Encryption’s Double-Edged Sword

In my last piece for Security Now I wrote about the need to encrypt everything. The reasons for being in favor of encryption are straightforward and have been written about countless times; let's just say that the bad guys are skilled, plentiful, and probably already in your network. If you want any hope of keeping your organization's data safe, you need encryption in place for data in transit and at rest.

With that said, encryption isn't without its drawbacks. One of the more important is that encryption masks malicious payloads as easily as it protects sensitive private data. The typical answer is interception: terminate the TLS session or VPN tunnel at a proxy, decrypt the data so it can pass through IPS, content-filter, or firewall appliances, then re-encrypt it before sending it down the wire. That works, but it carries serious performance costs, it requires every client to trust the proxy's certificate authority (so the inspection point becomes a high-value target holding keys for all that traffic), and it adds enormous complication if you've embraced micro-segmentation with encryption (and, in theory, security stages) between every component of the application.

That's why today's announcement from Cisco is important. The company's Encrypted Traffic Analytics (ETA), a technology that lets encrypted traffic be inspected for signs of malicious content without decrypting it, has been available since mid-2017 on the company's large campus-level switches. Today Cisco announced that ETA is available on the bulk of its enterprise routing platforms, including branch office routers (the ISR and ASR) and the virtual Cloud Services Router (CSR).
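What makes inspection without decryption possible at all is that not everything in an encrypted session is encrypted: the TLS handshake, including the client's offered protocol version, cipher suites, extensions, and the server name (SNI), travels in the clear, and packet sizes and timing are visible regardless. The example below is added here to illustrate that general idea; it is not Cisco's ETA and makes no claim about how ETA works internally. It builds a constructed ClientHello record, parses the plaintext handshake fields as an inline device that never holds the session key could, derives a JA3-style fingerprint string from them, and applies a simple policy (flag legacy versions, weak cipher suites, and SNIs outside an allowed list). The function names, the `WEAK_SUITES` table and the allowed-suffix list are assumptions of the example.

```python
"""Inspecting a TLS ClientHello without decrypting anything.

Added illustration, not Cisco ETA. The handshake is plaintext, so a middlebox
that never sees the session key can still read the offered version, cipher
suites, extensions and SNI, fingerprint them, and apply policy. The sample
ClientHello is constructed here for the example.
"""
import hashlib
import struct

# Handshake constants from RFC 5246 / RFC 8446.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI, EXT_GROUPS, EXT_POINT_FORMATS = 0x0000, 0x000A, 0x000B

# Cipher suites this example's policy treats as violations (assumed list).
WEAK_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x0001: "TLS_RSA_WITH_NULL_MD5"}


def build_client_hello(sni, suites, groups=(29, 23), point_formats=(0,), version=0x0303):
    """Assemble a minimal, well-formed ClientHello record (constructed sample input)."""
    def ext(ext_type, body):
        return struct.pack("!HH", ext_type, len(body)) + body

    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    groups_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    pf_body = struct.pack("!B", len(point_formats)) + bytes(point_formats)
    extensions = ext(EXT_SNI, sni_body) + ext(EXT_GROUPS, groups_body) + ext(EXT_POINT_FORMATS, pf_body)

    body = struct.pack("!H", version) + b"\x11" * 32          # client_version, random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the plaintext handshake fields a non-decrypting inspector can see."""
    def u16(p):
        return struct.unpack("!H", record[p:p + 2])[0]

    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if 5 + rec_len != len(record):
        raise ValueError("truncated record")
    pos = 9                                   # record header (5) + handshake type (1) + length (3)
    info = {"version": u16(pos), "suites": [], "extensions": [],
            "sni": None, "groups": [], "point_formats": []}
    pos += 2 + 32                             # client_version, random
    pos += 1 + record[pos]                    # session_id
    cs_len = u16(pos)
    pos += 2
    info["suites"] = [u16(i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                    # compression_methods
    end = pos + 2 + u16(pos)
    pos += 2
    while pos < end:
        etype, elen = u16(pos), u16(pos + 2)
        body = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SNI:                  # list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", body[3:5])[0]
            info["sni"] = body[5:5 + name_len].decode()
        elif etype == EXT_GROUPS:
            n = struct.unpack("!H", body[:2])[0]
            info["groups"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == EXT_POINT_FORMATS:
            info["point_formats"] = list(body[1:1 + body[0]])
    return info


def ja3_string(info):
    """JA3 input string: version,ciphers,extensions,groups,point_formats.
    Real JA3 also drops GREASE values; none are present in this sample."""
    def dash(xs):
        return "-".join(str(x) for x in xs)
    return ",".join([str(info["version"]), dash(info["suites"]), dash(info["extensions"]),
                     dash(info["groups"]), dash(info["point_formats"])])


def ja3_hash(info):
    return hashlib.md5(ja3_string(info).encode()).hexdigest()


def inspect(record, allowed_sni_suffixes=(".example.com",)):
    """Policy an inline inspector can apply without the session key.
    Returns a list of findings; an empty list means the hello passed."""
    info = parse_client_hello(record)
    findings = []
    if info["version"] < 0x0303:
        findings.append("legacy client_version %#06x" % info["version"])
    for s in info["suites"]:
        if s in WEAK_SUITES:
            findings.append("weak cipher suite offered: " + WEAK_SUITES[s])
    if info["sni"] is None:
        findings.append("no SNI: destination cannot be policy-checked")
    elif not info["sni"].endswith(allowed_sni_suffixes):
        findings.append("SNI %s not in allowed set" % info["sni"])
    return findings


if __name__ == "__main__":
    hello = build_client_hello("update.example.com", [0x1301, 0x1302, 0xC02B, 0xC02F, 0x000A])
    info = parse_client_hello(hello)
    print(ja3_string(info), ja3_hash(info))
    print(inspect(hello))
    print(inspect(build_client_hello("c2.evil.test", [0x1301])))
```

Two caveats a practitioner should keep in mind. First, this only sees the handshake: once the session is up, the payload is opaque, so any judgement about the encrypted body has to come from side channels such as packet lengths and timing, or from reputation and fingerprint matches on the handshake itself. Second, TLS 1.3 and Encrypted Client Hello move more of the handshake under encryption, so the set of fields visible to a non-decrypting inspector is shrinking, not growing.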

Cisco isn’t alone in noting the importance of scanning and protecting encrypted network traffic. SonicWall has encrypted traffic inspection in its enterprise firewalls. Other vendors, like F5, note the importance of looking into encrypted streams but do so by terminating and inspecting tunnels at high speed.

Today's announcement matters for Cisco customers, but in the long term it is meaningful because it increases the pressure on other infrastructure vendors to develop and include similar capabilities in their switches and routers. There's no question that encryption is going to become standard operating procedure for most organizations. If it's easier to inspect those encrypted streams for malicious content (as well as for impermissible content heading out of the organization), then the shift to encrypted data will be faster and the benefits greater for everyone except the bad guys.