In our previous blog, you read about “Performance Visibility and Software-Defined Technology” and about “NPM and the Cloud”. In this blog, take a look at how TLS encryption can be a roadblock to NPM visibility.
NPM Visibility Roadblock: TLS Encryption
On the subject of network security, EMA sees an emerging visibility challenge with TLS 1.3 encryption. This standard, which EMA expects 98% of enterprises to have adopted by 2022, makes perfect forward secrecy (PFS) mandatory: every session runs its own ephemeral (Diffie-Hellman) key exchange, and the RSA key-transport cipher suites, in which the server's long-term private key could unlock the session secret, are removed. (PFS itself is not new; TLS 1.2 already offers it through ECDHE suites, but TLS 1.3 leaves no non-PFS option.) A visibility tool can therefore no longer be handed a copy of the server's private key and use it to decrypt all of the data that server sends and receives.
Eighty-nine percent of enterprises expect TLS 1.3 to degrade their visibility into inbound and internal traffic, because today they often rely on passive decryption: a visibility tool holding a copy of the server's private key decrypts mirrored packets out of band, without touching the production path. With TLS 1.3, enterprises will instead need an active (inline) decryption proxy that terminates the client's TLS session, inspects the plaintext, and re-encrypts the traffic toward the server. That adds latency to production traffic, and because the proxy handles plaintext, it breaks end-to-end encryption, which can put the proxy in scope for, or in conflict with, compliance regimes that govern where data may be decrypted.
Enterprises will have to shift expectations for visibility. They can limit their NPM insights to NetFlow or Layer 4 packet headers, which is better than nothing (note that TLS 1.3 also encrypts the server certificate in the handshake, so even handshake-level metadata shrinks; the Server Name Indication in the ClientHello is still sent in the clear). Or, they can shift gears and use an active monitoring tool that injects synthetic traffic into the network. Naturally, packet-based NPM vendors will innovate to get around TLS 1.3, for instance by having the endpoint export its session secrets to the monitoring tool out of band, but those solutions are mostly still emerging. EMA recommends that enterprises have conversations with their NPM vendors to find out how they provide visibility into this new encryption protocol.
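The following simulation, added here as an illustration and not part of the original post or any EMA tooling, shows in code why the passive tap described above stops working. It models the pre-1.3 case, where the server's long-term key is the key-exchange key (as with RSA key transport), against the TLS 1.3 case, where one-time Diffie-Hellman shares produce the session key and the long-term key merely authenticates the server's share. It also shows the out-of-band key-export approach (the model behind Wireshark's SSLKEYLOGFILE) that lets an out-of-band tool decrypt without sitting inline. Assumptions: finite-field DH over the 2048-bit MODP group from RFC 3526 (group 14) instead of the elliptic-curve groups TLS 1.3 actually uses; a toy SHA-256 keystream instead of a real AEAD cipher suite; no signature on the ephemeral share, since it does not affect key derivation; all message and function names are hypothetical.

```python
"""Constructed simulation: why a passive tap holding the server's private key
can decrypt static key exchange but not an ephemeral (TLS 1.3-style) one."""
import hashlib
import secrets

# 2048-bit MODP prime from RFC 3526, group 14 (a real, standardized DH group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair():
    """Fresh DH private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(peer_pub, priv, transcript):
    """32-byte session key from the DH shared secret plus the handshake
    transcript; stands in for the TLS key schedule."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big") + transcript).digest()


def encrypt(key, data):
    """Toy stream cipher (XOR with a SHA-256 keystream); decryption is the same op.
    Not a TLS cipher suite, just enough to show whether a tap has the right key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


decrypt = encrypt


def handshake_static(server_static_pub, plaintext):
    """Pre-1.3 style: the server's long-term public key (from its certificate)
    is the key-exchange key, so every session secret is a function of the
    matching long-term private key."""
    c_priv, c_pub = keypair()
    transcript = b"static|" + c_pub.to_bytes(256, "big")
    key = session_key(server_static_pub, c_priv, transcript)  # client side
    return {"client_pub": c_pub, "transcript": transcript,
            "record": encrypt(key, plaintext)}  # what the tap sees on the wire


def handshake_ephemeral(plaintext, keylog=None):
    """TLS 1.3 style: both sides use one-time DH shares. The server's ephemeral
    private key is discarded after the handshake; its long-term key would only
    sign s_pub (signature omitted here). If `keylog` is given, the endpoint
    exports the session key out of band, SSLKEYLOGFILE-style."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    transcript = (b"ephemeral|" + c_pub.to_bytes(256, "big")
                  + s_pub.to_bytes(256, "big"))
    key = session_key(s_pub, c_priv, transcript)             # client side
    assert key == session_key(c_pub, s_priv, transcript)     # server agrees
    if keylog is not None:
        keylog[transcript] = key
    return {"client_pub": c_pub, "server_pub": s_pub, "transcript": transcript,
            "record": encrypt(key, plaintext)}


def tap_decrypt_with_static_key(wire, server_static_priv):
    """Passive visibility tool that was given a copy of the server's long-term
    private key. Works for the static exchange; for the ephemeral exchange it
    derives g^(client * static) while the real key used g^(client * ephemeral)."""
    key = session_key(wire["client_pub"], server_static_priv, wire["transcript"])
    return decrypt(key, wire["record"])


def tap_decrypt_with_keylog(wire, keylog):
    """Out-of-band tool fed exported session keys; returns None if the endpoint
    did not export a key for this session."""
    key = keylog.get(wire["transcript"])
    return None if key is None else decrypt(key, wire["record"])


if __name__ == "__main__":
    msg = b"GET /orders/42 HTTP/1.1 (constructed sample)"
    s_priv, s_pub = keypair()
    print("static  :", tap_decrypt_with_static_key(handshake_static(s_pub, msg), s_priv) == msg)
    log = {}
    w = handshake_ephemeral(msg, log)
    print("eph/key :", tap_decrypt_with_static_key(w, s_priv) == msg)
    print("eph/log :", tap_decrypt_with_keylog(w, log) == msg)
```

Running it prints `True`, `False`, `True`: the same tap with the same private key recovers the static session and fails on the ephemeral one, and only an endpoint that exports its session secrets restores out-of-band decryption. In practice the key-export channel is itself sensitive material and must be protected like the private key it replaces.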
In conclusion, software-defined technologies, the cloud, and TLS 1.3 encryption are all challenging today’s NPM tools. However, there are solutions out there to help enterprises maintain operational visibility. With proper planning, most enterprises should be able to adapt.