TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices

Paula Musich
Research Director
Enterprise Management Associates
TLS 1.3: Expert Advice to
Modernize Your Security and
Decryption Practices
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
Scott Register
VP, Product Management
Ixia, a Keysight business

Watch On-Demand Webinar
• TLS 1.3: Expert Advice to Modernize Your Security and
Decryption Practices On-Demand webinar is available here:
http://info.enterprisemanagement.com/tls-1.3-expert-advice-to-
modernize-your-security-and-decryption-practices-webinar-ws
• Check out upcoming webinars from EMA here:
http://www.enterprisemanagement.com/freeResearch

IT & DATA MANAGEMENT RESEARCH, INDUSTRY
ANALYSIS & CONSULTING3 © 2019 Enterprise Management Associates
Today’s Speakers
Paula Musich, Research Director, EMA
Paula brings over 30 years of experience covering the IT
security and networking technology markets. She has been
an IT security analyst for over nine years, most recently as a
research director at NSS Labs, and earlier as principal
analyst for enterprise security for Current Analysis.
Scott Register, VP, Product Management, Ixia, a Keysight business
Scott has more than 15 years of experience leading product
management operations for global technology companies. He holds
B.S. and M.S. degrees in computer science from Georgia Institute of
Technology and also served as a member of the research faculty.

Paula Musich
Research Director
Enterprise Management Associates
TLS 1.3: Expert Advice to
Modernize Your Security and
Decryption Practices

Introduction and Methodology
TLS 1.3 Finally Debuts
• 10 years in the making
• The benefits:
• Reduced latency
• End-to-end privacy
• Better end-user experience
• The downsides
• Lost visibility for security and
troubleshooting
Methodology
• Surveyed 249 IT pros involved in
security and IT management
• 67% security is primary role
• 40% IT
Director/Manager/Supervisor
• 15% CIO/CTO/VP IT
• 12% CSO/CISO/IT Security
Director
5 © 2019 Enterprise Management Associates

Current State of Encryption
in the Enterprise

Heightened visibility concerns, but no alarm bells
over potentially missed encrypted malware
Slide 7© 2019 Enterprise Management Associates, Inc.
As more network traffic is encrypted, how concerned is your organization that your existing security
monitoring practices/technologies will miss malware hidden in encrypted files?
6%
36%
23%
17%
18%
Not at all concerned
Somewhat concerned
Concerned
Very concerned
Extremely concerned

How Much Traffic Decrypted for Analysis Varies
by Organization Size
TLS 1.3
6%
11%
38%
35%
9%
0%
0%
43%
50%
7%
3%
11%
44%
35%
6%
13%
14%
28%
33%
13%
28%
10%
14%
28%
21%
Don’t know
76%-100%
51%-75%
26%-50%
0%-25%
VL Enterprise Enterprise (All) Midsized SMB Total

Current Decryption Methods
25%
23%
18%
16%
15%
3%
1%
0% 5% 10% 15% 20% 25% 30%
Decrypt using a web proxy
Decrypt in an inline security device
Decrypt in an out-of-band security device
Decrypt in inline load balancer
Decrypt using an inline-dedicated decryption device
We are not currently decrypting any of our traffic
Other (Please describe)

Where Encryption is Enabled
TLS 1.3
34%
55%
58%
71%
76%
For internally-developed applications
For web services
For email services
Within the data center
Within the enterprise network

Where, if at all, does your organization intend to implement
encryption over the following timeframes?
4%
3%
5%
11%
34%
44%
4%
2%
4%
14%
30%
45%
7%
3%
3%
17%
29%
40%
4%
2%
2%
14%
29%
49%
6%
2%
4%
10%
29%
50%
We don’t intend to implement additional encryption
2 years or more
19 to 24 months
13 to 18 months
7 to 12 months
0 to 6 months
Total
For internally-developed applications For web services For email services
Within the enterprise network Within the data center

Drivers and Concerns Behind
TLS 1.3 Enablement

Yes, There are Concerns…
Security and Operational Concerns for Enabling TLS 1.3
7%
37%
34%
22%
9%
30%
40%
21%
We are not at all
concerned
We are only slightly
concerned
We have some concerns
We have significant
concerns
Operational concerns Security concerns

Enablement is Moving Full Steam Ahead
The big surprise is that enablement/adoption of TLS 1.3 is moving quickly for inbound
connections and internal traffic
2%
32%
41%
17%
6%
3%
40%
34%
14%
6%
Not planning to enable TLS 1.3
at this time
Already underway
Within 6 months
7-12 months
13-18 months
Inbound connections Internal traffic

Top Motivations for Enabling TLS 1.3
67%
73%
44%
55%
52%
51%
50%
Very Important
Improved privacy for end-to-end security Improved data security
Decreased latency/TLS session setup time Better user experience
To be seen as following industry standards Industry moving away from earlier versions
To meet the supplier requirements of our customers

Keeping up with Top Web Server Vendors Comes at
a Cost for Internal Web Application Development
Top Three Concerns on Internal Web Application Development Driven by Web
Server Vendor Adoption of TLS 1.3
21%
21%
21%
17%
11%
7%
2%
Increase development lifecycle time/cost
Increase operations lifecycle time/cost
Increase development training time/costs
Increase operations training time/cost
Impact customers' access to goods and services
Impact customer satisfaction
No significant impact
% Total Mentions

How much will it cost to adapt security
architectures to TLS 1.3?
TLS 1.3
4%
13%
27%
35%
17%
4%
0%
17%
25%
42%
17%
0%
2%
10%
25%
42%
18%
4%
10%
16%
30%
22%
16%
5%
29%
10%
24%
10%
19%
10%
Over $1 Million
$501,000 to $1 Million
$251,000 to $500,000
$101,000 to $250,000
$51,000 to $100,000
Less than $50,000
VL Enterprise Enterprise (All) Midsized SMB Total

Strategies for Regaining Visibility
How does your organization intend to address the security visibility issue TLS 1.3 caused?
26%
22%
21%
21%
9%
0% 5% 10% 15% 20% 25% 30%
Maintain existing firewalls at earlier versions of TLS for as long as
possible
Look for inline alternatives that enable decryption and
inspection by existing security controls without exacting a
significant performance penalty
Replace existing stateful inspection firewalls with proxy-based
firewalls
Enable decryption and re-encryption on existing inline security
devices and hope that it doesn't add too much latency,
complexity, or security vulnerability
Look for out-of-band decryption solutions that enable decryption
and inspection without exacting a significant performance
penalty

How Different-Sized Organizations Intend to
Approach TLS 1.3 Enablement
46%
8%
31%
15%
23%
40%
33%
3%
24%
12%
53%
7%
Enable for all traffic at once
Enable for critical traffic only
Enable for critical traffic first, then other traffic if convenient
Enable only where required for regulatory compliance
SMB Midsized Large Enterprise

Key Findings Summary
• The spreading use of encryption in the enterprise is growing rapidly, but
introduces some concerns over the ability to inspect for malware hidden in
encrypted files
• TLS 1.3 enablement is happening much faster than expected
• There is an apparent disconnect between enablement plans and what’s
required to achieve that while maintaining visibility for troubleshooting and
security monitoring
• Greater education is required to bridge that gap

22© 2019 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ENCRYPTION: THE DOUBLE-EDGED SWORD
• Data visibility is a problem when encrypted –
many devices cannot inspect encrypted data
• Encryption and TLS 1.3 are a good thing
• You will be forced to change your network
• You must set the right expectations for
privacy, security and visibility
Expect improved
privacy*
Expect improved
data security*
Expect improved
user experience*
*Source = Report Summary: TLS 1.3 Adoption In The Enterprise by EMA, 2019
67% 73%
55%

Version Released Deprecated
SSL1.0 1995 (Oops) Immediately
SSL2.0 1995 2011
SSL3.0 1996 2015
TLS1.0 1999 Upcoming
TLS1.1 2006 Upcoming
TLS1.2 2008
TLS1.3 2018
• Encryption is used to secure connections
between web browsers and servers
• Transport Layer Security (TLS) is the new
term for Secure Sockets Layer (SSL), but
the two are often lumped together as “SSL”
• TLS1.3 is the newest encryption standard
• Improves privacy
• Removes old less-secure algorithms
• Big changes for many IT teams
• Decreases setup latency
SSL ENCRYPTION: A QUICK OVERVIEW

Static Keys Ephemeral Keys
One for each client/server pair Session Key New key every session
If you have session key, you can
read all sessions Forward secrecy
Having the key for one session
doesn’t let you see others
OK Privacy Much better
Straightforward Legitimate monitoring Problematic
Can listen passively How to monitor? Must participate in session
Only option up to TLS1.1
What TLS versions?
Optional in TLS1.2
Mandatory in TLS1.3
STATIC VS. EPHEMERAL KEYS
“Session keys” are used to encrypt data in transit.
Older standards used the same “static” key every time for a given client/server.
TLS1.3 requires “ephemeral” keys, new every time.
The Good, The Bad, The Ugly

Monitoring ephemeral key TLS/SSL
• Must be inline
• Must be an active part of the SSL connection
– a “proxy”
• Adds some latency / potential failure point
• Clients must trust SSL inspection device
Monitoring static key TLS/SSL
• Can attach to a Tap or SPAN port
• Stream directly to disk and decrypt later
• No impact on original encrypted connection
• Requires monitoring device to have a copy of
server’s encryption keys
MONITORING WILL BE VERY DIFFERENT WITH TLS1.3
Major Redesign Required

• Common to have multiple layers of security – firewall, IPS, DLP, etc.
• Bad idea to have each of them do independent encrypt/decrypt
• Much better to have a single SSL proxy provide “decrypt once, inspect many”
service
• Dedicated SSL appliance or Network Packet broker feature
SSL PROXIES AND DEFENSE IN DEPTH

DEPLOYMENT OPTION #1 – APPLIANCE-BASED SSL
• NPBs allow for distribution of encrypted data to decryption devices and then the distribution of the now
unencrypted data to various tools (NGFW, IPS, DLP, etc.)
Firewall Switch ServersBypass
Switch
Network
Packet Broker
Encrypted traffic
SSL Decrypt
IPS
Other tools
Deployment Scenario: Inline

DEPLOYMENT SCENARIO #2 – NPB USING
INTEGRATED SSL
• SSL inspection generates a significant performance overhead on security tools
• An NPB with integrated SSL/TLS decryption capability offloads this burden without impact
Firewall Switch ServersBypass
Switch
Encrypted traffic
Network Packet
Broker
SSL Decrypt
IPS Other toolsDeployment Scenario: Inline

• Hardware and software solutions for Passive
SSL monitoring (pre-1.3)
• High-performance options for Active SSL
monitoring
• Dedicated hardware acceleration
• Integrated into industry-leading Vision ONE
network packet broker and bypass switches
• Point-and-click UI for management
• Data Masking, NetFlow, Load Balancing, and
other great features built-in
• Test solutions for validating TLS1.3
performance and compliance
IXIA IS HERE TO HELP
We have a range of deployment and performance options

DOWNLOAD FREE WHITEPAPER
https://www.ixiacom.com/resources/report-summary-tls-13-adoption-enterprise

TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices

Similar to TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices (20)

More from Enterprise Management Associates

More from Enterprise Management Associates (20)

Recently uploaded

Recently uploaded (20)

TLS 1.3: Expert Advice to Modernize Your Security and Decryption Practices