Decrypting SSL Traffic: Best Practices for Security, Compliance, and Productivity

, Decrypting SSL Traffic: Best Practices for Security, Compliance, and Productivity

Adrian Taylor, Regional Vice President of A10 Networks, discusses the importance of best practices in traffic encryption

Today, encryption has become ubiquitous — Google reports that as of June 1, 2019, 94 percent of traffic across all its products and services is encrypted. Google is not the only company reporting a rise in the use of encryption though; all the commonly used browsers, including Safari and Mozilla, are witnessing the same trend.

So, what does this rising wave of encryption mean for organisations, and what can they do about it?

How Encryption Can Put Organisations at Risk

The biggest benefit of traffic encryption is, of course, privacy. After all, if you’re shopping or banking online, you don’t want your credit card number or any other pieces of personally identifiable information (PII) to be seen by anyone else.

To ensure that such privacy is maintained for internet users, a variety of laws like the General Data Protection Regulation (GDPR) andCalifornia Consumer Privacy Act (CCPA) have been established around the world.

Encryption Creates Blind Spots

The protective nature of encryption can easily be misused to hide criminal activities. For organizations, encryption can create a large blind spot that makes it difficult or impossible to identify criminal attacks.

For instance, if 80 percent of an organisation’s traffic is encrypted, and they lack a proper decryption solution, they’ll only be able to see and analyse 20 percent of their traffic.

That leaves a huge gap where attackers can freely infiltrate the network regardless of any firewalls or other defences.

These are just some of the ways that attackers can use encryption to their advantage:

  • Drive-by downloads (unintended downloads of malicious files)
  • Viruses and Trojans embedded within productivity documents
  • Spoofed websites intended to infect visitors with malware
  • Phishing attacks, whether personalised (spear-phishing) or general
  • Ransomware attacks using encrypted connections as a delivery mechanism

Once an organisation’s system has been compromised, their sensitive data can then be quickly smuggled out and sent to the attacker.

Or, in the case of ransomware, it can be encrypted and held for ransom indefinitely. That data can include credit card information, names, addresses and more.

To put it simply, organisations can’t be truly secure unless they have complete visibility into their traffic, encrypted or otherwise.

How Encryption Can Impact Compliance and Productivity

Security issues aside, encryption can have serious implications in terms of both compliance and productivity.

When it comes to compliance, it’s clear that with the recent proliferation of GDPR and CCPA, organisations are required to encrypt traffic. In failing to do so, they can find themselves facing sky-high fines.

For example, CCPA, which goes into effect in January 2020, permits fines of up to $2,500 per unintentional violation. For intentional violations, that number jumps to $7,500.

However, as discussed above, encryption can introduce its own set of challenges. In this case, if an encrypted data breach happens, organizations will be held responsible and once again face huge fines and penalties.

At the same time, compliance standards like HIPAA (Health Insurance Portability and Accountability Act of 1996) also require organisations not to decrypt healthcare data to maintain complete user privacy.

Encryption can also have severe consequences on productivity as well. With the rise in encryption, we can also see a rise in the use of encryption as a delivery mechanism for malware and ransomware.

The encrypted malware and ransomware can easily blend in with legitimate encrypted traffic and, without full visibility into the traffic, slip into the network undetected.

Once delivered and installed, the malware or ransomware can wreak havoc in the network, spreading across machines and stopping everything in its tracks.

Take, for example, the city of Baltimore, Maryland. In May of 2019, it was struck with a catastrophic ransomware attack that rendered major components of its municipal computer systems useless. These included voice mails, emails, a fine database and a payment system.

The attackers used a ransomware variant called RobbinHood, a Trojan horse type of malware. This variant is so new that its precise delivery method is still unknown.

For the systems affected by the breach, the attack was crippling. Officials were unable to verify 14,000 sewer charges, home sales were delayed and Baltimore politician Bernard “Jack” Young estimated that the total cost of the attack would be $18 million.

With that in mind, it’s plain to see how cyber-attacks that abuse encryption can cause organisations’ productivity to plummet.

There’s also an interesting performance dynamic when talking about SaaS applications.

Many businesses are moving most of their productivity software, like Microsoft Office 365, to the cloud. Traditionally with legacy enterprise deployments, traffic was going east-west between your users and on-premises applications.

Now with SaaS applications in the cloud, your traffic is going north-south between the users and the cloud. This means that all of your traffic needs to go out of your network, through your security stack before going out to the internet.

Oftentimes, the security stack that companies use is not prepared for such loads, and can create bottlenecks within your network, adding latency and deteriorating the user experience.

You can imagine how these issues could be magnified when enterprises have multiple global locations.

To alleviate these issues, SaaS providers like Microsoft recommend that organisations perform local breakout to improve performance. Local breakout works by separating SaaS traffic at the branch level, diverting it directly to the cloud.

This improves performance but creates another problem: lack of visibility into SaaS traffic.

Why Full Traffic Visibility Is Critical

Full visibility is essential for enterprises to increase their security, remain productive and avoid things like non-compliance. So how do you do that? Decryption.

Organisations must decrypt their traffic to:

  • Control encryption: It’s important to determine where and for what types of traffic encryption should exist within the enterprise network, as well as where it shouldn’t exist.
  • Enable proper inspection: There must be a spot in the communication path within the network, where it is possible to inspect all traffic.

By implementing effective decryption, companies can avoid the loss of productivity and hefty fines associated with a data breach.

The Importance of Dedicated SSL Decryption

It’s essential that companies deploy SSL decryption on the edge of their enterprise network. That’s because companies usually have a security stack comprised of multiple security solutions and devices, and as discussed above, these devices are ineffective without decryption.

In such a multi-device, multi-vendor environment, traffic must be decrypted for the entire security stack without causing major disruptions.

In other words, companies should seek out SSL decryption solutions that support and enhance their existing security infrastructure.

Ideally, those solutions should be dedicated. Although many next-generation firewalls (NGFWs) are capable of decryption, they fail to decrypt nearly as effectively or efficiently as a dedicated decryption product.

In fact, a 2018 research from NSS Labs found that NGFWs with SSL/TSL decryption turned on caused an:

  • Average connection speed degradation of 92 percent
  • Average throughput degradation of 60 percent, with a maximum of over 90 percent degradation for certain vendors
  • Average latency increase of 672 percent

Clearly, it’s not financially feasible for companies to either keep buying increasingly expensive NGFWs or to settle for a significant drop in performance and poor user experience.

Instead, organisations should be looking at dedicated decryption solutions.
A Decryption Solution with Centralised Visibility and Management Is Key

We have discussed how decryption solutions that can selectively decrypt traffic is essential to protect user privacy and data and enable and enhance existing defences against encrypted threats.

But, as organisations grow and expand into multiple locations, it becomes hard to keep track of the policies applied across all the decryption devices.

In order to maintain fool proof security and to apply uniform policies across all locations, a centralised management solution becomes essential, so that no security loopholes are left.

However, in terms of compliance, some data regulations only apply to certain regions, while others only apply to certain types of data.

Therefore, the centralised management solution needs to be flexible enough that different policies can be created for different regions and deployments.

Finally, the centralised management solution should also be coupled with a visibility solution, so that all the devices deployed across multiple locations, can be monitored from a central location.

This also strengthens the security as any traffic events or anomalies occurring across multiple locations can be detected and acted upon immediately.

Having full traffic visibility simultaneously across all branches as well as the cloud also provides insight into the traffic bypassed for SaaS optimisation at the branches, eliminating the adverse effects of local breakout.