The Transport Layer Security (TLS) protocol enables us to send data securely over the Internet, and protects passwords and credit card numbers when we provide them to a website. A new practice guide will help industries perform the required monitoring of incoming data for malware while using TLS 1.3, the protocol’s latest version.
Credit: N. Hanacek/NIST
Companies in large industries such as finance and healthcare must follow best practices to monitor incoming data for cyber attacks. The latest internet security protocol, known as TLS 1.3, offers the latest protection, but complicates the performance of these required data audits. The National Institute of Standards and Technology (NIST) has released a practice guide that describes methods intended to help these industries implement TLS 1.3 and accomplish the required network monitoring and auditing in a safe, secure, and effective manner.
The new draft practice guide, Addressing Visibility Challenges with TLS 1.3 within the Enterprise (NIST Special Publication (SP) 1800-37), was developed over the past several years at the NIST National Cybersecurity Center of Excellence (NCCoE) with the extensive involvement of technology vendors, industry organizations and other stakeholders participating in the Internet Engineering Task Force (IETF). The guidance provides technical methods to help businesses comply with the most up-to-date ways to secure data moving across the public Internet to their internal servers, while at the same time complying with financial industry and other regulations that require continuous monitoring and auditing of this data required. for evidence of malware and other cyber attacks.
“TLS 1.3 is an important encryption tool that brings increased security and will be able to support post-quantum cryptography,” said Cherilyn Pascoe, director of the NCCoE. “This collaborative project focuses on ensuring that organizations can use TLS 1.3 to protect their data while meeting auditing and cybersecurity requirements.”
NIST is requesting public comment on the draft practice guide by April 1, 2024.
The TLS protocol, developed by the IETF in 1996, is an essential component of Internet security: In a web link, when you see the “s” at the end of “https” indicating that the site is secure, it means it that TLS its working. TLS allows us to send data across the vast collection of publicly visible networks we call the Internet with the confidence that no one can see our private information, such as a password or credit card number, when we provide it to a website.
TLS maintains web security by protecting the cryptographic keys that allow authorized users to encrypt and decrypt this private information for secure exchanges, all while preventing unauthorized individuals from using the keys. TLS has been very successful in maintaining Internet security, and its previous updates through TLS 1.2 have allowed organizations to keep these keys on hand long enough to support auditing incoming web traffic for malware and other cyber attack attempts.
However, the most recent iteration – TLS 1.3, released in 2018 – challenged the subset of businesses required by law to perform these audits, because the 1.3 update did not support the tools that the organizations use to access to obtain the keys for monitoring and auditing. purposes. As a result, businesses have raised questions about how to meet enterprise security, operational and regulatory requirements for critical services while using TLS 1.3. That’s where NIST’s new practice guide comes in.
The guide offers six techniques that provide organizations with a method to access the keys while protecting the data from unauthorized access. TLS 1.3 eliminates keys used to protect Internet exchanges as the data is received, but the practice guide’s approaches essentially allow an organization to retain the raw data received and the data in decrypted form long enough to exclude security monitoring to feed. This information is kept in a secure internal server for audit and forensic purposes and is destroyed when the security processing is complete.
Although there are risks associated with storing the keys, even in this restricted environment, NIST has developed the practice guide to demonstrate several secure alternatives to homegrown approaches that may increase these risks.
“NIST is not changing TLS 1.3. But if organizations are going to find a way to hold these keys, we want to provide them with secure methods,” says Murugiah Souppaya of NCCoE, one of the guide’s authors. “We demonstrate to organizations that have this use case how to do it in a secure way. We explain the risk of storing and reusing the keys, and show people how to use them safely, while still staying on top of the latest protocol.”
The NCCoE is developing what will eventually be a five-volume practice guide. Currently available are the first two volumes — the executive summary (SP 1800-37A) and a description of the solution’s implementation (SP 1800-37B). Of the three planned volumes, two (SP 1800-37C and D) will be aimed at IT professionals who need a how-to guide and demonstrations of the solution, while the third (SP 1800-37E) will focus on risk and compliance management will focus , mapping components of the TLS 1.3 visibility architecture to security features in known cybersecurity guidelines.
An FAQ is available to answer common questions. To submit comments on the draft or other questions, contact the practice guide’s authors at applied-crypto-visibility [at] nest.gov (applied-crypto-visibility[at]nest[dot]government). Comments can be submitted until 1 April 2024.
Disclaimer for Uncirculars, with a Touch of Personality:
While we love diving into the exciting world of crypto here at Uncirculars, remember that this post, and all our content, is purely for your information and exploration. Think of it as your crypto compass, pointing you in the right direction to do your own research and make informed decisions.
No legal, tax, investment, or financial advice should be inferred from these pixels. We’re not fortune tellers or stockbrokers, just passionate crypto enthusiasts sharing our knowledge.
And just like that rollercoaster ride in your favorite DeFi protocol, past performance isn’t a guarantee of future thrills. The value of crypto assets can be as unpredictable as a moon landing, so buckle up and do your due diligence before taking the plunge.
Ultimately, any crypto adventure you embark on is yours alone. We’re just happy to be your crypto companion, cheering you on from the sidelines (and maybe sharing some snacks along the way). So research, explore, and remember, with a little knowledge and a lot of curiosity, you can navigate the crypto cosmos like a pro!
UnCirculars – Cutting through the noise, delivering unbiased crypto news
