
A Guide for a Successful TLS Inspection Deployment


Deploying TLS (Transport Layer Security) inspection is a complex undertaking that involves both technical implementation and organizational readiness. Organizations usually need to revise computer use rules, acceptable use agreements, and other internal paperwork concerning IT systems. Full TLS inspection in many locations and nations necessitates the participation of workers' groups and unions.

It is important to guarantee the uninterrupted operation of your firm when using TLS inspection. Zenarmor® advises starting the implementation of your inspection rollout by selecting a small set of users and policies from different departments or business units. Gradually increase this group as your policy becomes more comprehensive and effective. This approach enables you to acquire knowledge while implementing it, with little interference.

An exhaustive pilot deployment of full TLS inspection allows the later expansion to be accomplished with relative ease. When the testing phase adequately covers the use cases and business units, expanding to a larger user base is typically uncomplicated. A successful TLS inspection implementation includes three main phases: planning, communication, and deployment. The following sections provide foundational best practices for TLS inspection and discuss some of the crucial decisions that must be made to ensure a smooth transition from the pilot phases to production.

Planning

Prior to implementing TLS inspection, it is crucial to plan meticulously and conduct several rounds of piloting to ensure the business can reliably deploy it throughout the whole IT infrastructure. Defining a TLS inspection strategy has four main steps:

  1. Concerning Legal Issues: Consult legal professionals, counsel, or human resources before inspecting website traffic that raises legal or regulatory issues under local privacy regulations.
  2. Defining Use Cases: Zenarmor advises beginning the piloting process by first defining the specific use cases that need to be addressed.
  3. Selecting Clients: Determine the individuals who will be involved in each use case and specify the kind of traffic inspection that will be enabled.
  4. Selecting Traffic: Carefully prepare the phases, scheduling, and success criteria for each use case.

1. Concerning Legal Issues

Be aware that it is your responsibility to determine whether inspecting TLS communication is legal in your jurisdiction. Enabling the TLS Inspection feature permits the service to analyze your users' TLS traffic. Although inspection is automated, decrypting data in this manner may still violate privacy rules in some jurisdictions.

By implementing a full TLS inspection feature on your infrastructure, you acknowledge that you possess the legal authority to decipher this data in all applicable countries and have secured the requisite permissions from your users.

Seek guidance from legal experts, counsel, or human resources departments when inspecting website traffic that raises concerns under local privacy regulations or other legal or regulatory requirements.

Create revised computer-usage policies for HR and legal purposes, and ensure that all personnel, contractors, partners, visitors, and other users of the network are duly informed of them. Through this distribution, users are notified that their data may be decrypted and, where decryption takes place, subjected to a risk assessment.

2. Defining Use Cases

Use case identification is determined by considering the geographical locations of your users and the distribution of your traffic. You may take into account these components for defining use cases:

  • Which individuals possess the highest level of authorization to access the most delicate services or information?
  • Are there essential services that need strict control?
  • Are there any remote users, or are all of them physically present in the office?
  • Are there any mobile devices (including Android and iOS) that have to be safeguarded?
  • With which external entities are the servers permitted to communicate?
  • What specific compliance standards need to be fulfilled?

The answers to these questions are used for determining which sources (devices, users, servers, etc.) need security and how their traffic interacts with Zenarmor.

3. Selecting Clients

To have a clear understanding of the applications in your specific setting, it is important to categorize users (both those involved in testing and those in the actual production) according to each specific application. Choose a pilot group of people for each of your use cases. Which users are suitable for pilot testing?

The first users participating in the pilot group should be aware that they may encounter some problems and interruptions. Choose a cohort of individuals who are capable of managing disruptions. It is not advisable to include users at a crucial period in their product development or regulatory schedules. Although policy changes can be reverted quickly, it is advisable to minimize the occurrence of such situations. Choose the group that is least susceptible to harm and ensure that you have the complete participation of that group before commencing the pilot program.

Exclude IT or development personnel from the pilot group, since they tend to attempt to resolve problems on their own before reporting them. Furthermore, their tasks often involve working in an environment that differs from that of the typical user. Make sure that the pilot group has a heterogeneous mix of typical users situated at an office location, business unit, or local area. As the number of job responsibilities performed by this group increases, so will the number of applications examined and the number of alerts you receive. You will need feedback on your user notice to confirm that it communicates the necessary information and the procedure for escalating and resolving difficulties.

Ensure that your pilot group is familiar with the escalation procedure. It is preferable to have a representative from your security or IT team give a presentation on full TLS inspection and escalation. Additionally, it is beneficial if they are available for immediate contact in the event of any problems. Ensure that you have a designated person who is capable of promptly making adjustments or executing a rapid rollback of policy. Zenarmor facilitates rapid policy rollback and emphasizes the need for direct contact with your security team to effectively support the pilot clients.

As you begin defining your policies, it is probable that you will extend the policy to include a larger number of people. As you have a deeper understanding of your users and the requirements of your application, it is advisable to revise the policy accordingly.

Once your pilot group is fully established and functioning, you may proceed with implementing inspection across the remainder of your firm. Plan for this deployment to progress rapidly, proceeding from one location to another, until all of your users are covered.

4. Selecting Traffic

Once you have assigned users for your use cases, the subsequent step involves determining which traffic to examine. This is determined by choosing one or more criteria depending on the source, as well as selecting criteria based on the destination. This practice aids in distinguishing between inspected traffic and non-inspected traffic, whether it is at the first testing phase or during the full duration of the procedure.

When evaluating source-based criteria, take into account your understanding of the use case and how policy might be formulated to specifically focus on the sources:

  • By geographical location or network sub-division (such as headquarters, branch locations, specific building levels, or remote workers).
  • By categorizing individuals based on their group affiliation or department, such as Engineering, Sales, Operations, HR, Finance, etc.
  • By device categories, such as Windows, macOS, mobile operating systems, servers, kiosks, or Internet of Things (IoT) devices.

When considering which destinations to select for inspection, answer the following questions:

  • Will you inspect all web categories and cloud applications?
  • Have you considered exempting some categories for legal reasons, such as financial or government-related data?
  • Have you addressed web categories that involve sensitive and private information, such as personally identifiable information (PII) or health-related data?

Then decide how to phase the destination scope:

  • Implement a gradual strategy, choosing certain sets of URL categories for each step.
  • Begin with the individuals who are most likely to pose a danger.
  • Begin with the web categories that are least likely to affect your company.
  • Begin with the greatest (or smallest) in terms of volume.

Once you have comprehended the source and destination criteria, deliberate about which traffic should be exempted from inspection. What is the most effective way to create a policy that specifically excludes this traffic from each of your use cases, while also avoiding any overlap with other instances where the traffic should be examined?

The most prevalent strategy is to first focus on users who are working remotely, specifically those who are not connected to your trusted networks. Subsequently, the scope may be broadened to users from any geographical area. Commence with examining URL categories that are less likely to have an influence on your company, then gradually examine other categories as you obtain feedback and develop confidence.

Plans for Risk Tolerance and Acceptance

What criteria does the company use to decide whether the risk is acceptable when traffic cannot be inspected? Will such traffic be allowed or blocked? Discuss this with the project stakeholders during the planning phase. You will need to act quickly on agreed plans when investigating and fixing reported problems.

Important things to think about:

  • Zenarmor cannot see inside traffic that has not been inspected, so it cannot detect threats hidden in that incoming or outgoing traffic.
  • Is TLS inspection enabled for everyone or just for a certain group?
  • Determine under what conditions traffic is not inspected and connections are still allowed:
    • Sites excluded because of privacy and legal rules
    • Business-critical services
    • Connections to suppliers or business partners
    • Low-risk destinations

Set up your rules early on, and keep them up to date as you learn more about your surroundings and the services that need to handle exceptions.
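As an added example (not Zenarmor's configuration format or code), the following hypothetical Python model shows how the source and destination criteria from the Selecting Traffic section and the risk-tolerance decisions above can be expressed as ordered rules: legal exemptions are evaluated first so they never overlap an inspect rule, pilot scopes follow, unmatched traffic stays out of scope, and an in-scope destination that cannot be inspected (certificate pinning) fails open only for categories the plan has designated low risk. All group, location, device and category names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed policy model for illustration; not Zenarmor's rule syntax.

@dataclass(frozen=True)
class Flow:
    user_group: str       # e.g. "Sales" (constructed placeholder)
    location: str         # "hq", "branch" or "remote"
    device: str           # "windows", "macos", "ios", "iot", "kiosk", ...
    dest_category: str    # URL category of the destination
    pinned: bool = False  # destination known to pin its certificate

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "inspect" or "bypass"
    groups: frozenset = frozenset()       # empty set means "any"
    locations: frozenset = frozenset()
    devices: frozenset = frozenset()
    categories: frozenset = frozenset()

    def matches(self, f: Flow) -> bool:
        # Every non-empty criterion must contain the flow's attribute.
        return all(not s or v in s for s, v in (
            (self.groups, f.user_group), (self.locations, f.location),
            (self.devices, f.device), (self.categories, f.dest_category)))

# Order matters: exemptions first, then pilot scopes, then the default.
RULES = [
    Rule("legal-exemptions", "bypass",
         categories=frozenset({"finance", "health", "government"})),
    Rule("no-agent-devices", "bypass", devices=frozenset({"iot", "kiosk"})),
    Rule("pilot-remote-sales", "inspect",
         groups=frozenset({"Sales"}), locations=frozenset({"remote"})),
    Rule("pilot-hq-windows", "inspect",
         locations=frozenset({"hq"}), devices=frozenset({"windows"})),
]

# Risk-tolerance plan: categories that may fail open when inspection is
# impossible; everything else in scope fails closed (blocked).
FAIL_OPEN_CATEGORIES = frozenset({"software-updates", "cdn"})

def decide(flow: Flow, rules=RULES) -> tuple[str, str]:
    """Return (decision, matched rule name) for a single flow."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.action == "inspect" and flow.pinned:
            if flow.dest_category in FAIL_OPEN_CATEGORIES:
                return "allow-uninspected", rule.name
            return "block", rule.name
        return rule.action, rule.name
    return "bypass", "default-out-of-scope"
```

Because exemptions sit at the top of the list, adding a new inspect scope later can never accidentally pull exempted categories back into inspection.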

Time Management

Planning the project's timeline and its stages is a difficult task. Ideally, you want to act promptly to safeguard your environment from imminent risks. Nevertheless, it is important to allow sufficient time for testing, receiving feedback, and learning at every level.

Organizations that give high priority to and comprehend the significance of TLS inspection should anticipate a successful implementation of TLS inspection for the majority of their use cases within a timeframe of 45-90 days. However, the exact duration may vary depending on factors such as the size, complexity, and progress of their Zero Trust journey.

The project's timeline should take into account the different stages and scenarios. Key factors to consider while developing project schedules are as follows:

  • Should workstations be completed before mobile devices?
  • Should we deploy to remote users prior to deploying to on-premises users?
  • Can I arrange the client devices based on the operating system?
  • At what point should compliance obligations be addressed?
  • Do the mission-critical tasks first or last?
  • When should servers, kiosks, and/or IoT devices be implemented?

Establish practical timetables that allow sufficient time for testing, receiving feedback, and learning at every phase. Do not hesitate to move to a broader rollout for scenarios you have already tested successfully, even while other scenarios are still being investigated. Expand to the locations and timeframes that are ready, without encroaching on areas that are not yet prepared for implementation. When scaling up to production, be ready to step back and carefully re-examine and test new situations if major, high-impact concerns arise.

Define clear and measurable benchmarks throughout the initial planning stage for both the testing phases and the production phases. One such set of requirements for testing may be as follows:

  • Conducted a usability test with a sample size of ten participants over a period of five consecutive work days.
  • Resolved reported problems within a timeframe of two hours.
  • Received less than three problem reports throughout the last two days of testing.

The concept is to keep the approach straightforward. Conduct a test on a small portion (1-5 percent) of the use case base for a set duration to gain confidence in the behavior of various apps and services. Monitor the number of reported problems during the testing period, as well as the team's investigation and resolution time for each issue. Observe whether the number of reported problems significantly decreases (or stops) during the last segment of the testing period. If users are operating well, reported problems are resolved, and the overall situation seems favorable, then it is reasonable to anticipate a comparable outcome when this scenario is scaled up to production.

Criteria for Success

The criteria for the success of a TLS inspection deployment project vary. You may formulate the use cases based on your findings, taking into account the anticipated proportion of traffic attributed to these use cases, as well as the traffic that falls outside the scope of the project.

Project success criteria may be defined as follows:

  • The majority of the user population, over 85%, has enabled traffic inspection in some manner.
  • The reported difficulties have a frequency of less than one per 100 users per day.
  • More than 70% of all encrypted communication is undergoing inspection.

It is fair to assess success by expecting that the majority of the user base will be examined, the reported problems will be relatively low, and there will be a goal for total inspection. You may enhance this by providing a more detailed analysis of the extra hazards identified by the increased visibility offered by TLS inspection in the environment.

The objective is to thoroughly examine a maximum amount of encrypted online traffic. It is necessary for the organization to establish a minimum standard for the proportion of total traffic that may be examined, recognizing that there may be some traffic that cannot be inspected.

In an environment where 15% of destinations cannot be inspected (certificate pinning and other exemptions) and 15% of sources cannot be inspected (the guest network, IoT devices, and anything outside the scope), it can be anticipated that 30% of the traffic cannot be inspected. Consequently, the absolute maximum inspectable traffic would be 70%.
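As an added example (not code from the original page or from Zenarmor), the following Python checks evaluate a pilot against the test-phase requirements listed earlier (ten participants over five work days, issues resolved within two hours, fewer than three reports in the last two days), score the production success criteria, and compute the inspectable-traffic ceiling using the additive 15% + 15% estimate above. The issue log is constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed pilot issue log as (reported, resolved) timestamps; not real data.
PILOT_START = datetime(2024, 3, 4, 9, 0)        # Monday 09:00
PILOT_END = PILOT_START + timedelta(days=5)     # five consecutive work days
ISSUES = [
    (datetime(2024, 3, 4, 10, 15), datetime(2024, 3, 4, 11, 0)),
    (datetime(2024, 3, 4, 14, 0), datetime(2024, 3, 4, 15, 30)),
    (datetime(2024, 3, 5, 9, 30), datetime(2024, 3, 5, 10, 45)),
    (datetime(2024, 3, 7, 11, 0), datetime(2024, 3, 7, 12, 10)),
]

def pilot_exit_criteria(issues, start, end, participants, min_participants=10,
                        max_resolution_hours=2.0, max_late_reports=3):
    """Test-phase requirements: enough participants, every issue resolved
    within the limit, and fewer than max_late_reports in the last two days."""
    in_window = [(d, r) for d, r in issues if start <= d < end]
    slowest = max(((r - d).total_seconds() / 3600 for d, r in in_window),
                  default=0.0)
    late = sum(1 for d, _ in in_window if d >= end - timedelta(days=2))
    return {
        "participants_ok": participants >= min_participants,
        "resolution_ok": slowest <= max_resolution_hours,
        "late_reports_ok": late < max_late_reports,
        "slowest_hours": slowest,
        "late_reports": late,
    }

def production_success(users_total, users_inspected, issues_per_day,
                       encrypted_bytes, inspected_bytes):
    """Project criteria: >85% of users inspected, <1 issue per 100 users
    per day, >70% of encrypted traffic inspected."""
    return {
        "coverage_ok": users_inspected / users_total > 0.85,
        "issue_rate_ok": issues_per_day * 100 / users_total < 1.0,
        "inspection_share_ok": inspected_bytes / encrypted_bytes > 0.70,
    }

def max_inspectable_share(dest_exempt_share, source_exempt_share):
    """Ceiling on inspectable traffic when exempt destinations and exempt
    sources are assumed not to overlap (the 15% + 15% -> 70% estimate)."""
    return 1.0 - (dest_exempt_share + source_exempt_share)
```

Feed the same functions with your own ticket export and traffic counters to track the criteria day by day during the pilot.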

Communication

Effective communication is crucial for a successful implementation of TLS inspection. You need to let your users know that things are going to change, usually by updating your Acceptable Use Policy. You should also tell them how to report any problems they may have.

At each stage, go back and look over the comments, lessons learned, and findings. Let the important people in the project know about changes and reports so they stay focused on why the project is needed and what it will do for them.

Deployment

Understanding the procedure for establishing a TLS Inspection policy is essential for the correct implementation and continuous operation of an inspection program. Fortunately, policy creation is rather simple in Zenarmor, and you can quickly define a TLS control rule in your network.