Industry, Feds Integrate on Security Standards

Thursday, October 7, 2010 @ 08:10 AM gHale

Trusted Computing Group (TCG), which develops industry standards for security, said its Trusted Network Connect (TNC) standards have integrated with the Security Content Automation Protocol (SCAP) standards developed by the Commerce Department’s National Institute of Standards and Technology (NIST).
SCAP-validated scanners can now work with TNC-certified network security gear to identify and quarantine unhealthy devices. This will improve compliance at lower cost by automating compliance checking and network enforcement on millions of PCs and other systems.
Products that implement TNC-SCAP underwent testing in a pilot program with the South Carolina state government.
“To address the information security threats of the 21st century, we must integrate and automate our defenses, especially the way that information flows across the defensive enterprise,” said Tony Sager, Chief of the Vulnerability Analysis and Operations Group at the National Security Agency (NSA). “Using the TNC and SCAP standards together is a great step forward in this integration effort, and this also demonstrates the power of public-private collaboration.”
To reduce the costs of managing security and compliance, NIST collaborated with other organizations, such as the NSA, to develop the SCAP standards for measuring compliance. In 2007, the Office of Management and Budget issued a memo requiring federal CIOs to use SCAP-validated tools for verifying compliance with the Federal Desktop Core Configuration. In parallel, the TCG developed the TNC specifications, which enable administrators to quarantine or block non-compliant devices from the network until those devices are remediated.
With the integration, TNC specifications can provide enforcement of SCAP compliance criteria. The integration of SCAP with TNC combines the automated enforcement of TNC with SCAP’s ability to express compliance checklists in a standard format, providing fine-grained control.
“TNC and SCAP are complementary standards that create real value for organizations in both the government and commercial sectors,” said Tim Grance, Program Manager for NIST’s Cyber and Network Security Program. “Integrating these standards enables organizations to deploy pragmatic solutions that directly address critical IT security problems in a very tangible way.”
TCG members have already implemented the TNC-SCAP integration.
“Implementing TNC-SCAP integration was a logical extension of our SCAP capabilities,” said Jim Ivers, chief security strategist, Triumfant. “We were able to readily combine the compliance checking and real-time analysis of our SCAP-validated Triumfant Resolution Manager product with the TNC network enforcement provided by the Unified Access Control solution from Juniper Networks. The combination worked together seamlessly.”
The South Carolina Department of Probation, Parole, and Pardon Services is currently testing the new TNC-SCAP integration.
“We’ve been using the Triumfant and Juniper products for several years, but only now have we been able to realize our vision of an open standards-based, fully integrated security automation environment with two companies that only recently started working together,” said David O’Berry, IT director for the SC Department of Probation, Parole and Pardon Services. “These types of integrations not only reduce staff time to deal with compliance management and malware, they also go a long way towards ensuring organizations do not make exclusive bets on single companies or products. That agility is mandatory if we have any hope of keeping up with the threat cycle.”
