NIST NCCoE Guide Helps Major Industries Observe Incoming Data

Published: Thursday, February 15, 2024 – 12:00

A new practice guide describes the advantages of TLS 1.3 with solutions to manage keys and shows how affected industries can develop a solution to meet requirements using the new protocol.

Finance and healthcare companies must follow best practices for monitoring incoming data for cyberattacks. The latest internet security protocol, known as TLS 1.3, provides state-of-the-art protection, but it complicates the performance of these required data audits. The National Institute of Standards and Technology (NIST) has released a practice guide describing methods that are intended to help these industries implement TLS 1.3 and accomplish the required network monitoring and auditing in a safe, secure, and effective fashion.

NIST is requesting public comments on the draft practice guide by April 1, 2024.

(NIST: Gaithersburg, MD) — Industries such as finance and healthcare need to monitor incoming internet data for evidence of malware and insider cyberattacks. The latest internet security protocol, known as TLS 1.3, makes it more challenging to comply with these requirements while maintaining web traffic security.

The new draft practice guide, “Addressing Visibility Challenges with TLS 1.3 Within the Enterprise (NIST Special Publication (SP) 1800-37),” was developed over the past several years at the NIST National Cybersecurity Center of Excellence (NCCoE) with the extensive involvement of technology vendors, industry organizations, and other stakeholders who participate in the Internet Engineering Task Force (IETF). The guidance offers technical methods to help businesses comply with the most up-to-date ways of securing data that travel over the public internet to their internal servers while simultaneously adhering to financial industry and other regulations that require continuous monitoring and auditing of these data for evidence of malware and other cyberattacks.

“TLS 1.3 is an important encryption tool that brings increased security and will be able to support post-quantum cryptography,” says Cherilyn Pascoe, director of the NCCoE. “This collaborative project focuses on ensuring that organizations can use TLS 1.3 to protect their data while meeting requirements for auditing and cybersecurity.”

The TLS protocol, developed by the IETF in 1996, is an essential component of internet security: In a web link, whenever you see the “s” at the end of “https” indicating the website is secure, it means TLS is doing its job. TLS allows us to send data over the vast collection of publicly visible networks we call the internet with the confidence that no one can see our private information, such as a password or credit card number, when we provide it to a site.

That’s where NIST’s new practice guide comes in. It offers six techniques that give organizations a way to access the keys while protecting the data from unauthorized access. TLS 1.3 eliminates the keys used to protect internet exchanges as the data is received, but the practice guide’s approaches essentially allow an organization to retain the raw received data and its decrypted form long enough to perform security monitoring. This information is retained within a secure internal server for audit and forensics purposes and is destroyed when the security processing is completed.

While there are risks associated with storing the keys even in this contained environment, NIST developed the practice guide to demonstrate several secure alternatives to homegrown approaches that might heighten these risks.

“NIST is not changing TLS 1.3. But if organizations are going to find a way to keep these keys, we want to provide them with safe methods,” said NCCoE’s Murugiah Souppaya, one of the guide’s authors. “We are demonstrating to organizations who have this use case how to do it in a secure manner. We explain the risk of storing and reusing the keys, and show people how to use them safely while still staying up to date with the latest protocol.”

The NCCoE is developing what will eventually be a five-volume practice guide. Currently available are the first two volumes—the executive summary (SP 1800-37A) and a description of the solution’s implementation (SP 1800-37B). Of the three remaining planned volumes, two (SP 1800-37C and D) will be geared toward IT professionals who need a how-to guide and demonstrations of the solution, while the third (SP 1800-37E) will focus on risk and compliance management, mapping components of the TLS 1.3 visibility architecture to security characteristics in well-known cybersecurity guidelines.

An FAQ is available to answer common questions. To submit comments on the draft or other questions, contact the practice guide’s authors at [email protected]. Comments may be submitted until April 1, 2024.

Source: https://www.qualitydigest.com/inside/customer-care-news/nist-nccoe-guide-helps-major-industries-observe-incoming-data-021524.html