There is a seismic shift happening in the cloud. Two great, tectonic forces of change are colliding and creating unprecedented disruption for security, DevOps and cloud professionals. Ultimately, this shift has prompted the evolution of how to gain out-of-band decrypted visibility in the cloud. The tectonic forces of change are:
- The new TLS 1.3 encryption standard; and
- Cloud application architecture
TLS 1.3 Breaks Legacy Out-of-Band Decryption
TLS 1.3 became the official encryption standard in March 2018. TLS 1.3, and before it TLS 1.2 with Perfect Forward Secrecy (PFS), Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites and pinned certificates, were designed to enforce the idea that encryption should be more robust, that keys should be plentiful and short-lived, and that decryption should be possible only at the endpoints. In TLS 1.3, certificates are used only for authentication. Everything after the ServerHello is encrypted, so the certificates themselves travel encrypted inside the handshake and, consequently, are not available for use as components of key construction or derivation. With more than 70% of all network traffic encrypted, the new standard dramatically increases the security of data-in-motion while also improving the efficiency and speed of the TLS handshake. Overall, this is very good for security.
The impact is that TLS 1.3 breaks legacy out-of-band decryption. Because certificates are not available for decryption key derivation, old solutions do not work. It used to be the case that all the session traffic between two points could be decrypted once the encryption key was provided or derived. Now keys are ephemeral; they work only for a single session. Legacy, out-of-band solutions that relied on RSA key exchange or certificate access for decryption do not work in the new TLS 1.3 world.
Cloud Application Architecture Breaks Man-in-the-Middle Decryption
Applications are no longer single, monolithic code structures. The cloud has opened up the ability to distribute and decentralize application layers and processes. This distributed and decentralized, microservices-based architecture means that applications are an amalgam of networked services, API calls and elastic workloads. Modern application workloads communicate over TLS encrypted networks to perform their tasks, deliver data and run mission-critical applications for business. Each workload makes thousands of TLS-secure connections each day. Each workload is a TLS client and sometimes a TLS server. Historically, the only option to gain decrypted visibility was to decrypt at the server or create chokepoints with man-in-the-middle architectures and decryption zones. This was acceptable in the data center, where east-west connections were controlled, TLS clients and TLS servers were known and network edges were hardened perimeters. Incoming and outgoing communication—north-south—was an obvious location for inspection, monitoring and control.
The impact is that as containers and microservice-based architectures accelerate the decentralization of application workloads in the cloud, there is no longer a “middle” into which a decryption solution may be inserted. Man-in-the-middle decryption offered by some legacy firewalls and inline security devices either doesn’t work in the cloud or requires restrictive architectural designs—such as hair-pinning all connections through a bottleneck—such that the value of the cloud’s elasticity is eroded, expenses increase and flexibility is lost.
Symmetric Key Intercept Restores Out-of-Band Decryption for the Cloud
Security teams must still monitor cloud content. Enterprises are still compelled by regulation and good security practice to inspect their encrypted data and data coming in from third-party systems via integrations and API calls. Without inspection of encrypted traffic, encryption becomes an equally reliable channel for delivering malware, undermining the very protection it is meant to provide. IT, security and DevOps teams need to inspect network traffic at the packet level, which means decrypting it. Their tools require decrypted packet data to monitor, inspect and perform core functions such as threat hunting, incident response, root-cause analysis, forensics and troubleshooting. The good news is that decrypted visibility and security in the cloud no longer have to be an either/or conundrum.
Symmetric Key Intercept is a patent-pending process that works by separating and solving the two key challenges with cloud decryption:
- Identifying and obtaining the final, symmetric encryption key.
- Performing the decryption of a particular, encrypted, packet stream.
By decoupling the discovery of the ephemeral, symmetric encryption keys from the actual decryption of a packet, enterprises are better able to control, secure and scale their decryption, security, inspection, troubleshooting and compliance processes.
This cloud-native architecture delivers universal TLS visibility and decryption for any workload, whether it is acting as the TLS server or TLS client. Symmetric Key Intercept works after the TLS Handshake by retrieving the final, ephemeral, symmetric encryption keys from workload memory. This means that it works for any cipher, it works with perfect forward secrecy and it works with any TLS / SSL standard, including the new TLS 1.3. This architecture enables real-time, multi-destination, decentralized decryption of mirrored traffic, as well as instant decryption and replay of mirrored and encrypted pcaps that can be stored for future investigation, compliance or inspection.
Symmetric Key Intercept architecture answers the secure-versus-visibility conundrum that most enterprise IT organizations need to solve. The process ensures that original end-to-end encryption is preserved while cloud-scale decrypted visibility is created.
Symmetric Key Intercept Architecture: How It Works
First, AI rules-based final-key discovery and extraction happens at either end of the TLS handshake. This TLS client/server approach is critical for universal, decrypted visibility in cloud environments where applications are made of decentralized, distributed workloads and third-party data feeds. Because TLS 1.3 enforces perfect forward secrecy and ephemerality of encryption keys, there can be hundreds of thousands of symmetric keys created each day. Ephemerality means that a new symmetric key is created for each network session. Symmetric Key Intercept from Nubeva is able to discover and extract every symmetric key as it is created in memory.
Next, once the symmetric keys are extracted, they are securely stored within the enterprise’s own cloud in a secure key depot. The keys never leave the enterprise’s environment. The enterprise retains complete control and keys are never exposed to hackers or bad actors. Keys may be purged or preserved for as short or as long a period as needed.
Finally, a software decryption agent container sits next to each tool destination workload. This agent is a container and can be deployed in the same cluster, host-VM or VPC as the tool workload. The decryptor buffers incoming encrypted packet traffic, retrieves the correct key from the key depot and decrypts the traffic. The decryption agent then feeds the decrypted packets to the tool destination along with the original, encrypted traffic stream. In this way, tools, teams and processes have access to the original, unaltered encrypted traffic streams in addition to the newly decrypted streams. They are able to inspect the encrypted traffic headers as well as the decrypted packet payload.
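The derivation step behind the “final symmetric key” discussed above, and the depot lookup the decryptor performs, as an added example that is not Nubeva’s code or the page’s own: given a per-session TLS 1.3 traffic secret, it derives the record key, IV and per-record nonce exactly as RFC 8446 specifies (no certificate or key-exchange material involved), and selects the session by the ClientHello random visible in mirrored packets. It assumes the depot stores secrets in the NSS key log line format; all function names and the sample randoms and secrets are constructed for illustration.

```python
import hmac

def hkdf_expand(prk, info, length, hash_name="sha256"):
    # HKDF-Expand from RFC 5869: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_label_info(label, context, length):
    # HkdfLabel from RFC 8446 section 7.1: uint16 length, "tls13 " + label, context
    full = b"tls13 " + label
    return length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context

def traffic_keys(secret, key_len=16, iv_len=12):
    # RFC 8446 section 7.3 (AES-128-GCM sizes): key and IV derive from the traffic secret alone
    key = hkdf_expand(secret, hkdf_label_info(b"key", b"", key_len), key_len)
    iv = hkdf_expand(secret, hkdf_label_info(b"iv", b"", iv_len), iv_len)
    return key, iv

def record_nonce(iv, seq):
    # RFC 8446 section 5.3: AEAD nonce = IV XOR left-padded 64-bit record sequence number
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))

# Constructed sample depot in NSS key log line format (label, ClientHello random, secret).
# The page does not give the depot's format, so this is an assumption; values are made up.
RANDOM_A = "aa" * 32
KEY_DEPOT_LINES = "\n".join([
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_A} {'11' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_A} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'bb' * 32} {'33' * 32}",
])

def parse_depot(text):
    # Index by (label, client_random); the ClientHello random seen in mirrored packets selects the session
    depot = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        label, client_random, secret = line.split()
        depot[(label, bytes.fromhex(client_random))] = bytes.fromhex(secret)
    return depot

def keys_for_session(depot, client_random, direction):
    # (key, iv) for one direction, or None when no key was captured: that traffic stays opaque to the tool
    label = "CLIENT_TRAFFIC_SECRET_0" if direction == "client" else "SERVER_TRAFFIC_SECRET_0"
    secret = depot.get((label, client_random))
    return None if secret is None else traffic_keys(secret)
```

A session whose secret was never captured yields None, which is the intended failure mode: the mirrored stream is passed to the tool still encrypted rather than blocked.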
Decrypted Visibility in the Cloud Restored
The new Symmetric Key Intercept architecture ensures that traffic on its way to a tool is never exposed in decrypted form, even if it is intercepted along the way. Instead of decrypting traffic in storage and then sending it to monitoring tools for inspection, Symmetric Key Intercept allows users to send encrypted traffic to tools, databases or storage and then decrypt right at the tool. The architecture is easy to deploy and scales to meet any traffic load without any configuration overhead or architectural constraints.
With Symmetric Key Intercept in place, cloud DevOps and security teams can, with confidence, decrypt TLS traffic inside their cloud environments, enabling security, performance and diagnostic systems and processes.