SCAP-validated scanners can now be used with TNC network security gear to identify and quarantine unhealthy devices. This will improve compliance at lower cost by automating compliance checking and network enforcement on millions of PCs and other systems.
Products that implement TNC-SCAP integration are being demonstrated at the Security Automation Conference in Baltimore this week and have been tested by the South Carolina state government in a pilot deployment. Several TCG member company representatives are speaking at the conference today about TNC and SCAP.
"To address the information security threats of the 21st century, we must integrate and automate our defenses - especially the way that information flows across the defensive enterprise," said Tony Sager, Chief of the Vulnerability Analysis and Operations Group at the National Security Agency (NSA). "Using the TNC and SCAP standards together is a great step forward in this integration effort, and this also demonstrates the power of public-private collaboration."
TNC-SCAP Integration Boosts Trend Toward Security Automation
To reduce the costs of managing security and compliance, NIST has collaborated with other organizations, such as the NSA, to develop the SCAP standards for measuring compliance. In 2007, the Office of Management and Budget issued a memo requiring that federal CIOs use SCAP-validated tools for verifying compliance with the Federal Desktop Core Configuration. In parallel, the TCG developed the TNC specifications, which enable administrators to quarantine or block non-compliant devices from the network until they can be remediated.
With the integration, TNC specifications can provide enforcement of SCAP compliance criteria. The integration of SCAP with TNC combines the automated enforcement of TNC with SCAP's ability to express compliance checklists in a standard format, providing fine-grained control.
"TNC and SCAP are complementary standards that create real value for organizations in both the government and commercial sectors," said Tim Grance, Program Manager for NIST's Cyber and Network Security Program. "Integrating these standards enables organizations to deploy pragmatic solutions that directly address critical IT security problems in a very tangible way."
TNC-SCAP Integration Easy to Implement
TCG members have already implemented the TNC-SCAP integration.
"Implementing TNC-SCAP integration was a logical extension of our SCAP capabilities," said Jim Ivers, chief security strategist, Triumfant. "We were able to readily combine the compliance checking and real-time analysis of our SCAP-validated Triumfant Resolution Manager product with the TNC network enforcement provided by the Unified Access Control solution from Juniper Networks. The combination worked together seamlessly."
The South Carolina Department of Probation, Parole, and Pardon Services is currently testing the new TNC-SCAP integration.
Notes David O'Berry, IT director for the department, "We've been using the Triumfant and Juniper products for several years, but only now have we been able to realize our vision of an open standards-based, fully integrated security automation environment with two companies that only recently started working together. These types of integrations not only reduce staff time to deal with compliance management and malware, they also go a long way towards ensuring organizations do not make exclusive bets on single companies or products. That agility is mandatory if we have any hope of keeping up with the threat cycle."
Next Steps for TNC-SCAP Integration
The TNC and SCAP standards will retain their separate, complementary identities under the development authority of the TCG and NIST, respectively, but work integrating the standards will continue. TCG has published a white paper describing the integration of the TNC and SCAP standards to automate compliance-based network connections.
The Trusted Computing Group (TCG) provides open standards that enable a safer computing environment across platforms and geographies. Benefits of Trusted Computing include protection of business-critical data and systems, secure authentication and strong protection of user identities, and the establishment of strong machine identity and network integrity. Organizations using built-in, widely available trusted hardware and applications reduce their total cost of ownership. TCG technologies also provide regulatory compliance that is based upon trustworthy hardware. More information and the organization's specifications and work groups are available at the Trusted Computing Group's website, www.trustedcomputinggroup.org.