How to Ensure Data Privacy and Organizational Security
Today—January 28th—is known as Data Privacy Day (or, in the European Union, Data Protection Day) in the United States, Canada, Israel, and the 47 EU countries in which it is observed.
Privacy—especially data privacy—is vital. Many national constitutions—in fact, over 150 of them—mention the “right to privacy.” It’s also been mentioned in the United Nations' Universal Declaration of Human Rights, and is protected under the European Convention on Human Rights. There have been a number of privacy regulations enacted in many countries, regions, and states, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The focus of Data Privacy Day is to raise awareness for businesses and consumers on the importance of protecting the privacy of users and their personal information. It’s meant to educate and encourage the development of tools for businesses and consumers to better manage and control user personal information. It’s also meant to drive increased or enhanced compliance with existing privacy laws and regulations, like GDPR and CCPA. Many international and national agencies, ministries, and councils, as well as educational institutions and industry consortiums, recognize Data Privacy Day as a time to commence or continue discussions on how to better protect the privacy of consumer and user data.
Putting it into Practice
One of the most popular and best ways to increase privacy for consumer and user data, whether at rest or in transit, is via encryption. Encrypting consumer and user data and the methods of transmitting this data, is vital to keeping private personally identifiable information.
Today, encryption is ubiquitous. The attention on user and data privacy has helped to drive the explosion in encrypted traffic. In addition, there are many vendors now providing free or low-cost certificates in an effort to improve online security, which would benefit users, consumers, and businesses. In essence, they are trying to encrypt the entire web! According to F5 Labs, 86% of web page loads are new encrypted with SSL or TLS. And Advanced Encryption Standard (AES) cipher accounts for over 96% of today’s encrypted web traffic. The aforementioned privacy regulations and requirements like GDPR, CCPA, and others are driving the adoption of encryption, even if most of these regulations and requirements do not mandate encryption of user and personal data. However, many organizations will use encryption for user data and communications so that they don’t infringe upon those same regulations and requirements.
The Inevitable Downsides
While encryption is excellent at delivering privacy for users and their data, there is at the same time a problem with encryption, creating a serious conundrum for users and businesses alike: Attackers and hackers also love to use encryption to mask malware, ransomware, and other attack vectors. Encryption enables a security blind spot, unfortunately.
For instance, fraudulent websites used in phishing and spearphishing campaigns are increasingly using HTTPS to appear genuine in order to trick unsuspecting users into clicking on malware-infected links or to insert their username and password into convincing but phony login pages—and they even dupe users who have accepted the appearance of the little padlock in the address bar as being indicative of a safe, secure website. According to F5 Labs, 72% of phishing sites now use encryption. But, to make matters worse, not only are attackers, hackers, and other bad actors using encryption to hide threats; they’re also taking advantage of the privacy cryptography enables to evade detection from post-mortem forensics simply by using a specific threat campaign that includes malware and phishing sites only one time per victim.
Phishing is a very difficult attack to defend against because it exploits human psychology, leveraging social engineering, and mis- and dis-information. Phishing leverages human nature and emotions, such as fear. This is especially true during the coronavirus pandemic. And attackers know this and use it to their advantage. F5 Labs found that new HTTPS certificates containing the words “covid” or “corona” increased at the same time as spikes in COVID-19 cases. Even well-known healthcare sources like the World Health Organization (WHO) and the U.S. Centers for Disease Control and Prevention (CDC) have been and continue to be impersonated by attackers in targeted phishing campaigns that attempt to lure victims to malicious domains and download malware or other malicious attacks, or to trick them into typing in their user credentials into fake login pages.
What You Can Do about It
So, how can an organization today defend the privacy of user and consumer data and personal information, while protecting itself from various attacks and breaches?
Organizations should employ a solution that can decrypt at scale the onslaught of encrypted traffic required daily for incoming and outgoing traffic. With the level of encrypted traffic today, the need to ensure user and consumer data privacy, and the computationally intensive task of decryption and re-encryption, leveraging an existing security solution to pull double-duty to deliver security and decrypt and re-encrypt traffic is a bad idea. An overloaded, overworked security device may simply begin bypassing encrypted traffic or not perform the security duties for which it was deployed.
To ensure the privacy and security of user and consumer data, and in an effort not to impinge on privacy regulations and requirements, organizations should employ a solution that intelligently enables user and consumer traffic that is private—such as financial or healthcare data—to bypass decryption. That traffic shouldn’t get a free pass, though, but should be inspected by a limited set of solutions in the security stack. However, this can only be achieved if the solutions in the security stack are not in a static daisy-chain, but are allowed to participate in dynamic security service chains, leveraging context-aware policies to route incoming encrypted traffic, once decrypted, to the appropriate security service chain.
This is called SSL orchestration and the description above (hopefully) illustrates why it is so necessary today, not only to ensure organizational security, but to also confirm that user and consumer information is protected and kept private.
For more information on F5 SSL Orchestrator, please click here.