An Invitational Virtual Workshop on Challenges with Compliance, Operations, and Security with Encrypted Protocols, in Particular TLS 1.3

Thursday, August 13, 2020

Workshop Objectives

The National Institute of Standards and Technology (NIST) will host an invitational virtual workshop to discuss compliance, operations, and security challenges with modern encrypted protocols on Thursday, August 13, 2020. Deployment of these protocols, in particular TLS 1.3, can impact some organizations' ability to meet their regulatory, security, and operational requirements. The workshop will investigate practical and implementable approaches that help affected industries adopt these protocols in their private data centers and the hybrid cloud without impacting regulatory compliance, security, or operations. Invitations will be extended to parties that submit brief descriptions of their interest in this topic.

The workshop will identify various approaches and practices for meeting common compliance, operations, and security requirements. The findings from this workshop will inform the development of a potential National Cybersecurity Center of Excellence (NCCoE) demonstration project to implement one or more of the proposed approaches while addressing the business use cases, the required security capabilities, and the supporting technologies.

Background

The workshop will focus on enterprise data center environments, which include on-premises data centers and hybrid cloud deployments hosted by a third-party data center or a public cloud provider. The public Internet is out of scope. When enterprises deploy network security protocols within the data center to provide integrity and confidentiality, the amount of encrypted data in the enterprise data center increases, and visibility decreases. Enterprises have traditionally depended upon visibility into data in transit within their networks to implement critical cybersecurity and operational controls (e.g., intrusion detection, malware detection, fraud monitoring, and troubleshooting). These cybersecurity controls support both enterprise security and regulatory requirements. For example, some industries are required to monitor transactions for fraud, a task made more difficult if network traffic cannot be decrypted. In particular, enterprise architectures facilitate comprehensive inspection, collection, and analysis of data (i.e., both enterprise and personal data) through a small number of passive or active monitoring devices. To maintain visibility, these cybersecurity controls are provided with the cryptographic keying material needed to decrypt the traffic. However, in many widely deployed protocols this deviates from the original trust model, because the keys needed to decrypt traffic are also the keys used to authenticate the server, making the control devices indistinguishable from the authentic server.

Recent enhancements to these security protocols have made visibility in the enterprise data center more challenging—TLS 1.3 and QUIC are examples. While these protocol enhancements increase performance and address security concerns on the public Internet, they also reduce visibility. In addition, emerging deployment models leverage encrypted transport to protect protocols that were previously in the clear (e.g., DoT (DNS over TLS) and DoH (DNS over HTTPS)). DoT and DoH are out of scope for the current project, but may be the subject of future NCCoE work. Enhanced security protocols and deployment models were not designed to accommodate decryption of traffic flows by passive monitoring devices, creating potential compliance, security, and operational impacts in enterprises.
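The trust-model point in the two paragraphs above (the same long-term key both decrypts and authenticates under static RSA key exchange, while TLS 1.3's mandatory ephemeral Diffie-Hellman removes the decryption path) can be seen in a small model. This is an added illustration, not NIST's text or any product's code; the RSA key, the Diffie-Hellman group, and all function names are constructed toy values, and a real TLS stack uses padded 2048-bit RSA or x25519/ffdhe groups rather than these parameters.

```python
import hashlib
import secrets

# Constructed textbook RSA key standing in for the server's long-term key.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def rsa_sign(msg: bytes, d: int = D) -> int:
    """Server authentication: sign a digest with the long-term private key."""
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % N, d, N)

def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

# --- TLS <= 1.2 static RSA key exchange: the decryption key IS the auth key ---
def rsa_kx_wire(premaster: int) -> int:
    """Client sends the premaster encrypted to the server's long-term public key."""
    return pow(premaster, E, N)

def monitor_recover_premaster(captured: int, d: int) -> int:
    """A passive monitor holding a copy of D recovers the premaster, and from it
    the session keys, from the captured handshake alone."""
    return pow(captured, d, N)

# --- TLS 1.3 style: ephemeral DH; the long-term key only signs the transcript ---
DH_P, DH_G = 2**127 - 1, 3  # constructed toy group, not a TLS-registered group

def dhe_handshake():
    """Returns what crosses the wire plus the secret each endpoint derives."""
    a, b = secrets.randbelow(DH_P - 2) + 2, secrets.randbelow(DH_P - 2) + 2
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = rsa_sign(f"{A}:{B}".encode())  # server proves possession of D
    wire = (A, B, sig)
    client_secret, server_secret = pow(B, a, DH_P), pow(A, b, DH_P)
    # a and b are discarded on return; only `wire` is visible to a passive monitor
    return wire, client_secret, server_secret

def monitor_view_of_dhe(wire, d):
    """Holding D lets a monitor verify the server signature and produce one that
    verifies just as well (it is indistinguishable from the server), but nothing
    on the wire turns D into the session secret: the RSA-style trick fails."""
    A, B, sig = wire
    authentic = rsa_verify(f"{A}:{B}".encode(), sig)
    indistinguishable = rsa_verify(b"transcript", rsa_sign(b"transcript", d))
    not_the_secret = pow(B, d, DH_P)
    return authentic, indistinguishable, not_the_secret
```

In the TLS 1.3 case the only way a monitoring device can decrypt is to be handed per-session secrets by an endpoint, which is why the deployment models discussed at the workshop differ from simply copying the server key.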

Consequently, enterprises have raised questions about how to implement critical services, meet enterprise security, operational, and regulatory requirements, use the enhanced security protocols, and leverage new deployment models all at the same time. Such enterprises may need to consider applying new architectures and novel techniques to augment or replace traditional monitoring devices while satisfying their business, regulatory, and network operations requirements.

NIST invites industry subject matter experts and practitioners to present their views on challenges to compliance, operations, and security with modern encrypted protocols, in particular TLS 1.3, as well as proposed solutions. The workshop provides an opportunity for participants to give feedback on all aspects of the planned activities, including: challenges, impacted protocols, relevant standards, guidelines, recommended practices, use cases and technologies to be considered, and sources of specifications and guidance. NIST will use the resulting prioritized list of activities to develop an NCCoE project to help accelerate the investigation and demonstration of proposed approaches, along with their supporting technologies, that can be deployed and operated securely by default.

Call for Participation

To apply for participation in this free workshop, the NIST NCCoE is requesting submission of a brief (2 page maximum) position paper from each interested party or organization. Expectations and suggested topics for position papers are described in the following paragraphs. Position papers submitted on behalf of organizations may support the participation of up to three employees or affiliates of that organization. Applicants should be prepared to submit email addresses for all three participants along with the position paper. The NCCoE will publish a summary of these contributions (without attribution) before the workshop to maximize the exchange of ideas.

Applicants are encouraged to focus on operational, security, and/or compliance challenges encountered or anticipated in (1) deployment experience with TLS 1.3, (2) deployment models that introduce encryption for protocols associated with historically clear-text services, or (3) the capabilities and limitations of solutions. Applicants are encouraged to address both challenges and solutions where appropriate.

Position papers that cite operational challenges should clearly identify the operational requirements, how those requirements have been met in the past, and the impact (experienced or anticipated) of deploying more recent protocols or service models. Similarly, position papers that cite security challenges should clearly identify the enterprise security objectives, the controls the organization relies upon, and the impact (experienced or anticipated) of deploying more recent protocols or service models. Position papers that address compliance challenges should cite the compliance regime and identify the problematic requirements.

Position papers must be submitted for consideration by July 14, 2020. The workshop will be limited to 200 participants.

The workshop will be recorded and the content will be made available after the event. Please join the community of interest by sending an email to applied-crypto-visibility@nist.gov to get the latest updates on the activities related to Challenges with Compliance, Operations, and Security with Encrypted Protocols.

Agenda

12:00 – 12:10  NIST and NCCoE Overview
12:10 – 12:25  Workshop Overview & Background
12:25 – 12:45  IETF Principles for Encrypted Protocols
12:45 – 12:55  Moderated Q&A
12:55 – 13:00  Break
13:00 – 13:15  Compliance Challenges
13:15 – 13:30  Operations Challenges
13:30 – 13:45  Security Challenges
13:45 – 14:00  Instructive Scenarios for Demonstration Projects
14:00 – 14:10  Moderated Q&A
14:10 – 14:15  Break
14:15 – 15:00  Proposed Approaches
15:00 – 15:15  Moderated Q&A
15:15 – 15:30  Next Steps/Wrap-up (NCCoE)

Additional Resources

A read-ahead white paper will be released before the workshop to provide additional details and context about the challenges to be discussed at the workshop.

In Fall 2019, NIST participated in an invitational workshop on enterprise visibility hosted by the Center for Cybersecurity Policy and Law at Venable. The workshop report is available at https://centerforcybersecuritypolicy.org/enterprise-data-center-transparency-and-security-initiative.

Questions?

Please send an email to applied-crypto-pqc@nist.gov.