Cloud Hosting

By automatically discovering every key and certificate generated by your organisation as they are created, and integrating this data into security tools, you can finally shine a light on encrypted tunnels

Organisations have always been told that strong encryption is their friend. When applied to internet traffic, encryption secures the connection between user and website, locking the bad guys out and foiling the hijackers attempting to spoof legitimate sites or eavesdrop on communications.

So when Mozilla recently revealed that the majority of web pages loaded by Firefox used the secure HTTPS protocol, it seemed like a good news day for information security. Naturally, the story is far more complex than that.

The truth is that the hackers are getting increasingly adept at hiding in these encrypted tunnels which disguises their attacks from even the best defences. For example, roughly 90% of CIOs have already been attacked, or expect to be, by hackers hiding in encrypted traffic.

>See also:Enterprises using IoT arent securing sensitive data Thales

Businessesurgently need to improve their management of encrypted tunnels, or they risk compromising the effectiveness of our cyber security defences. But for that to happen, organisations must first gain visibility and control over their expansive estates of digital keys and certificates.

These keys and certificates are the cryptographic assets that form the foundation of encryption, allowing machines to identify each other in the same way usernames and passwords work for human users.

CISOs do not accept having limited visibility over identity and access management for all their users the same rigorous oversight needs to be extended to keys and certificates.

The growth of HTTPS is both a positive and negative thing. Encryption is the primary tool used to keep internet transactions out of the reach of prying eyes, and weve seen increased adoption over the past few years, partly driven by revelations of mass state surveillance exposed by NSA whistleblower Edward Snowden.

HTTPS protects the sensitive data of hundreds of millions of users around the world, offering protection against man-in-the-middle attacks and attackers looking to spoof trusted sites.

Encrypted traffic is beginning to become the norm, rather than the exception, and a survey from this years RSA Conference showed that this trend will continue: two-thirds (66%) of attendees said that their organisation is planning to increase encryption usage.

>See also:Who owns your companys encryption keys?

But what happens when a hacker manages to get into encrypted traffic? This is not a hypothetical problem a third (32%) of security professionals at RSA said that they are either not confident or have only 50% confidence in their organisations ability to protect and secure encrypted communications.

And once a hacker does get into encrypted traffic it will offer the same protections, but this time against the organisations security tools. Intrusion detection and prevention systems, firewalls and similar tools are rendered useless, unable to inspect the traffic going in and out of the organisation.

A hacker could hide malware or web exploits from these tools to launch an attack and then use the encrypted tunnel to ferry stolen data out again.

The problem ultimately boils down to the digital keys and certificates that form the Internets base of cyber security and trust. Today, this system is used to secure everything from online banking to mobile apps and the Internet of Things (IoT). Theres just one problem: our foundation is built on sand.

The volume of keys and certificates has exploded over recent years, thanks to virtualisation and the growth in mobile devices, cloud servers and now the IoT. Everything with an IP address depends on a key and certificate to create a secure connection.

>See also:Network security doesnt just begin and end with encryption

But organisations simply cant keep track of this explosive growth, often leaving them unsecured and managed manually. This has allowed cyber criminals to sneak in and use unprotected keys and certificates for their own ends.

The problem will only get worse as the number of IoT devices grows. Gartner recently claimed 8.4 billion connected devices will be in use globally by the end of 2017, up 31% from 2016, and reach a staggering 20.4 billion by 2020.

Additionally, half of the organisations Venafi polled last year said they saw key and certificate usage grow by over 25%. And one in five claimed it had increased by more than 50%.

As keys and certificates grow, so do the opportunities for the hackers. But there is hope. If were able to provide our security tools with the all-important keys, then they can open up and inspect encrypted traffic to ensure it doesnt contain anything malicious.

This is easier said than done; especially given the hundreds of thousands of keys and certificates a typical organisation must manage. New keys and certificates are retired and created every day.

What organisations need is centralised intelligence and automation system. This will ensure that all security tools are provided with a continuously updated list of all the relevant keys and certificates they need in order to inspect encrypted traffic.

>See also:Keys to the castle: Encryption in the cloud

By automatically discovering every key and certificate generated by your organisation as they are created, and integrating this data into security tools, you can finally shine a light on encrypted tunnels.

The result? IT leaders will not only benefit from improved resilience from cyber attacks, data breaches and the like, but also finally gain full value from their technology investments.

With encrypted traffic growing all the time and 85% of CIOs expecting criminal misuse of keys and certificates to get worse, businessescant afford to hang around.

Sourced byKevin Bocek, chief cyber-security strategist atVenafi

Nominations are now open for theTech Leaders Awards 2017, the UKs flagship celebration of the business, IT and digital leaders driving disruptive innovation and demonstrating value from the application of technology in businesses and organisations. Nominating is free and simply: just click here to enter. Good luck!

More here:
Keeping the enterprise secure in the age of mass encryption - Information Age