PRESS RELEASE. Companies in major industries such as finance and health care must follow best practices for monitoring incoming data for cyberattacks.
The latest internet security protocol, known as TLS 1.3, provides state-of-the-art protection, but complicates the performance of these required data audits.
The National Institute of Standards and Technology has released a practice guide describing methods that are intended to help these industries implement TLS 1.3 and accomplish the required network monitoring and auditing in a safe, secure and effective fashion.
The new draft practice guide, Addressing Visibility Challenges with TLS 1.3 within the Enterprise (NIST SP 1800-37), was developed over the past several years at the NIST National Cybersecurity Center of Excellence (NCCoE) with the extensive involvement of technology vendors, industry organizations and other stakeholders who participate in the Internet Engineering Task Force.
The guidance offers technical methods to help businesses comply with the most up-to-date ways of securing data that travels over the public internet to their internal servers, while simultaneously adhering to financial industry and other regulations that require continuous monitoring and auditing of this data for evidence of malware and other cyberattacks.
NIST is requesting public comments on the draft practice guide by April 1, 2024.
TLS allows us to send data over the vast collection of publicly visible networks we call the internet with the confidence that no one can see our private information, such as a password or credit card number, when we provide it to a site.
TLS maintains web security by protecting the cryptographic keys that allow authorized users to encrypt and decrypt this private information for secure exchanges, all while preventing unauthorized individuals from using the keys.
TLS has been highly successful at maintaining internet security, and its previous updates up through TLS 1.2 enabled organizations to keep these keys on hand long enough to support auditing incoming web traffic for malware and other attempted cyberattacks.
The most recent iteration - TLS 1.3, released in 2018 - has challenged the subset of businesses that are required by law to perform these audits, because the 1.3 update does not support the tools the organizations use to access the keys for monitoring and audit purposes.
Businesses have raised questions about how to meet enterprise security, operational, and regulatory requirements for critical services while using TLS 1.3.
That's where NIST's new practice guide comes in.
The guide describes six techniques that give organizations a way to access the keys while protecting the data from unauthorized access.
TLS 1.3 discards the keys used to protect an internet exchange once the data has been received, but the practice guide's approaches allow an organization to retain both the raw received data and its decrypted form long enough to perform security monitoring.
This information is retained within a secure internal server for audit and forensics purposes and is destroyed when the security processing is completed.
While there are risks associated with storing the keys even in this contained environment, NIST developed the practice guide to demonstrate several secure alternatives to homegrown approaches that might heighten these risks.
The NCCoE is developing what will eventually be a five-volume practice guide.
Currently available are the first two volumes - the executive summary and a description of the solution's implementation.
Of the three planned volumes, two will be geared toward IT professionals who need a how-to guide and demonstrations of the solution, while the third will focus on risk and compliance management, mapping components of the TLS 1.3 visibility architecture to security characteristics in well-known cybersecurity guidelines.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 01 Feb 2024 22:40:25 +0000