by yfiapo 2663 days ago
The other side of the argument is frequently discounted and as an IT security person myself I understand that. However, there is a real challenge for companies who deal with large amounts of very sensitive data. To be able to effectively monitor for data loss it makes a lot of sense to be able to monitor the connection points between your protected network and outside networks. The move to all traffic being encrypted and uninspectable breaks this paradigm.

You can cover some of the same concern by implementing an agent on every connected computing device, but this brings much greater complexity, as you are monitoring potentially hundreds to thousands more places and still have to worry about whether you have complete coverage.

Consider an analogy of going through international customs. Do you employ customs officials at the border who are allowed to sample and inspect private belongings to verify laws are being followed? Or do you employ an official to help pack the belongings of each individual who you think may eventually cross the border? The second example is a bit stretched but hopefully illustrates the scale problem.

2 comments

> Or do you employ an official to help pack the belongings of each individual who you think may eventually cross the border?

Without telling the person whose things were packed that they were packed by the official.

I assume that organizations deploying this make it clear to employees that the network and computer equipment is intended for professional use.

But since every device needs to trust your CA, aren't you forced to pack their belongings in either case?

Hmm, I'm straining my own analogy already so I won't try to beat that horse any deader. :-) I am mostly trying to argue the positives of centralized inspection at network chokepoints in simplicity and guarantee of coverage.
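The point raised above about every device having to trust the inspecting CA is worth seeing concretely. The following Go program is an added example, not code from anyone in this thread: it builds the kind of certificate chain a TLS-inspecting chokepoint proxy produces (a private "inspection CA", hypothetical name, that mints a leaf certificate for whatever host the client asked for, here example.com), then checks how a client with and without that CA in its trust store would treat the connection. Everything is generated in memory with the standard library; the names are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for tmpl. When parent is nil the
// certificate is self-signed (a root CA); otherwise it is signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildInterceptionChain mimics what an inspecting proxy does on the fly: it holds a
// private CA and issues a leaf certificate impersonating the requested host.
// Returns (enterprise CA, leaf for host).
func BuildInterceptionChain(host string) (*x509.Certificate, *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Inspection CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey := issue(caTmpl, nil, nil)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := issue(leafTmpl, ca, caKey)
	return ca, leaf
}

// ClientAccepts performs the same chain validation a TLS client does for host,
// using roots as the device's trust store. A nil error means the handshake would
// succeed; an x509.UnknownAuthorityError means the device was never "packed".
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "example.com"
	ca, leaf := BuildInterceptionChain(host)

	// Managed device: the enterprise CA has been pushed into its trust store.
	managed := x509.NewCertPool()
	managed.AddCert(ca)
	fmt.Printf("managed device, issuer %q: err=%v\n", leaf.Issuer.CommonName, ClientAccepts(leaf, managed, host))

	// Unmanaged device: empty trust store stands in for "public roots only".
	fmt.Printf("unmanaged device: err=%v\n", ClientAccepts(leaf, x509.NewCertPool(), host))
}
```

Two things fall out of running it. First, the interception only works on devices where the CA was installed, so a chokepoint deployment still touches every endpoint once, even if it never runs an agent there. Second, the leaf's issuer name is visible to any client that cares to look, which is how an employee (or a piece of malware doing certificate pinning) can tell that inspection is happening.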