PRESS RELEASE
Companies in major industries such as finance and healthcare must follow best practices to monitor incoming data for cyber attacks. The latest Internet security protocol, known as TLS 1.3, provides cutting-edge protection, but makes it difficult to perform these required data checks. The National Institute of Standards and Technology (NIST) has published a practical guide describing methods intended to help these industries implement TLS 1.3 and achieve the required network monitoring and control in a secure and effective manner.
The new draft practice guide, Addressing Visibility Challenges with TLS 1.3 within the Enterprise (NIST Special Publication (SP) 1800-37), has been developed over the past few years at NIST’s National Cybersecurity Center of Excellence (NCCoE) with extensive involvement from technology vendors, industry organizations, and other stakeholders who participate in the Internet Engineering Task Force (IETF). The guide offers technical methods to help companies comply with the most up-to-date ways of protecting data traveling over the public internet to their internal servers, while simultaneously complying with financial industry and other regulations that require ongoing monitoring and auditing of this data for evidence of malware and other cyber attacks.
“TLS 1.3 is an important encryption tool that offers greater security and will be able to support post-quantum cryptography,” said Cherilyn Pascoe, director of the NCCoE. “This collaborative project aims to ensure that organizations can use TLS 1.3 to protect their data while meeting audit and cybersecurity requirements.”
NIST requests public comments on the draft practice guide by April 1, 2024.
The TLS protocol, developed by the IETF in 1996, is an essential component of Internet security: whenever you see the “s” at the end of “https” in a web link, indicating that the website is secure, it means that TLS is doing its job. TLS allows us to send data over the vast collection of publicly visible networks we call the Internet, safe in the knowledge that no one else can see our private information, such as a password or credit card number, when we provide it to a site.
TLS maintains web security by protecting the cryptographic keys that authorized parties use to encrypt and decrypt this private information for secure exchanges, while preventing unauthorized parties from using those keys. TLS has been very successful in maintaining Internet security, and its previous versions up to TLS 1.2 allowed organizations to keep these keys on hand long enough to support checking incoming web traffic for malware and other attempted cyberattacks.
However, the most recent version, TLS 1.3, released in 2018, posed a problem for the subset of companies required by law to perform these audits, because the 1.3 update does not support the tools organizations use to access keys for monitoring and audit purposes. As a result, companies have raised concerns about how to meet regulatory, operational, and enterprise security requirements for critical services when using TLS 1.3. That is where NIST’s new practice guide comes in.
The guide offers six techniques that give organizations a way to access keys while protecting data from unauthorized access. TLS 1.3 discards the keys used to secure an Internet exchange once the data is received, but the practice guide’s approaches essentially allow an organization to retain the received raw data and its decrypted form long enough to perform security monitoring. This information is held within a secure internal server for auditing and forensic purposes and is destroyed once security processing is complete.
While there are risks associated with storing keys even in this confined environment, NIST developed the practice guide to demonstrate several secure alternatives to in-house approaches that might increase those risks.
“NIST will not change TLS 1.3. But if organizations want to find a way to store these keys, we want to provide them with secure methods,” said Murugiah Souppaya of NCCoE, one of the authors of the guide. “We are demonstrating to organizations that have this use case how to do it securely. We explain the risk of storing and reusing keys and show people how to use them safely, while staying up to date with the latest protocol.”
The NCCoE is developing what will ultimately be a five-volume practice guide. The first two volumes are currently available: the executive summary (SP 1800-37A) and a description of the solution implementation (SP 1800-37B). Of the three remaining volumes, two (SP 1800-37C and D) will be aimed at IT professionals who need practical guidance and demonstrations of the solution, while the third (SP 1800-37E) will focus on risk and compliance management, mapping components of the TLS 1.3 visibility architecture to security features found in popular cybersecurity guidelines.
An FAQ is available to answer the most common questions. To submit comments on the draft or ask other questions, contact the authors of the practice guide at [email protected]. Comments can be submitted until April 1, 2024.