Cryptography isn’t new. Humans have always liked to keep secrets. Or at least try.
More than 400 years ago, Mary, Queen of Scots, tried. Unfortunately, in the encryption-gone-wrong Babington plot, she didn't fare so well. When one of Queen Elizabeth's cunning advisors decrypted a coded correspondence about an assassination conspiracy, it was off with poor Mary's head.
Decryption can be used to your advantage. It certainly was in Elizabeth’s case.
Encryption: The Double-Edged Sword
Today, more and more Internet traffic is encrypted. In fact, according to the Dell 2016 Annual Threat Report (PDF), nearly 65 percent of it is.
But encryption is a double-edged sword. It's good when it protects you, your confidentiality, and your data. However, as with most things in life, there are two sides to every story. And encryption's not so good when it protects the bad guys, too.
See, in addition to the growth of SSL traffic, studies also show that SSL is one of the fastest-growing attack vectors. In fact, in its report, "Security Leaders Must Address Threats from Rising SSL Traffic," Gartner predicted that, by 2017, more than 50 percent of network attacks will use encrypted traffic to bypass controls. Attackers are drawn to encryption for the same reason defenders are: an encrypted channel hides its payload from any control that can't decrypt it. That lets them deliver malware, run command-and-control sessions, and exfiltrate the very data and privacy you aim to protect, all past inspection devices that only see ciphertext.
By all estimates, a decryption and inspection strategy should be viewed not only as a necessity for businesses but as a top security priority in 2016.
What’s Fair to Decrypt?
If you’re using a company-issued laptop and company-hosted servers for email, should you be allowed to send work email to your personal Gmail account? Well, not really. Or at least not unless you’re cool with allowing your company to inspect those emails because, you got it, the situation does pose a legitimate security risk.
In the United States, it’s a touchy topic. Many privately held companies have begun to inspect this type of traffic, while many public companies are awaiting new legislation on the matter. In Europe, even where privacy reigns supreme, when and where to use decryption is coming up for debate more and more.
What's important is to determine where there's a clear security rationale for decrypting certain SSL-encrypted streams, and to get a better understanding of who is doing the encryption that may be traversing your network. Because, oh yeah, another thing about today's encryption: it's stronger and more widely deployed than ever before. Inspection isn't a matter of breaking the cipher. An inspection device has to terminate the TLS session itself: for traffic to your own servers, with a copy of the server's private key; for outbound traffic, by acting as an intermediary that presents certificates your endpoints have been configured to trust. And with forward-secret key exchanges (ECDHE), which are increasingly the default, even a copy of the server's private key won't let a passive tap recover the session keys. So even if organizations wanted to decrypt every bit of SSL traffic (which would most certainly make their users uncomfortable with regards to loss of privacy), their networks would take huge performance hits, because terminating and re-establishing TLS at line rate is computationally expensive.
Finding a Balance
Most security architectures use multiple inline and out-of-band security and monitoring tools, each responsible for inspecting traffic and performing its own unique function. The problem is complexity and cost. Decrypting and routing SSL traffic to numerous security and analytics tools or enabling those tools with decryption capabilities isn’t simple and can be expensive.
And if one thing is certain, it’s that security can be neither a business bottleneck nor an operational money pit.
That means organizations need to find a balance and, in many cases, find ways to do more with less. For now, a practical tack is to establish security policies with regard to traffic inspection, and implement the right mix of SSL decryption and traffic inspection systems such that they don’t introduce latency or business disruption.
A good place to start is with a security delivery platform (SDP) and SSL visibility appliances. An SDP enables scalability and availability of your network while ensuring that relevant traffic is delivered to all the right tools at once. With its load-balancing capabilities, you can spread traffic flows across multiple SSL visibility appliances, avoiding bottlenecks and strengthening your security architecture as a whole.
Once traffic is decrypted by an SSL visibility appliance, it can be quickly routed through several security and performance monitoring tools, inspected, and sent back to the SSL visibility appliance for re-encryption. And should an SSL visibility appliance ever crash, an SDP's inline bypass capabilities usually offer a range of failover options, including fail closed, fail open, logical pass-through, or distribution to other devices. Which one you pick is itself a policy decision: fail open keeps the business running but passes traffic uninspected until the appliance recovers, while fail closed blocks everything on that path. Decide it per link in advance rather than discovering it during an outage.
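The "establish security policies with regard to traffic inspection" step above is where the privacy questions from the earlier section get turned into something a device can act on. An SSL visibility appliance can only decide decrypt-or-bypass before the session is decrypted, so the usual key is the Server Name Indication in the ClientHello, which is sent in the clear. The following is an added example, not code from the article or from any vendor's product: it parses the SNI out of a raw ClientHello record and applies a constructed three-way policy (bypass privacy-sensitive destinations such as banking and health, always decrypt personal webmail, block known-bad hosts, decrypt everything else by default). The hostname suffix lists and the `build_client_hello` helper that fabricates sample input are illustrative assumptions; a deployment would source the categories from URL-classification data and legal review.

```python
"""Selective TLS decryption policy keyed on the ClientHello SNI.

Added example, not from the article or any product. Policy tables and the
sample ClientHello below are constructed for illustration.
"""
import struct
from typing import Optional

# Constructed policy tables (suffix match, so "bank.example" also covers
# "online.bank.example"). Block is checked first, then bypass, then decrypt.
BYPASS_SUFFIXES = ("bank.example", "health.example")         # privacy-sensitive: never decrypt
DECRYPT_SUFFIXES = ("mail.google.com", "outlook.live.com")   # personal webmail: always decrypt
BLOCK_SUFFIXES = ("known-bad.example",)                      # no point decrypting: drop
DEFAULT_ACTION = "decrypt"   # applied when no rule matches, or when there is no SNI at all


def _matches(host: str, suffixes) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None.

    Walks the handshake body (RFC 5246 section 7.4.1.2) to the extensions and
    looks for extension type 0, server_name (RFC 6066). Anything that is not a
    well-formed ClientHello with a host_name entry yields None.
    """
    try:
        if record[0] != 0x16:                              # content type: handshake
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                  # handshake type: client_hello
            return None
        pos = 4 + 2 + 32                                   # header + client_version + random
        pos += 1 + hs[pos]                                 # session_id
        (cs_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2 + cs_len   # cipher_suites
        pos += 1 + hs[pos]                                 # compression_methods
        if pos >= len(hs):
            return None                                    # no extensions block
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            if ext_type == 0:
                (list_len,) = struct.unpack("!H", hs[pos:pos + 2])
                p, list_end = pos + 2, pos + 2 + list_len
                while p + 3 <= list_end:
                    name_type = hs[p]
                    (name_len,) = struct.unpack("!H", hs[p + 1:p + 3])
                    p += 3
                    if name_type == 0:                     # NameType host_name
                        return hs[p:p + name_len].decode("ascii")
                    p += name_len
                return None
            pos += ext_size
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decide(sni: Optional[str]) -> str:
    """Map a hostname (or None, e.g. ECH or raw-IP connections) to an action."""
    if sni is None:
        return DEFAULT_ACTION
    if _matches(sni, BLOCK_SUFFIXES):
        return "block"
    if _matches(sni, BYPASS_SUFFIXES):
        return "bypass"
    if _matches(sni, DECRYPT_SUFFIXES):
        return "decrypt"
    return DEFAULT_ACTION


def decide_flow(client_hello: bytes) -> str:
    """Policy decision for one flow, given the raw bytes of its first TLS record."""
    return decide(parse_sni(client_hello))


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
        sni = struct.pack("!H", len(entry)) + entry                 # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni                 # extension type 0
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)        # client_version, random (zeroed for the sample)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                  # one compression method: null
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("online.bank.example", "mail.google.com", "cdn.known-bad.example", "intranet.corp", None):
        print(f"{host!s:28} -> {decide_flow(build_client_hello(host))}")
```

Note that a missing SNI falls through to `DEFAULT_ACTION`. That is the case that catches people: clients that encrypt or omit the SNI, or connect by IP address, give the policy nothing to bypass on, so the default has to be chosen deliberately, and the appliance still needs a way (for example the server certificate it sees once it terminates the session) to undo a decrypt decision that turns out to hit a privacy-sensitive destination.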
Too bad Mary and Elizabeth couldn't have found a similar way to align. As they say, two heads are better than one.
Related Reading: To Improve Security Effectiveness, Look Inside