Security and privacy – a conflict of interest?

By Nigel Hawthorn, VP EMEA Marketing, Blue Coat Systems

Blue Coat Systems | www.bluecoat.com

Many of the risks created by corporate users' Internet activity are well known, although they change constantly as new technologies appear. Users can request data that breaches security policy, from inappropriate material to spyware and viruses. Sending confidential information out of the organization can have large financial consequences, and even sharing jokes and images breaks policy in most organizations. The infrastructure can be affected by peer-to-peer applications and streaming requests that stop business data from using the network. The growth of web sites such as YouTube and social networking sites is the next area that management needs to consider. For an organization, the largest cost is probably lost productivity, as it is so easy to waste time in front of a PC.

Privacy is a complex subject and there are lots of different opinions. Laws in different countries are not uniform; however, there’s a general set of norms that cover countries where users are connecting across private networks.

In a private network, the network owner has the right to safeguard their infrastructure and this can include any monitoring of traffic that they deem necessary as long as the user is made aware. Making the user aware is crucial and it’s always my recommendation to go out of your way to tell the users in as many ways as possible. Firstly, have formal policies that users sign and return, but also use the technology itself to remind users of their rights and responsibilities, for example using a “splash page” on initial access and warning or coaching pages when a user attempts to access potentially unproductive sites or technologies.

Encrypted traffic is probably the area where what users believe and the technology available to IT managers diverge the most. Many users expect that when they access a web site over SSL (using the HTTPS protocol) there is no chance of the data being decrypted by anyone other than the destination web site, and they therefore assume that everything they do at that point is free from prying eyes. This is not the case. A number of companies provide technology that decrypts and inspects SSL traffic on a network. This is a good thing for the IT department and management, as many viruses and spyware programs attempt to enter via SSL tunnels, and users may attempt to send out confidential information using SSL-encrypted web-based email.

The danger is that devices that decrypt SSL data could also decrypt personal information; do you want your organization to have the power to see all the users’ credit card details and banking information when they buy from or access shopping and banking sites from the office? The technology allows that content to be intercepted. It’s my recommendation therefore that SSL-encrypted traffic is dealt with even more carefully than standard web protocols, with organizations taking the following actions.

1. Check the current internet acceptable use policy and ensure that it makes clear to the user that the organization reserves the right to inspect all traffic transmitted and received, even encrypted traffic.
2. When deploying devices to intercept SSL traffic, set as many exceptions as you can to ensure that private data is not decrypted. (Setting exceptions should also increase the performance of the SSL intercept, as the less a computer or network needs to do, the faster it is). For example, this may be to omit all internal, shopping and financial sites from the decryption technology.
3. Remind the users in the start-up splash page each time that they open a browser that encrypted traffic is inspected along with everything else.
4. When a user starts using the SSL protocol, display another warning that reminds them of the capabilities and gives them the option to abort the transaction.
5. Deploy high performance appliances to perform the SSL interception and then ensure that the system checks the unencrypted traffic for web viruses, spyware, phishing sites and inappropriate content.
6. Ensure that IT staff that may have access to logs are vetted and understand the confidential nature of the content.
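Steps 2 and 5 above, selective decryption with exceptions for internal, shopping and banking destinations and scanning of whatever is decrypted, can be expressed as a proxy policy. The following is an added example in the syntax of the open-source Squid proxy's SSL-bump feature, not the author's product or code; the hostnames, file paths and scanner address in it are assumed placeholders.

```squidconf
# Added example (not from the article): Squid SSL-bump policy that decrypts
# by default but never decrypts internal, shopping or banking destinations.
# Hostnames, paths and the scanner address below are assumed placeholders.

# Listen as an explicit proxy and mint per-site certificates under a CA that
# the organization's managed browsers trust. The splash page (step 3) is the
# place to tell users that this CA exists and what it is used for.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/inspection-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# The first step of the TLS handshake exposes the server name (SNI), which
# is enough to make the decision without decrypting anything.
acl step1 at_step SslBump1

# Exceptions (step 2): one domain per line in each file, e.g.
#   .intranet.example
#   .bank.example
# A leading dot matches the domain and all of its subdomains.
acl no_decrypt ssl::server_name "/etc/squid/ssl_bypass_internal.txt"
acl no_decrypt ssl::server_name "/etc/squid/ssl_bypass_financial.txt"
acl no_decrypt ssl::server_name "/etc/squid/ssl_bypass_shopping.txt"

# Peek at the ClientHello, then pass excepted tunnels through untouched
# (splice) and decrypt (bump) everything else. A spliced connection is
# never visible to the proxy, so it also cannot be scanned: that is the
# privacy/inspection trade-off the article describes.
ssl_bump peek step1
ssl_bump splice no_decrypt
ssl_bump bump all

# Do not paper over bad server certificates on bumped sites; a user who
# would have seen a browser warning without the proxy must still see one.
sslproxy_cert_error deny all

# Step 5: hand decrypted responses to a content scanner over ICAP for
# virus, spyware and phishing checks (service address is a placeholder).
icap_enable on
icap_service av_scan respmod_precache icap://127.0.0.1:1344/respmod bypass=off
adaptation_access av_scan allow all
```

The exception files are the control point for step 2: anything listed there stays opaque to the proxy and to the people who read its logs (step 6), so they should be reviewed with the same care as the acceptable use policy itself.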

In this way, the organization can ensure that data inspection and privacy work alongside each other and are not in conflict.
