At the start of 2020, there are some technologies – originally developed only with the very best of intentions – that seem to have a darker side, challenging us to come up with new ways to harness and handle their capabilities.
One of these technologies is encryption, which was developed years ago as a way to enhance the security of digital data and data streams and is now deployed in countless consumer products.
The internet has been an important accelerator behind the use of encryption technology. As a result, more than 80 per cent of today’s global internet traffic is encrypted. WhatsApp, for example, uses encryption technology to reassure its users that their messages can only be read by the intended recipient. In a world in which cyber-criminals are active 24/7, trying to get their hands on as much data as possible, this level of security is an essential feature of online data exchange.
300 million attacks per month
However, the prevalence and success of encryption technology has not escaped the attention of internet data thieves. For years, cyber-criminals have been adopting all kinds of disguises to continue their pursuit of targets.
One of their most recent tricks is to deliver malicious code inside encrypted traffic in an attempt to sidestep traditional security products, which either cannot see the contents of encrypted data packets or are deliberately designed not to, in order to protect users’ privacy. In some cases, a security solution may simply lack the capacity to inspect all encrypted traffic without grinding to a halt. Criminals are already deploying encrypted threats at huge scale: in 2019, the Zscaler ThreatLabZ team recorded almost 300 million attacks of this kind per month!
Certificate authorities
Many organizations believe that they are protected from attacks on SSL-encrypted data because they use a public key infrastructure (PKI). A PKI provides the technology required to encrypt internet traffic, including a component known as a “certificate authority.”
Certificate authorities are the parties responsible for managing and securing the unique keys and for providing websites with the certificates that act as the key to the browser’s “lock.” Many certificate authorities do a great job and do everything they can to ensure that communication is secure. But, in principle, anyone can set up a PKI and issue certificates.
Many certificate authorities have a good reputation and carry out rigorous checks and verification processes, but many others are not as well regarded and are known for issuing certificates to “bad actors” without any checks. As a result, it is now very easy for these bad actors to construct their own encrypted websites that, at least at first glance, look entirely legitimate.
This means that a digital transaction may appear secure when, in fact, it is anything but. SSL/TLS encryption guarantees confidentiality and integrity, giving users the assurance that their data cannot be viewed or manipulated while in transit. That little lock shown in your browser tells you nothing about the intentions of the person, or the system, that you are communicating with.
A dilemma for CISOs
These developments have produced a complicated dilemma for many CISOs. They don’t need to worry about whether or not to use encryption for data in transit. That question has already been answered, because encryption significantly enhances security and is often mandatory anyway. The challenge lies in the incoming data traffic that is already encrypted.
While most CISOs understand that inspecting encrypted data can further boost security, some remain unsure as to whether or not to actually do it. Sometimes, the company may not have the technology needed to check incoming encrypted data effectively; sometimes, the doubt stems from uncertainty in relation to the employees’ rights to privacy.
This uncertainty ensures that the status quo is maintained, and that encrypted data traffic is accepted without question – even though the organization has no idea what a data packet contains or whether it could cause harm to the company or its employees.
The General Data Protection Regulation (GDPR) introduced in mid-2018 is one of the reasons why many CISOs doubt the legitimacy of measures to scan encrypted data traffic. Although the regulation does not set out exactly which preventive measures organizations should implement to be considered compliant, it is very clear on one thing: organizations are responsible for providing a secure digital work environment for their employees.
If an organization has no idea what data is coming into its systems and what the impact of it could be, it is not doing everything it could to facilitate a secure digital working environment as described in Article 32 of GDPR.
For any CISOs who have concerns about privacy, remember this: during inspection, the reports and logs (or, more accurately, the files generated from them) can be configured to show operators only metadata, with all personal information (PI) fields masked. This approach provides enough information to perform a technical check on the data.
If this check suggests that an incident has occurred that is serious enough to justify disclosure of the PI data, you can initiate a process to gain access to the masked personal data.
This process applies only in exceptional circumstances, for example, if someone is suspected of leaking data or if you need to know whose systems have been compromised by a hacking attempt. Often, representatives from HR or the legal team are involved in these kinds of processes. Organizations can also set out their processes in privacy policies, which employees are expected to be aware of and understand.
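The metadata-only operator view and the separate re-identification step described above, as an added example that is not part of the original article or any vendor product: inspection log records are constructed here for illustration, the field names (`user`, `src_ip`, `sni`, `verdict`) and the use of keyed HMAC pseudonyms are assumptions, and the key would be held by the HR/legal process rather than by operators.

```python
import hashlib
import hmac

# Fields in an inspection log record that identify a person (assumed field
# names; the article only speaks of "PI fields").
PI_FIELDS = ("user", "src_ip")

# Constructed sample inspection records, not real traffic.
SAMPLE_LOGS = [
    {"ts": "2020-01-15T09:12:03Z", "user": "alice@example.com", "src_ip": "10.0.0.21",
     "sni": "updates.example.net", "verdict": "allowed", "bytes": 48211},
    {"ts": "2020-01-15T09:12:09Z", "user": "bob@example.com", "src_ip": "10.0.0.34",
     "sni": "cdn.example.org", "verdict": "blocked:malware", "bytes": 1320},
    {"ts": "2020-01-15T09:13:41Z", "user": "alice@example.com", "src_ip": "10.0.0.21",
     "sni": "cdn.example.org", "verdict": "blocked:malware", "bytes": 1320},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same input always yields the same
    token, so operators can still correlate events, but the token cannot be
    reversed without the key (HMAC-SHA256, truncated to 64 bits)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def operator_view(records, key: bytes):
    """The metadata-only view operators see: every PI field is replaced by its
    pseudonym; destination host, verdict and size are kept for technical checks."""
    out = []
    for rec in records:
        masked = dict(rec)
        for field in PI_FIELDS:
            if field in masked:
                masked[field] = pseudonymize(masked[field], key)
        out.append(masked)
    return out


def incidents(view):
    """Pseudonymous records whose verdict indicates a blocked threat."""
    return [r for r in view if r["verdict"].startswith("blocked")]


def reidentify(token: str, field: str, records, key: bytes):
    """The exceptional, separately authorised step: map a pseudonym back to the
    raw value by recomputing tokens over the retained raw records."""
    for rec in records:
        if field in rec and pseudonymize(rec[field], key) == token:
            return rec[field]
    return None
```

Without the key, `reidentify` returns nothing, so an operator holding only the masked view cannot recover who was affected; with it, the incident process can find which user's system saw the blocked download.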
The solution: the security cloud
Organizations are increasingly opting to send and receive all their data traffic via a security cloud. These services have sufficient capacity to analyze vast amounts of data, including encrypted data, in very short timeframes before forwarding it on to end users.
One of the main advantages of this way of working is that the process of decryption and inspection takes place in the cloud, which means that organizations do not need to make huge investments in processing power – and that they only receive data that has been approved by the cloud security provider.
Thanks to cloud technology, organizations can continue to benefit from the power of encryption, remain compliant with regulations, such as GDPR, and assure their employees that their privacy and data will be protected across all their devices.