system off the affected domain. To handle support efficiently, a triage model was implemented:

  • Level 1 — Basic questions and common issues, resolved through self-service resources and the help desk
  • Level 2 — Intermediate troubleshooting with the project manager
  • Level 3 — Advanced engineering support for complex or unique systems

The core project team met weekly to track progress and address blockers.

Organizing the Work

A Gantt chart served as the central project tracker, mapping tasks, owners, and deadlines week-by-week. This visual approach made it easy to see dependencies, track status, and adjust priorities.

Change Management and Communications

Change management was treated as a parallel workstream to technical remediation. The communications plan identified the most effective channels for each audience; Slack, Teams, staff meetings, and email were used together to maximize reach.

The goal was not just to inform, but to change habits. For example, application development teams were reminded that new applications must never rely on HTTP under any circumstances. This policy was reinforced in technical forums, documentation updates, and during developer syncs.

Stakeholder change boards were engaged throughout the project. By maintaining a consistent presence, the project team gained influential champions who helped drive adoption within their departments. Executive leadership was also briefed regularly to secure top-down support.

Central Information Hub

A central "gold source" information page was created on the company intranet. This hub served as Level 1 support, containing policy details, timelines, how-to guides, and links to request exceptions. Every email, Slack post, or change request pointed back to this page to ensure consistency.

Execution and Enforcement

Once all elements were defined, the communications schedule was executed, delivering targeted updates over the full project timeline. As the enforcement date approached, the project team intensified reminders, provided extra support hours, and monitored remediation status closely.

On the enforcement date, HSTS preloading was enabled for all compliant domains, with exceptions documented and approved. Post-implementation scans confirmed a dramatic reduction in HTTP exposure, and the organization established HSTS as a permanent requirement for all future development and deployment.