SSE solution series: choose SSL/TLS inspection of traffic at production scale

Nathan Howe

Contributor

Zscaler

Sanjit Ganguli

Contributor

Zscaler

Mar 9, 2022

SSE vendors cannot claim to have best-in-class advanced threat protection and data loss prevention without the ability to inspect all traffic at production scale, including encrypted traffic.

With the vast majority of Internet traffic (an estimated 85%) now encrypted, security service edge (SSE) vendors must inspect that traffic at scale and in depth to provide the threat protection and data loss prevention demanded by the exponential growth of security risks carried over encrypted channels. Why does SSL/TLS decryption at scale matter so much?

  • SSL/TLS encryption can hide harmful content such as viruses, spyware, and other malware.
  • Attackers build their websites with TLS and SSL encryption or inject malicious content into well-known and trusted SSL- and TLS-enabled sites.
  • SSL/TLS can hide data leaks, such as the transmission of sensitive financial documents from an organization.
  • SSL/TLS can hide the browsing of websites that belong to legal-liability classes.
  • The ability to control and inspect traffic to and from online services using HTTPS has become an important piece of an organization’s security posture.

Given these risks, an SSE vendor’s architecture must scale to function as an SSL/TLS person-in-the-middle proxy that provides complete inbound and outbound content analysis and immediately blocks any threat detected anywhere in the cloud.

Threat actors continue to evolve their tools, techniques, and procedures when targeting organizations, including abuse of legitimate storage service providers like Dropbox, Box, OneDrive, and GDrive for hosting malicious payloads. These connections use the wildcard SSL/TLS certificates of these reputable vendors when serving the malicious payloads, so a connection that is not inspected will result in a successful attack. The malicious payloads (executables, office documents, etc.) are also polymorphic, as the goal is to evade basic fingerprint-based detection. An SSE vendor’s architecture must allow full payload extraction from these SSL/TLS-encrypted connections and must be capable of unpacking and deobfuscating these files for accurate detection.

In addition to blocking threats, inspection at scale enables advanced data loss prevention. SSE vendors should be evaluated on their data classification capabilities. These should include regular expressions (regex) as a basic mechanism, but quickly finding and classifying sensitive data across all cloud data channels is a requirement to protect personal, health, and confidential data from loss. This classification requires SSL/TLS inspection and enables advanced capabilities like:

  • Exact data matching. The SSE uses index templates to identify a record from a structured data source that matches predefined criteria.
  • Document fingerprinting. The SSE uses a document repository to identify completely or partially matching documents when evaluating outbound traffic.
  • OCR (optical character recognition). The SSE detects sensitive data within an image file, embedded image screenshots, and handwritten texts and closes all cloud-based data exfiltration channels.
  • Machine learning. Pretrained algorithms make decisions about the sensitivity of the data.
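As an added example (not from the post or from any vendor's product), the following Python sketches the two mechanisms listed above: an exact-data-matching index that stores only salted digests of record cells and flags a record when cells from the same row co-occur in outbound text, and shingle-based document fingerprinting that scores partial copies of a repository document. The sample records, the confidential document and the salt are constructed.

```python
import csv
import hashlib
import io
import re

# Constructed sample inputs (not from the page): a structured data source whose
# records must not leave the organisation, and one confidential document.
RECORDS_CSV = "ssn,account\n123-45-6789,ACCT-00042\n987-65-4321,ACCT-00777\n"
CONFIDENTIAL_DOC = ("Project Falcon budget: the board approved a spend of four "
                    "million for the acquisition of the Nordic subsidiary in Q3.")
SALT = b"constructed-per-tenant-salt"  # assumption: one secret salt per tenant

def _h(s: str) -> str:
    # Salted SHA-256; the index stores only digests, never the clear values.
    return hashlib.sha256(SALT + s.encode()).hexdigest()

def _norm(token: str) -> str:
    # Fold case and drop punctuation separators so "123.45.6789" matches "123-45-6789".
    return re.sub(r"[.\-]", "", token).lower()

def build_edm_index(csv_text: str) -> dict[str, tuple[int, str]]:
    """Index template: digest of a normalised cell -> (record id, column name)."""
    index = {}
    for rid, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        for column, value in row.items():
            index[_h(_norm(value))] = (rid, column)
    return index

def edm_scan(text: str, index: dict, min_columns: int = 2) -> list[int]:
    """Return ids of indexed records for which at least min_columns cells co-occur."""
    hits: dict[int, set[str]] = {}
    for token in re.findall(r"[\w.\-]+", text):
        rid_col = index.get(_h(_norm(token)))
        if rid_col:
            hits.setdefault(rid_col[0], set()).add(rid_col[1])
    return sorted(rid for rid, cols in hits.items() if len(cols) >= min_columns)

def fingerprint(doc: str, k: int = 4) -> set[str]:
    """Digests of all k-word shingles; partial copies still share many shingles."""
    words = re.findall(r"\w+", doc.lower())
    return {_h(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}

def doc_match_ratio(text: str, repo_fp: set[str], k: int = 4) -> float:
    """Share of the repository document's shingles that appear in outbound text."""
    if not repo_fp:
        return 0.0
    return len(fingerprint(text, k) & repo_fp) / len(repo_fp)
```

A policy engine would treat `edm_scan` returning any record id, or `doc_match_ratio` exceeding a tenant-defined threshold, as a DLP hit on the in-line (decrypted) upload.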

SSE includes cloud access security broker (CASB) functionality to monitor and enforce policies between cloud service users and apps, and being able to inspect the encrypted traffic in-line has a number of advantages in this context. Inspection can be “out-of-band,” which means scanning the APIs of SaaS providers to protect data at rest, or “in-line,” the scanning of data in motion. Pay special attention to the latter, as in-line inspection prevents data from being uploaded to unsanctioned apps, data from being downloaded to unauthorized devices, and malicious content from being downloaded or uploaded. The SSE vendor should also allow granular access control based on a rich set of cloud app definitions, file type controls, and risk attributes.

With the adoption of hundreds or thousands of cloud applications, organizations’ sensitive data is widely distributed today. The top two data exfiltration channels are cloud desktop and personal email applications. A good SSE vendor should deliver complete contextual visibility and enforcement when rogue users upload sensitive data to their personal Box, Dropbox, and other cloud desktops. They should also stop data exfiltration on personal and unsanctioned webmail services such as Gmail and Hotmail.

Where the differentiation between SSE vendors becomes apparent is how well their ability to decrypt and inspect SSL/TLS traffic scales elastically with traffic demand, and whether that level of inspection is delivered without a performance penalty. Both can only be accomplished with a proxy-based SSE solution built with scale in mind from the start.

It is important to dig into how the SSE vendor accomplishes this. To maintain minimal latency for each packet inspection, the vendor should employ a single-pass architecture in which the packet is placed into memory once and the inspection services, each with dedicated CPU resources, perform their scans simultaneously. Vendors who service-chain these inspections through serialized physical and virtual appliances incur a processing penalty at each hop and run the risk of excess latency on every packet.

These architectural advantages must also be applied to newer standards like TLS 1.3, where a true proxy architecture has the advantage of being in-line with two separate connections, one to the client and one to the server. Since this allows the entire object to be reassembled and scanned, advanced threat protection, DLP, and sandboxing can all be applied. Ensure that TLS version and cipher upgrades are handled seamlessly by the vendor within their cloud; certain hardware-based vendors may force appliance refreshes to handle the additional load of new cipher support.

Certificate management should also be considered, given the potential complexity that can be introduced. SSE vendors should allow the ability to use their certificates or to bring your own, and permit rotation between the two via API. Certificates should be automatically replicated among the various service edges.

SSL/TLS inspection at scale with minimal latency significantly increases the ability to block threats by leveraging the power of the cloud to identify and secure sensitive data. Only SSE vendors with the right cloud-native architecture will deliver:

  • SSL/TLS inspection of all traffic at production scale with minimal impact on performance for the most in-depth threat and data protection.
  • A single memory scan architecture for unique scalability advantages for decryption at scale.
  • The experience to guide customers through the steps and challenges to achieving SSL/TLS inspection.

Part 1: SSE solution series: why a global, scalable cloud platform matters

Part 2: SSE solution series: the criticality of a zero trust architecture foundation

Editor's note: This content is adapted from The 7 Pitfalls to Avoid when Selecting an SSE Solution.