Are Retailers Using SSL Inspection? Not According to Ponemon
Insights from the Ponemon Institute Survey “Hidden Threats in Encrypted Traffic”
We’ve all seen the headlines about the latest cyberattacks that hit popular retailers. If you've shopped at any of the retailers that were targeted, you may have become embroiled in the breach yourself — hackers have compromised the payment records of millions of individuals, resulting in the reissue of millions of credit and debit cards and forcing consumers who were impacted to be hyper-vigilant about their credit reports.
These breaches cost retailers dearly, not only in terms of lost revenue and decreased productivity, but also by damaging the brand reputation and customer confidence. Knowing that consumers blame retailers (75 percent of consumers believe that keeping shopper information safe is the retailer’s responsibility) and regulators are looking to hold stores accountable, we have seen retailers increase their focus on improving cyber security to better protect the payment and customer information they collect during payment transactions.
Unfortunately, it can be difficult to ensure security measures are consistently enforced across all of a retailer’s remote locations, particularly since most stores do not have anyone on-premises with cyber security expertise.
One thing retailers can do is encrypt sensitive customer data collected by their point of sale (POS) systems and ecommerce sites to keep it private and secure.
A recent report by the Ponemon Institute, “Hidden Threats in Encrypted Traffic,” sponsored by A10 Networks, found that retailers are encrypting an average of 33 percent of their outbound Web traffic. These same retailers expect that percentage to increase to 42 percent over the next 12 months.
This is a start. Unfortunately, encryption can also present some real security challenges.
Malicious use of SSL encryption
Hackers are using encrypted (SSL) traffic to hide their attacks and bypass an organization’s defenses, such as next-generation firewalls, intrusion prevention systems (IPS) and unified threat management (UTM) platforms.
The Ponemon survey confirmed this trend. In fact, 77 percent of the study’s retail respondents believed their organizations had been the victim of a cyberattack or malicious insider activity in the past 12 months, and 41 percent of those attacks used encryption to evade detection (15 percent were unsure).
While 92 percent of retail respondents to the Ponemon survey recognize that SSL traffic inspection is “Important” to “Essential” to their business’ overall security infrastructure, only 35 percent decrypt Web traffic to detect attacks, intrusions and malware.
As a result, many are not confident in their ability to protect against attacks hiding in encrypted traffic: 66 percent of Ponemon respondents are concerned or very concerned that encrypted traffic leaves their network vulnerable to hidden threats, and only 37 percent of retail respondents feel their organization could prevent costly data breaches and loss of intellectual property by detecting SSL traffic that is malicious.
Reasons for weak SSL inspection practices
When probed on why they are not inspecting more encrypted traffic, respondents cited performance degradation (53 percent), insufficient resources (46 percent) and lack of enabling security tools (36 percent). Independent tests show that most security devices experience an 80 percent performance degradation when they decrypt and re-encrypt traffic.
The problem is compounded with Elliptic Curve Cryptography (ECC), which is increasingly designated as the method of choice for Google and Apple. Many devices experience a 75 percent performance degradation over and above other SSL methods when ECC is used.
Concerns about SSL bandwidth demands
Interestingly, 53 percent of retailers who responded to the Ponemon study agreed with the statement that their business’ security solutions are collapsing under growing SSL bandwidth demands and SSL key lengths.
As a result, retailers often make the decision to forgo or only selectively inspect traffic, which is why 42 percent feel their perimeter security investment is ineffective because of the outbound/inbound encrypted traffic (28 percent are unsure).
Features that matter to retailers
Retailers require a solution that enables them to scale SSL inspection to identify potential threats without impacting the overall performance, productivity or availability of their sites. Ponemon probed to identify the features that were most important to retailers, which included a solution’s ability to:
- Scale to meet current and future SSL performance demands – 90 percent
- Securely manage SSL certificates and keys – 89 percent
- Satisfy compliance requirements – 81 percent
- Maximize the uptime and performance requirements of the overall capacity of the security infrastructure – 80 percent
- Interoperate with a diverse set of security products from multiple vendors – 75 percent
- Granularly parse and control traffic based on custom-defined policies – 75 percent
- Categorize Web traffic to ensure confidential or sensitive data remains encrypted (satisfy regulatory requirements) – 74 percent
- Intelligently route traffic to multiple security devices – 70 percent
A proven, high-performance SSL inspection solution
A10 Networks Thunder SSLi delivers these capabilities. SSLi (SSL Insight) offloads SSL decryption and re-encryption from third-party security devices to enhance the performance of the overall infrastructure and ensure malware, distributed denial of service (DDoS) and Web app attacks hidden in SSL traffic are detected.
The solution is purpose-built to quickly decrypt SSL traffic and then forward it to one or many dedicated security devices; when the traffic has been inspected, SSLi can re-encrypt it and forward it to the appropriate destination.
SSLi enables retail organizations to maintain the availability and security of their POS systems and ecommerce sites, with high-performance decryption for even their smallest store locations.