Regulations in many countries require organizations to secure and encrypt web traffic that may contain sensitive client data. The downside: Those organizations now have to grapple with threats that hide within encrypted traffic.
Encryption Laws and Regulations in the US and Globally
People have long used cryptography to hide secret communications. The use of codes and ciphers to protect sensitive information began thousands of years ago. The well-known “Caesar cipher” is named for Julius Caesar, who used shift-cipher to write sensitive military messages. In the early 1970s, IBM introduced crypto into its business practices when it designed a block cipher to protect its customers’ data. In 1976, the United States adopted the Data Encryption Standard (DES) as a national standard.
In the early 1990s the Internet moved into the commercial realm, and the need to scramble data became a requirement. Netscape developed the Secure Sockets Layer (SSL) protocol in 1994 to secure communications between clients and servers on the web. Over the years, SSL—and its recent replacement, Transport Layer Security (TLS)—have undergone many improvements and been widely adopted. Today, close to 90 percent of web traffic is encrypted, according to F5 Labs.
While some adoption of encryption-in-transit (SSL/TLS) can be credited to organizations’ desire to maintain security and privacy, a lot can be attributed to encryption laws and regulations or mandatory compliance standards.
Violating U.S. privacy laws can lead to hefty fines—and potential jail time.
U.S. Encryption Laws and Regulations
Depending on the type of data, the protection of U.S. residents’ data is defined by various laws or contractual obligations. Federal laws are primarily aimed at specific sectors, such as financial or health care. State laws focus on protecting individual consumers’ personally identifiable information (PII). Industry-mandated protection frameworks, such as PCI, prescribe the exact measures required to protect credit card data.
Most U.S. state privacy laws only determine the consequences of a breach of PII. They don’t typically define how to protect it in the first place. In any case, a data breach can lead to hefty fines—and potential jail time. The California Consumer Privacy Act of 2018 went into effect in January 2020. It greatly expanded the rights of individuals. Likewise, the U.S. federal healthcare industry law, HIPAA, mandates fines based on \the number of patients that are involved in a breach. Such fines are categorized in one of two categories: “Reasonable Cause” carries lower fines (between $100-$50,000) and no jail time. But “Willful Neglect” leads to higher fines ($10,000-$50,000) with potential jail time and criminal charges.
Several entities maintain network security guidelines for TLS. The four most adopted are:
• The Health Insurance Portability and Accountability Act (HIPAA)
• NIST’s SP 800-52r1 guidelines
• Payment Card Industry (PCI) Data Security Standard (DSS)
In Europe, the GDPR requires encryption with up-to-date technology, so only TLS 1.2 or higher is acceptable.
Europe’s GDPR and Encryption
In Europe, the General Data Protection Regulation (GDPR) is a broad-reaching law meant to protect the private data of Europeans. It mandates that regulated information must be protected with “appropriate technical and organizational measures.” These include encryption of personal data and the ability to ensure the ongoing confidentiality of systems and services. The GDPR defines personal data as any personally identifiable information (PII), personal health information (PHI), web usage information, and a set of personal characteristics such as race, sexual orientation, and political opinion.
Violating GDPR can be an expensive mistake. Lower level fines can be up to €10 million, or 2 percent of the organization’s worldwide annual revenue of the prior financial year. Upper level fines can be up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher. The GDPR requires encryption with up-to-date technology, so only TLS 1.2 or higher is acceptable. Failing to provide this minimum of security compromises the communications security of all correspondents.
GDPR defines “personal data” as any of the following:
PII
Personally identifiable information such as names, identification numbers, location data, or online identifiers; or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
PHI
Personal Health Information.
Web Usage Information
Personal data that has been collected during web transactions, such as cookies and ad trackers.
Personal Characteristics
Race, sexual orientation and political opinion.
In APAC, Japan’s Personal Information Protection Act protects individuals’ rights in regard to their personal data. The act’s definition of personal data is so broad that it even applies to information that could be found in a public directory. It states that you must describe as specifically as possible the purpose of the personal data you’re collecting, and you must obtain consent before sharing the personal data with any third party (such as an email newsletter service). However, Japan has no specific encryption laws or policies that address a general right to encryption.
South Korea’s Act on Promotion of Information and Communications Network Utilization and Data Protection states that all information and communications service providers need to obtain a user’s consent before collecting their personal information. For the consent to be valid, you must provide the user with specific information, including your name and contact information, the purpose of the data collection, and the user’s rights concerning their own data.
While no laws or regulations with global implications exist within China to require the use of SSL/TLS to encrypt web traffic, China has blocked the use of TLS 1.3 through technical controls (the Great Firewall). Unlike the aforementioned laws and regulations governing a minimum level of security in relation to encryption of data in transit, China’s action essentially undermines the potential for greater user privacy in favor of government censorship capabilities.
In Japan, you must describe the purpose of the personal data you’re collecting and obtain prior consent to share it with any third party.
All these laws and requirements mean that organizations must take due care in protecting the sensitive data of individuals. This is the good news, because encryption provides endpoint authentication and protects data from many varieties of attack, including eavesdropping, tampering, and message forgery.
The bad news? Organizations now have to grapple with threats that hide within encrypted traffic. Encryption limits visibility into incoming traffic. Attackers are taking advantage of this security blind spot by sending malware and malicious payloads via encrypted connections. According to F5 Labs, 71 percent of malware websites leverage encryption certificates, which means that organizations should decrypt and inspect traffic to ensure nothing malicious is hiding in it.
This elevates the security risks associated with encryption. It also elevates the risk of noncompliance with privacy regulations. So, where should an organization place its focus? On protecting the organization from malware by decrypting and inspecting traffic? Or on adhering to privacy laws by letting encrypted traffic pass through?
You Can Do Both
With the availability of advanced security solutions, you don’t need to settle for an “either/or” answer. The policy-based traffic steering of F5 SSL Orchestrator can decrypt and steer traffic to service chains based on a policy match. The contextual classification engine has a rich set of traffic selectors to determine which traffic gets inspected and which traffic requires bypass. Your security service chain might include inspection tools such as an NGFW, data-loss prevention (DLP), an intrusion prevention system or intrusion detection system (IPS/IDS) device, or even an http/https web proxy.
Policy-based traffic steering allows organizations to determine what types of traffic get decrypted and inspected and what types get bypassed.
Based on traffic classification attributes—URL, domain name, protocol, source/destination address, geolocation and others—SSL Orchestrator takes the appropriate action necessary to decrypt, inspect, and re-encrypt that traffic or allow it to bypass untouched to adhere to regulatory standards. This means organizations can stop encrypted threats while maintaining privacy through intelligent routing, dynamic service chains, and standards support. SSL Orchestrator balances security and privacy in a single high-performance solution.
F5 SSL Orchestrator provides an all-in-one solution designed specifically to optimize an organization’s infrastructure, provide security inspection tools with visibility into SSL/TLS encrypted traffic, and maximize efficient use of existing security investments. This solution supports policy-based management and steering of traffic flows to existing security devices, is designed to easily integrate into existing architectures, and centralizes the SSL/TLS decrypt/encrypt function by delivering the latest TLS versions and ciphers across the entire security infrastructure.
The Visual Policy Editor (VPE) allows administrators to follow the flow chart and determine what happens to the output of that individual element, which is then fed into the next element’s macro.
Privacy is an important part of business strategy. It’s critical for companies to balance user privacy concerns and regulations with the need for data, and a desire to provide a customized browsing experience. Businesses that successfully manage this can improve customer satisfaction, build trust, and avoid negative press coverage and the costs of legal action.
F5 SSL Orchestrator can help by enhancing your organization’s privacy and security with improved efficiencies—plus features that lower total cost of ownership, eliminate security blind spots, comply with privacy laws, and meet the performance challenges of today’s encrypted world.
But technology is only half the solution. Privacy and encryption laws vary by region, and you need to know which ones apply to your organization and which ones don’t. As technology evolves over time, it’s also important to keep up to date with changes and amendments to these laws. Noncompliance can be quite costly—in money and reputation. It’s better for the bottom line to stay on the right side of regulations.
Learn more about F5 SSL Orchestrator.
LEARN MORE ABOUT THE THREAT OF ENCRYPTED TRAFFIC
