Don’t Let Encryption Become A Double-Edged Sword That Undermines Zero Trust CyberSecurity
It is no secret that cybersecurity professionals universally recommend that people, businesses, and governments employ strong encryption as one of several methods of protecting sensitive information. Data that must remain private must not be readable by unauthorized parties – and that rule applies both when the relevant information is at rest on an internal server, in the cloud, or on backup media, and when it is in transit over any form of network or other means of communication. Therefore, the vast majority of discussions about encryption focus on the importance of adequately encrypting sensitive information and the many significant benefits of doing so.
Yet, it is important to understand that, if deployed without proper planning or otherwise utilized improperly, encryption can also become a dangerous double-edged sword; it can sometimes even detract from information security rather than enhance it. When it comes to modern-day zero trust initiatives, poorly implemented encryption can sometimes totally undermine expensive security investments.
Zero trust initiatives are efforts in which organizations transform their security models from ones in which parties are trusted based on where they attempt to access resources from, to ones in which every request for a resource must be properly authorized. Zero trust applies regardless of whether a human manually initiates a particular request or the request is made by some computer system on its own. For example, in the world of zero trust, a CEO is no longer automatically trusted by their organization to access a particular payroll system simply because they issued the request from a specific laptop connected to a specific network – the request must be properly validated before being honored.
Because adopting a zero-trust model means that internal networks and the traffic on them are no longer inherently trusted, parties adopting such a model often increase their use of encryption. Communications that were historically sent in cleartext over internal networks deemed fully secure and trustworthy are now strongly encrypted, because the networks they travel over are no longer considered any more inherently trustworthy than the insecure Internet.
As a result of the transition to encrypted communications, internal security systems that were previously able to scan and analyze requests moving along internal networks – and which were able to detect anomalous activities and other potential indications of cybersecurity dangers – may be rendered impotent; systems that cannot see what is going on inside the organization cannot know if what is going on is problematic.
For this reason, it is essential that when organizations explore zero trust – and as they begin initiatives to move towards true adoption of zero trust models – they include an examination of their entire internal infrastructures and the security countermeasures used to protect those resources. Simply put, changes are likely necessary not just to improve security, but even to maintain current defense levels. Of course, as zero trust initiatives have proliferated, third-party products have also appeared on the market to assist personnel involved with zero trust initiatives in addressing such tasks on an ongoing basis.
Yes, it is possible to analyze encrypted traffic – it is just that older systems did not bother to do so because internal traffic was not encrypted. Performing real-time analysis of threat signals across endpoints and other devices can help enforce compliance with policies and reduce exposure to cyberthreats. Likewise, by employing techniques ranging from certificate anomaly detection to using artificial intelligence to detect irregular traffic patterns, suspicious file transfers, and attempts by malware to beacon, modern countermeasures can help ensure that zero trust initiatives do not undermine internal network security analysis processes.
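As an added illustration (not code from the original post or from any vendor product), the following Python applies two of the metadata-only techniques mentioned above, beacon-interval regularity and certificate anomaly checks, to constructed TLS connection records; the CSV field names and the thresholds are assumptions.

```python
import csv
import io
import statistics
# Constructed TLS connection metadata (fields a sensor records without decrypting anything).
SAMPLE_LOG = """ts,client,server,sni,cert_cn,self_signed,cert_days
1000,10.0.0.5,203.0.113.9:443,updates.example.net,updates.example.net,0,398
1062,10.0.0.5,203.0.113.9:443,updates.example.net,updates.example.net,0,398
1120,10.0.0.5,203.0.113.9:443,updates.example.net,updates.example.net,0,398
1180,10.0.0.5,203.0.113.9:443,updates.example.net,updates.example.net,0,398
1005,10.0.0.7,198.51.100.4:443,mail.example.com,mail.example.com,0,365
1900,10.0.0.7,198.51.100.4:443,mail.example.com,mail.example.com,0,365
4200,10.0.0.7,198.51.100.4:443,mail.example.com,mail.example.com,0,365
1300,10.0.0.8,192.0.2.20:8443,cdn.example.org,localhost,1,3
"""

def parse_flows(text):
    """Parse the CSV metadata; numeric and flag columns become typed values."""
    flows = list(csv.DictReader(io.StringIO(text)))
    for f in flows:
        f["ts"], f["cert_days"] = float(f["ts"]), int(f["cert_days"])
        f["self_signed"] = f["self_signed"] == "1"
    return flows

def beacon_candidates(flows, min_conns=3, max_cv=0.1):
    """Flag client->server pairs whose connection gaps are near-constant (low CV)."""
    by_pair = {}
    for f in flows:
        by_pair.setdefault((f["client"], f["server"]), []).append(f["ts"])
    hits = {}
    for pair, times in by_pair.items():
        if len(times) >= min_conns:
            times.sort()
            gaps = [later - earlier for earlier, later in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv <= max_cv:
                hits[pair] = mean  # mean interval in seconds
    return hits

def certificate_anomalies(flows, min_days=30):
    """Flag self-signed, unusually short-lived, or SNI-mismatched certificates."""
    checks = [("self-signed", lambda f: f["self_signed"]),
              ("short validity", lambda f: f["cert_days"] < min_days),
              ("SNI/CN mismatch", lambda f: f["sni"] != f["cert_cn"])]
    findings = []
    for f in flows:
        reasons = [name for name, check in checks if check(f)]
        if reasons:
            findings.append((f["client"], f["server"], reasons))
    return findings
```

On the sample, the regular 60-second cadence from 10.0.0.5 is reported as a beacon candidate while the irregular mail traffic is not, and only the self-signed, three-day, name-mismatched certificate is flagged.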
Migrating to zero trust without addressing how the changes involved impact existing security systems can transform a zero-trust program from a positive step forward for cybersecurity into a catalyst of serious problems. Information security planners and technologists can, and should, learn about and make use of one or more of the variety of tools that mitigate the negative side effect that encryption can create for detecting danger while protecting information infrastructure and the workloads within it.
The bottom line is that while the zero-trust approach can offer tremendous security benefits, it must be approached in an organized fashion, so that encryption that is utilized in order to achieve security benefits does not also facilitate security problems. There are various methods of acting when it comes to encryption and zero trust – but, to take advantage of them, one must act.
VMware sponsored this post. You can learn more about VMware and its Zero Trust security solutions here.