For end users, SSL has long been a means to secure web-based transactions that enable e-commerce and online banking. Over time, the simplicity of SSL has made it the perfect vehicle for migrating new online services to web-based models, including applications for viewing medical records, ordering prescriptions, and filing tax returns.
Surveys show that over 50 percent of enterprise applications now use SSL; SharePoint, Exchange, WebEx, Salesforce.com and Google Apps are examples. Many social networking and consumer applications such as Facebook and Gmail already default to full-time use of SSL by their end users. The use of SSL in enterprise traffic and across the Internet has grown steadily, with a 52 percent CAGR in SSL-based WAN traffic. It is clear that there are legitimate needs for encrypted data within, to and from the enterprise.

But as many IT managers are aware, SSL's privacy benefits can be overshadowed by its risks. While encrypting web sessions protects end-user data from being viewed in transit over the Internet, it creates a blind spot for IT administrators: they typically have no visibility into SSL-encrypted traffic. For that reason, SSL has quickly become one of the most popular ways to mask malicious code such as Trojan horses and viruses. Incoming threats can hide in SSL to bypass security architectures, and the same threats are now a growing problem for outbound enterprise traffic. This is becoming a hot button for security applications that tackle data loss prevention (DLP), compliance reporting and lawful decryption: solutions that could, at one time, see what was outgoing, but are suddenly in the dark because of the growth of SSL traffic.

This lack of visibility into SSL can make it difficult or impossible for network administrators to enforce corporate acceptable use policies and to ensure that threats like viruses, spam and malware are stopped before they reach individual users. The inability to examine the contents of SSL communications also makes it possible for information to be accidentally leaked out of the enterprise, or worse, stolen.
Regulatory compliance requirements, including the identification of accidental or intentional leakage of confidential information, are also virtually impossible to meet because of SSL encryption. In many instances, enterprises face conflicting requirements to encrypt and examine data. In typical installations, these seemingly incompatible requirements cannot be met with acceptable performance. This SSL conundrum has wreaked havoc on organizations subject to industry and government compliance mandates, such as HIPAA and Sarbanes-Oxley (SOX), which require that only authorized individuals have access to hardware and software resources within the network infrastructure.
Other compliance mandates require organizations with publicly accessible networks to be able to provide law enforcement agencies with documentation of network activity, which requires that all traffic be unencrypted.