Cybersecurity gets faster with blending of two protocols

Combination of unrelated protocols now being tested in South Carolina

A suite of automated network access control standards from the Trusted Computing Group has been integrated with the government’s Security Content Automation Protocols to enable automated policy enforcement on networks. The South Carolina Department of Probation, Parole and Pardon Services is testing the combination in a pilot program.

The integration of the Trusted Network Connect standards with SCAP was announced Tuesday at a NIST security automation workshop in Baltimore.

Steve Hanna, co-chairman of the TCG’s TNC Working Group and distinguished engineer at Juniper Networks, said the two standards offer “a complementary set of capabilities,” each valuable in its own right but much more powerful when combined.

“What we are getting is automation,” Hanna said. “We can take the human out of the loop now,” so that security tools can operate at the speed of the increasingly sophisticated and automated attacks they must counter.

Tony Sager, chief of the National Security Agency’s Vulnerability Analysis and Operations Group, said automation is an imperative for IT security and called the combination of the protocols “a great step forward.”

TNC and SCAP will remain separate sets of standards developed under the auspices of their own organizations. The initial pilot integration is being tested in Juniper’s TNC network enforcement tool called Unified Access Control, and the SCAP-validated Resolution Manager from Triumfant.


Related coverage:

NIST releases guide to security automation protocol

NIST out to ensure security products comply with vulnerability assessment language


SCAP is a specification for expressing and manipulating security data in standardized ways, developed under the authority of the National Institute of Standards and Technology in cooperation with other organizations including the NSA, MITRE Corp., and the Forum for Incident Response and Security Teams.

The protocols address the challenge of managing the configurations and security settings of information systems manually. A wide variety of hardware and software platforms typically are used for many purposes, with differing levels of risk in a single environment. Security is further complicated by the fact that these platforms and the threats they face are constantly evolving. Agencies are supposed to conduct continuous monitoring of security configurations and be able to determine the security posture of IT systems at any time. SCAP was developed to provide a standardized, automated approach to help agencies overcome these difficulties.

The Office of Management and Budget requires agencies to use products that have been validated as capable of using the protocols for checking compliance with Federal Desktop Core Configuration Settings. The protocols enumerate hardware and software product names and vulnerabilities, including software flaws and configuration issues. They also identify the presence of vulnerabilities and assign severity scores to software flaws.

TNC was created separately by Trusted Computing Group, an industry organization developing standardized and interoperable security platforms and schemes. The TNC architecture integrates the collection of pertinent security data from devices requesting access to or already on a network with the enforcement of security policies for the network based on that data. It combines network access control—the ability to control who can access a network and what resources they can use—with coordinated security, which correlates data from a variety of security systems for decision-making.

The use of SCAP data for decision-making and enforcement by TNC grew out of a meeting of the TCG with NIST, MITRE and NSA in June, Hanna said.

“It’s not so difficult,” he said of the integration. “It turns out the specifications fit together quite well.”

Prototype tools were available by July and demonstrated in August, and the South Carolina pilot now is under way. The development reflects the maturity of the SCAP and TNC schemes, Hanna said.

“Great ideas seem obvious in retrospect,” he said. But until recently both teams have been focused on developing their own sets of protocols and ensuring that they work as intended. “It is only in the last year or two that we’ve reached that level of capability” that would allow the integration.

Fully functional production products integrating the two suites are expected to be available by year’s end.

About the Author

William Jackson is a Maryland-based freelance writer.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Thu, Oct 7, 2010 Earth

A suite of automated network access control standards … has been integrated with … Security Content Automation Protocols to enable automated policy enforcement on networks. …each valuable in its own right but much more powerful when combined. …We can take the human out of the loop now.
…who called cyberspace the fourth area of warfare along with land, sea and air.

A virus of unusual complexity, indicating a state sponsor, has been unleashed with the assumed intent to infect Iran’s nuclear power plant and give the attacker the ability to cause it to destroy itself.

And so begins the birth of “Sky Net”. For all automated protocols, lacking human oversight, are fodder for self-attack. Guns don’t shoot children, children shoot children.

Wed, Sep 29, 2010 Linda Joy Adams

Does this mean that the 17 medicare numbers created to steal my id and cliams info will now be shut down and monies returned inside the Medciare contractors on their offline systems. And the offline system at ACS-Xerox for Federal workers comp will now have to use the offical data from the US Dept of labor's computer and can't alter the info on their offline system so my bills can get paid? instead of using a 'dummy' file? Unless these systems inside the contractors ( business associates) are secured, does little good whe so much of the govt's biz is done inside contractors. Madoff went to jail for such shenaighans, but Congress made contractors immune from prosecutions and internal audits. Why the double standard? Linda Joy Adams can't stop it alone

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group