We experience encryption daily, mostly without our conscious engagement, by dint of browsers (encrypting data-in-motion) and devices (encrypting data-at-rest). Building encryption into products has been a critical approach for elevating privacy and protecting sensitive data without depending on the weakest link—people—to enforce rules and be smart online.
A new survey from Enterprise Management Associates (EMA) indicates businesses are investing heavily in new and better encryption. It's a way to keep sensitive data confidential, avoid data tampering, and thwart monitoring by folks who may not have a user or company's best interests at heart.
And if you are worried enough to spend tens or hundreds of thousands of dollars encrypting traffic, you aren't going to waste money on weak encryption. That's one of the findings in this survey of 249 IT leaders. The overwhelming majority has the newest standard, Transport Layer Security version 1.3, in place or in plan for adoption shortly.
"74 percent of respondents have either begun TLS 1.3 enablement for internal connections or plan to enable it for internal traffic within the next six months." - TLS 1.3 Adoption in the Enterprise, Paula Musich, Enterprise Management Associates, January 2019
All this encryption is a good thing, right? Not necessarily, for two reasons.
Organizational Agreement (and the Lack Thereof)
First, encryption uses infrastructure managed by IT and application teams, not security teams. Even if security provides a spec, we've learned over the years that IT choices and priorities seldom magically align with security best practices. Think about it. IT optimizes for availability first and performance second, while security optimizes for confidentiality and integrity, followed by availability. And if you are building an application, it's much easier, faster, and more satisfying to build something than to build a secure something.
Even with a strong will to be secure, most IT teams lack the edge-case knowledge to recognize when their decisions or errors might affect security. System and service misconfigurations cause as many problems as attackers do at most companies. What are misconfigurations? Poor choices by the weakest link: people.
Second, encryption blinds almost all of the tools security teams use to monitor and investigate attacks, compliance, and insider abuse. Effectively, the lights are turned off, so analytic algorithms can't detect either the good or the bad within the traffic. Sadly, even when the IT team builds in a technology to return visibility by decrypting traffic, their choice often introduces security flaws of its own. The most popular decryption options, built for previous generations of encryption standards, are bad choices for today:
- Decryption using an in-line technique (such as a firewall or web gateway) opens up a man-in-the-middle (MITM) attack surface and the opportunity for downgrade attacks, which put the attacker in control of your data integrity and sensitive information.
- Decryption using a network packet broker or aggregator siphons a copy, then decrypts the traffic, but does not re-encrypt afterwards. This leaves the sensitive data traversing systems and storage unencrypted, which entirely defeats the intent of encrypting internal traffic against snooping and theft.
Deliberately, the new TLS 1.3 standard introduces a new way of managing certificates to reduce the potential size of a loss. Few products have found a way to decrypt TLS 1.3 at all. No in-line system will be effective and secure due to performance constraints, latency in delivery, and the MITM drawback described above. Out-of-band systems have a better shot, if they can avoid sending traffic around the network or storing it unencrypted.
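One concrete piece of the visibility problem: a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its legacy version field and announces 1.3 only in the supported_versions extension, so a monitor that reads the first version field will report a TLS 1.3 rollout, or a downgrade by an in-line device, incorrectly. The parser below, an added example that is not from the article or the EMA report, reads the negotiated version and cipher suite from constructed sample ServerHello records; the builder exists only to produce those samples.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # extension type from RFC 8446, section 4.2.1


def parse_server_hello(record: bytes) -> dict:
    """Report the version a ServerHello actually negotiated.

    TLS 1.3 keeps legacy_version at 0x0303 and signals 1.3 through the
    supported_versions extension; reading only the first field misreports it.
    """
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]        # legacy_version
    pos = 2 + 32                                       # skip server random
    pos += 1 + body[pos]                               # legacy_session_id_echo
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                           # cipher suite + compression byte
    if pos + 2 <= len(body):                           # extensions block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suite": f"0x{cipher_suite:04x}"}


def build_server_hello(cipher_suite: int, selected_version=None) -> bytes:
    """Construct a minimal ServerHello record; sample data only, not a real capture."""
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # legacy_version, random, empty session id
            + struct.pack("!H", cipher_suite) + b"\x00"            # cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a TLS 1.3 session (TLS_AES_128_GCM_SHA256) and a TLS 1.2 one.
TLS13_HELLO = build_server_hello(0x1301, 0x0304)
TLS12_HELLO = build_server_hello(0xC02F)

if __name__ == "__main__":
    for name, rec in (("TLS 1.3 sample", TLS13_HELLO), ("TLS 1.2 sample", TLS12_HELLO)):
        print(name, parse_server_hello(rec))
```

Run over a capture of internal traffic, a check like this tells you whether the connections IT reports as "TLS 1.3 enabled" really negotiated 1.3 end to end.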
Compensating for these issues takes time and knowledge. The EMA survey points out: "The greatest need for work [in adoption of TLS 1.3] comes not from impacting business, but from maintaining the ability to provide visibility into the traffic for security and operations troubleshooting."
So here's the wakeup call for IT and security leaders, and the execs who manage them. Security teams need to engage NOW with IT teams, and IT teams need to engage NOW with security teams to create a safe and sustainable architecture to both encrypt and decrypt traffic. The longer you wait, the more risk, cost, and cleanup will be required.
For more details on the timelines, tradeoffs, and implications of encryption in the enterprise, read the EMA report here.
This article was first published on Forbes.com. Read the original here.