The hidden threat in GDPR’s encryption push

Organisations are, quite rightly, increasingly deploying encryption solutions to secure their data, particularly since the introduction of GDPR. Encryption is the process of encoding data so that it is meaningless to any anyone accessing it without authorisation. Using complex mathematical algorithms, information is converted into unintelligible content that can only be decrypted with the use of secret keys. To the unauthorised third party, encrypted data appears simply as gobbledegook.

The ICO’s own website states quite clearly that encryption is an important measure to be used to protect data under GDPR recommendations:

“The ICO has seen numerous incidents of personal data being subject to unauthorised or unlawful processing, loss, damage or destruction. In many cases, the damage and distress caused by these incidents may have been reduced or even avoided had the personal data been encrypted.

It is also the case that encryption solutions are widely available and can be deployed at relatively low cost.

It is possible that, where data is lost or destroyed and it was not encrypted, regulatory action may be pursued (depending on the context of each incident).”

The increased use of encryption makes sense and seems perfectly logical except for one rapidly growing problem; malware can itself be encrypted and hidden to avoid detection. Because encrypted data can only be seen by the intended recipient, it cannot be accessed by existing security systems. This means that security tools can’t inspect encrypted traffic for malware, making it the perfect place for a threat actor to hide any kind of malicious traffic.

This is not just a theoretic or future problem, far from it.  Driven in large part by GDPR, it is estimated that over 80% of traffic will be encrypted in 2019 and, most worryingly, 60% of attacks will happen over that encrypted traffic. A recent Vanson Bourne survey of 500 CIOs backs this up, finding that 90 percent of organisations had experienced – or expected to experience – a network attack using the commonly deployed Secure Sockets Layer (SSL) encryption or indeed its successor, Transport Layer Security (TLS) encryption.

The challenge for organisations is how to follow GDPR recommendations and still detect this encrypted malware without decrypting the traffic – which opens a whole new can of worms about privacy. Indeed, decryption represents a huge breach in data privacy – not to mention a transgression of GDPR – as it gives organisations access to private customer and user data in plain text.

What’s more, decryption also has a massive impact on network performance. Decrypting and re-encrypting SSL or TLS traffic increases processing requirements, in many cases beyond the functional performance of applications used for attack mitigation. As a result, many security practitioners are unconvinced about the technical ability of current solutions to decrypt, inspect and then re-encrypt traffic.

Fortunately, there is a new, emerging solution to this problem that involves not looking at the encrypted traffic itself but, instead inspecting the metadata associated with the traffic flows. Metadata is essentially information about the SSL and the data, so rather than look at the data itself (which is of course impossible if it is encrypted) this new technique, known as Encrypted Cognitive Analytics, looks at information about the SSL flow combined with traffic flow. By using artificial intelligence and sophisticated behavioural analytics, this makes it possible to detect attacks hidden in encrypted traffic in real-time without the need for decryption.

This approach works because every attack has its own SSL metadata signature between the user and the server. By continually collecting and analysing the correct data and unique behaviours, it is possible to identify and block abnormalities with very high degrees of accuracy. This approach is innovative and unique, and is opening a new era of threat detection and protection against encrypted threats.

Most importantly for business leaders and for data controllers, this new approach enables their organisations to thwart potentially damaging malware without falling foul of GDPR and other data privacy laws.


By Omar Yaacoubi, CEO, Barac

The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.