{"id":102804,"date":"2019-10-18T15:35:19","date_gmt":"2019-10-18T22:35:19","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=102804"},"modified":"2019-10-18T15:33:22","modified_gmt":"2019-10-18T22:33:22","slug":"network-ssl-decryption-and-gdpr","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2019\/10\/network-ssl-decryption-and-gdpr\/","title":{"rendered":"SSL\/TLS Decryption Can Help with GDPR Compliance"},"content":{"rendered":"

By John Harrison, Regional Product Marketing Manager, EMEA, and Fred Streefland, Regional Chief Security Officer<\/span><\/p>\n

You might be surprised to learn that SSL decryption can be a valuable tool for protecting data in compliance with the European Union\u2019s General Data Protection Regulation (GDPR), when applied according to best practices.<\/span><\/p>\n

Responsible organizations everywhere want to protect their networks and the personal data their users entrust to them. As technology develops and regulations shift, it takes insight to implement security measures effectively while remaining in compliance. SSL\/TLS decryption, which provides visibility into security threats that can be hidden within encrypted traffic, has emerged as a key technique for protecting against modern threats. In talking with our customers, however, we\u2019ve found that some organizations believe they aren\u2019t allowed to use SSL decryption because of GDPR, a comprehensive European Union data protection law that governs how entities collect or process the personal data of individuals in the EU.\u00a0<\/span><\/p>\n

On the contrary, the GDPR is a regulation, not an inhibitor. It states specifically that you are allowed to implement measures in order to secure the processing of personal data. It also goes a step further, recommending you take organizational and technical security measures to secure the processing of personal data. Because of this, it\u2019s not correct to say, \u201cI cannot do SSL decryption because of GDPR.\u201d In fact, it\u2019s more accurate to say, \u201cThe GDPR <\/span>requires <\/span><\/i>me to do it.\u201d\u00a0<\/span><\/p>\n

 <\/p>\n

Encryption and Hidden Threats<\/b><\/p>\n

Encryption is increasingly used to secure not just sensitive or private information but practically all traffic traversing enterprise networks. According to a Google 2019 finding on encrypted traffic, 87% of internet users\u2019 time is spent on pages that use HTTPS, and 70% of pages are loaded on HTTPS.\u00a0<\/span><\/p>\n

The downside is that organizations are essentially left blind to any security threats contained inside encrypted traffic. Attackers exploit this lack of visibility and identification to hide within encrypted traffic and spread malware. The availability of cheap or free certificates from sites such as Let\u2019s Encrypt have made encryption far too simple for attackers to leverage with their automated malware and phishing campaigns. Even legitimate websites that use SSL can be infected with malware. Adversaries inside a network can also use encryption to hide data being exfiltrated.<\/span><\/p>\n

If you can\u2019t see what\u2019s coming into your company, you can\u2019t protect it, especially in today\u2019s environment. More than ever, organizations need the ability to decrypt, gain visibility, classify, control and scan SSL-encrypted traffic.<\/span><\/p>\n

\n