A recent report found that cloud-based application use is driving up the use of SSL/TLS. What is the correlation between the two? Are there any drawbacks that network security teams should be aware of when it comes to increased SSL/TLS traffic?
With many applications being utilized in a SaaS model, it's important to encrypt the traffic between end users and applications. When personal and sensitive data is transferred, processed or stored off local premises, the connections between these points need to be secured.
Many large websites default to SSL/TLS, increasing the share of encrypted traffic on the internet. This is a plus for data security, but malicious actors can and do take advantage of the same encryption for their malware, spoofing and C2 servers. Attackers use flexible, well-designed and inexpensive services such as Let's Encrypt and Amazon Web Services for malicious purposes. It's for this reason that enterprises need to make monitoring of encrypted traffic, and decryption appliances, mandatory in their networks.
The recent increase in SSL/TLS traffic within networks is cause for both delight and concern. The security community has seen the need for encryption, but so have malicious actors. From a network security standpoint, it's important to be cautious when dealing with encrypted traffic. Its use is only going to grow from here, and the majority of internet traffic will move toward end-to-end encryption.
With this increased traffic, network security administrators should look for decryption methods for monitoring and visibility purposes. It's one thing to understand where the traffic is destined to go -- many companies use this to alert them to connections with known malicious IP addresses -- but it's a completely different thing to have the capability to review the complete packet data for risks beyond the source and destination IP addresses.
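The destination-only visibility described above can be pushed a little further without any decryption: the TLS ClientHello carries the requested hostname in cleartext in the Server Name Indication (SNI) extension, so a sensor at a choke point can match it against a blocklist. The following is an added example, not code from the original column; the ClientHello bytes and the blocklist entries are constructed here for illustration.

```python
from typing import List, Optional, Tuple


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying an SNI
    extension. Used only to produce sample input for the parser below."""
    if hostname is None:
        exts = b"\x00\x00"  # extensions_length = 0
    else:
        name = hostname.encode("ascii")
        sni = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type host_name
        sni_list = len(sni).to_bytes(2, "big") + sni
        ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0
        exts = len(ext).to_bytes(2, "big") + ext
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeros for the sample)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0 or len(edata) < 5:
            continue
        lp = 2                                     # skip server_name_list length
        while lp + 3 <= len(edata):
            ntype = edata[lp]
            nlen = int.from_bytes(edata[lp + 1:lp + 3], "big")
            nval = edata[lp + 3:lp + 3 + nlen]
            lp += 3 + nlen
            if ntype == 0:
                try:
                    return nval.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def matches_blocklist(hostname: str, blocklist: List[str]) -> bool:
    """Exact or parent-domain match, so 'cdn.bad.example' matches 'bad.example'."""
    host = hostname.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


def flag_records(records: List[bytes], blocklist: List[str]) -> List[Tuple[int, str]]:
    """Return (index, sni) for every ClientHello whose SNI hits the blocklist."""
    hits = []
    for i, rec in enumerate(records):
        sni = extract_sni(rec)
        if sni is not None and matches_blocklist(sni, blocklist):
            hits.append((i, sni))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: two benign hellos, one blocklisted, one without SNI.
    sample = [build_client_hello("mail.example.org"),
              build_client_hello("cdn.bad.example"),
              build_client_hello(None),
              build_client_hello("updates.example.org")]
    print(flag_records(sample, ["bad.example"]))   # [(1, 'cdn.bad.example')]
```

SNI matching is a cheap first filter, not a substitute for inspection: the field is absent or encrypted on some clients, and a hostname tells you nothing about the payload, which is exactly the gap decryption at the choke point is meant to close.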
Including SSL inspection hardware on encrypted traffic at choke points within a network for additional visibility should become a priority. However, doing so will increase overhead, so validate the current resources on the hardware and determine what increase in resources might occur.
Organizations rely on SaaS apps more than ever now, so there needs to be visibility into what's being sent to these third-party providers. Another step organizations can take to increase their data governance around encrypted traffic is to use tools that provide visibility into encrypted traffic and that also include data loss prevention functions to search for sensitive or malicious data being sent to SaaS apps. Cloud access security brokers are a growing category of tools that can help organizations gain insight into this traffic.
When adding SSL inspection to your arsenal of security monitoring, be aware of how your appliance is encrypting outbound data. There were issues in the past with particular proxies re-encrypting the data with lower security standards than organizations were using -- or thought they were using. Also, keep in mind that key management for the certificates used for inspection should be handled carefully, so as not to disrupt traffic when they expire.
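Both cautions above are checkable. One way to verify that an inspection appliance is not downgrading the outbound leg, and that the certificates in play are not close to expiry, is to record what a connection actually negotiated (protocol version, cipher suite, certificate notAfter) and score it against a written policy. The code below is an added example, not part of the original column or any vendor's product; the policy thresholds and the sample observations are constructed here, and `observe_peer()` is the optional live probe built on Python's standard `ssl` module.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Ordering of protocol names as reported by ssl.SSLSocket.version().
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Substrings that identify cipher suites no inspection proxy should be negotiating.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")

# Constructed policy: what the organization believes its outbound TLS looks like.
POLICY = {"min_protocol": "TLSv1.2", "min_days_to_expiry": 30}


def audit_observation(obs: Dict, policy: Dict, now: datetime) -> List[str]:
    """Compare one observed handshake with the policy; return a list of findings
    (empty means the connection met the policy)."""
    findings = []
    seen = PROTOCOL_RANK.get(obs["protocol"], -1)
    if seen < PROTOCOL_RANK[policy["min_protocol"]]:
        findings.append(f"protocol {obs['protocol']} below minimum {policy['min_protocol']}")
    if any(marker in obs["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {obs['cipher']}")
    days_left = (obs["not_after"] - now).days
    if days_left < policy["min_days_to_expiry"]:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def is_downgraded(client_side: Dict, proxy_side: Dict) -> bool:
    """True when the proxy's outbound leg negotiated an older protocol than the
    client-facing leg, i.e. the appliance weakened what the user thought they had."""
    return PROTOCOL_RANK.get(proxy_side["protocol"], -1) < PROTOCOL_RANK.get(client_side["protocol"], -1)


def observe_peer(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live probe (not exercised offline): connect and record what was negotiated.
    Run it from inside the inspected segment and from outside to compare legs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc),
                "issuer": dict(x[0] for x in cert["issuer"]),
            }


def sample_observations(now: datetime) -> Dict[str, Dict]:
    """Constructed observations standing in for two probes; not real measurements."""
    return {
        "client_leg": {"protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
                       "not_after": now + timedelta(days=200)},
        "proxy_leg": {"protocol": "TLSv1", "cipher": "RC4-SHA",
                      "not_after": now + timedelta(days=10)},
    }


if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    obs = sample_observations(now)
    for leg, seen in obs.items():
        print(leg, audit_observation(seen, POLICY, now) or "ok")
    print("downgraded:", is_downgraded(obs["client_leg"], obs["proxy_leg"]))
```

The useful comparison is between two probes of the same destination, one from a client behind the appliance and one from a host that bypasses it; if the findings differ, the appliance is the one changing the security level, and the certificate-expiry finding gives key management a dated deadline rather than a surprise outage.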