Deploy Decryption in Stages
Focus
Focus
Network Security

Deploy Decryption in Stages

Table of Contents

Deploy Decryption in Stages

Roll out decryption in stages to prepare users and tech support for website and application access changes and for ease in evaluating how different changes affect applications.
Where Can I Use This?What Do I Need?
No separate license required for decryption when using NGFWs or Prisma Access.
Note: The features and capabilities available to you in Strata Cloud Manager depend on your active license(s).
Plan to roll out decryption in a controlled manner, piece by piece. Don’t roll out your entire decryption deployment at once. Test and ensure that decryption is working as planned and that users understand what you're doing and why. Rolling out decryption in this manner makes it easier to troubleshoot in case anything doesn’t work as expected and helps users adjust to the changes.
Educating stakeholders, employees, and other users such as contractors and partners is critical because decryption settings may change their ability to access some websites, especially risky or nonbusiness critical ones. Users should understand how to respond to situations in which previously reachable websites become unreachable and what information to give to technical support. Support should understand what is being rolled out when and how to help users who encounter issues.
Before you roll out decryption to the general population:
  • Identify early adopters to help champion decryption and who will be able to help other employees who have questions during the full rollout. Enlist the help of department managers and help them understand the benefits of decrypting traffic.
  • Set up proof of concept (PoC) trials in each department with early adopters and other employees who understand why decrypting traffic is important. Educate PoC participants about the changes and how to contact technical support if they run into issues. In this way, a decryption PoC becomes an opportunity to work with technical support to PoC how to support decryption and develop the most painless method for supporting the general rollout. The interaction between PoC participants and technical support also allows you to fine-tune decryption policy rules and how to communicate with users.
    The PoC enables you to experiment with prioritizing what to decrypt first, so that when you phase in decryption in the general population, you understand how to phase in decryption of different URL categories. Measure the way decryption affects Next-Generation Firewall (NGFW) CPU and memory utilization to help understand if the NGFW sizing is correct or if you need to upgrade. The PoC can also reveal applications that break decryption technically (decrypting them blocks their traffic) and should be added to the SSL Decryption Exclusion List.
    When you set up proof of concepts, also set up a user group that can certify the operational readiness and procedures prior to the general rollout.
  • Educate the user population before the general rollout, and plan to educate new users as they join the company. This is a critical phase of deploying decryption because the deployment may affect websites that users previously visited but are not safe, so those sites are no longer reachable. The PoC experience helps identify the most important points to communicate.
  • Phase in decryption. You can accomplish this in several ways:
    • Decrypt the highest priority traffic first (for example, the URL categories most likely to harbor malicious traffic, such as gaming) and then decrypt more as you gain experience.
    • Take a more conservative approach and decrypt the URL categories that don’t affect your business first (for example, news feeds), so if something goes wrong, no issues occur that affect your business.
      In all cases, the best way to phase in decryption is to do the following:
      • Decrypt a few URL categories
      • Take user feedback into account
      • Run reports to ensure that decryption is working as expected (if possible)
      • Gradually decrypt a few more categories, verify, and so on
    Additional Considerations:
    • Plan to make decryption exclusions for traffic you can’t decrypt for technical reasons or that you choose not to decrypt.
    • If you enable users to opt out of SSL decryption (users see a response page that allows them either to opt out of decryption and end the session without going to the site or to proceed to the site and agree to have the traffic decrypted), educate them about what it is, why they’re seeing it, and what their options are.
  • Create realistic deployment schedules that allow time to evaluate each stage of the rollout.
Place NGFWs in positions where they can see all network traffic so that no encrypted traffic inadvertently gains access to your network because it bypasses the NGFW.