Enterprise Management Associates (EMA™), a leading IT and data management research and consulting firm, has released a new research report titled “TLS 1.3 Adoption In the Enterprise: Growing Encryption Use Extends to New Standard,” based on criteria defined by Paula Musich, research director of security and risk management at EMA. The report sought to gauge awareness of, and adoption plans for, the new TLS 1.3 specification, published by the IETF in August 2018 as RFC 8446, and to better understand how enterprises are adapting to the growing use of encryption overall.
The TLS 1.3 specification was published in August 2018, ten years after its predecessor, TLS 1.2, became an IETF standard. The new standard lowers latency and improves the privacy of end-to-end communication, but it comes at a cost for enterprises: it replaces the static RSA key exchange with the Diffie-Hellman Ephemeral (DHE) key exchange, which provides perfect forward secrecy. A monitoring solution therefore needs access to the ephemeral key of each session rather than a single static key per server. Perfect forward secrecy existed in TLS 1.2, but it was optional; in TLS 1.3 it is required. This makes it much harder for enterprises to passively monitor traffic to inspect for malware, data breaches, and malicious activity, and to troubleshoot availability or performance issues on the network.
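The practical consequence of that key-exchange change is that only sessions negotiated with a static (RSA or static DH/ECDH) key exchange can still be unwrapped by a monitor holding nothing but the server's private key. The script below is an added example, not code from the EMA report or this article: it classifies cipher-suite names (IANA and OpenSSL spellings) by key-exchange type so that an inventory of negotiated suites shows how much traffic a server-key-based monitor could still decrypt, and it builds a Python `ssl` server context restricted to TLS 1.3, where every negotiable suite is forward secret. The suite lists, helper names, and sample inventory are assumptions constructed for the example.

```python
"""Classify TLS cipher suites by key-exchange type to see which sessions a
passive monitor holding only the server's private key could still decrypt.
Added example; suite lists and helper names are assumptions, not from the report."""
import ssl
from collections import Counter

# TLS 1.3 suite names carry no key-exchange token: the handshake always uses (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
EPHEMERAL = {"ECDHE", "DHE", "EDH"}   # per-session key, forward secret
STATIC = {"RSA", "ECDH", "DH"}         # server's long-term key unwraps the session
# OpenSSL omits the key-exchange token for plain RSA, e.g. "AES128-GCM-SHA256".
CIPHER_PREFIXES = ("AES", "CAMELLIA", "CHACHA20", "DES", "SEED", "RC4", "IDEA")


def key_exchange(suite: str) -> str:
    """Return 'tls13', 'ephemeral', 'static' or 'unknown' for an IANA or OpenSSL suite name."""
    name = suite.upper()
    if name in TLS13_SUITES:
        return "tls13"
    if name.startswith("TLS_") and "_WITH_" in name:
        # IANA form: TLS_<kex>_<auth>_WITH_<cipher>_<mac>, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        first = name[4:].split("_WITH_", 1)[0].split("_")[0]
    else:
        # OpenSSL form: ECDHE-RSA-AES128-GCM-SHA256; a leading cipher token means static RSA
        first = name.split("-", 1)[0]
        if first.startswith(CIPHER_PREFIXES):
            return "static"
    if first in EPHEMERAL:
        return "ephemeral"
    if first in STATIC:
        return "static"
    return "unknown"   # PSK, anonymous and other suites are out of scope for this example


def passively_decryptable(suite: str) -> bool:
    """True when a monitor holding only the server's private key could unwrap the session."""
    return key_exchange(suite) == "static"


def summarize(suites) -> dict:
    """Count suites per key-exchange class, e.g. over an inventory of negotiated suites."""
    return dict(Counter(key_exchange(s) for s in suites))


def tls13_only_server_context() -> ssl.SSLContext:
    """Server context limited to TLS 1.3: every suite it can negotiate is forward secret."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def is_tls13_only(ctx: ssl.SSLContext) -> bool:
    """Check that a context cannot fall back to a version allowing static key exchange."""
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


# Constructed sample: suites as an inventory tool might record them from monitored servers.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # static RSA: decryptable with the server key
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # TLS 1.2 with (optional) forward secrecy
    "AES128-GCM-SHA256",                      # OpenSSL name for static RSA key exchange
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3: forward secrecy is mandatory
]

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(f"{s:42} {key_exchange(s):10} server-key decrypt: {passively_decryptable(s)}")
    print(summarize(SAMPLE_SUITES))
    ctx = tls13_only_server_context()
    print("TLS 1.3 only:", is_tls13_only(ctx))
    print(summarize(c["name"] for c in ctx.get_ciphers()))
```

Run against a real inventory, the `static` count is the share of sessions a server-key monitor can still inspect; everything in `ephemeral` and `tls13` needs per-session key material exported from the endpoint instead, which is the operational gap the report describes.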
Some industry groups have expressed serious reservations about the ability to decrypt and inspect TLS 1.3 traffic for troubleshooting and for possible malware. The good news, however, is that a healthy percentage of survey respondents are either already enabling TLS 1.3 or plan to enable it in the near future: 73 percent of respondents indicated that they have already begun enabling TLS 1.3 for inbound connections or plan to enable it within the next six months. At the same time, 74 percent of respondents have either begun TLS 1.3 enablement for internal connections or plan to enable it for internal traffic within the next six months.
“There’s no question that security practitioners are concerned about the security implications of TLS 1.3 and the potential to miss malware and attackers hidden in encrypted traffic, but that’s not stopping enterprises from enabling TLS 1.3 in the near term,” said Musich.