Here is a recurring question - how often do you see SSL/TLS on "internal" communications? It's a relevant question; after all, "internal" systems house the most valuable data, identity protocols, authentication, management, and services. It's not the keys to the kingdom, it's the whole kingdom.
Most websites and mobile apps have at least some of their external-facing communications protected by TLS/SSL (and yes, there are lots of config problems there too, but leaving those aside for now).
I asked a bunch of people at Chisec whether they liked the over or the under on 25% industry-wide doing SSL/TLS on internal comms.
@JBW_1 asked a better question: "You could ask a different way - how many enterprises still think their internal network is trusted?" That really gets to the heart of the matter. Most people, certainly security people, regard the network as untrustworthy, but if you look at the architecture and deployment decisions coming out of those same groups, it's TLS/SSL external and no TLS/SSL internal. In other words - we know internal is not trustworthy but we're trusting it anyway.
So two questions -
1) Do you like the over or the under on 25% industry-wide using TLS/SSL internal? I like the under.
2) Is that a rational tradeoff?
I asked a number of people this and here is what they said:
@petrillic · 5-10% and 80% of those are self signed and badly configured
"for admin login sometimes"
"some but never on db"
@BrandonJeup · I'd say we're doing better than 1/4, but there's certainly a lot of room for improvement.
"What is ldaps?"
"let me round it down to the nearest digit - zero"
"we do....with busted certs" (twice)
@hhopk · remembers a place I once worked where we tried to do proper certs everywhere. Failed. Unmanageable w/out automation.
Most people took the under on 25%. The last point is interesting: if you try to do it internally, how feasible is it? AD can help quite a bit with managing Windows resources, but what about Linux/Unix et al.? What about test, dev, and deployment? There are plenty of valid reasons why it may not happen. On the other hand, that means communications to LDAP, DB, MQ, services, ESB, and on and on are whizzing by in the clear and very likely unauthenticated. Which brings me to question #3 - what do you do instead?
Would be interested to hear from folks on any of these three; lack of protected communications, internal or external, creates all sorts of challenges. Please post comments or tweet (@oneraindrop), no need to comment on *your* organization, but general industry practices would be good to share here.
Robert Earl Keen sang "they say I'm apathetic, but really I just don't care." I don't think apathy is a good choice here. Internal PKI is a big honking project; on the other hand, doing nothing is pretty weak. What is in the middle? Monitoring is one of the only available middle roads.
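One concrete form that monitoring can take, as an added example that is not part of the original post: passively inspect the first bytes a client sends on each internal connection and report what is crossing the wire in the clear, so the LDAP and DB traffic mentioned above at least shows up on a list. The hostnames, DN and password below are constructed sample data, the TLS sample is a truncated ClientHello, and the BER decoder covers only short-form lengths, which is enough for a typical bind request.

```python
"""Added example: spot cleartext vs TLS on captured internal connections.

Input is the first client payload of each connection (constructed samples
below, not real traffic). Each is classified as TLS, cleartext HTTP,
cleartext LDAP, or unknown cleartext, and LDAP simple binds are decoded so
the DN whose password is crossing the network unencrypted can be reported.
"""


def ber(tag: int, content: bytes) -> bytes:
    """Encode a short-form BER TLV; used only to build the sample packets."""
    assert len(content) < 128, "short-form length only"
    return bytes([tag, len(content)]) + content


def read_tlv(buf: bytes, off: int = 0):
    """Decode one short-form BER TLV at buf[off]; return (tag, content, next_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported in this example")
    end = off + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[off + 2:end], end


def parse_ldap_simple_bind(payload: bytes):
    """Return (dn, password) if payload is an LDAP BindRequest with simple auth, else None."""
    try:
        tag, msg, _ = read_tlv(payload)
        if tag != 0x30:                      # LDAPMessage ::= SEQUENCE
            return None
        tag, _msgid, off = read_tlv(msg)
        if tag != 0x02:                      # messageID INTEGER
            return None
        tag, bind, _ = read_tlv(msg, off)
        if tag != 0x60:                      # protocolOp: BindRequest [APPLICATION 0]
            return None
        tag, _version, off = read_tlv(bind)
        if tag != 0x02:                      # version INTEGER
            return None
        tag, dn, off = read_tlv(bind, off)
        if tag != 0x04:                      # name LDAPDN (OCTET STRING)
            return None
        tag, auth, _ = read_tlv(bind, off)
        if tag != 0x80:                      # authentication: simple [0] OCTET STRING
            return None                      # (SASL binds use [3] and are not flagged)
        return dn.decode("utf-8", "replace"), auth.decode("utf-8", "replace")
    except ValueError:
        return None


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def classify(payload: bytes) -> dict:
    """Classify the first client bytes of one connection."""
    # TLS record header: type 0x16 (handshake), version 3.x, then handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return {"transport": "tls", "record_version": f"3.{payload[2]}"}
    if payload.startswith(HTTP_METHODS):
        return {"transport": "cleartext", "proto": "http"}
    bind = parse_ldap_simple_bind(payload)
    if bind is not None:
        return {"transport": "cleartext", "proto": "ldap-simple-bind", "dn": bind[0]}
    if payload[:1] == b"\x30":               # some other LDAPMessage (search, modify, ...)
        return {"transport": "cleartext", "proto": "ldap"}
    return {"transport": "cleartext", "proto": "unknown"}


def findings(connections) -> list:
    """Return (destination, classification) for every connection that is not TLS."""
    out = []
    for dst, payload in connections:
        c = classify(payload)
        if c["transport"] != "tls":
            out.append((dst, c))
    return out


# Constructed sample payloads (not captured from any real network).
SAMPLE_TLS_HELLO = bytes.fromhex("160301003a01000036") + b"\x03\x03" + b"\x00" * 32
SAMPLE_HTTP = b"GET /admin/login HTTP/1.1\r\nHost: intranet\r\n\r\n"
SAMPLE_LDAP_BIND = ber(0x30, ber(0x02, b"\x01") + ber(0x60,
    ber(0x02, b"\x03") + ber(0x04, b"cn=svc-backup,dc=corp,dc=example") + ber(0x80, b"Winter2014!")))
SAMPLE_LDAP_SEARCH = ber(0x30, ber(0x02, b"\x02") + ber(0x63, b""))
SAMPLE_CONNECTIONS = [
    ("ldap.corp.example:389", SAMPLE_LDAP_BIND),
    ("ldap.corp.example:389", SAMPLE_LDAP_SEARCH),
    ("www.corp.example:443", SAMPLE_TLS_HELLO),
    ("intranet.corp.example:80", SAMPLE_HTTP),
]

if __name__ == "__main__":
    for dst, c in findings(SAMPLE_CONNECTIONS):
        print(f"{dst}: {c['proto']} in the clear" + (f" (bind as {c['dn']})" if "dn" in c else ""))
```

Run against the constructed samples this reports three cleartext connections and names the DN doing a simple bind; pointed at a mirror port or a pcap of real internal traffic, the same logic gives the inventory you need before deciding which LDAP, DB and MQ links to wrap in TLS first.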