TLS 1.3 Adoption in the Enterprise

F5 Thumbnail
Published May 21, 2019

With the new Transport Layer Security (TLS) 1.3 specification published by the IETF last August, many organizations are considering adoption plans for the new standard. F5 commissioned a research project with Enterprise Management Associates to better understand how enterprises are adapting to the growing use of encryption overall. While some industry groups have expressed serious reservations over the ability to decrypt and inspect traffic for troubleshooting and possible malware using TLS 1.3, the good news is that a healthy percentage of respondents in the survey are either already in the process of enabling TLS 1.3 or plan to enable it soon. Another good sign is that a clear majority of the respondents in the survey indicated familiarity with TLS 1.3 on a technical level.

Multiple factors have driven the quick adoption plans for the new standard. That major web server and browser vendors have already implemented TLS 1.3 within their products is one. Another is the perceived benefits in improved privacy and end-to-end data security that come with the TLS 1.3 enhancements. Cryptographic protocols like TLS exist to help prevent adversaries from eavesdropping and tampering with data. However, concerns around application security monitoring are giving caution.

The use of encryption over the internet has grown significantly over the last few years. F5 Labs 2017 TLS Telemetry Report notes that 81% of web pages are now loading via HTTPS. While the use of encryption for the data center and enterprise networks increased the most over the last 18 months, enterprises will turn their attention to internally developed applications and web services in the next 18 months.

Given the implications of the TLS 1.3 specification, a clear majority of respondents expressed both operational and security concerns over implementing TLS 1.3 within their organizations. The survey found that 56% of all respondents expressed either some or significant operational concerns, while 61% expressed either some or significant security concerns.

Figure 1: Level of Operational and Security Concerns for Implementing TLS 1.3

The top security concern was Visibility into Application Security and the Data Center with 57% of respondents indicated the inability to monitor application security was their top concern.   

Figure 2: Lost Visibility into Application Security is the Biggest Concern

What are they afraid of?

Missing malicious behavior hidden in legitimate traffic. Only 6% were not at all concerned.

Figure 3: As more network traffic is encrypted, how concerned is your organization that your existing security monitoring practices/techniques will miss malware hidden in encrypted files?

Despite those concerns, there is no going back. From a policy perspective, enterprises are clearly mandating the use of transport encryption to protect data, and TLS is the protocol of choice.

To understand how organizations are going to handle TLS 1.3 deployments along with strategies, policies, practices and concerns, access the full TLS 1.3 Adoption in the Enterprise Report here.