
9/29/2010
01:03 PM
Dark Reading
Products and Releases

Trusted Computing Group Integrates TNC With SCAP

SCAP-validated scanners can now be used with TNC network security gear to identify and quarantine unhealthy devices

BALTIMORE, Md., Sept. 28, 2010 - Trusted Computing Group (TCG), which develops industry standards for security, announced today that its Trusted Network Connect (TNC) standards have been integrated with the Security Content Automation Protocol (SCAP) standards developed by the Commerce Department's National Institute of Standards and Technology (NIST).

SCAP-validated scanners can now be used with TNC network security gear to identify and quarantine unhealthy devices. This will improve compliance at lower cost by automating compliance checking and network enforcement on millions of PCs and other systems.

Products that implement TNC-SCAP integration are being demonstrated at the Security Automation Conference in Baltimore this week and have been tested by the South Carolina state government in a pilot deployment. Several TCG member company representatives are speaking at the conference today about TNC and SCAP.

"To address the information security threats of the 21st century, we must integrate and automate our defenses - especially the way that information flows across the defensive enterprise," said Tony Sager, Chief of the Vulnerability Analysis and Operations Group at the National Security Agency (NSA). "Using the TNC and SCAP standards together is a great step forward in this integration effort, and this also demonstrates the power of public-private collaboration."

TNC-SCAP Integration Boosts Trend Toward Security Automation

To reduce the costs of managing security and compliance, NIST has collaborated with other organizations, such as the NSA, to develop the SCAP standards for measuring compliance. In 2007, the Office of Management and Budget issued a memo requiring that federal CIOs use SCAP-validated tools for verifying compliance with the Federal Desktop Core Configuration. In parallel, the TCG developed the TNC specifications, which enable administrators to quarantine or block non-compliant devices from the network until they can be remediated.

With the integration, TNC specifications can provide enforcement of SCAP compliance criteria. The integration of SCAP with TNC combines the automated enforcement of TNC with SCAP's ability to express compliance checklists in a standard format, providing fine-grained control.

"TNC and SCAP are complementary standards that create real value for organizations in both the government and commercial sectors," said Tim Grance, Program Manager for NIST's Cyber and Network Security Program. "Integrating these standards enables organizations to deploy pragmatic solutions that directly address critical IT security problems in a very tangible way."

TNC-SCAP Integration Easy to Implement

TCG members have already implemented the TNC-SCAP integration.

"Implementing TNC-SCAP integration was a logical extension of our SCAP capabilities," said Jim Ivers, chief security strategist, Triumfant. "We were able to readily combine the compliance checking and real-time analysis of our SCAP-validated Triumfant Resolution Manager product with the TNC network enforcement provided by the Unified Access Control solution from Juniper Networks. The combination worked together seamlessly."

The South Carolina Department of Probation, Parole, and Pardon Services is currently testing the new TNC-SCAP integration.

Notes David O'Berry, IT director for the department, "We've been using the Triumfant and Juniper products for several years, but only now have we been able to realize our vision of an open standards-based, fully integrated security automation environment with two companies that only recently started working together. These types of integrations not only reduce staff time to deal with compliance management and malware, they also go a long way towards ensuring organizations do not make exclusive bets on single companies or products. That agility is mandatory if we have any hope of keeping up with the threat cycle."

Next Steps for TNC-SCAP Integration

The TNC and SCAP standards will retain their separate, complementary identities under the development authority of the TCG and NIST, respectively, but work integrating the standards will continue. TCG has published a white paper describing the integration of the TNC and SCAP standards to automate compliance-based network connections.

The Trusted Computing Group (TCG) provides open standards that enable a safer computing environment across platforms and geographies. Benefits of Trusted Computing include protection of business-critical data and systems, secure authentication and strong protection of user identities, and the establishment of strong machine identity and network integrity. Organizations using built-in, widely available trusted hardware and applications reduce their total cost of ownership. TCG technologies also provide regulatory compliance that is based upon trustworthy hardware. More information and the organization's specifications and work groups are available at the Trusted Computing Group's website, www.trustedcomputinggroup.org.
