Flexible Architecture

The closed-loop architecture that Arandjelovic mentions is key to the integration. Third-party solutions can sit in either active or passive mode within it. In passive mode the appliance merely feeds the decrypted SSL packets to the third-party device for inspection while passing the original traffic through. In active mode it waits for the traffic to be inspected: on receiving a “red light” back it blocks the traffic, and on receiving a green light it forwards the original packet.

This decryption is scalable, so enterprise customers with multiple devices performing different security operations need only a single appliance to carry out SSL visibility. The Blue Coat appliance decrypts and forwards each message only once, waiting for the all-clear from the various security appliances where appropriate. Arandjelovic argues this is the best approach to take:

“’Decrypt once, feed many’, it has been embraced industry wide as the appropriate way to go about an SSL decryption or visibility strategy, not to have every single node in a security architecture or infrastructure decrypt and re-encrypt because that creates bottlenecks and complexity. The recommended approach is decrypt once, perform all the different security operations that your policy insists upon and then encrypt and send it on. We accommodate that through a closed loop.”

So if the device is that simple, why is there no competition out there? Blue Coat appear to have stolen a march on the market, but it is not just about grabbing a growing list of customers to integrate with; there are some subtleties within the device. The intelligence within the appliance comes with policy settings that determine which packets need decryption and which should be left untouched.

A new generation of SSL security policies.

Arandjelovic made clear that the SSL “blind spot” is not one that is going to suddenly disappear: “This is an issue that any company that has encrypted traffic is going to have to resolve.” Large enterprises, and industry verticals such as Financial Services, Government, Healthcare and Retail, all carry sensitive data and therefore have a larger blind spot. They also need to address this faster. Other industries will also be challenged as more and more data becomes encrypted.

The appliance is capable of setting up policies for specific traffic, so that financial transaction data within the banking sector may remain encrypted while other similar traffic is decrypted for inspection.
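To make the passive/active closed loop described earlier and the per-category policy described above concrete, here is an added Python model (example code written for this article, not Blue Coat's software): passive inspectors receive a copy of the plaintext with no veto, active inspectors must return a verdict before the original packet is forwarded, and a bypass policy keeps named categories such as banking traffic encrypted. The `toy_crypt` XOR stand-in, the inspector names and the sample payloads are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Inspector = Callable[[bytes], bool]   # gets plaintext, returns True (green) / False (red)

def toy_crypt(data: bytes) -> bytes:
    # Constructed stand-in for TLS encrypt/decrypt (XOR is symmetric); not real TLS.
    return bytes(b ^ 0x5A for b in data)

@dataclass
class Flow:
    category: str      # policy class of the traffic, e.g. "banking" or "web"
    ciphertext: bytes  # the original encrypted packet

@dataclass
class VisibilityBroker:
    bypass: Set[str]                                             # categories policy keeps encrypted
    passive: Dict[str, Inspector] = field(default_factory=dict)  # fed a copy, no veto
    active: Dict[str, Inspector] = field(default_factory=dict)   # verdict awaited
    audit: List[str] = field(default_factory=list)

    def handle(self, flow: Flow) -> str:
        """Return 'bypassed', 'forwarded' or 'blocked:<inspector>'."""
        if flow.category in self.bypass:
            self.audit.append(f"{flow.category}: left encrypted by policy")
            return "bypassed"
        plaintext = toy_crypt(flow.ciphertext)         # decrypted exactly once
        for fn in self.passive.values():               # passive: copy only
            fn(plaintext)
        for name, fn in self.active.items():           # active: red light blocks
            if not fn(plaintext):
                self.audit.append(f"{flow.category}: blocked by {name}")
                return f"blocked:{name}"
        self.audit.append(f"{flow.category}: forwarded")
        return "forwarded"                             # original packet goes on unchanged

def run_demo():
    seen: List[bytes] = []
    broker = VisibilityBroker(
        bypass={"banking"},
        passive={"ids": lambda p: seen.append(p) or True},
        active={"dlp": lambda p: b"CONFIDENTIAL" not in p},
    )
    results = [
        broker.handle(Flow("banking", toy_crypt(b"ACCT 1234 TRANSFER"))),
        broker.handle(Flow("web", toy_crypt(b"GET /index.html"))),
        broker.handle(Flow("web", toy_crypt(b"POST CONFIDENTIAL plans"))),
    ]
    return results, seen, broker.audit
```

Note that the passive IDS never sees the banking flow at all, because the policy decision is taken before any decryption happens.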

Arandjelovic also believes that the landscape is becoming more complex, as he explained: “…there is an extra factor. We have technology problem A, we have technology solution B, but there is also a C issue, ensuring you can do so in a way that is compliant with privacy considerations and data protection considerations.”

These considerations are not restricted merely to vertical industries but also vary by country. Companies will need to consider their encryption strategies carefully. This is especially true in some European countries, as Arandjelovic pointed out, such as Germany and France.

A company may think nothing of decrypting employee web traffic for inspection, but this runs the risk of employee surveillance. In the UK the Employee Act looks at such matters, but in Germany the regulations are far tougher. Each company will almost certainly need to liaise with its workers' councils and/or unions in order to gain approval for the inspection of packets, because it may be private data that is being transmitted, albeit in the clear only within the closed loop.

One might have thought that Blue Coat would solve this problem by distributing a template per country that meets legislative requirements, but it is not that simple, and each company should consider its strategy in isolation against the backdrop of regulation. Blue Coat offer policy guidance but no more. At first glance this seems less than they might have done, but it is actually a sensible approach: they are not dictating what should or should not be done. It also moves responsibility to the security/data protection teams in each company and avoids any issue for Blue Coat.

(Next: the future of CyberIntelligence)
