The National Institute of Standards and Technology (NIST) has recently published a practice guide called “Addressing Visibility Challenges with TLS 1.3 within the Enterprise,” geared towards companies in the finance and health care industries. With the constant threat of cyberattacks, it is essential for these industries to monitor incoming data effectively. However, the latest internet security protocol, TLS 1.3, has made it harder to perform data audits.
Developed by the NIST National Cybersecurity Center of Excellence (NCCoE) over the past several years, the practice guide aims to help these industries implement TLS 1.3 in a safe, secure, and effective manner. It offers technical methods designed to assist businesses in complying with the most up-to-date ways of securing data over the public internet while also adhering to regulations that require continuous monitoring and auditing for evidence of malware and other cyberattacks. This collaborative project involved the extensive input of technology vendors, industry organizations, and other stakeholders involved in internet security.
It is important to note that TLS 1.3, while providing improved encryption and support for post-quantum cryptography, has presented challenges for organizations that are legally obligated to perform ongoing data audits. TLS 1.3 does not support the tools these organizations use to access the session keys for monitoring and audit purposes, which raises significant questions about how to meet enterprise security, operational, and regulatory requirements for critical services while using TLS 1.3. In response, NIST has introduced the draft practice guide with techniques that let organizations access the keys while maintaining the security and integrity of the data.
The guide introduces six techniques that allow organizations to retain and secure the raw received data and the decrypted data long enough to perform security monitoring, while also ensuring that unauthorized access is prevented. Storing the keys carries inherent risks, so NIST developed the practice guide to demonstrate secure alternatives to homegrown approaches that might heighten those risks. The NCCoE is also developing a full five-volume practice guide addressing various aspects of internet security.
NIST is now seeking public comments on the draft practice guide until April 1, 2024. An FAQ is also available for common questions about the guide. Those interested in submitting comments or seeking further information can reach the practice guide’s authors via email; comments may be submitted directly to the authors until the April 1 deadline. Companies in the finance and health care sectors should take note of these developments and provide input to help shape these important cybersecurity guidelines.