
Delivering Visibility Without Compromising User Privacy: Will DPI Be Able to Keep Up With Encrypted Threats?

Image Credit: Tata Communications

The Fast Mode spoke to Badri Narayanan Parthasarathy, Global VP, Integrated Service Delivery and Service Wrap at Tata Communications on new encryption technologies and their impact on today's networks. Badri joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption, its benefits as well as the challenges it poses, specifically loss of visibility that makes networking increasingly complex.

Tara: How has encryption impacted network and traffic visibility?

Badri: As businesses race to leverage the cloud and support their digital transformations, cloud adoption has boomed rapidly. Gartner estimates that by 2025 over 95% of digital workloads will be deployed on cloud-native platforms. Many businesses understand the need for cloud technology but have concerns about moving sensitive data to the cloud. The 2022 Thales Cloud Security Report suggests that 45% of businesses have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from 2021, raising greater concerns regarding data security. Despite increasing cyber-attacks, when it comes to securing sensitive data in multi-cloud environments, respondents cited encryption (59%) and key management (52%) as the security technologies they currently use. Encryption technology has enabled greater privacy and security for enterprises.

There are multiple encryption modes, applied at the application level, network level, or endpoint level. Application-level encryption happens within the services hosted on servers in the cloud or the datacentres. Network-level encryption happens at traffic aggregation points such as the firewall or the router, where encryption is processed. Endpoint-level encryption happens at the endpoint device level, enabling flexible remote access and roaming users’ access to enterprise data. These types of encryption have been around for about a decade and have grown with the usage of smartphones.

Encryption mechanisms use keys and certificates to ensure security. Due to this, visibility across the network is getting complex and traditional means of detection don’t work. Deep Packet Inspection (DPI) is a technology that has provided this essential function. DPI technology can analyse traffic traversing networks, identify traffic flows, and decipher applications, their functions, and their impact on the network by looking inside the packets.

The Ponemon Institute reported that 62% of organizations have an encryption strategy in place – the sharpest increase in adoption in nearly two decades. However, there are still challenges associated with encryption, such as the ability to monitor and measure the flow of traffic, application distribution, performance, proactively detecting security events, and monitoring session behaviour and malicious activity. Increased levels of encryption impact these functionalities.

The efficiency of deep packet inspection technology has reduced due to increased encryption levels and has become more resource intensive. Threat inspection with bulk decryption, analysis, and re-encryption is not always practical. Organizations need technology to perform heuristic analytics and selective / on-demand decryption to optimise performance and identify malicious content in encrypted flows without a heavy dependency on signature-based technologies.

Tara: What technologies/techniques can potentially help in delivering visibility into encrypted traffic?

Badri: Privacy requirements have driven encryption to record levels, making visibility of encrypted network traffic crucial. Visibility into encrypted traffic requires identifying core applications behind a traffic flow regardless of the protocols or the payload information. The technology approach must differentiate between different applications with a high degree of granularity using multiple techniques, such as heuristics, to identify flow behaviour and information that may be present in the other active flows in the subscriber’s traffic stream. For example, Facebook video has different requirements than Facebook browsing. Emerging techniques leverage sophisticated flow analysis and intelligent analytics that don’t rely on header or payload information, so that classification is not affected.

AI and ML techniques are essential to refine and maintain application signatures and detect encryption. Technologies utilize initial data packets in the flow, the sequence of packet lengths and times, the byte distribution, and transport layer security (TLS) specific features for extracting information. The TLS handshake contains unencrypted metadata, TLS versions, and the client’s public key length. This information is fed into the AI/ML engine that can accurately predict the application information based on a combination of these behaviours.

Other techniques can detect irregularities, suggesting a current malicious activity. By supplementing network data with endpoint and cloud data, additional information can be gleaned for gaining visibility.

In summary, the use of SSL, TLS, IPSec, and other encryption technologies will increase across the globe. On the other hand, advanced malware and malicious activity using encryption tools are also set to increase. Encryption allows adversaries to conceal their command-and-control (C2) activity, affording more time to inflict damage.

There is a need to monitor activity to ensure enforcement of security and regulatory requirements, which impacts encryption in any geographical territory. There are governmental regulations around encryption to ensure that information is secure and out of the hands of unauthorized individuals using it for illegal purposes, but the key role of encryption is to ensure the right of privacy. The new OHCHR Report on Privacy in the Digital Age is a strong endorsement of encryption by the world body and a strong indictment of governmental attacks on encryption. It affirms that encryption is a key enabler of security and is essential for safeguarding rights. While technologies can provide visibility into encrypted traffic, it is important for the industry to come together to consider the viewpoints of key stakeholders and define a framework around this evolution.
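The answer above points to the unencrypted TLS handshake metadata (versions, extensions, the client's offered parameters) as classifier input. As an added example, not part of the interview or of any Tata Communications product, the parser below extracts those plaintext ClientHello fields from a constructed record; the sample bytes and the function names are assumptions for illustration.

```python
"""Extract the plaintext metadata of a TLS ClientHello (record and handshake
versions, cipher suites, SNI, supported_versions) that passive classifiers
feed to their models.  Added example; the ClientHello bytes are constructed."""
import struct

def parse_client_hello(rec: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raises ValueError otherwise."""
    if len(rec) < 5 or rec[0] != 0x16:            # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_ver = struct.unpack("!H", rec[1:3])[0]
    body = rec[5:]
    if not body or body[0] != 0x01:               # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_ver = struct.unpack("!H", body[4:6])[0]    # legacy_version: 0x0303 even for TLS 1.3
    pos = 6 + 32                                  # skip the 32-byte client random
    pos += 1 + body[pos]                          # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression methods (length-prefixed)
    sni, versions, ext_count = None, [], 0
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0:                        # server_name: list len(2), type(1), len(2), name
                nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + nlen].decode("ascii")
            elif etype == 43:                     # supported_versions: where TLS 1.3 really shows
                n = body[pos]
                versions = [struct.unpack("!H", body[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
            pos += elen; ext_count += 1
    return {"record_version": rec_ver, "handshake_version": hs_ver, "cipher_suites": suites,
            "sni": sni, "supported_versions": versions, "extension_count": ext_count}

def sample_client_hello(host: bytes = b"example.com") -> bytes:
    """Constructed TLS 1.3 ClientHello (not a capture): two suites, SNI, supported_versions."""
    name = struct.pack("!BH", 0, len(host)) + host
    sni_ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name
    ver_ext = struct.pack("!HHB", 43, 3, 2) + b"\x03\x04"
    exts = sni_ext + ver_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # legacy_version, random, empty session id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"      # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                                     # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Note that the record and legacy handshake fields both read as older versions while the real TLS 1.3 signal sits in the supported_versions extension, and that Encrypted Client Hello moves the SNI out of the plaintext entirely, so a classifier built on these fields loses input as deployments evolve.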

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 34 leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023 - for more information, visit here.

Author

Badri Narayanan Parthasarathy is the Global VP, Integrated Service Delivery and Service Wrap at Tata Communications. For 15 years, Badri has helped build the IP Network and was a key architect for the SDWAN service offering. Badri leads the global team that aggregates managed service capabilities while stitching multiple products, platforms, and partner features into a cohesive solution.
