
GARTNER REPORT ON HANDLING CHALLENGES WITH TLS 1.3 AND PASSIVE DECRYPTION

14 July 2020

In the nearly two years since the IETF ratified the new TLS 1.3 standard for encrypting data, adoption of the standard has ticked up steadily, but many enterprises are still holding off. They fear that this new, strong encryption standard will negatively impact their ability to monitor their own environments for security threats, especially via common passive modes of decryption for traffic analysis.

 

This fear is well founded. TLS 1.3 does away with static keys and RSA key exchange—and makes perfect forward secrecy and ephemeral session keys a default requirement, rather than an optional setting as they were in TLS 1.2 and earlier versions. Many passive security monitoring technologies will be made more cumbersome or even completely nonviable by this change. The same businesses feeling this pain are also experiencing mounting pressure to encrypt more data, in motion and at rest, to protect sensitive data in case of a breach. This presents enterprises with a difficult choice between using the best available encryption and maintaining the visibility their security teams need to conduct investigations and resolve potential threats.