As ransomware runs rampant in today's dynamic and hybrid work environments, zero trust has emerged as a critical model for strengthening cyber defense. It makes sense; with the erosion of traditional concepts of secured zones, perimeters, and network segments, organizations can't afford to take chances with a "trusted" user introducing a threat, intentionally or not, into critical systems. But even zero trust isn't perfect. After all, trust only applies to things you can see—and when it comes to encrypted network traffic, zero trust has a blind spot you could drive a truck full of ransomware through.
Why Zero Trust Is Essential—And Why It Fails
Facing the triple challenge of rising threats, rising vulnerability, and a critical shortage of cybersecurity skills, enterprises can feel overwhelmed and unable to respond effectively. In this light, the very name of zero trust can feel reassuring, with its implication of absolute protection. Nobody is trusted, no excess privileges are allowed, no free movement can occur, and so on. Still, as noted in an earlier article, even the most rigorous prevention controls can allow ransomware to slip through the cracks. The real goal of zero trust isn't necessarily to prevent every breach—it's to limit the movement of malware within the network and thus limit the damage it can do. In that respect, it's highly valuable and effective.
Still, given the realistic limitations of zero trust—it can greatly reduce breaches but not eliminate them entirely—it's crucial to bolster its effectiveness wherever possible. And there's one area where it needs all the help it can get: encrypted communications.
As a foundation of online communication, we tend to take encryption for granted. The vast majority of online communication is encrypted using SSL or TLS, primarily for data protection and privacy. However, this practice has also had transformative benefits for hackers. After all, security components such as DLP, antivirus, firewall, IPS, and IDS can't monitor, filter, or analyze what they can't see. Ransomware and malware can hide comfortably within encrypted internet traffic—and once inside the environment, nearly half of malware uses TLS to establish a connection and communicate with command and control servers. At that point, even zero trust is little help.
Opening the Eyes of Zero Trust
An attack surface is only as secure as its weakest spot. Without a way to address the encryption blind spot, even the most extensive—and expensive—cyberdefense investments can't protect your business. On the one hand, you can't do without encryption; on the other hand, you can't allow it to undermine the safety of your organization, either.
Security vendors are well aware of this dilemma. In response, many now incorporate TLS decryption into their products. It's a great solution, in theory, making it possible to catch malware, sensitive data, and anything else concealed in encrypted communications. In practice, it can come at a high cost. By the time you've decrypted, inspected, and re-encrypted communications, you've incurred a significant penalty in network performance—and that's before the next device in the security stack has taken its turn. Latency grows, bottlenecks tighten, cost and complexity rise. Meanwhile, the need to distribute private keys across the multi-vendor, multi-device security infrastructure creates new vulnerabilities of its own.
Foolproof Zero Trust with Comprehensive Visibility
The drawbacks that can come with a suboptimal TLS decryption strategy are more a matter of implementation than of principle. Instead of being performed on a device-by-device or per-hop basis, decryption, inspection, and re-encryption should be done centrally by a single, dedicated component optimized for this purpose. Traffic should be decrypted once, inspected by devices across the security stack, and then re-encrypted once to continue on its way. This approach enables the full visibility needed for zero trust to be effective while increasing the efficiency of TLS decryption to avoid performance penalties.
Ideally suited to modern computing and workplace environments, zero trust allows organizations to tightly restrict and control access and movement across applications, databases, cloud environments, and other assets. By complementing this granular protection with comprehensive visibility—even into encrypted traffic—organizations can fulfill its promise as a cornerstone of modern cybersecurity.
Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks