Current state of TLS encryption and data loss protection

I’ve worked in enterprise IT for far too long to fall into the “privacy at work is king” camp. If you use your organization's resources, then you may give up the right to privacy at work. I’ve implemented data loss protection (DLP) software for a 12,000-user U.S. Federal agency. Users don’t like it. It impacts system performance, and automatic encryption of removable devices makes data sharing more difficult. However, the worst scenario is having an Equifax-like headline hit the news. Such breaches are why encryption-breaking technology for snooping on employees remains interesting.

Types of DLP

No single method of DLP is effective on its own. Most organizations take a multi-tier approach covering endpoint, storage, and network to protect the infrastructure from unauthorized data loss. Then, of course, DLP should be a consideration within the design of applications and organizational data policies.

In traditional data loss protection solutions, organizations place snooping devices in-line with the data path. There are many places to put eavesdropping solutions. One location is the endpoint. By installing an agent on the desktop or server, security teams can monitor data at the endpoint. Endpoint protection prevents users from copying data to a removable device or transferring data to an unapproved web destination.

A second area is the storage device. Some storage vendors have attempted to create storage solutions with the ability to filter for sensitive data at the storage layer.

The third area is at the network layer. In theory, if you place filters at the egress of the network, DLP solutions prevent copying of data to unauthorized destinations. However, encryption complicates the ability to protect at the edge.

TLS encryption

Commonly referred to by the name of its predecessor, SSL, TLS encryption ensures that traffic from endpoint to endpoint is private. TLS enables services we depend on, from banking to private corporate and social communications. The bedrock of the technology is certificates. Identity is a critical part of the trust we place in TLS. A certificate authority validates that is indeed

The challenge with TLS is that it makes snooping on corporate data very difficult. Governments across the world want device, software, and cloud companies to create backdoors to TLS encryption. The concept is that encryption is good until the good guys want to snoop on the bad guys. The only problem with the approach is that once you create a backdoor, the bad guys will stop at nothing to find a way in.

In the world of corporate DLP, the corporation is the good guy. Companies have a legitimate right to inspect traffic leaving their networks. Again, the goal is to prevent an Equifax-like headline. The only problem is that there are no official backdoors to TLS encryption.


Breaking TLS

While there are no official backdoors, there are ways to subvert TLS. One way is a man-in-the-middle attack. The approach exploits the certificate authority trust process to allow DLP devices and software to decrypt traffic as it leaves the network. These solutions present themselves as certificate authorities to the endpoint. So, one of these middleboxes looks like when in fact the device is owned and operated by a separate entity.
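The endpoint side of this is worth seeing in code. The Go program below is an added example, not from the original post or from either vendor: it builds a throwaway in-memory PKI (a constructed public root, a constructed corporate inspection root, and a leaf for the made-up host example.com issued by each) and then evaluates both leaves the way a certificate-pinning client would. The middlebox's chain validates, because the enterprise installed its root on the device, but the leaf's public key no longer matches the pin recorded for the real server, which is how a pinning client detects an inspection proxy and why pinned applications break behind one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent, or a self-signed CA when parent is nil. Every key and
// certificate is constructed in memory for this example; key-usage bits are omitted because Go's chain verifier does not check them.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning client stores per host.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Verdict is what the endpoint concludes about one presented leaf certificate.
type Verdict struct{ Trusted, Pinned bool }
// Inspect does what a pinning client does: chain validation against the trust store, then an SPKI
// comparison. Trusted but not pinned is exactly how a re-signing middlebox looks from the endpoint.
func Inspect(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return Verdict{Trusted: err == nil, Pinned: SPKIPin(leaf) == pin}
}
// Scenario issues a leaf for one host from a public root and from a corporate inspection root, then
// evaluates both on an endpoint whose trust store holds both roots (the enterprise pushed its CA).
func Scenario() (genuine, intercepted Verdict) {
	publicRoot, publicKey := issue("public-root-ca", true, nil, nil)
	proxyRoot, proxyKey := issue("corp-inspection-ca", true, nil, nil)
	realLeaf, _ := issue("example.com", false, publicRoot, publicKey)
	proxyLeaf, _ := issue("example.com", false, proxyRoot, proxyKey)
	store := x509.NewCertPool()
	store.AddCert(publicRoot)
	store.AddCert(proxyRoot)
	pin := SPKIPin(realLeaf) // recorded on an earlier, un-intercepted connection
	return Inspect(realLeaf, store, "example.com", pin), Inspect(proxyLeaf, store, "example.com", pin)
}
func main() { g, i := Scenario(); println("genuine", g.Trusted, g.Pinned, "intercepted", i.Trusted, i.Pinned) }
```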

The technique is effective. Security organizations can now use their existing DLP tools to inspect encrypted traffic with the goal of preventing an Equifax-like data leak. Two vendors in this space are Ixia and Gigamon. I recently sat through presentations of both technologies as part of two separate Tech Field Day events. (Gestalt IT sponsored my travel to both events.)

Each vendor went through their approach and the speeds and feeds of their solutions. While currently valid, I found the schemes to be temporary in practice. As stated before, these are workarounds that leverage exploits inherent to TLS. Engineers behind the encryption framework are actively working to close this exploit. So, while useful, the solutions are going to be short-lived. How short-lived? It depends.

Not only does the team behind TLS have to come up with an update, the solution must also be rolled out across the industry. The current version of TLS may have a very long tail.


The alternative to man-in-the-middle attacks is to leverage machine learning and AI to identify data within encrypted flows. You may think this is hard. You’d be correct. A few vendors are looking to make this approach a reality. If you want to learn more about this technology and why it is a hard problem, the PacketPushers did an excellent podcast on the topic.