TLS 1.3 Adoption in the Enterprise

by Paula Musich, Research Director, Security and Risk Management

Typically, when a new technology standard is ratified that requires changes to existing architectures, most enterprises take a slower, measured approach to adopting it (think IPv6). But not always.

When it comes to the IETF’s new TLS 1.3 transport encryption standard, 40% of North American enterprises have already begun to enable the new encryption standard for internal traffic, according to EMA’s new study, “TLS 1.3 Adoption in the Enterprise: Growing Encryption Use Extends to New Standard.” Another 41% plan to enable it for inbound connections by June of this year.

The study, which surveyed about 250 IT and IT security practitioners in North America in late 2018, sought to gauge awareness of the new standard and its implications for existing security architectures, and to assess enablement plans. The standard’s mandated use of ephemeral Diffie-Hellman (DHE) key exchange, which provides perfect forward secrecy, breaks existing security controls that rely on the server’s static private key to decrypt traffic and examine it for malware and other signs of malicious activity.

Although 61% of the respondents expressed either some or significant security concerns about TLS 1.3 due to these changes, adoption is already underway. The benefits apparently outweigh the concerns, and the most important benefits respondents see in TLS 1.3 are improved data security and improved privacy.

However, there is a disconnect between enterprise plans for enablement and the way respondents’ organizations intend to go about it. When asked about five possible strategies for dealing with the visibility issues caused by TLS 1.3’s PFS mandate, 56% of large enterprises and 63% of midsized enterprises selected the option to maintain existing firewalls at earlier versions of TLS for as long as possible. This raises the question: What is the point of enabling TLS 1.3 when the enterprise’s firewalls force the connection to revert to an earlier version of TLS that uses a static private key? To be fair, respondents’ organizations are evaluating multiple strategies, and 55% of large enterprise respondents indicated they were considering enabling decryption and re-encryption on existing inline security devices, hoping that it does not add too much latency, complexity, or security vulnerability. Fifty-three percent of midsized enterprise respondents said they would look for inline alternatives that enable decryption and inspection by existing security controls without exacting a significant performance penalty. The least popular choices among respondents were replacing existing stateful inspection firewalls with proxy-based firewalls (although this was popular among SMB respondents) and looking for out-of-band decryption solutions that enable decryption and inspection without exacting a significant performance penalty.
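As an added illustration (not part of EMA’s study or of this post), the toy Python below models why the PFS mandate breaks static-key decryption and what the inline decrypt-and-re-encrypt strategy actually entails: a passive tap holding the server’s static RSA private key recovers a TLS 1.2 static-RSA session key, but in a TLS 1.3 DHE handshake that key only signs and decrypts nothing, whereas an inline proxy regains visibility only by terminating the client’s session and opening a second one to the server. The key sizes, DH group and SHA-256 key schedule are constructed simplifications, not real TLS.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only; real TLS groups and keys are far larger.
P, G = 2**127 - 1, 5                                   # DH group (M127 is prime), generator 5
RSA_N = (2**61 - 1) * (2**89 - 1)                      # server's static RSA modulus (two Mersenne primes)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**61 - 2) * (2**89 - 2))      # static private key held by the inspection device

def derive(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: session key = SHA-256 of the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def rsa_transport_session():
    """TLS 1.2 static-RSA key exchange: the client encrypts a premaster secret to the
    server's long-term public key; that ciphertext is all a passive tap sees."""
    premaster = secrets.randbelow(2**100)
    wire = pow(premaster, RSA_E, RSA_N)
    return wire, derive(premaster)

def passive_tap_rsa(wire: int) -> bytes:
    """Out-of-band decryption with the static private key recovers the session key."""
    return derive(pow(wire, RSA_D, RSA_N))

def dh_keypair():
    """One-time (ephemeral) exponent and public value, discarded after the handshake."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dhe_session():
    """TLS 1.3 (EC)DHE: only g^a and g^b cross the wire. The static key merely signs
    the handshake (signature omitted), so RSA_D decrypts nothing here; a passive tap
    would have to solve the Diffie-Hellman problem to obtain g^ab."""
    a, ga = dh_keypair()
    b, gb = dh_keypair()
    return (ga, gb), derive(pow(gb, a, P))             # server computes the same pow(ga, b, P)

def inline_proxy_dhe():
    """'Decrypt and re-encrypt on an inline device': the proxy terminates the client's
    TLS 1.3 session and opens its own to the server, so it holds both session keys.
    Returns (client_key, server_key, proxy_keys); the two sessions share no secret."""
    c_priv, c_pub = dh_keypair()
    p_in_priv, p_in_pub = dh_keypair()                 # proxy's ephemeral toward the client
    p_out_priv, p_out_pub = dh_keypair()               # proxy's ephemeral toward the server
    s_priv, s_pub = dh_keypair()
    client_key = derive(pow(p_in_pub, c_priv, P))
    server_key = derive(pow(p_out_pub, s_priv, P))
    proxy_keys = (derive(pow(c_pub, p_in_priv, P)), derive(pow(s_pub, p_out_priv, P)))
    return client_key, server_key, proxy_keys
```

The proxy path is where the latency, complexity and trust concerns in the survey come from: every inspected TLS 1.3 connection becomes two handshakes, and the client must trust the certificate the proxy presents.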

How costly the changes will be for enterprises depends on the approaches enterprises take to enabling TLS 1.3 while maintaining the visibility needed for malware and malicious behavior inspection. Forty-two percent of both SMB and midsized enterprise respondents expect the cost to fall between $100,000 and $250,000. Thirty percent of large enterprises expect that it will cost between $250,000 and $500,000. Twenty-nine percent of very large enterprises expect it will cost over $1 million, which is really just a drop in the bucket for enterprises that have annual IT security budgets in the hundreds of millions of dollars. For example, JP Morgan Chase spends $600 million on cyber security each year.

TLS 1.3 comes at a time when the use of encryption within the enterprise is growing, and that trend mirrors greater use of encryption across the Internet. Over the last 18 months, nearly one-third of respondents in the study indicated that the use of encryption in their organizations grew 26-50%, while 30% said that it grew 1-25% in that same timeframe. Looking out over the next 18 months, 35% of respondents expect encryption usage will grow 26-50%.

As enterprises continue to expand their use of encryption and embrace new standards such as TLS 1.3, IT security practitioners will be challenged to upgrade their security architectures to maintain the much-needed visibility for malware and malicious behavior detection inside the enterprise network. To ensure a smooth transition, it will be necessary to work across different teams, including networking, security, compliance, and data owners.

How does your organization intend to address the security visibility issue introduced by expanded encryption usage and TLS 1.3?

Are you TLS 1.3 ready? Watch the “Expert Advice to Modernize Your Security and Decryption Practices” on-demand webinar