I read your recent response on the importance of SSL monitoring. Can most enterprise, Web-based data loss prevention (DLP) products scan SSL traffic? How do the features vary, and what should I look for in an SSL decryption appliance?
Ask the Expert
I would say many if not almost all DLP products have some type of SSL decryption ability. Actually, from my experience, most organizations opt for a next-generation firewall, which, in the vast majority of cases, has DLP, SSL decryption, intrusion detection, log correlation and email filtering, all wrapped up in one device or bundle of devices. These multifunction security devices are becoming preferred to point products because they're usually cheaper to buy and easier to manage.
But to answer your initial question: Yes, many Web-based DLP products can scan SSL traffic because data loss prevention and SSL decryption are very much complementary concepts.
Most within the security industry generally agree that DLP consists of three defining features: deep content analysis, central policy management, and broad content coverage across multiple platforms and locations. What should become readily apparent when comparing these characteristics with the concept of SSL decryption is that DLP is a broad concept, whereas SSL decryption is much more focused.
However, if your budget allows for it, don't discount the value of having a separate SSL decryption appliance as part of your security strategy. As the de facto standard for SSL moves from 1024-bit to 2048-bit keys, network throughput and network resources may become significantly strained. Anything you can do now to offload the processing requirements of SSL decryption will become increasingly important as the encryption standards become more burdensome.
When evaluating potential SSL decryption appliances, the most important characteristic to look for is a device's ability to handle the line-speed traffic levels that are typical for your network. Introducing delays into network traffic is a surefire way to ensure disgruntled end users. Additionally, the device should be easy to manage with an intuitive administrator interface. Finally, make sure that you find an appliance that provides the logging and reporting necessary to meet your enterprise's security requirements.
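An added, constructed benchmark (not from this column or any vendor) that makes the key-size and line-speed points concrete in plain Python: it times the modular exponentiation an inspecting device must perform for each RSA handshake at 1024 and 2048 bits, and turns that per-operation cost into a rough handshakes-per-core capacity figure. The moduli are random odd numbers, not real RSA keys, and the code assumes a software-only, non-CRT private operation; real appliances use CRT and hardware offload, so absolute numbers differ, but the scaling between key sizes is what matters for planning.

```python
"""Constructed benchmark: how RSA private-operation cost scales with key size.

The modulus and exponent below are random numbers of the requested bit length,
NOT a valid RSA key; they only reproduce the cost profile of a private-key
modular exponentiation (the per-handshake work of a decrypting device).
"""
import secrets
import time


def private_op_cost(bits: int, rounds: int = 5) -> float:
    """Minimum wall-clock seconds for one modexp with a `bits`-bit modulus.

    Using the minimum over several rounds filters out scheduler noise.
    """
    # Odd modulus with the top bit set, so it is exactly `bits` long.
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    # Full-length exponent, as a non-CRT private exponent would be.
    d = secrets.randbits(bits) | (1 << (bits - 1))
    m = secrets.randbelow(n)          # stand-in for the encrypted premaster
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        pow(m, d, n)                   # the private operation itself
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(small_bits: int = 1024, large_bits: int = 2048) -> float:
    """How many times more expensive the larger key is per handshake."""
    return private_op_cost(large_bits) / private_op_cost(small_bits)


def handshakes_per_second(bits: int, cores: int = 1) -> float:
    """Rough capacity estimate: software-only RSA handshakes per second."""
    return cores / private_op_cost(bits)


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(f"{bits}-bit: {private_op_cost(bits) * 1e3:.2f} ms/op, "
              f"~{handshakes_per_second(bits):.0f} handshakes/s per core")
    print(f"2048-bit costs about {cost_ratio():.1f}x a 1024-bit operation")
```

Doubling the key length roughly multiplies the per-handshake work by six to eight in a software implementation, which is why sizing a decryption appliance to the expected handshake rate, not just to the bandwidth, matters.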
This was first published in February 2014