To protect enterprise data and intellectual property, network security administrators enforce encryption policies to secure traffic to and from their networks. However, adversaries also use encryption, often to hide their activities. Normally, these activities—like command and control, loading malware into a network, and exfiltration of sensitive data—would be detected by traffic inspection devices, but those devices typically cannot inspect encrypted traffic.
Transport Layer Security Inspection (TLSI), also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network. Introducing this capability into an enterprise enhances visibility within boundary security products, but introduces new risks. These risks, while not inconsequential, do have mitigations.
4 pages; PDF.