Cybersecurity gets faster with blending of two protocols

Combination of unrelated protocols now being tested in South Carolina

A suite of automated network access control standards from the Trusted Computing Group has been integrated with the government’s Security Content Automation Protocols to enable automated policy enforcement on networks. The South Carolina Department of Probation, Parole and Pardon Services is testing the combination in a pilot program.

The integration of the Trusted Network Connect standards with SCAP was announced Tuesday at a NIST security automation workshop in Baltimore.

Steve Hanna, co-chairman of the TCG’s TNC Working Group and distinguished engineer at Juniper Networks, said the two standards offer “a complementary set of capabilities,” each valuable in its own right but much more powerful when combined.

“What we are getting is automation,” Hanna said. “We can take the human out of the loop now,” so that security tools can operate at the speed of the increasingly sophisticated and automated attacks they must counter.

Tony Sager, chief of the National Security Agency’s Vulnerability Analysis and Operations Group, said automation is an imperative for IT security and called the combination of the protocols “a great step forward.”

TNC and SCAP will remain separate sets of standards developed under the auspices of their own organizations. The initial pilot integration is being tested in Juniper’s TNC network enforcement tool called Unified Access Control, and the SCAP-validated Resolution Manager from Triumfant.

Related coverage:

NIST releases guide to security automation protocol

NIST out to ensure security products comply with vulnerability assessment language

SCAP is a specification for expressing and manipulating security data in standardized ways, developed under the authority of the National Institute of Standards and Technology in cooperation with other organizations including the NSA, MITRE Corp., and the Forum for Incident Response and Security Teams.

The protocols address the challenge of managing the configurations and security settings of information systems manually. A wide variety of hardware and software platforms typically are used for many purposes, with differing levels of risk in a single environment. Security is further complicated by the fact that these platforms and the threats they face are constantly evolving. Agencies are supposed to conduct continuous monitoring of security configurations and be able to determine the security posture of IT systems at any time. SCAP was developed to provide a standardized, automated approach to help agencies overcome these difficulties.

The Office of Management and Budget requires agencies to use products that have been validated as capable of using the protocols for checking compliance with Federal Desktop Core Configuration Settings. The protocols enumerate hardware and software product names and vulnerabilities, including software flaws and configuration issues. They also identify the presence of vulnerabilities and assign severity scores to software flaws.

TNC was created separately by Trusted Computing Group, an industry organization developing standardized and interoperable security platforms and schemes. The TNC architecture integrates the collection of pertinent security data from devices requesting access to or already on a network with the enforcement of security policies for the network based on that data. It combines network access control—the ability to control who can access a network and what resources they can use—with coordinated security, which correlates data from a variety of security systems for decision-making.

The use of SCAP data for decision-making and enforcement by TNC grew out of a meeting of the TCG with NIST, MITRE and NSA in June, Hanna said.

“It’s not so difficult,” he said of the integration. “It turns out the specifications fit together quite well.”

Prototype tools were available by July and demonstrated in August, and the South Carolina pilot now is under way. The development reflects the maturity of the SCAP and TNC schemes, Hanna said.

“Great ideas seem obvious in retrospect,” he said. But until recently both teams have been focused on developing their own sets of protocols and ensuring that they work as intended. “It is only in the last year or two that we’ve reached that level of capability” that would allow the integration.

Fully functional production products integrating the two suites are expected to be available by year’s end.

About the Author

William Jackson is a Maryland-based freelance writer.


  • People
    Dr. Ronny Jackson briefs the press on President Trump

    Uncertainty at VA after nominee withdraws

    With White House physician Adm. Ronny Jackson's withdrawal, VA watchers are wondering what's next for the agency and its planned $16 billion health IT modernization project.

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.