2 Replies Latest reply on Nov 1, 2012 8:06 AM by itsec

    Privacy Laws & SSL Scanning

    itsec

      Hi,

       

      I'm currently working on a global implementation of v7.3 and would like to find out more about how SSL Scanning satisfies various countries privacy laws.

      Does anyone have any whitepapers/ recommended settings etc?  Or am I better off speaking to our commercial ISR?

       

      I found an older article which describes webwasher SSL so I'm presuming that there's not much difference with the newer version however it doesn't give much depth.

       

      There are some other posts on the subject such as whitelisting banking/ finance etc

      See these links:

      https://community.mcafee.com/message/151408#151408

      http://jonsnetwork.com/2007/04/how-to-solve-the-ssl-security-problem-using-webwa sher-jons-network-podcast-1/

       

      But other than that I've not found much.

      Thanks

        • 1. Re: Privacy Laws & SSL Scanning
          btlyric

          Caveat: I am not a lawyer.

           

          SSL Scanning in and of itself doesn't satisfy any privacy laws.

           

          How you configure it + your corporate policies may or may not satisfy your local/global privacy laws.

           

          If you are going to implement SSL interception, I recommend having a very explicit corporate Acceptable Use Policy that states that all transactions on the network are monitored and logged and ensure that all employees have accepted that AUP as well as a plan and/or policies as to how the decrypted data will be handled/used and have approval/buy-in from your Legal department/corporate counsel.

           

          Web Gateway itself can be configured to bypass SSL interception for specific categories, specific destinations, specific sources, etc.

           

          You could do a Google search for the legal ramifications or implications of SSL interception to get a better feel for what you're looking at, but ultimately if this is a global deployment, the legal aspects need to be examined for each location and that's where the Legal department/corporate counsel/other legal resources come into play

          • 2. Re: Privacy Laws & SSL Scanning
            itsec

            thanks, will pass the buck then to the legal eagles!

            Cound't really find much legal info on ssl interception on the net.

            Cheers