NIST NCCoE Guide Helps Major Industries Observe Incoming Data
A new draft practice guide describes the security advantages of TLS 1.3, the key-management approaches that preserve traffic visibility under it, and how affected industries can build a solution that meets their monitoring requirements while using the new protocol.
The new draft practice guide, “Addressing Visibility Challenges with TLS 1.3 Within the Enterprise (NIST Special Publication (SP) 1800-37),” was developed over the past several years at the NIST National Cybersecurity Center of Excellence (NCCoE) with the extensive involvement of technology vendors, industry organizations, and other stakeholders who participate in the Internet Engineering Task Force (IETF). The guidance offers technical methods that let businesses use the current standard for securing data in transit between the public internet and their internal servers while still meeting financial-industry and other regulations that require continuous monitoring and auditing of that traffic for evidence of malware and other cyberattacks.
“NIST is not changing TLS 1.3. But if organizations are going to find a way to keep these keys, we want to provide them with safe methods,” said NCCoE’s Murugiah Souppaya, one of the guide’s authors. “We are demonstrating to organizations who have this use case how to do it in a secure manner. We explain the risk of storing and reusing the keys, and show people how to use them safely while still staying up to date with the latest protocol.”
An FAQ is available to answer common questions. To submit comments on the draft or other questions, contact the practice guide’s authors at [email protected]. Comments may be submitted until April 1, 2024.
For companies using TLS 1.3 while performing required audits on incoming internet traffic
TLS protects web traffic by negotiating cryptographic keys that only the two endpoints hold, so that private information can be encrypted and decrypted by the authorized parties and by no one else. TLS has been highly successful at maintaining internet security, and versions up through TLS 1.2 let organizations keep the key material needed to decrypt incoming web traffic on hand long enough to audit it for malware and other attempted cyberattacks: with the RSA key exchange those versions allowed, a monitoring tool holding the server's long-term private key could recover each session's keys from a captured handshake.
However, the most recent version, TLS 1.3, published as RFC 8446 in 2018, has challenged the subset of businesses that are required by law to perform these audits: 1.3 removes the static RSA and Diffie-Hellman key exchanges that those monitoring tools depended on and derives fresh, ephemeral keys for every session, so holding the server's private key no longer lets a monitor decrypt captured traffic. Consequently, businesses have raised questions about how to meet enterprise security, operational, and regulatory requirements for critical services while using TLS 1.3.
The Transport Layer Security (TLS) protocol allows us to send data over the internet securely, protecting passwords and credit card numbers when we provide them to a site. A new practice guide will help industries perform required monitoring of incoming data for malware while using TLS 1.3, the protocol’s latest version. Credit: N. Hanacek/NIST
Published: Thursday, February 15, 2024 – 12:00
NIST is requesting public comments on the draft practice guide by April 1, 2024.
That’s where NIST’s new practice guide comes in. It describes six techniques that give an organization access to the session keys while protecting the data from unauthorized access. Because TLS 1.3 discards the keys that protected an exchange once the session is over, the guide’s approaches essentially let an organization retain the raw received data, and its decrypted form, only as long as security monitoring requires. This material is held on a secure internal server for audit and forensics purposes and is destroyed when the security processing is completed.
“TLS 1.3 is an important encryption tool that brings increased security and will be able to support post-quantum cryptography,” says Cherilyn Pascoe, director of the NCCoE. “This collaborative project focuses on ensuring that organizations can use TLS 1.3 to protect their data while meeting requirements for auditing and cybersecurity.”
(NIST: Gaithersburg, MD) — Industries such as finance and healthcare need to monitor incoming internet data for evidence of malware and insider cyberattacks. The latest internet security protocol, known as TLS 1.3, makes it more challenging to comply with these requirements while maintaining web traffic security.
While there are risks associated with storing the keys even in this contained environment, NIST developed the practice guide to demonstrate several secure alternatives to homegrown approaches that might heighten these risks.
The NCCoE is developing what will eventually be a five-volume practice guide. Currently available are the first two volumes—the executive summary (SP 1800-37A) and a description of the solution’s implementation (SP 1800-37B). Of the three remaining volumes, two (SP 1800-37C and D) will be geared toward IT professionals who need a how-to guide and demonstrations of the solution, while the third (SP 1800-37E) will focus on risk and compliance management, mapping components of the TLS 1.3 visibility architecture to security characteristics in well-known cybersecurity guidelines.
The TLS protocol, which the IETF began developing in 1996 and first published as TLS 1.0 in 1999, is an essential component of internet security: in a web link, the “s” at the end of “https” means the connection is encrypted and authenticated with TLS. TLS allows us to send data over the vast collection of publicly visible networks we call the internet with the confidence that no one on the path can read or tamper with our private information, such as a password or credit card number, when we provide it to a site.
Finance and healthcare companies are required to monitor incoming data for cyberattacks. The latest internet security protocol, TLS 1.3, provides state-of-the-art protection, but it complicates the inspection that these required audits depend on. The National Institute of Standards and Technology (NIST) has released a practice guide describing methods intended to help these industries adopt TLS 1.3 and still carry out the required network monitoring and auditing in a safe, secure, and effective fashion.