How Centralized Decryption Can Help Meet Compliance Requirements

One of the needed byproducts of a digitally transformed society in recent years, has been increased attention for the privacy rights of individuals. Examples of this can be found in the implementation of the General Data Protection Regulation (GDPR) in Europe, and the California Consumer Protection Act (CCPA) in the United States, both of which are designed to give individuals more control over the collection and use of their personal information online.

However, cyber criminals and other bad actors have never been stopped by legislation. And in many cases, encryption remains open to exploitation by attackers and hackers who are determined to wreak havoc on corporate networks, and people’s private information and data. As such, companies should consider decryption and inspection as a means of improving network security and privacy compliance. If implemented properly and supported by specific policies and safeguards, decryption can play a key role in improving a business’ security and protecting individuals’ sensitive data.

How attackers commonly use encrypted traffic

An encrypted attack in three simple steps:

1. Malware delivery. Attackers will use encryption to send malware via encrypted connections as part of phishing or other attacks. Network security tools will largely be blind to the encrypted session.
2. Command and control traffic. When a machine is compromised, the command and control traffic that attackers use to escalate privileges and move laterally within the network is typically encrypted to obscure the attacker’s actions.
3. Data exfiltration. After an attacker gains access to sensitive business data, the attacker will then exfiltrate the information via encrypted channels and prevent data loss prevention solutions from detecting the data leakage.

Concerns about decrypting traffic

Many organizations have largely resisted embracing decryption on a wide scale for a number of reasons. Some are willing to selectively decrypt a few categories of traffic with the highest risk (e.g. gambling, pornography) but are otherwise worried about exposing sensitive user information. Others are worried about the performance impact of decryption and that doing it would be too costly. Still others believe that not much traffic is encrypted or a solution can’t fit their environment. While Encrypted Traffic Management technologies have been around for a while, the market still lacks an understanding of how to prevent encrypted threats in a cost-effective, low-latency and privacy-compliant way.

The regulatory environment adds complexity

Non-compliance can result in a laundry list of issues and headaches for any large organization. Some of those matters are likely already known, while others might not be so obvious. Among the problems that could arise from non-compliance are:

• Potential legal action as a result of compliance failure
• Potential data loss/damages/public releases
• Fines/penalties related to compliance failures
• The impact on public perception/reputation
• Loss of business revenue
• Loss of accreditation/certification that impacts potential sales opportunities
• Internal problems/decrease productivity

When it comes to implementing decryption, a decision should be made following a detailed assessment of why it is justified, how it is risk-balanced and what safeguards the organization will implement in order to minimize intrusiveness and limit users’ privacy risks. Because of its significance in modern privacy law, and because many other regulatory standards have borrowed from it, the EU GDPR is a great reference point for establishing decryption guidelines and policies. As such, Symantec recommends the following steps should be taken when decryption plans are on the table:

• Involve the right teams and gain consensus across the organization
• Create detailed, documented policies for the collection of decrypted data
• Establish stringent controls for the management of decrypted data
• Maintain transparency through clear and specific communications

Protecting an organization’s users, infrastructure and data from a cyber attack is a difficult task. A centralized approach to decryption solutions can help organizations selectively decrypt and inspect network traffic and maintain compliance with GDPR and other privacy regulations. Privacy and security is more relevant than ever given the increasingly digital and interconnected nature of most people’s lives: whether at home, at work, or in public.