“There’s no question that security practitioners are concerned about the security implications of TLS 1.3 and the potential to miss malware and attackers hidden in encrypted traffic, but that’s not stopping enterprises from enabling TLS 1.3 in the near term,” said EMA Research Director Paula Musich. Her statement relates to EMA’s newly released research report titled ‘TLS 1.3 Adoption In the Enterprise: Growing Encryption Use Extends to New Standard.’
The new Enterprise Management Associates (EMA) research examines the adoption of TLS 1.3 in the enterprise. The report sought to gauge awareness of, and adoption plans for, the new TLS 1.3 specification published by the IETF in August 2018 as RFC 8446, and to better understand how enterprises are adapting to the growing use of encryption overall.
Some industry groups have expressed serious reservations over the loss of the ability to decrypt and inspect TLS 1.3 traffic, both for troubleshooting and for detecting possible malware.
The good news with regard to TLS 1.3 enterprise adoption is that a healthy percentage of respondents in the EMA-conducted survey are either already in the throes of enabling TLS 1.3 or plan to enable it in the near future: 73 percent of respondents indicated that they have already begun enabling TLS 1.3 for inbound connections or plan to enable it within the next six months. At the same time, 74 percent of respondents have either begun TLS 1.3 enablement for internal connections or plan to enable it for internal traffic within the next six months.
Malware, Data Breaches, Malicious Activity
The TLS 1.3 specification was published in August 2018, ten years after its predecessor, TLS 1.2, became an IETF standard. The new standard lowers latency and improves the privacy of end-to-end communication, but it comes at a cost for enterprises. This is because it replaces the existing static RSA key exchange with the Diffie-Hellman Ephemeral (DHE) key exchange, which provides perfect forward secrecy and therefore requires that a monitoring solution have access to the ephemeral key for each session, rather than a single static key per server.
Although perfect forward secrecy existed in TLS 1.2, it was optional. In TLS 1.3, it is required. This makes it much harder for enterprises to passively monitor traffic to inspect for malware, data breaches, and malicious activity, as well as to troubleshoot availability or performance issues on the network.
Despite the publicized concerns about its implications for existing security architectures and the operational constraints it places on troubleshooting problems on the network, security practitioners appear ready to embrace the new TLS 1.3 standard. The report published by EMA delves into the strategies enterprises are implementing, or plan to implement, to enable the new standard.
Some other key data points this EMA research sheds light on include:
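As an added illustration (not from the EMA report or from any TLS implementation), the toy simulation below models the monitoring consequence described above: with a static server key, a passive monitor that holds that key decrypts every session, while with a fresh server share per handshake, as TLS 1.3 mandates, the same monitor decrypts nothing unless it is fed each session's secret. The DH group, key schedule and record encryption are deliberately simplified stand-ins chosen for this example, not the real TLS constructions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy DH group (Mersenne prime 2^127-1, generator 3): far too small for real use
# (TLS 1.3 uses X25519/P-256 or RFC 7919 groups) but enough to show the key-access issue.
P, G = 2**127 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1          # fresh random value per call
    return priv, pow(G, priv, P)

def traffic_key(shared, client_pub, server_pub):
    # Stand-in for the TLS key schedule: bind the key to both public values.
    data = b"".join(v.to_bytes(16, "big") for v in (shared, client_pub, server_pub))
    return hashlib.sha256(data).digest()

def seal(key, msg):
    # Toy AEAD (messages up to 32 bytes): SHA-256 keystream XOR plus an HMAC tag,
    # so a wrong key is detected on decryption, as with a real AEAD.
    ct = bytes(m ^ s for m, s in zip(msg, hashlib.sha256(key + b"stream").digest()))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None                              # wrong key: tag check fails
    return bytes(c ^ s for c, s in zip(ct, hashlib.sha256(key + b"stream").digest()))

@dataclass
class Capture:                # what a passive tap sees: both public values and the record
    client_pub: int
    server_pub: int
    record: bytes

def run_session(server_longterm_priv, msg, ephemeral):
    # ephemeral=False: static server key, no forward secrecy (analogue of TLS 1.2 static RSA);
    # ephemeral=True: fresh server share per handshake, as TLS 1.3 mandates.
    c_priv, c_pub = dh_keypair()
    if ephemeral:
        s_priv, s_pub = dh_keypair()
    else:
        s_priv, s_pub = server_longterm_priv, pow(G, server_longterm_priv, P)
    key = traffic_key(pow(c_pub, s_priv, P), c_pub, s_pub)
    # Returning s_priv models a per-session key export to the monitor (SSLKEYLOGFILE-style).
    return Capture(c_pub, s_pub, seal(key, msg)), s_priv
def monitor_decrypt(cap, server_secret):
    # A passive monitor holding one server private value tries it against the capture.
    key = traffic_key(pow(cap.client_pub, server_secret, P), cap.client_pub, cap.server_pub)
    return open_(key, cap.record)
```

With the static key the monitor recovers the plaintext; with an ephemeral share it gets `None` from the long-term key and succeeds only with the exported per-session secret.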
- One of the biggest drivers behind the quick enablement of the new TLS 1.3 standard is its early adoption by major web service, web server, and browser vendors, including Apple, Cloudflare, Google, and Microsoft.
- When asked what their top three concerns were over the adoption of TLS 1.3 by major web server and browser vendors with respect to their effect on internal web application and services development, 21 percent indicated they were most concerned about the increased development lifecycle time and cost.
- In terms of top security worries, 27 percent of respondents indicated they were most concerned about losing visibility into the data center, while 24 percent were most concerned about losing visibility into the core of the network.
- Ninety-five percent of respondents indicated that their security architectures will need to change in order to accommodate TLS 1.3 and its perfect forward secrecy mandate.
- The survey asked respondents how concerned their organizations were that their existing security monitoring practices/technologies will miss malware hidden in encrypted files. Thirty-five percent of all respondents said they were either very or extremely concerned, while 36 percent said they were somewhat concerned.
A detailed analysis of Enterprise Management Associates’ research findings is available in the report, ‘TLS 1.3 Adoption In the Enterprise: Growing Encryption Use Extends to New Standard.’