Busting the myths around scanning encrypted traffic

Constant scanning of encrypted data traffic is seen as a critical component of any IT security strategy, yet an alarming number of organisations opt not to do it.

As a result, they provide a tempting channel for cybercriminals to gain entry into their IT infrastructure and either steal data or cause disruption. At the same time, the encryption hides the attackers' activity and lets them act with impunity.

The reasons for not scanning are varied. However, each can be shown to be without merit. By understanding how encryption works and the benefits it delivers, organisations will be much better placed to make more informed decisions.

Both Secure Sockets Layer (SSL) encryption and its successor Transport Layer Security (TLS) establish an encrypted connection between a browser and a destination site, authenticated by a public-key certificate validated by a third-party certificate authority.

Unfortunately, cybercriminals know that TLS encryption is the industry standard for data protection. They’re also aware that companies are still not scanning most of their encrypted traffic, and therefore use this channel as a preferred delivery vehicle for malware.

Common myths

Organisations that opt not to scan encrypted traffic flowing through their networks often use unsound justifications for their decision. Some of the most common include:

  1. We are not on the cybercriminal’s radar screen

Some organisations think they are too small or inconsequential to be of interest to cybercriminals; however, this is dangerous thinking. Bad actors don’t differentiate between large and small organisations; they look for easy targets.

Today, it is no longer a question of if you are attacked; it’s a question of when. Business leaders who ignore this threat are playing a dangerous game, as it is more than just their job on the line if they fail to protect their organisation.

  2. Scanning encrypted traffic is a breach of privacy

While inspecting encrypted traffic might expose personal information, this is not its intended purpose. Organisations need to balance managing risk for the enterprise against respecting privacy.

TLS inspection is used to identify potential threats hidden in encrypted data traffic. An inspecting device decrypts the data, checks it against a set of “known-bad” signatures, and inspects the data stream for risks such as malware coming in or company data inappropriately going out. This does not violate employee privacy, as the data is not shared with anyone.
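The inspection step described above, as an added example that is not part of the original article: once the proxy holds the decrypted payload, it checks inbound data against known-bad hashes and signatures, checks outbound data against sensitive-data patterns, and records only the verdict, never the content. All signatures and patterns here are constructed placeholders, not real indicators.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample indicators for the example (not real malware indicators).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MALWARE-TEST-SAMPLE-0001").hexdigest()}
KNOWN_BAD_PATTERNS = [re.compile(rb"MALWARE-TEST-SIGNATURE-0001")]

# Constructed outbound-data pattern: 15 or 16 digit runs that look like card numbers.
SENSITIVE_PATTERNS = [re.compile(rb"\b(?:\d[ -]?){15,16}\b")]


@dataclass
class Verdict:
    action: str  # "allow" or "block"
    reason: str  # explanation that never echoes the payload itself


def inspect(direction: str, payload: bytes) -> Verdict:
    """Inspect one decrypted payload; `direction` is "inbound" or "outbound"."""
    if direction == "inbound":
        # Inbound: look for malware by hash, then by content signature.
        if hashlib.sha256(payload).hexdigest() in KNOWN_BAD_SHA256:
            return Verdict("block", "inbound payload matched known-bad hash")
        for pattern in KNOWN_BAD_PATTERNS:
            if pattern.search(payload):
                return Verdict("block", "inbound payload matched known-bad signature")
    elif direction == "outbound":
        # Outbound: look for company data that should not be leaving.
        for pattern in SENSITIVE_PATTERNS:
            if pattern.search(payload):
                return Verdict("block", "outbound payload matched sensitive-data pattern")
    return Verdict("allow", "no match")


def audit_record(direction: str, payload: bytes, verdict: Verdict) -> dict:
    """What the inspecting device keeps: direction, size and verdict, not the data."""
    return {
        "direction": direction,
        "bytes": len(payload),
        "action": verdict.action,
        "reason": verdict.reason,
    }
```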

  3. Anonymity will no longer be guaranteed

Anonymity is an important part of the functioning of the public internet, but in a corporate environment, it must have its limits. It can be in place until a risk or threat triggers the need for an organisation to remove that anonymity.

It’s only if there is a real danger that an organisation has the right to respond. Still, this must be documented in the company’s Acceptable Use Policy (AUP), which is shared as part of the employee’s employment agreement.

  4. Convincing data privacy officers will be a tough challenge

Objections by lawyers and privacy professionals might indeed be the most challenging hurdle to overcome at first glance. However, there are a few simple rules for getting the legal department involved and reaching an agreeable outcome calmly.

Overcoming privacy objections, or even preventing them from arising at all, comes down to communication. First, the legal and privacy function has to clearly understand the sensitivity of the data and the controls that protect that sensitive information. Therefore, that function must be involved from the beginning when an IT organisation evaluates a security solution that can scan 100% of its encrypted traffic.

  5. Unions will prevent staff monitoring

Unions may have similar objections to legal teams with regard to staff monitoring at work. For this reason, education is essential to explain how TLS scanning works and why such a solution is required.

Union officials must understand that the purpose is not to gain insight into what each individual is doing at work, but to protect the company’s data in the fight against malware entering the corporate network. Shedding light on the technical details of TLS scanning might help.

  6. It’s too hard to scale scanning

When the decision is taken to scan all traffic, even the IT department might have objections. The problem is that traditional on-premises security tools like next-generation firewalls struggle to provide the performance and capacity needed to decrypt, inspect, and re-encrypt traffic effectively. They were not designed to do deep content inspection.

Thankfully, traditional hardware-based technology with the appropriate capacity is available, but it comes at a price and does not scale easily with the volume of internet-related traffic and its spikes in today’s digital world. Cloud-based solutions are good alternatives, providing the ability to scale and the necessary flexibility, especially when the cloud-based security proxy was designed from the start for deep inline content inspection.

Scanning of encrypted traffic needs to be a part of every organisation’s approach to security. By using appropriate tools and following documented guidelines, monitoring can be undertaken without impacting either performance or privacy.

Steve Singer
Steve Singer is Regional Vice President and Country Manager - Australia and New Zealand for Zscaler.