NIST has released a new practice guide to help industries use the latest internet security protocol, TLS 1.3, while still being able to monitor incoming data for cyber threats. TLS 1.3 provides strong security for online communications, but it makes it harder for organizations—especially in finance and healthcare—to perform required data audits. The guide, developed by NIST’s National Cybersecurity Center of Excellence (NCCoE) with input from industry experts, offers six secure methods for organizations to access and store decryption keys temporarily for monitoring purposes. These methods allow companies to keep data secure while still meeting regulatory requirements for cybersecurity and data auditing.
The guide is part of a larger five-volume series, with the first two volumes already available. The remaining volumes will provide more detailed technical guidance for IT professionals and help organizations understand the risks and compliance aspects of using TLS 1.3. NIST is currently accepting public comments on the draft guide until April 1, 2024. The goal is to ensure that businesses can use TLS 1.3 safely and effectively, even as they continue to monitor for malware and other cyber threats.
Keywords: post-quantum cryptography, TLS 1.3, cryptographic keys
