Managing loss of visibility with the uptick in encrypted traffic

Carmela Manta
Accedian
Mar 30, 2021

By Sergio Bea

Encryption is becoming widely adopted as a standard. What are your options for regaining visibility for quality, performance, and security?

Much to the improvement of security and privacy for networks and the internet in general, we live in an era of encryption. After decades of development, and driven heavily by regulations like GDPR and CCPA, encryption is becoming a widely adopted standard.

In the early days of the internet, we had Secure Sockets Layer (SSL), a precursor security protocol that established authenticated and encrypted links between networked computers. SSL was eventually replaced by Transport Layer Security (TLS), which solved many of the flaws inherent to SSL (for example, SSL does not provide any security once the data is on the server).

Over the last few years, demand for strong encryption has skyrocketed. We’ve gone from less than 50% of web traffic being encrypted in 2014 to approximately 95% today, with encryption technology getting stronger along the way. Today, the most rapidly expanding encryption is TLS 1.3, the result of two decades of refining the TLS protocol.

What makes TLS 1.3 so popular? In the landscape of ever-increasing cyber threats, TLS 1.3 offers users several benefits:

  1. Confidentiality — This is what most people think about when they think of encryption. Preventing others from snooping on the content that is being transferred between networked devices is core to user confidence, both in terms of privacy and security.
  2. Integrity — While it’s important to maintain confidentiality from users outside of the data transaction, it’s equally important to ensure the data that is received is the same as the data that was sent, without any alteration that may compromise its integrity.
  3. Authentication — Authentication ensures that both the sender and receiver are in fact who they say they are. This helps prevent an unintended recipient from intercepting the data, or a fake sender from sending false or malicious information to an unsuspecting recipient.

Switching to TLS 1.3

The encryption of the vast majority of network traffic is undoubtedly a healthy development for networks, but it can come with an unintended consequence — loss of visibility for network managers, leading to major headaches that can result in the loss of network quality.

While some network management tools work reasonably well with TLS 1.2 traffic, TLS 1.3 traffic is so tightened down that it can become invisible to network administrators. Try to perform an analysis on a web client’s HTTP traffic and you’re likely to see an error message reading “No data.” That’s because the traffic is encrypted, along with any insights on network traffic, response times, or hosts that are responding to HTTP traffic. On one hand, the customer’s data is safe, but on the other hand, network administrators are blind to performance analysis and threat detection — a scary prospect.

In fact, an EMA survey of organizations switching over to TLS 1.3 found that 91% were also concerned about the loss of visibility, with over a third (35%) “extremely” or “very” concerned.

They’re right to be concerned. If network managers don’t have visibility at this layer, how can they proactively identify network issues and manage their customers’ quality of experience? If the network can’t be seen, it can’t be managed, and if it can’t be managed, the performance will suffer, customers will seek service elsewhere, and the organization will develop a bad reputation for poorly performing apps.

As the leading provider of network performance analytics, cybersecurity threat detection, and end user experience solutions, Accedian is tackling this issue head-on. With Accedian Skylight’s built-in TLS decryption, organizations can manage their performance effectively without breaking encryption. Skylight TLS decryption means that customers can get all of the wonderful benefits from TLS 1.3, including confidentiality, integrity, and authentication, but managers can still get insight into traffic to maintain and improve performance.

How is this possible?

In very simplified terms, Skylight TLS decryption allows network operators to install a key sensor on the clients or servers where monitoring is necessary. The system then captures TLS symmetric keys from memory and exports them for symmetric decryption. The decrypted traffic is captured by the sensors for performance analysis, while the data from the server remains encrypted, so there’s no chance of leakage or interference from an entity less trusted than the operator. The sensors can be installed for cloud applications in addition to on-premises, so operators can still get best-in-class insight into traffic performance even if they don’t control their server.
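To make the "export the symmetric keys, then decrypt" step concrete, here is an added example (not Accedian's code and not taken from the original article) showing how a collector could turn exported TLS 1.3 traffic secrets into record keys. It assumes the secrets arrive in the widely used NSS key log format and that the session uses an AES-128-GCM/SHA-256 cipher suite; the sample lines and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample in NSS key log format; every value is made up for illustration.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real traffic",
    "CLIENT_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "11" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "aa" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "33" * 32,  # server half never exported
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " nothex",        # corrupt line, must be skipped
])
APP_LABELS = ("CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0")

def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}} for TLS 1.3 application secrets."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in APP_LABELS:
            continue  # comment, blank, malformed, or a label this example ignores
        label, client_random, secret_hex = parts
        try:
            secret = bytes.fromhex(secret_hex)
            if len(bytes.fromhex(client_random)) != 32:
                continue  # a ClientHello random is always 32 bytes
        except ValueError:
            continue  # non-hex field: drop the line rather than guess
        sessions.setdefault(client_random.lower(), {})[label] = secret
    return sessions

def hkdf_expand_label(secret, label, length):
    """HKDF-Expand-Label (RFC 8446, section 7.1) with SHA-256 and an empty context."""
    full_label = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label + b"\x00"
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def record_keys(traffic_secret):
    """Derive the AES-128-GCM record key and 12-byte IV from one traffic secret."""
    return hkdf_expand_label(traffic_secret, b"key", 16), hkdf_expand_label(traffic_secret, b"iv", 12)

def decryptable_sessions(sessions):
    """Only sessions with both directions exported can be fully decrypted."""
    return sorted(r for r, s in sessions.items() if all(l in s for l in APP_LABELS))
```

Because each secret is bound to one ClientHello random, an exported secret opens only that session, which is why the key channel between sensor and collector needs the same protection as the traffic itself.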

Skylight TLS decryption works on all major platforms, and because the decryption is fast and efficient it can be scaled to thousands of sensor instances and applications without performance taking a hit.

Now, network managers can share customers’ enthusiasm for TLS 1.3 encryption without having to fear loss of visibility. For more information about Skylight TLS decryption, see this solution brief.
