SSL Decryption: The ABCs of Network Visibility
Coded, disguised forms of communication (also known as ciphers) are nothing new. For centuries, people have sent messages designed to be unreadable, if intercepted or received by hostile forces. The enigma machines used by Germany during WW2 are a famous example of this. Today, SSL (secure sockets layer) encryption and decryption are the means by which sensitive data is safely transmitted – and protected from prying eyes – over the internet and across networks.
On a basic level, SSL encryption occurs when sensitive data is transformed into an unintelligible, unreadable “ciphertext”. SSL decryption occurs when this “ciphertext” is returned to its original format. To do this, a key, which gives instructions on how to decode the encrypted message, is required.
Network Security and SSL Decryption Use Cases
We live in an age where the stakes are high for both individuals and organizations that fall victim to data theft. So it’s for good reason that SSL encryption has soared (and continues to soar) in popularity. According to Mozilla, half of all internet traffic is now encrypted. SSL encryption is a powerful weapon in the battle for data security, but its greatest strength, is also its greatest weakness.
Encryption hides at-risk data. But it can also hide other, less innocuous things too. Cybercriminals can take advantage of SSL encryption, camouflaging malware and other undesirables in encrypted data, so that they’re able to sneak into, and around company networks undetected. Since many network tools can’t inspect SSL encrypted data, it’s necessary that data is first decrypted, and then inspected.
Considerations for SSL Data Monitoring
So, SSL decryption is vital to network security, yet it presents a number of challenges. These include:
Firewall Strain – Many organizations use their Next Generation Firewalls (NGFWs), (which typically come with decryption capabilities) as the main point of SSL decryption on the network. But, as data encryption continues to grow in popularity, firewalls will experience more and more strain. SSL decryption takes up valuable processing power, making the firewall less effective. This makes it easy for the firewall to become a bottleneck on the network, holding up other processes and stalling productivity.
Internal Threats – Following on from the above, firewalls often sit at the edge of the network, only decoding encrypted data that comes from outside. This means that encrypted communications that occur internally (between servers / clients) remain uninspected. This is a huge risk, since internal communications may comprise some 80% of encrypted network data. If malware does somehow make it into the network, SSL encryption within the network will help camouflage it.
Inefficiency and Overloading – Some network monitoring tools (aside from NGFWs) come with SSL decryption capabilities too. This isn’t an ideal solution however. As with firewalls, enabling SSL decryption on these tools can debilitate performance. Furthermore, requiring each tool to decrypt its own data is inefficient. It means multiple, siloed tools, performing the same decryption process, on the same set of data. This is a waste of resources. Why have several appliances repeating the same task when one tool could decrypt the data, and then push it out to all of them?
Data Compliance – HIPAA, PCI, and organizational best-practice policies mean personally identifiable information (PII) must be handled with care. When SSL decryption occurs, sensitive, personal data is exposed. Without the right safeguards in place, anyone with access to network monitoring tools becomes privy to this sensitive information. Data masking should be used to protect this data.
More Information on Decrypting Monitoring Data
Companies can overcome the challenges associated with SSL decryption by using a network packet broker (NPB) with decryption capabilities. Network packet brokers act as a central recipient, and “dealer”, of data in the network by decrypting the data at this point, before sending it out to network appliances (e.g. intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls). The NPB removes the processing burden from these tools, boosting overall efficiency and productivity. Unlike firewalls, NPBs are also able to decode encrypted data that arises from within the network.
A good NPB solution will also come with built-in data masking capabilities. Designed with usability in mind, a point-and-click user interface takes the pain out of data compliance in this area.