SSL Inspection is Imperative Under GDPR
The European Union (EU) General Data Protection Regulation (GDPR) becomes enforceable in just a couple of months, and now is the time for any organization that handles the personal data of EU residents to make sure it is in compliance, lest it face heavy fines.
GDPR is a regulation governing how personal data is processed and protected, including how organizations must respond to and report security breaches. It applies from May 25, and organizations not in compliance face penalties of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. Read more about GDPR in our article.
Inspecting Encrypted Traffic
Depending on the measurement, 64 to 74 percent of web traffic is now encrypted, roughly three quarters of all traffic. That traffic ranges from sensitive personal information such as financial data and health records to everyday content such as email, online music, and your Facebook page.
Encryption protects data privacy, but as more traffic is encrypted, more threats can hide under the same cloak. Threat actors conceal malware and other malicious payloads inside encrypted sessions to infect networks and steal data, counting on the fact that security tools that only see ciphertext cannot inspect them.
According to a Ponemon Institute survey, 41 percent of cyberattacks are concealed in encrypted traffic, yet 64 percent of respondents say they cannot detect malicious SSL traffic. The three key reasons cited for not inspecting SSL traffic were a lack of security tools capable of decryption, insufficient resources, and concerns about performance degradation.
GDPR Makes SSL Inspection Critical
GDPR is sure to light a fire under organizations that aren’t inspecting SSL traffic. Why? Malware that enters through uninspected encrypted traffic can lead to a personal data breach, and a personal data breach is exactly what triggers GDPR’s notification duties and fines.
Imagine a threat actor delivers data-exfiltration malware over an encrypted connection that enters your network uninspected. The malware executes and personal data leaves the network, again over an encrypted channel. Under GDPR, the organization must notify its supervisory authority within 72 hours of becoming aware of the breach, and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.
One method of closing this gap is a secure decrypt zone: traffic is decrypted once at the edge of the zone, handed in the clear to the existing security stack (firewall, IPS, DLP, sandbox), and re-encrypted before it leaves, so the inspection tools gain visibility into encrypted traffic without plaintext ever being exposed outside the zone. Detecting the inbound payload or the outbound exfiltration in that zone reduces the chance of a breach and of the fines that follow one under GDPR.
A10 Thunder SSLi enables organizations to break and inspect SSL traffic and provide that visibility to the rest of the security stack. SSLi also lets companies bypass categories of traffic that should remain encrypted end to end, such as connections to banking or healthcare sites that carry personal data, so that the decrypt zone itself does not become a privacy problem.
With A10 Thunder SSLi, you can reduce the risk of data loss and of the hefty fines associated with GDPR non-compliance.