Zero Trust with Zero Visibility Can’t Stop Ransomware

The real goal of zero trust isn't necessarily to prevent every breach—it's to limit the movement of malware within the network and thus limit the damage it can do.

Babur Nawaz Khan

December 20, 2021


As ransomware runs rampant in today’s dynamic and hybrid work environments, zero trust has emerged as a critical model for strengthening cyber defense. It makes sense; with the erosion of traditional concepts of secured zones, perimeters, and network segments, organizations can't afford to take chances with a “trusted” user introducing a threat, intentionally or not, into critical systems. But even zero trust isn’t perfect. After all, trust only applies to things you can see—and when it comes to encrypted network traffic, zero trust has a blind spot you could drive a truck full of ransomware through.

Why Zero Trust Is Essential—And Why It Fails

Facing the triple challenge of rising threats, rising vulnerability, and a critical shortage of cybersecurity skills, enterprises can feel overwhelmed and unable to respond effectively. In this light, the very name of zero trust can feel reassuring, with its implication of absolute protection. Nobody is trusted, no excess privileges are allowed, no free movement can occur, and so on. Still, as noted in an earlier article, even the most rigorous prevention controls can allow ransomware to slip through the cracks. The real goal of zero trust isn't necessarily to prevent every breach—it's to limit the movement of malware within the network and thus limit the damage it can do. In that respect, it’s highly valuable and effective.

Still, given the realistic limitations of zero trust—it can greatly reduce breaches but not eliminate them entirely—it's crucial to bolster its effectiveness wherever possible. And there's one area where it needs all the help it can get: encrypted communications.

As a foundation of online communication, we tend to take encryption for granted. The vast majority of web and application traffic is encrypted with TLS (the successor to SSL), primarily for data protection and privacy. That same property also benefits attackers. Network security components such as DLP, antivirus gateways, firewalls, IPS, and IDS can't monitor, filter, or analyze what they can't see: on the wire they observe record types, record lengths, and unencrypted handshake metadata, while the payload is opaque without the session keys. Ransomware and malware can hide comfortably within encrypted internet traffic, and once inside the environment, nearly half of malware uses TLS to establish and maintain its command-and-control channel. At that point, any zero-trust control that depends on inspecting the content of network traffic is little help; the plaintext exists only at the endpoints and wherever the session is terminated.
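To make the blind spot concrete, here is an added example (my own code, not the author's or A10's) that builds a TLS ClientHello and an application_data record and runs the kind of inspection a passive network sensor can do without any keys. The host name, cipher suites, "ciphertext" bytes, and the two signature strings are constructed for the example; they are not real captures or indicators of compromise.

```python
import struct

# TLS record content types (RFC 8446 / RFC 5246)
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
EXT_SERVER_NAME = 0x0000  # server_name extension carries the SNI

# Constructed content-matching rule set for the example, not real indicators of compromise.
SIGNATURES = [b"cmd.exe", b"powershell"]


def build_client_hello(server_name: str, cipher_suites: list) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with an SNI extension.
    Constructed sample input for this example, not a real capture."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2 wire value
        + bytes(range(32))                            # client random (fixed for the example)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def parse_client_hello(body: bytes) -> dict:
    """Extract SNI, offered cipher suites and extension types from a ClientHello body."""
    pos = 2 + 32                                      # skip client_version and random
    pos += 1 + body[pos]                              # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # compression methods
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    sni, ext_types = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        ext_types.append(etype)
        if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:  # host_name entry
            (name_len,) = struct.unpack("!H", edata[3:5])
            sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"sni": sni, "cipher_suites": suites, "extensions": ext_types}


def inspect_record(record: bytes) -> dict:
    """What a passive network sensor can learn from one TLS record without any keys."""
    ctype, version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record")
    info = {"content_type": ctype, "length": length, "plaintext_visible": False}
    if ctype == TLS_HANDSHAKE and payload[:1] == b"\x01":
        info.update(parse_client_hello(payload[4:]))    # unencrypted handshake: metadata only
        info["plaintext_visible"] = True
    return info                                         # application_data: type and length only


def signature_hits(data: bytes) -> list:
    """Naive IDS-style content match; only meaningful when run on plaintext."""
    return [sig for sig in SIGNATURES if sig in data]


if __name__ == "__main__":
    hello = build_client_hello("updates.example.net", [0x1301, 0xC02F])
    print(inspect_record(hello))
    # Stand-in for an encrypted application_data record: the bytes are constructed, not real
    # ciphertext, but to a sensor without the session keys they are equally opaque.
    ciphertext = bytes.fromhex("9f3a7c0e51b2d84466ee10fa2b7c9d03e8a1f5c4")
    app_data = struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(ciphertext)) + ciphertext
    print(inspect_record(app_data), signature_hits(app_data))
    # The same rule fires on the plaintext that exists only at an endpoint or a TLS-terminating proxy.
    print(signature_hits(b"GET /stage2?run=powershell HTTP/1.1"))
```

The handshake yields the SNI and the offered cipher suites (the same fields JA3-style client fingerprinting is built on), which is why SNI- and fingerprint-based policy still works on encrypted flows; with TLS 1.3 Encrypted Client Hello even that metadata disappears. The application_data record yields nothing but a type and a length, so a content signature that matches the plaintext request never fires on the wire. That is the gap the rest of the article addresses.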

Opening the Eyes of Zero Trust

A defense is only as strong as its weakest point. Without a way to address the encryption blind spot, even the most extensive, and most expensive, cyberdefense investments can't protect your business. You can't do without encryption, but you can't allow it to undermine the safety of your organization either.

Security vendors are well aware of this dilemma. In response, many now build TLS decryption into their products. In theory it is a complete answer, making it possible to catch malware, sensitive data, and anything else concealed in encrypted communications. In practice it can come at a high cost. By the time a device has decrypted, inspected, and re-encrypted a session, it has incurred a significant penalty in throughput and latency, and that is before the next device in the security stack takes its turn. Latency grows, bottlenecks tighten, cost and complexity rise. Meanwhile, the need to distribute private keys (server keys for inbound traffic, the interception CA's signing key for outbound traffic) across a multi-vendor, multi-device security infrastructure widens the set of systems whose compromise exposes every inspected session.

Zero Trust with Comprehensive Visibility

The drawbacks of a suboptimal TLS decryption strategy are a matter of implementation rather than principle. Instead of decrypting on a device-by-device, per-hop basis, decryption, inspection, and re-encryption should be performed centrally by a single dedicated component optimized for the purpose. Traffic is decrypted once, the plaintext is passed through each inspection device in the security stack, and the session is re-encrypted once to continue on its way. This gives zero trust the full visibility it needs to be effective while limiting the TLS overhead to a single decrypt and a single re-encrypt per session. Two consequences follow from the design. The central component holds key material for every session it inspects and is therefore a high-value target that must be hardened and tightly access-controlled. It also needs an explicit policy for which traffic is exempted from inspection (for example, categories where decryption is not permitted), because anything exempted is once again invisible to the entire stack.

Ideally suited to modern computing and workplace environments, zero trust allows organizations to tightly restrict and control access and movement across applications, databases, cloud environments, and other assets. By complementing this granular protection with comprehensive visibility—even into encrypted traffic—organizations can fulfill its promise as a cornerstone of modern cybersecurity.

Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks

About the Author(s)

Babur Nawaz Khan

Babur Nawaz Khan is a technical marketing engineer at A10 Networks. He primarily focuses on the company’s enterprise security solutions, including Thunder® SSL Insight for TLS inspection and Cloud Access Proxy, which is a SaaS access security and optimization solution. Prior to his current role, he was a member of A10 Networks’ corporate systems engineering team, working on application delivery controllers. Khan holds a master’s degree in computer science from the University of Maryland, Baltimore County.
