> where nobody knows why it's done, just that it's done
Compliance. You think your IT dept wants to deploy this crap? However painful you think it is as an end user, multiply it by having to support hundreds/thousands of endpoints.
Look, I hate traffic inspection as much as the next person but this is for security, it's just not for the security you want it to be. This is so you have an audit trail of data exfiltration and there's no way around it. You need the plaintext to do this and the whole network stack is built around making this a huge giant pain in the ass. This is one situation where soulless enterprises and users should actually be aligned. Having the ability in your OS to inspect the plaintext traffic of all incoming and outgoing traffic by forcing apps off raw sockets would be a massive win. People seem to understand how getting the plaintext for DNS requests is beneficial to the user but not HTTP for some reason.
Be happy your setup is at least opportunistic and not "block any traffic we can't get the plaintext for."
No, they really really don't. Source: I've worked in corporate IT for many years, and this kind of shit is always forced upon us just as much as it is on you guys. We hate it too.
Not the OP, but currently I work in a regulated industry (financial) where Corporate Risk and Legal depts ask for this stuff (and much more) to satisfy external auditors. The IT people hate it just as much.
I had never experienced just how much power a single dept could hold until we got acquired by a large finance enterprise and had to interact with the Risk dept.
Still, what exactly has changed in the last year that Zscaler/Netskope became prevalent? What law has changed? Can someone pinpoint it? I work for a telecom company, for example; two years ago there was no Zscaler/Netskope MITM in my requests from the corporate laptop to the Internet, today there is one. What law has changed, if any, that mandates that? If that matters, the ISP is registered in NJ.
20 years ago I was configuring VPNs on work laptops that then had all the exit traffic routed to a Bluecoat system to MITM the traffic. The difference is that Zscaler is "Zero Trust" so you are actually not on a VPN anymore. It's intercepting the traffic locally and then determining what to do with it. At my current workplace we are using it to access internal services only, allowing all external traffic to exit directly.
Not in your country, but my point about compliance wasn't that a law requires it specifically (laws don't specify technical "solutions" anyway) - just that often the IT dept is compelled by other depts (e.g. Risk) to implement and support stuff that allows that other dept to show auditors that they are doing something rather than being negligent.