As the impact and frequency of enterprise data breaches intensifies, the regulatory controls and costs imposed on enterprises are rising. Since coming into force in May 2018, GDPR in the EU has been responsible for significant fines to companies such as Google, British Airways, and most recently PWC.
These incidents and similar regulations in Australia and elsewhere are impacting on enterprise businesses and technology companies. There is now a race to implement Transport Layer Security (TLS) 1.3 to improve network communications security. These TLS updating projects are causing significant challenges to IT and Security Teams.
Understanding and managing these challenges is crucial for all leaders responsible for their organisation’s security practices and implementations.
The TLS standard defines the cryptographic protocols that provide encryption for data being transferred over networks, including the Internet. Finalised in August 2018, TLS 1.3 is designed to solve many of the vulnerabilities that led to attacks on previous TLS versions, as well as to improve the performance of encrypted communications.
These improvements seem perfect for enterprises and service providers looking to secure their communications and data, but this added security protection comes at a price.
There are multiple changes in TLS 1.3 compared to TLS 1.2. The one causing most concern is that Perfect Forward Secrecy (PFS) will now be enforced rather than being optional. Earlier versions of TLS and SSL 3.0 don’t support PFS and contain multiple known vulnerabilities. For these reasons, predecessors of TLS 1.2 are generally unsupported by most application and service providers.
Although there is much detailed technical information available on the topic, the concept and impact of PFS is relatively simple. Using PFS means that a unique, one-time key will protect every new connection between users and an application.
Before PFS, every connection to an application was secured with the same key. Anyone who gained access to the application’s secret key, was able to decrypt all the other connections to that application. PFS isolates every connection. Even if a key is compromised, it can only be used to decrypt that one connection, limiting the data that is vulnerable.
Just as PFS makes listening to every connection harder for the bad guys, it also makes it more difficult for enterprise IT and security teams. Using a single secret key is very helpful for devices used by the IT and security operations teams needing visibility over network traffic to perform their responsibilities. Also for tasks such as scanning traffic for malicious files, or investigating application performance problems.
Once PFS is enabled, many devices and systems will lose the ability to decrypt traffic and inspect it. Systems that operate as a proxy and provide TLS services themselves, such as a load balancer, aren’t impacted. However, systems that work transparently inline or out-of-band may need to be upgraded or have a configuration change to deal with PFS.
Before rolling out TLS 1.3 for an organisation, it’s essential to understand fully which operations and systems may be impacted. It is possible that attempts to protect against a future attack may risking non-compliance with other regulations as a result of important security controls no longer functioning correctly.
Alternatively such attempts might create performance issues and new availability risks for critical applications.
Opportunity for enterprise security
The highly public nature of data security breaches and the fines associated with new security regulations has created an opportunity. Enterprise security leaders can educate their executive management about the realities of modern IT systems, what is an acceptable risk, and the critical role security teams play in the organisation.
Often enterprise security is seen as a roadblock to productivity and agility. It is also increasingly treated as a form of in-house insurance - how do we get the most coverage for the lowest cost?
TLS 1.3 and its mandatory use of PFS provides the perfect catalyst for a detailed review of how encryption, security and management technologies are used throughout the enterprise.
Enterprise security leaders have a unique and timely opportunity to reset expectations with their C-suite leadership. How? By showing them how security engages with the rest of the organisation, and how they can actively enable it to thrive in the modern, and expanding, threat landscape.