
Palo Alto GlobalProtect Always-On VPN: Security, Privacy, and In-Flight Decryption
Overview
Salt Lake Community College is implementing Palo Alto GlobalProtect as an Always-On VPN to provide continuous, secure connectivity for all institutional devices. In addition to being always on, GlobalProtect performs in-flight SSL decryption on certain network traffic. This allows the College to inspect traffic for known threats, protect sensitive institutional data, and meet security and compliance requirements. In simple terms, this helps ensure that malicious or risky activity cannot be hidden inside encrypted connections, while maintaining a secure and trusted computing environment for students, faculty, and staff.
Why Always-On VPN Is a Best Practice
- Continuous Protection: Devices remain connected to SLCC’s secure network whenever they have internet access, reducing exposure to unsecured networks.
- Zero Trust Alignment: Enforces authentication and policy controls regardless of user location.
- Data Integrity and Confidentiality: Encrypts traffic to prevent interception and tampering.
Why In-Flight Decryption Is Important
In-flight decryption (also called SSL/TLS inspection) allows SLCC to detect and block malicious activity hidden inside encrypted traffic. This is widely recognized as a best practice because:
- Threat Visibility: Most modern attacks use encrypted channels to bypass traditional security tools. Decryption allows these threats to be detected.
- Compliance and Risk Reduction: Helps SLCC meet regulatory and institutional security requirements by preventing data exfiltration and malware delivery.
- Zero Trust Enforcement: Enables granular policy controls on encrypted traffic without compromising security posture.
Industry Context: Gartner and NIST recommend SSL/TLS inspection as part of layered security strategies to address encrypted threat vectors.
Privacy and Transparency
SLCC is committed to balancing security with user privacy:
- Scope of Inspection: Only traffic necessary for threat detection and compliance will be inspected.
- Data Handling: Logs and decrypted content are stored securely, with access limited to authorized personnel.
- Transparency: Users will be informed about what is inspected and why.
Exemptions
Certain categories of traffic will be excluded from decryption to protect privacy and comply with regulations:
- Video and Streaming Services — Excluded to avoid latency and other playback issues. Text on those sites may be encrypted.
- Financial and Payment Processing Traffic — Online banking, credit card processing, payment gateways, tax and financial services.
- Healthcare and Medical Information (PHI) — Patient portals, electronic health records, telehealth platforms, insurance systems.
- Authentication, Identity, and Credential Services — Identity providers, MFA services, OAuth/SAML/OpenID Connect flows, certificate enrollment.
- Legal, Human Resources, and Confidential Advisory Services — Legal counsel, employee relations, whistleblower systems, employee assistance programs.
- Government and Public Sector Services — Federal, state, and local government websites and regulatory or law-enforcement portals.
- Personal Privacy and Consumer Services — Personal email, personal cloud storage, and non-business user services where privacy concerns outweigh inspection value.