apexalpha an hour ago

I largely agree with the author. When our SOC wanted to implement TLS inspection I blocked it. Mostly because we're not nearly at the security level for this, but also because it just fucks with so many things.

That said, we are not a business dealing with highly sensitive data or legal responsibilities surrounding data loss prevention.

If you are a business like that, say a bank or a hospital, you want to be able to block patient / customer data leaving your systems. You can do this by setting up a regex for a known format like patient numbers or bank account numbers.

This requires TLS inspection obviously.

Though this makes it harder to steal this data, not impossible.

It does however allow the C-suite to say they did everything they could to prevent it.
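The regex-on-decrypted-payload check described in the comment above, as an added illustration that is not part of this thread and not the commenter's code. The patient-number format (`PN-` plus eight digits) is a made-up assumption; the bank-account check is the standard ISO 13616 IBAN mod-97 checksum, used here to cut the false positives a bare regex would produce. The scanner only works on plaintext, which is exactly why the commenter notes it requires TLS inspection.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical patient-number format: "PN-" followed by 8 digits.
# A real deployment would use the organisation's own identifier formats.
PATIENT_NUMBER_RE = re.compile(r"\bPN-\d{8}\b")

# IBAN: 2-letter country, 2 check digits, 11-30 alphanumerics, optional spaces
# between groups as people commonly type them.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check.

    Strip spaces, move the first four characters to the end, replace each
    letter with its value A=10..Z=35, and the resulting integer mod 97 must be 1.
    """
    compact = iban.replace(" ", "")
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass
class Finding:
    kind: str    # "patient_number" or "iban"
    value: str   # the matched text as it appeared in the payload
    offset: int  # character offset in the payload, for logging/forensics


def scan_payload(payload: str) -> list[Finding]:
    """Return every sensitive-looking token in an outbound plaintext payload.

    Patient numbers are format-only matches; IBAN candidates are kept only if
    the checksum validates, so a random alphanumeric run does not trigger a block.
    """
    findings: list[Finding] = []
    for m in PATIENT_NUMBER_RE.finditer(payload):
        findings.append(Finding("patient_number", m.group(), m.start()))
    for m in IBAN_RE.finditer(payload):
        if iban_checksum_ok(m.group()):
            findings.append(Finding("iban", m.group(), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def should_block(payload: str, threshold: int = 1) -> bool:
    """Policy decision: block the request once `threshold` findings are present."""
    return len(scan_payload(payload)) >= threshold


if __name__ == "__main__":
    # Constructed sample of a decrypted outbound request body.
    sample = "Patient PN-00123456 transfer to GB82 WEST 1234 5698 7654 32 please."
    for f in scan_payload(sample):
        print(f"{f.kind} at offset {f.offset}: {f.value}")
    print("block:", should_block(sample))
```

Note what the checksum buys you: a lookalike such as the same IBAN with one digit changed fails mod-97 and is ignored, whereas the patient-number rule has no check digit and will fire on any eight digits behind `PN-`, so in practice that rule needs a much tighter format or an allow-list to stay usable. None of this sees anything if the payload reaching the scanner is still ciphertext.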

apexalpha an hour ago | parent

Oh and the software (Netskope) was only able to decrypt our traffic in the cloud.

Lmao not in a million fucking years will I upload our data to an American company in fucking plaintext.

dcminter an hour ago | parent

Netskope and the other DLP tools at my last gig would completely lock up my network connection for around 30 seconds every hour or two while maxing out 100% of a core. Fun times. The issue was still there a year after I first encountered it so I have grave doubts about the competence of those vendors.

On the other hand I am sympathetic to the needs of big regulated orgs to show they're doing something to avoid data loss. It's a painful situation.