The following is a guest post by 2016 Secure360 Twin Cities Gold Sponsor Zscaler.
Encryption is critical for enterprise security in an age where we’re losing control of the device, the network and the data itself. When our sensitive files are stored on third party servers, all the SLAs in the world can’t guarantee that an unauthorized party won’t ultimately access the data. The last and most critical line of defense becomes encryption. Even if the files are accessed, all is not lost – the data is a useless bundle of 1’s and 0’s. When properly implemented, encryption provides the enterprise with an essential layer of security. Encryption is a powerful weapon in the battle to protect enterprise data, but weapons can be used by both sides. Encryption is also a powerful weapon for attackers.
At Zscaler, 25% of our customers take advantage of our ability to block unscannable files, which are often encrypted, and 32% block password-protected .zip files. The majority of customers allow these files to pass through uninspected. When I ask customers about this, the common answer is that there is a business need to transfer sensitive information and this is done using tools such as PGP or password-protected archives. That’s fine when the encrypted content is known and trusted, but what happens when it’s not? It certainly isn’t uncommon for attackers to take advantage of policies such as this by delivering an encrypted file in a targeted attack and then separately providing the password to decrypt it, spoofing a trusted source for both. It’s a simple attack that completely bypasses all inline security controls. There are other means of securely transferring sensitive data, such as corporate cloud storage services, that give better assurance that the source and content can be trusted and that don’t bypass security controls.
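To make the two controls mentioned above concrete, here is an added example (not Zscaler code or part of the original post) of what an inline inspection engine has to do before it can decide on an archive: walk the ZIP local file headers and look at general-purpose flag bit 0, which is the marker a password-protected entry carries, and recognise the ASCII armor of a PGP message as content no scanner can open. The `classify`, `policy_verdict` and `build_zip` names, the category labels and the sample archives are all constructed for the example; `build_zip` only sets the encryption flag in a plain archive to mimic what a password-protected one looks like to the header walk, it does not encrypt anything.

```python
import io
import struct
import zipfile

# ZIP local file header (APPNOTE 4.3.7): signature, version needed, general-purpose
# flags, method, mod time, mod date, crc32, compressed size, uncompressed size,
# file name length, extra field length.
LOCAL_HEADER = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001        # bit 0: entry is encrypted (password protected)
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, header sizes are 0
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def zip_entries(data):
    """Walk the local file headers of a ZIP and return [(name, encrypted), ...].

    Returns None when the walk cannot continue (truncated header, or an entry
    using a data descriptor so the compressed size needed to reach the next
    header is unknown); the caller treats that as unscannable, not as clean.
    """
    entries, offset = [], 0
    while data.startswith(LOCAL_HEADER, offset):
        if offset + LOCAL_HEADER_LEN > len(data):
            return None
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, offset)
        flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
        if flags & FLAG_DATA_DESCRIPTOR:
            return None
        name_start = offset + LOCAL_HEADER_LEN
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        offset = name_start + nlen + xlen + csize
    return entries


def classify(data):
    """Label a download 'clean', 'encrypted-archive', 'pgp-encrypted' or 'unscannable'."""
    if data.startswith(LOCAL_HEADER):
        entries = zip_entries(data)
        if entries is None:
            return "unscannable"
        return "encrypted-archive" if any(enc for _, enc in entries) else "clean"
    if data.lstrip().startswith(PGP_ARMOR):
        return "pgp-encrypted"
    return "clean"  # assume anything else reaches a scanner that can open it


def policy_verdict(label, block_unscannable=True, block_encrypted_archives=True):
    """Apply the two opt-in controls the post describes to a classification."""
    if label == "encrypted-archive":
        return "block" if block_encrypted_archives else "allow"
    if label in ("pgp-encrypted", "unscannable"):
        return "block" if block_unscannable else "allow"
    return "allow"


def build_zip(files, encrypted=False):
    """Constructed test fixture: an in-memory ZIP of (name, bytes) pairs.

    With encrypted=True the bit-0 flag is set in every local header, which is
    what a password-protected archive looks like to the header walk above; the
    contents are not actually encrypted, only the marker is mimicked.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            offsets = [zi.header_offset for zi in zf.infolist()]
        for pos in offsets:  # flags sit 6 bytes into each local header
            flags = struct.unpack_from("<H", data, pos + 6)[0]
            struct.pack_into("<H", data, pos + 6, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    samples = {  # constructed downloads
        "report.zip": build_zip([("q2.csv", b"region,revenue\nnorth,42\n")]),
        "invoice.zip": build_zip([("invoice.js", b"// payload"), ("readme.txt", b"hi")], encrypted=True),
        "contract.pgp": PGP_ARMOR + b"\nVersion: constructed sample\n\nhQEMA...\n-----END PGP MESSAGE-----\n",
    }
    for filename, blob in samples.items():
        label = classify(blob)
        print(f"{filename:14} {label:18} -> {policy_verdict(label)}")
```

The point of walking the local headers rather than trusting the central directory is that an inline proxy sees the file as a stream; the flag is available per entry as soon as its header arrives, so the decision to block can be made without buffering the whole archive.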
An even more intriguing statistic can be found in the rapid growth of SSL encrypted traffic on the Internet. At Zscaler, 43% of all customer web traffic now traverses our cloud over SSL encrypted channels. The rapid adoption of SSL by default for all content exploded following the Snowden revelations as major Internet properties raced to convert HTTP sites to HTTPS. The percentage continues to grow every month as even small sites adopt SSL by default thanks to initiatives such as Let’s Encrypt. This is fantastic for privacy, but it presents a very real dilemma for enterprise security. If you haven’t employed proxies capable of SSL decryption to inspect the content downloaded by your employees, you’re blind to 43% of it. All that money spent on IDS, IPS, sandboxes, DLP, etc. and it’s missing nearly half your traffic. Imagine being a goalie that’s blindfolded for 43% of the shots. Good luck winning the game. Fortunately, this message is hitting home as we now see 63% of Zscaler customers decrypting/inspecting at least some of their SSL encrypted traffic.
SSL decryption is a sensitive topic in any enterprise. Legal teams get nervous and employees are suspicious when the topic comes up, but encryption doesn’t pass moral judgment. It conceals malware just as effectively as it protects spreadsheets, and it is for that reason that SSL decryption is essential for enterprise security. 38% of all malware that we see in the Zscaler cloud is delivered over an SSL connection. This occurs not because attackers are busy signing SSL certificates, but simply because they’re delivering their payloads from the same file hosting and social networking sites that have been aggressively adopting SSL by default over the past three years.
If you’re now convinced that SSL decryption is necessary in your enterprise, don’t expect to enable it overnight. This topic, rightly so, has a number of stakeholders and they deserve to be heard. Implementing SSL decryption requires a negotiated settlement, not an eleventh commandment. Expect to implement decryption in phases as stakeholders gain comfort with the process. Most enterprises start with the low-hanging fruit by only decrypting uncategorized traffic, then slowly add higher-risk categories and ultimately switch to a whitelisting model by assuming that everything is decrypted, with specific exceptions for traffic such as financial and healthcare.
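The phased rollout only works if the proxy can tell which site a connection is headed to before it decides whether to intercept it, and the one thing it can read in the clear on an SSL connection is the server name (SNI) in the ClientHello. The following added example, which is not Zscaler code or part of the original post, parses the SNI from a TLS record and feeds it into a three-phase decrypt/bypass policy matching the rollout described above: uncategorized only, then file-hosting and social-networking added, then decrypt everything except finance and healthcare. The `PHASES` table, the category names, the hostnames and the `build_client_hello` fixture are all constructed for the example; a real deployment takes categories from its URL classification service.

```python
import struct

# Constructed category labels; the three phases mirror the rollout the post
# describes (uncategorized first, higher-risk categories next, then
# decrypt-everything with named exceptions).
PHASES = {
    1: {"default": "bypass", "decrypt": {"uncategorized"}},
    2: {"default": "bypass", "decrypt": {"uncategorized", "file-hosting", "social-networking"}},
    3: {"default": "decrypt", "bypass": {"finance", "healthcare"}},
}


def decrypt_decision(host, category_of, phase):
    """Return 'decrypt' or 'bypass' for a hostname under the given rollout phase.

    category_of maps hostnames to URL categories; unknown hosts are 'uncategorized'.
    """
    category = category_of.get(host, "uncategorized")
    rules = PHASES[phase]
    if rules["default"] == "bypass":
        return "decrypt" if category in rules["decrypt"] else "bypass"
    return "bypass" if category in rules["bypass"] else "decrypt"


def extract_sni(record):
    """Pull the server_name out of a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # legacy_version + random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher suites
    pos += 1 + body[pos]                               # compression methods
    if pos + 2 > len(body):                            # no extensions block at all
        return None
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if etype != 0:                                 # 0 = server_name (RFC 6066)
            pos += elen
            continue
        q = pos + 2                                    # skip server_name_list length
        while q + 3 <= pos + elen:
            ntype, nlen = body[q], struct.unpack_from("!H", body, q + 1)[0]
            if ntype == 0:                             # host_name
                return body[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
        return None
    return None


def inspect_flow(record, category_of, phase):
    """Proxy front end: read the SNI before any handshake and decide decrypt/bypass."""
    host = extract_sni(record)
    if host is None:
        # No usable name: fall through to bypass here, but log it; a production
        # policy would classify by destination IP instead of giving up.
        return None, "bypass"
    return host, decrypt_decision(host, category_of, phase)


def build_client_hello(host):
    """Constructed sample: minimal ClientHello in a TLS record, carrying one
    unrelated extension followed by an SNI extension for `host`."""
    name = host.encode("ascii")
    sni_list = struct.pack("!HBH", 3 + len(name), 0, len(name)) + name
    ext_sni = struct.pack("!HH", 0, len(sni_list)) + sni_list
    ext_groups = bytes.fromhex("000a00040002001d")  # supported_groups: x25519
    extensions = ext_groups + ext_sni
    body = (b"\x03\x03" + bytes(32)                # legacy_version, random (zeros)
            + b"\x00"                              # empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    categories = {"share.example": "file-hosting", "bank.example": "finance"}  # constructed
    for site in ("share.example", "bank.example", "unknown.example"):
        print(site, [inspect_flow(build_client_hello(site), categories, p)[1] for p in (1, 2, 3)])
```

Note the shape of phase 3: the default flips from bypass to decrypt and the exception list is what has to be maintained, which is why the post calls it a whitelisting model. Anything that ends up in that list is traffic you have decided not to see.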
Encryption is a valuable tool for enterprise security so long as you know what is being encrypted and who has the keys to decrypt it. Reagan taught us to “trust but verify”. That’s where encryption becomes tricky. If we’re using encryption to secure our own data, we already trust the content and there’s no need to verify. If, however, we’re dealing with third-party content, we must verify everything before permitting it into our network. If you’re allowing encrypted files to blindly enter the network, or have no means to inspect SSL encrypted traffic, you have no means of verification. You’re just crossing your fingers…and that’s never an effective strategy.