The National Institute of Standards and Technology (NIST) has recently released a guide to help industries implement the Transport Layer Security (TLS) 1.3 protocol while monitoring incoming data.
TLS 1.3 came out in August 2018 and, according to NIST, provides state-of-the-art protection for network encryption. While TLS is used by nearly all modern web pages to prevent nefarious actors from viewing sensitive data like passwords, it does come with some drawbacks.
In a recent report, NIST explains that TLS 1.3 can complicate security operators' ability to audit traffic, something many healthcare and financial institutions rely on to prevent cyberattacks.
In response, the NIST National Cybersecurity Center of Excellence (NCCoE) released what is described as a practice guide. The guide provides methods that can help industries implement TLS 1.3 and accomplish the necessary network monitoring safely and securely.
The draft, titled Addressing Visibility Challenges with TLS 1.3 within the Enterprise, is the result of a several-years-long effort that is now nearing completion. It has now been published and is available for review and public comment.
To understand the current conundrum between data auditing and the use of TLS 1.3, it’s imperative to understand why TLS is so important.
Transport Layer Security is used to secure network connections. Many browsers, including Chrome and Firefox, use it to keep data entered by users, such as usernames and passwords, secure, and many websites and browsers like Chrome have it enabled automatically. Some websites still use the older TLS 1.2, though only with those older algorithms that are still supported.
TLS 1.3 is currently the gold standard of network safety; it supports modern encryption, improves website performance, and has no known vulnerabilities. TLS maintains website security by protecting cryptographic keys, the secret values used to encrypt and decrypt data for secure exchanges.
While more network security is always a good thing, TLS 1.3 comes with some drawbacks. The same properties that make it so secure also mean that security operations teams are often unable to inspect traffic for malware or phishing attempts.
Security teams operating behind the scenes may not be able to see all of the traffic coming in and out of the network, which could allow malicious activity to go unnoticed.
The New Guidance
According to the NIST’s press release, the new document “offers technical methods to help businesses comply with the most up-to-date ways of securing data that travels over the public internet to their internal servers, while simultaneously adhering to financial industry and other regulations that require continuous monitoring and auditing.”
The guide provides six unique techniques that can allow organizations to access cryptographic keys while still maintaining security. The NCCoE hopes that the techniques can help with several specific scenarios: operational troubleshooting, performance monitoring, threat triage, and cybersecurity forensics.
The executive summary explains that the techniques include server-based key-management solutions as well as network architecture combined with key-management solutions. They are designed to be utilized by enterprise data center environments, making them server-based instead of client-based.
The solutions outlined will be voluntary and are designed to be scalable, relatively simple to implement, usable for different application protocols, usable in real-time, effective for troubleshooting and security, and widely available and supported by various products and services.
The draft document provides a full breakdown of threats, vulnerabilities, useful technologies and their applications, and more.
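The following Go program is an added illustration, not code from this post or from the NIST draft. It uses the standard library's crypto/tls KeyLogWriter (assumed here as the export mechanism; the guide's own techniques differ) to capture, on the server side, the per-connection secrets a TLS 1.3 handshake derives, in SSLKEYLOGFILE format. Running it twice shows that every connection gets fresh secrets, which is why TLS 1.3 visibility depends on key material handed over by the server rather than on a single long-lived key, and why the guide warns about the risk of storing and reusing that material.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)
// selfSignedCert builds a throwaway P-256 certificate so the demo needs no files on disk.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // valid self-signed template: cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// HandshakeSecrets runs one TLS 1.3 handshake over loopback with the server's KeyLogWriter set and
// returns the SSLKEYLOGFILE lines it produced ("<LABEL> <client_random_hex> <secret_hex>"), keyed by label.
func HandshakeSecrets() (map[string]string, error) {
	var keylog bytes.Buffer // written only by the server goroutine; a copy is handed back over the channel
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, MinVersion: tls.VersionTLS13, KeyLogWriter: &keylog})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	logged := make(chan string, 1)
	go func() { // server side: the handshake derives the secrets and writes them to keylog
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
		logged <- keylog.String()
	}()
	// InsecureSkipVerify only because the demo certificate above is self-signed.
	cl, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS13})
	if err != nil {
		return nil, err
	}
	defer cl.Close()
	secrets := map[string]string{}
	for _, line := range strings.Split(<-logged, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			secrets[f[0]] = f[2]
		}
	}
	return secrets, nil
}
```

Go logs the two handshake traffic secrets and the two application traffic secrets (CLIENT_/SERVER_HANDSHAKE_TRAFFIC_SECRET and CLIENT_/SERVER_TRAFFIC_SECRET_0); a passive monitor that lacks these for a given connection cannot decrypt it, whatever else it holds.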
What the Experts Say
Cherilyn Pascoe, Director of the NCCoE, restated the necessity of TLS 1.3: “[it] is an important encryption tool that brings increased security and will be able to support post-quantum cryptography,” she said. Discussing the draft paper, she added, “This collaborative project focuses on ensuring that organizations can use TLS 1.3 to protect their data while meeting requirements for auditing and cybersecurity.”
Despite some security risks with keeping keys for monitoring, NCCoE hopes to encourage the safe auditing of keys and traffic. “NIST is not changing TLS 1.3. But if organizations are going to find a way to keep these keys, we want to provide them with safe methods,” said one of the document authors, Murugiah Souppaya. “We are demonstrating to organizations who have this use case how to do it in a secure manner. We explain the risk of storing and reusing the keys, and show people how to use them safely, while still staying up to date with the latest protocol,” Souppaya added.
The draft document will continue to be available for the public to view and comment on. NIST is requesting that any comments on the guide be submitted by April 1st, 2024, after which the NCCoE hopes to begin finalizing the document.
The draft guide is part of a larger set of guides the NCCoE is currently developing, planned as a total of five volumes. So far, the executive summary volume and the description of the solution’s implementation have been released. Two more volumes will be aimed at IT professionals, providing how-to guides and demonstrations, and the remaining volume will focus on risk management and compliance.
Why Use Cloudticity for Healthcare Cloud Managed Services
Cloudticity was the first ever provider to deploy protected health information to workloads on the public cloud. With a HITRUST CSF certified solution, Cloudticity helps organizations align with regulatory requirements including HIPAA, FISMA High, and NIST 800-53.
With a focus on security and compliance, Cloudticity is able to keep up with regulatory trends and security updates. Cloudticity also provides incident management and anomaly detection through managed cloud security services, allowing you to feel confident in the security of your data.
While healthcare data breaches are skyrocketing, Cloudticity has never experienced a breach. We keep your cloud-native workloads secure and compliant so that your company can focus internal bandwidth on solving healthcare problems.
Reach out for a free consultation.