Encryption: A double-edged sword for enterprise security

April 20, 2016 by Michael Sutton


The following is a guest post by a 2016 Secure360 Twin Cities Gold Sponsor Zscaler. 

Encryption is critical for enterprise security in an age where we're losing control of the device, the network and the data itself. When our sensitive files are stored on third-party servers, all the SLAs in the world can't guarantee that an unauthorized party won't ultimately access the data. The last and most critical line of defense becomes encryption. Even if the files are accessed, all is not lost: without the key, the data is a useless bundle of 1s and 0s. When properly implemented, encryption provides the enterprise with an essential layer of security. Encryption is a powerful weapon in the battle to protect enterprise data, but weapons can be used by both sides. Encryption is also a powerful weapon for attackers.

At Zscaler, 25% of our customers take advantage of our ability to block unscannable files, which are often encrypted, and 32% block password-protected .zip files. The majority of customers allow these files to pass through uninspected. When I ask customers about this, the common answer is that there is a business need to transfer sensitive information, and this is done using tools such as PGP or password-protected archives. That's fine when the encrypted content is known and trusted, but what happens when it's not? It certainly isn't uncommon for attackers to take advantage of such policies in a targeted attack: they deliver an encrypted file, then separately provide the password to decrypt it, spoofing a trusted source for both messages. It's a simple attack, and it completely bypasses every inline security control, because nothing on the path can open the file. There are other means of securely transferring sensitive data, such as corporate cloud storage services, which give better assurance that the source and content can be trusted and which don't bypass security controls.
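The gateway-side check the paragraph describes, as an added example that is not Zscaler's code or the post's own: it flags the three shapes of "unscannable" file that pass through uninspected, a ZIP archive with the encryption bit set in its central directory, an OpenPGP message (ASCII-armored or binary), and, as a fallback heuristic, a large blob whose byte entropy is close to 8 bits per byte. The verdict names, the entropy threshold and the sample files are assumptions constructed for the demonstration; the ZIP sample is built with Python's `zipfile` and has its encryption flag patched in by hand, because the standard library cannot write encrypted entries.

```python
import io
import math
import zipfile

# OpenPGP packet tags that only occur in encrypted material (RFC 4880 section 4.3):
# 1 = public-key encrypted session key, 3 = symmetric-key encrypted session key,
# 9 = symmetrically encrypted data, 18 = symmetrically encrypted integrity-protected data.
PGP_ENCRYPTED_TAGS = {1, 3, 9, 18}
# Assumed thresholds for the fallback entropy heuristic (not from the article).
ENTROPY_MIN_SIZE = 4096     # bytes; short inputs give unreliable entropy estimates
ENTROPY_THRESHOLD = 7.9     # bits per byte; 8.0 is the maximum


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any central-directory entry has the encryption bit (bit 0)
    of its general-purpose flags set. Non-ZIP input returns False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def openpgp_first_tag(data: bytes):
    """Packet tag of the first binary OpenPGP packet, or None when the first
    byte is not a packet header (bit 7 must be set). A one-byte check is a
    cheap signal, not a parser: other binaries can start with such a byte."""
    if not data or not data[0] & 0x80:
        return None
    if data[0] & 0x40:             # new-format header: tag in bits 5..0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F   # old-format header: tag in bits 5..2


def is_openpgp_encrypted(data: bytes) -> bool:
    """ASCII-armored PGP message, or a binary stream opening with an
    encryption-only packet."""
    if data.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    return openpgp_first_tag(data) in PGP_ENCRYPTED_TAGS


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Gateway verdict for one attachment or download (assumed verdict names):
    'block-encrypted-zip', 'block-pgp', 'block-opaque' (high-entropy blob the
    scanners cannot open) or 'inspect' (hand to AV / sandbox / DLP)."""
    if data.startswith(b"PK\x03\x04"):
        # Plain archives are scannable after extraction; only encrypted entries are opaque.
        return "block-encrypted-zip" if zip_has_encrypted_entry(data) else "inspect"
    if is_openpgp_encrypted(data):
        return "block-pgp"
    if len(data) >= ENTROPY_MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
        # Heuristic only: compressed media also scores high, so in practice this
        # verdict should be gated on the file not matching a known container type.
        return "block-opaque"
    return "inspect"


def build_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry stored archive. zipfile cannot write
    encrypted entries, so the encryption flag bit is patched by hand in both
    the local file header (flags at +6) and the central directory header
    (flags at +8); zipfile reads the flag back from the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "plain text payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


# Constructed samples for the demonstration.
SAMPLES = {
    "plain zip": build_zip(encrypted=False),
    "password-protected zip": build_zip(encrypted=True),
    "armored PGP": b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n",
    "binary PGP (SKESK, new-format tag 3)": bytes([0xC3, 0x0D, 0x04]) + b"\x00" * 11,
    "opaque blob": bytes(range(256)) * 32,   # entropy exactly 8.0 bits per byte
    "text document": b"Quarterly report: revenue up 4%, headcount flat.\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:40s} -> {classify(blob)}")
```

The point of the ordering in `classify` is that an unencrypted archive is not unscannable: it can be extracted and its members scanned, so only the encryption flag turns it into a block. The entropy fallback is the weakest signal and should be paired with file-type identification before it is used to block anything.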

An even more intriguing statistic can be found in the rapid growth of SSL-encrypted traffic on the Internet. At Zscaler, 43% of all customer web traffic now traverses our cloud over SSL-encrypted channels. The adoption of SSL by default for all content exploded following the Snowden revelations, as major Internet properties raced to convert HTTP sites to HTTPS. The percentage continues to grow every month as even small sites adopt SSL by default thanks to initiatives such as Let's Encrypt. This is fantastic for privacy, but it presents a very real dilemma for enterprise security. If you haven't deployed proxies capable of SSL decryption to inspect the content downloaded by your employees, you're blind to 43% of it. All that money spent on IDS, IPS, sandboxes, DLP, etc., and it's missing nearly half your traffic. Imagine being a goalie that's blindfolded for 43% of the shots. Good luck winning the game. Fortunately, this message is hitting home, as we now see 63% of Zscaler customers decrypting and inspecting at least some of their SSL-encrypted traffic.

SSL decryption is a sensitive topic in any enterprise. Legal teams get nervous and employees are suspicious when the topic comes up, but encryption doesn't pass moral judgment. It conceals malware just as effectively as it protects spreadsheets, and it is for that reason that SSL decryption is essential for enterprise security. 38% of all malware that we see in the Zscaler cloud is delivered over an SSL connection. This occurs not because attackers are busy obtaining SSL certificates of their own, but simply because they deliver their payloads from the same file hosting and social networking sites that have been aggressively adopting SSL by default over the past three years.

If you're now convinced that SSL decryption is necessary in your enterprise, don't expect to enable it overnight. This topic, rightly so, has a number of stakeholders, and they deserve to be heard. Implementing SSL decryption requires a negotiated settlement, not an eleventh commandment. Expect to implement decryption in phases as stakeholders gain comfort with the process. Most enterprises start with the low-hanging fruit by decrypting only uncategorized traffic, then slowly add higher-risk categories, and ultimately switch to a whitelisting model: everything is decrypted, with specific exceptions for traffic such as financial and healthcare sites.
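The three-phase rollout above, reduced to a decision function, as an added example that is not Zscaler's product logic or the post's own code. The category table, the phase definitions, the risky and exempt category lists and the sample of observed SNIs are all constructed assumptions; a real deployment would consult the proxy's URL-category feed. The `coverage` function gives the figure a practitioner would actually want to report back to stakeholders at each phase: what fraction of observed connections the inspection stack can now see.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed URL-category table, keyed by domain suffix (a real deployment
# would query the proxy's category feed instead of a dict).
CATEGORIES = {
    "bank-example.com": "finance",
    "clinic-example.org": "healthcare",
    "files-example.net": "file-sharing",
    "social-example.com": "social-networking",
    "news-example.com": "news",
}
UNCATEGORIZED = "uncategorized"


@dataclass(frozen=True)
class Policy:
    """Rollout phase plus the two category lists that stakeholders negotiate."""
    phase: int                                   # 1, 2 or 3
    risky: frozenset = frozenset({"file-sharing", "social-networking"})
    exempt: frozenset = frozenset({"finance", "healthcare"})


def categorize(sni: Optional[str]) -> str:
    """Longest-suffix match of the TLS SNI against the table. A ClientHello
    without SNI cannot be categorized and is treated as uncategorized."""
    if not sni:
        return UNCATEGORIZED
    labels = sni.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):           # never match a bare TLD
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return UNCATEGORIZED


def decide(policy: Policy, sni: Optional[str]) -> str:
    """'decrypt' (terminate TLS and inspect) or 'bypass' (pass through)."""
    cat = categorize(sni)
    if policy.phase == 1:                       # low-hanging fruit only
        return "decrypt" if cat == UNCATEGORIZED else "bypass"
    if policy.phase == 2:                       # add the negotiated risky categories
        return "decrypt" if cat == UNCATEGORIZED or cat in policy.risky else "bypass"
    # phase 3: decrypt by default, exempt only the agreed categories
    return "bypass" if cat in policy.exempt else "decrypt"


def coverage(policy: Policy, snis) -> float:
    """Fraction of connections that would be inspected under the policy."""
    snis = list(snis)
    if not snis:
        return 0.0
    return sum(decide(policy, s) == "decrypt" for s in snis) / len(snis)


# Constructed sample of observed SNIs (None = ClientHello without SNI).
SAMPLE_CONNECTIONS = [
    "www.news-example.com",
    "cdn.files-example.net",
    "login.bank-example.com",
    "portal.clinic-example.org",
    "api.social-example.com",
    "x7h2.unknown-host.example",
    None,
]

if __name__ == "__main__":
    for phase in (1, 2, 3):
        p = Policy(phase=phase)
        print(f"phase {phase}: {coverage(p, SAMPLE_CONNECTIONS):.0%} of connections decrypted")
        for sni in SAMPLE_CONNECTIONS:
            print(f"   {str(sni):30s} {categorize(sni):18s} {decide(p, sni)}")
```

Two practitioner caveats that the category table does not capture: connections without SNI land in the uncategorized bucket and are therefore decrypted from phase 1 onward, and applications that pin their server certificate will break when decrypted regardless of category, so the exemption list in phase 3 usually grows to include those hosts as well as the financial and healthcare categories.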

Encryption is a valuable tool for enterprise security so long as you know what is being encrypted and who has the keys to decrypt it. Reagan taught us to "trust but verify". That's where encryption becomes tricky. If we're using encryption to secure our own data, we already trust the content and there's no need to verify. If, however, we're dealing with third-party content, we must verify everything before permitting it into our network. If you're allowing encrypted files to enter the network blindly, or have no means to inspect SSL-encrypted traffic, you have no means of verification. You're just crossing your fingers, and that's never an effective strategy.

Filed Under: Guest Posts

About Michael Sutton

Michael Sutton has dedicated his career to conducting leading-edge security research, building world-class security teams and educating others on a variety of security topics. As CISO, Sutton drives internal security and heads Zscaler's office of the CISO. Zscaler has built the world's largest security cloud, trusted by 5,000+ companies, making internal security a critical focus requiring 24/7 monitoring from internal and external resources. The office of the CISO is a team engaging security executives at a peer level, to drive best practices and facilitate industry-wide collaboration on emerging security topics.

Comments

  1. Cristopher Burge says

    July 8, 2016 at 9:05 am

    Cloud Security is still a problem for enterprises. I solely believe that the main reason for this problem is the lack of a proper strategy. Cloud computing has evolved over the years and now it’s a must have for businesses, from start-ups to enterprises. The price of cloud computing solutions is on the rise (http://www.cloudstorage101.com/cloud-storage-prices-rise/ ), because of the high demand, but my main concern is that the people who are in charge of handling the data are taking “the cloud” for granted. They don’t have a proper vision, so an encryption/decryption strategy sounds kind of risky without solid training.
