Group releases draft specs on ID tools for network devices
- By William Jackson
- Aug 29, 2013
The Trusted Computing Group has released a draft of specifications for automating the task of identifying and analyzing the configuration of all devices connecting to a network.
The Endpoint Compliance Profile builds on TCG’s network security architecture and provides a standardized way for security and access control products to interoperate and share data. The U.S. government was active in development of the profile.
“I was really impressed with the number and diversity of the government participants we had,” said Steve Hanna, distinguished engineer at Juniper Networks and co-chair of the TCG Trusted Network Connect working group. At least six federal workers contributed to the specifications.
The object of the profile is to improve awareness of the health of the entire enterprise by enabling analysis of the state of each endpoint in a way that data can be shared across applications. Compliance information would be gathered by a client running on the endpoint and forwarded to a server, which stores it in a configuration management database.
Products that enable this kind of activity are available today, but generally lack the ability to share information and work together, Hanna said. Standards for interoperability are needed, he said, “otherwise we’re left with silos.”
The document has been released for a 60-day comment period. When finalized, which is expected early in 2014, the specifications could be incorporated into commercial products to automate the task of monitoring of the security status of all devices connecting to a network, either remotely or within the enterprise, and to enforce access and configuration policies.
The Trusted Computing Group is an industry security standards organization formed in 2003 and best known for the Trusted Platform Module (TPM) security chip. It also has published specifications for integrating network security information into the government’s Security Content Automation Protocol using its Trusted Network Connect architecture.
The Endpoint Compliance Profile is part of what Hanna called a holistic approach to IT security that goes beyond TPM and encryption to address endpoint security. The profile addresses the first four of the 20 Critical Security Controls identified by the SANS Institute. They are:
- inventory of authorized and unauthorized devices;
- inventory of authorized and unauthorized software;
- secure configurations for hardware and software on mobile devices, laptops, workstations and servers; and
- continuous vulnerability assessment and remediation.
Comments on the Endpoint Compliance Profile should be sent to ECP-Comments@trustedcomputinggroup.org by October 22.
William Jackson is freelance writer and the author of the CyberEye blog.