Will a New Security Protocol Also Mean New Security Worries?
Symantec’s Mark Urban says organizations should prepare for the arrival of the new TLS 1.3 standard now to avoid having to make difficult trade-offs later on
Are you ready for the latest version of Transport Layer Security? You had better be, because after four years of fits and starts, the internet’s most important security protocol is about to win ratification by the Internet Engineering Task Force.
The TLS protocols were put in place years ago to secure network communications and support everything from e-commerce to email. The arrival of a new version of the standard should bring substantial security and performance benefits.
But TLS 1.3, as it’s called, also raises myriad questions for IT. In fact, as Symantec’s vice president of product strategy and operations, Mark Urban, warns, stronger encryption could also mean weaker security if you’re not careful: traffic that your inspection tools can no longer see.
Writing recently in Dark Reading, Urban says “the time to prepare for the new standard is now” in order to “avoid having to make trade-offs involving user experience, encryption strength, and inspection capabilities” down the road.
Urban notes that adoption will vary by geography, industry, and business model. Industries that depend on high Web traffic may be slower to adopt the new standard, he wrote, for fear of turning away site visitors whose browsers do not support it. By contrast, other companies, particularly in highly regulated industries, may insist on stronger protection when their employees interact with external sites, send email, or transfer files.
At the same time, there are other factors to consider before adopting the standard, according to Urban. “In fact, many organizations already have existing network security architectures in place that are fine-tuned to deal with current conditions, and changing the strength of encryption can create challenges.”
But pulling off secure sessions without compromising the protections offered by existing network security tools is tricky. Urban noted that encryption hides exactly the traffic those tools are designed to inspect. That creates a blind spot: encrypted traffic, whether private data or malware, is invisible to most standard security systems.
“A straightforward and effective way to avoid being blinded to malicious traffic is with an encrypted traffic management application that physically (or virtually) resides within the network and facilitates a view of decrypted traffic to a wide variety of security tools. However, what many have found is that the security solutions that allow SSL visibility and enable security inspection vary greatly in their ability to provide visibility while simultaneously maintaining the privacy and security integrity of the session.”
Any companies with network security tools in place that are not inspecting encrypted traffic should be candidates for risk assessments. According to Urban, they ought to “develop a plan to create secure and compliant inspection of potential hidden threats. It's also important to engage cross-functional partners early (including network, security, and compliance teams) to be sure that the plan addresses any encryption blind spots.”
And if your organization already has an inspection capability in place?
“Determine if the current solution meets requirements for secure decryption for earlier SSL/TLS protocols. Organizations will need to inspect less-secure traffic (e.g., TLS 1.2), and it's important they do so without introducing new security risks.”
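One concrete check behind that last point, added here as an example rather than code from Urban's post or from Symantec: a TLS 1.3 ServerHello keeps a legacy_version of 0x0303 (the TLS 1.2 value) and signals the real version only in its supported_versions extension, and TLS 1.3 dropped static RSA key exchange entirely, so a passive decryptor that holds the server's RSA private key can open a TLS 1.2 session negotiated with a TLS_RSA_* suite but is blind to everything else. The Python below parses ServerHello records, constructed by hand for this example rather than captured from a network, and flags the sessions such a decryptor cannot open. The names parse_server_hello, build_server_hello and inspection_gaps are chosen for this example, and the cipher-suite table covers only the codes used here.

```python
"""Classify TLS ServerHello records by negotiated version and key exchange.

Added example, not code from the Symantec post. Sample records are
constructed in build_server_hello(), not real traffic.
"""
import struct

HANDSHAKE = 22
SERVER_HELLO = 2
EXT_SUPPORTED_VERSIONS = 43

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# IANA cipher-suite codes; only the subset needed for the sample records.
SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",        # static RSA key exchange
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",           # static RSA key exchange
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ephemeral ECDH, forward secret
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",                 # TLS 1.3 only
    0x1302: "TLS_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello.

    Returns the negotiated version, the cipher suite, and whether a passive
    decryptor holding only the server's RSA private key can open the session.
    """
    ctype, _legacy_record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hello[:2])[0]   # legacy_version: 0x0303 even for TLS 1.3
    pos = 2 + 32                                   # skip the 32-byte random
    pos += 1 + hello[pos]                          # skip legacy_session_id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                                   # cipher suite + compression method

    # Extensions are optional in TLS 1.2 and mandatory in TLS 1.3.
    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext_data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                version = struct.unpack("!H", ext_data)[0]  # the real version for TLS 1.3
            pos += 4 + ext_len

    name = SUITES.get(suite, f"unknown(0x{suite:04X})")
    # With static RSA key exchange the premaster secret is encrypted to the
    # server's RSA key, so that key alone decrypts the session out of band.
    # (EC)DHE suites are forward secret, and TLS 1.3 removed static RSA.
    static_rsa = version <= 0x0303 and name.startswith("TLS_RSA_")
    return {
        "version": VERSIONS.get(version, f"unknown(0x{version:04X})"),
        "cipher_suite": name,
        "passively_decryptable": static_rsa,
    }


def build_server_hello(legacy_version: int, suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (test data, not captured traffic)."""
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # random, empty session id
    hello += struct.pack("!H", suite) + b"\x00"                        # suite, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body


# supported_versions extension selecting TLS 1.3, as a TLS 1.3 server sends it.
SUPPORTED_VERSIONS_13 = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)

SAMPLE_RECORDS = {                                  # constructed sample handshakes
    "legacy-rsa": build_server_hello(0x0303, 0x009C),
    "tls12-ecdhe": build_server_hello(0x0303, 0xC02F),
    "tls13": build_server_hello(0x0303, 0x1301, SUPPORTED_VERSIONS_13),
}


def inspection_gaps(records: dict) -> dict:
    """Map each record name to True when a passive RSA-key decryptor is blind to it."""
    return {name: not parse_server_hello(rec)["passively_decryptable"]
            for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, parse_server_hello(rec))
    print("blind spots:", inspection_gaps(SAMPLE_RECORDS))
```

Two caveats when applying this to a real assessment. First, an active inspection proxy that terminates the client's session and opens its own to the server still sees TLS 1.3 plaintext; this check only finds what a passive, private-key-sharing decryptor misses. Second, a tool that reads only the record header or legacy_version field will report every TLS 1.3 session as TLS 1.2, so version inventories must look at supported_versions.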
You can read Urban’s full post at Dark Reading.