By John Harrison, Regional Product Marketing Manager, EMEA, and Fred Streefland, Regional Chief Security Officer
You might be surprised to learn that SSL decryption can be a valuable tool for protecting data in compliance with the European Union’s General Data Protection Regulation (GDPR), when applied according to best practices.
Responsible organizations everywhere want to protect their networks and the personal data their users entrust to them. As technology develops and regulations shift, it takes insight to implement security measures effectively while remaining in compliance. SSL/TLS decryption, which provides visibility into security threats that can be hidden within encrypted traffic, has emerged as a key technique for protecting against modern threats. In talking with our customers, however, we’ve found that some organizations believe they aren’t allowed to use SSL decryption because of GDPR, a comprehensive European Union data protection law that governs how entities collect or process the personal data of individuals in the EU.
On the contrary, the GDPR is a regulation, not an inhibitor. It states specifically that you are allowed to implement measures in order to secure the processing of personal data. It also goes a step further, recommending you take organizational and technical security measures to secure the processing of personal data. Because of this, it’s not correct to say, “I cannot do SSL decryption because of GDPR.” In fact, it’s more accurate to say, “The GDPR requires me to do it.”
Encryption and Hidden Threats
Encryption is increasingly used to secure not just sensitive or private information but practically all traffic traversing enterprise networks. According to a Google 2019 finding on encrypted traffic, 87% of internet users’ time is spent on pages that use HTTPS, and 70% of pages are loaded on HTTPS.
The downside is that organizations are essentially left blind to any security threats contained inside encrypted traffic. Attackers exploit this lack of visibility and identification to hide within encrypted traffic and spread malware. The availability of cheap or free certificates from sites such as Let’s Encrypt has made encryption far too simple for attackers to leverage with their automated malware and phishing campaigns. Even legitimate websites that use SSL can be infected with malware. Adversaries inside a network can also use encryption to hide data being exfiltrated.
If you can’t see what’s coming into your company, you can’t protect it, especially in today’s environment. More than ever, organizations need the ability to decrypt, gain visibility, classify, control and scan SSL-encrypted traffic.
A Plan for SSL Decryption and GDPR Compliance
To implement SSL decryption, you need buy-in within your organization. Part of that involves reassuring stakeholders that you have a plan for rolling out your implementation in a way that remains sensitive to compliance considerations. Your first step should be to set clear expectations around which data you do and don’t want to decrypt. For example, you could inform your board of directors, management and legal counsel that you will not decrypt certain categories of sensitive data, such as data related to health care, banking and government.
Another option is not to start SSL decryption of everything on day one. Instead, you could designate certain high-risk categories to focus on, such as recently registered domains, recently infected websites or uncategorized websites. Other good web hygiene options include not allowing users to connect to websites with expired certificates, untrusted certificates or self-signed certificates. These last options can be done even without actually decrypting traffic but can substantially protect users. Then, be sure your technical implementation follows the expectations you set. Palo Alto Networks Next-Generation Firewall, for example, makes it easy to enable an optimal security policy while respecting confidential traffic parameters.
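The plan above boils down to an ordered decision: apply the certificate hygiene checks (which need no decryption), honour the categories you promised not to decrypt, then decrypt only the high-risk categories in scope for the first phase. The following is an added example written for this page, not Palo Alto Networks code and not a firewall configuration; the category names, the trust anchor and the sample flows are constructed for illustration, and a real deployment would take categories and certificate details from the inspection device rather than from in-memory objects.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed policy inputs (assumptions for this example): the categories the
# organization has told its board and legal counsel it will NOT decrypt, and the
# high-risk categories it chooses to decrypt in the first rollout phase.
NO_DECRYPT_CATEGORIES = {"health-care", "banking", "government"}
HIGH_RISK_CATEGORIES = {"newly-registered-domain", "recently-infected", "uncategorized"}
# Constructed trust anchor: issuer names the organization trusts.
TRUSTED_ISSUERS = {"Example Trusted Root CA"}


@dataclass(frozen=True)
class ServerCert:
    """Certificate fields visible in the TLS handshake; checking them needs no decryption."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Flow:
    host: str
    category: str   # URL/category label assigned by the inspection device
    cert: ServerCert


def certificate_problem(cert: ServerCert, now: datetime) -> Optional[str]:
    """Return the hygiene problem with a server certificate, or None if it passes."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    # A self-signed certificate names itself as issuer; test this before the
    # trust-store lookup so it gets the more specific label.
    if cert.subject == cert.issuer:
        return "self-signed"
    if cert.issuer not in TRUSTED_ISSUERS:
        return "untrusted"
    return None


def decide(flow: Flow, now: datetime, phase_one: bool = True) -> Tuple[str, str]:
    """Return (action, reason) for one flow: "block", "no-decrypt" or "decrypt".

    Hygiene checks run first because they apply to every destination and need no
    decryption; excluded categories come next; the rollout scope is applied last.
    """
    problem = certificate_problem(flow.cert, now)
    if problem is not None:
        return ("block", problem)
    if flow.category in NO_DECRYPT_CATEGORIES:
        return ("no-decrypt", f"excluded category {flow.category}")
    if phase_one and flow.category not in HIGH_RISK_CATEGORIES:
        return ("no-decrypt", "outside phase-one scope")
    return ("decrypt", f"inspect {flow.category}")


# Constructed evaluation time and sample flows.
NOW = datetime(2020, 1, 15, tzinfo=timezone.utc)


def _cert(subject: str, issuer: str, days_valid: int = 365, days_ago: int = 30) -> ServerCert:
    start = NOW - timedelta(days=days_ago)
    return ServerCert(subject, issuer, start, start + timedelta(days=days_valid))


SAMPLE_FLOWS: List[Flow] = [
    Flow("hospital.example", "health-care", _cert("hospital.example", "Example Trusted Root CA")),
    Flow("newdomain.example", "newly-registered-domain", _cert("newdomain.example", "Example Trusted Root CA")),
    Flow("news.example", "news", _cert("news.example", "Example Trusted Root CA")),
    # Validity window ended 20 days before NOW, so this certificate is expired.
    Flow("stale.example", "news", _cert("stale.example", "Example Trusted Root CA", days_valid=10, days_ago=30)),
    Flow("selfie.example", "uncategorized", _cert("selfie.example", "selfie.example")),
    Flow("odd.example", "uncategorized", _cert("odd.example", "Unknown CA")),
]


def evaluate_all(flows: List[Flow], now: datetime = NOW, phase_one: bool = True) -> List[Tuple[str, str, str]]:
    """Produce one (host, action, reason) record per flow, suitable for an audit log."""
    return [(f.host, *decide(f, now, phase_one)) for f in flows]


if __name__ == "__main__":
    for host, action, reason in evaluate_all(SAMPLE_FLOWS):
        print(f"{host:20} {action:10} {reason}")
```

Keeping the decision table in code (or in the device's policy, which is where it belongs in production) and recording the reason with every action gives you the accountability record the GDPR's documentation duty expects: you can show that health-care, banking and government traffic was never decrypted, and why any connection was blocked.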
Best Practices for SSL Decryption and GDPR
To truly protect your organization today, we recommend you implement SSL decryption. Palo Alto Networks has created a set of resources, documentation and best practice guides to help. Running a Best Practice Assessment is one way to get started and strengthen your security.
Understand what you need to enable and deploy SSL decryption.