According to Gartner, 75% of the global population will have its personal data covered under privacy regulations by the end of 2024. And in their latest information security and risk management study, Gartner identifies Zero Trust Network Access (ZTNA) as the fastest-growing segment in network security, forecast to grow 31% in 2023 and propelled by the rise in remote workers. Hybrid work is a fact of life and expected to be served predominantly by ZTNA versus VPN services.
Compliance and ZTNA are driving encryption into every aspect of an organization’s network and enterprise and, in turn, forcing us to change how we think about protecting our environments.
Unintended consequences
ZTNA is great for security in one aspect, providing greater control over movement and access as the Atomized Network continues to grow and applications and people are everywhere. Instead of authenticating once and then getting relatively open access to resources and devices on a network, zero trust is about authenticating and receiving a set of permissions and authorization for explicit access. However, ZTNA’s use of encryption to secure all connections, regardless of where they reside in the infrastructure, is creating massive issues in another aspect of security. As I’ve discussed before, encryption is blinding many of the network visibility and security tools we have traditionally used for enterprise protection.
Organizations that decide to use secure access service edge (SASE) platforms to manage ZTNA, also sacrifice a degree of visibility for the sake of authentication and encryption. With SASE, authentication and authorization is managed when users connect to their provider’s dedicated cloud. From a user perspective the experience is fairly seamless, but security teams tell us they don’t have what they need to do their jobs. Typically, they are only able to view authentication logs and access logs, so they can’t see what is happening in real-time across that cloud environment.
Even when an organization doesn’t go the zero trust route because it may be overkill for their environment, they still implement encryption for data privacy and protection reasons. The highest level of encryption is used – not just for internet-facing hosts, but also internally to secure data at rest and in transport.
The risk paradox
As encryption becomes pervasive, organizations are adding complexity for security teams to do things like troubleshooting and threat hunting. The combined impact of encryption and the atomization of networks is deprecating a lot of the legacy tools that use deep packet inspection (DPI) and packet capture technologies, making them significantly more expensive and complex to deploy and manage.
The traditional thought process is that in order to detect and respond we have to see everything, which means we have to decrypt everything. Sure, decryption is possible, but it doesn’t scale anymore. In a dispersed and ephemeral environment with no defined perimeter, putting an appliance in the middle to do decryption is getting harder and harder to do. We have more traffic to decrypt, more certificates to manage, and any point at which we break encryption for detection and response is another point at which we are potentially exposing sensitive data. In an effort to keep our networks secure, we are elevating our risk profile.
Network security without breaking decryption
The time has come to reimagine our approach to network security so we can see what is going on and detect and respond to threats without introducing additional risk.
Learn More at SecurityWeek’s Zero Trust Strategies Summit 
Join us as we decipher the confusing world of zero trust and share war stories on securing an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.
April 12, 2023 – Register
A lot of machines have endpoint detection response (EDR) agents installed on them that provide visibility into hosts on the network and local processes. However, not every networked device in an environment is capable of supporting an agent, and EDR doesn’t provide visibility into network traffic in real-time. That’s where metadata in the form of flow data comes in. There’s no need to capture and inspect every packet to view and monitor network traffic for detection and response. Metadata is widely available across your multi-cloud, on-premises, and hybrid environment and when enriched with context provides high-level real-time visibility into traffic across the Atomized Network.
Collectively, EDR and metadata provide a good picture of what’s on the network, what it’s doing, and what’s happening to it and can detect most attacks without breaking encryption. In cases where we see anomalous behavior that requires a deeper dive, we can narrow the scope of what we are looking at and narrow decryption. By changing procedures to only decrypt when necessary, we can reduce our risk profile accordingly while minimizing cost and complexity.
It turns out encryption and zero trust aren’t breaking key protections. Instead, they are forcing an inevitable change for the better. Organizations can move away from 100% decryption, which doesn’t scale anymore and introduces risk, enjoy the benefits of ZTNA and encryption, and still get comprehensive visibility and the coverage needed to protect their Atomized Network.
Related: Cyber Insights 2023 | Zero Trust and Identity and Access Management
