Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Performance, management and privacy issues stymie SSL inspections, and the bad guys know it

Maria Korolov | Sept. 20, 2016
The technology is there for companies to inspect SSL traffic, but performance, management and privacy concerns combine to hinder its adoption.

In particular, many popular online collaboration and file sharing tools have built-in encryption, and are often used by both insiders and external attackers to exfiltrate information.

That means that most of the money that companies are spending on security is being wasted, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

Next-generation firewalls, sandboxes and behavior analytics tools are only a quarter as effective as they should be if three quarters of the traffic is encrypted and just slides past them, he said.

Meanwhile, initiatives like Let's Encrypt have reduced the cost of encryption certificates down to zero, he added. "That creates a dangerous scenario."

He said that Venafi customers have reported finding almost 16,500 unknown TLS or SSL keys and certificates. "That's encrypted traffic that wasn't even known about. And keys and certificates are growing at least 20 percent year over year."

The problem will get worse before it gets better, he said. "It's a blind spot that we've continued to ignore."

"When I ask organizations about their SSL traffic, they often don't know much about it," said Bradon Rogers, senior vice president for worldwide sales engineering at Symantec. "And when they do know, between 50 and 75 percent of their traffic is SSL encrypted."

SVP Worldwide Sales Engineering, Symantec

And many companies are wary of deploying full-scale SSL inspection, even if they could, he added, because of potential compliance and privacy concerns related to seeing employees' credit card numbers, banking information, and medical data.

"This is the difficult balance that organizations have to walk when deciding when to decrypt and when not to," Rogers said.

However, A10's Cunningham said that companies are already inspecting most plain-text communications, at the very least, to check for malware.

"The absolute truth of the situation is that every time you as a user sign on to the system, you sign off on something that says that your company has the right to inspect your traffic," he said. "They need to look at that traffic to see if there's malicious activity taking place -- to protect users and protect data."

Companies should not be afraid of extending that same level of monitoring to encrypted traffic as well, he said. "But people are so afraid of doing what they said they will do."

Proxies and gateways

Meanwhile, proxies and gateway technologies have become a lot better, with configurable policies that allow companies to make distinctions between potentially malicious traffic and that related to confidential information. Plus, they've improved quite a bit in reducing the performance impact and management challenges.

A10, for example, offers appliances that take care of the pain of managing SSL certificates and take on the CPU-intensive encryption and decryption tasks so that the dedicated security devices on the network aren't slowed down. Both incoming and outgoing traffic is decrypted, sent to the security devices for inspection, and then encrypted again.

 

Previous Page  1  2  3  4  5  Next Page 

Sign up for CIO Asia eNewsletters.