Cybersecurity gets faster with blending of two protocols

Combination of unrelated protocols now being tested in South Carolina

A suite of automated network access control standards from the Trusted Computing Group has been integrated with the government’s Security Content Automation Protocols to enable automated policy enforcement on networks. The South Carolina Department of Probation, Parole and Pardon Services is testing the combination in a pilot program.

The integration of the Trusted Network Connect standards with SCAP was announced Tuesday at a NIST security automation workshop in Baltimore.

Steve Hanna, co-chairman of the TCG’s TNC Working Group and distinguished engineer at Juniper Networks, said the two standards offer “a complementary set of capabilities,” each valuable in its own right but much more powerful when combined.

“What we are getting is automation,” Hanna said. “We can take the human out of the loop now,” so that security tools can operate at the speed of the increasingly sophisticated and automated attacks they must counter.

Tony Sager, chief of the National Security Agency’s Vulnerability Analysis and Operations Group, said automation is an imperative for IT security and called the combination of the protocols “a great step forward.”

TNC and SCAP will remain separate sets of standards developed under the auspices of their own organizations. The initial pilot integration is being tested in Juniper’s TNC network enforcement tool called Unified Access Control, and the SCAP-validated Resolution Manager from Triumfant.

Related coverage:

NIST releases guide to security automation protocol

NIST out to ensure security products comply with vulnerability assessment language

SCAP is a specification for expressing and manipulating security data in standardized ways, developed under the authority of the National Institute of Standards and Technology in cooperation with other organizations including the NSA, MITRE Corp., and the Forum for Incident Response and Security Teams.

The protocols address the challenge of managing the configurations and security settings of information systems manually. A wide variety of hardware and software platforms typically are used for many purposes, with differing levels of risk in a single environment. Security is further complicated by the fact that these platforms and the threats they face are constantly evolving. Agencies are supposed to conduct continuous monitoring of security configurations and be able to determine the security posture of IT systems at any time. SCAP was developed to provide a standardized, automated approach to help agencies overcome these difficulties.

The Office of Management and Budget requires agencies to use products that have been validated as capable of using the protocols for checking compliance with Federal Desktop Core Configuration Settings. The protocols enumerate hardware and software product names and vulnerabilities, including software flaws and configuration issues. They also identify the presence of vulnerabilities and assign severity scores to software flaws.

TNC was created separately by Trusted Computing Group, an industry organization developing standardized and interoperable security platforms and schemes. The TNC architecture integrates the collection of pertinent security data from devices requesting access to or already on a network with the enforcement of security policies for the network based on that data. It combines network access control—the ability to control who can access a network and what resources they can use—with coordinated security, which correlates data from a variety of security systems for decision-making.

The use of SCAP data for decision-making and enforcement by TNC grew out of a meeting of the TCG with NIST, MITRE and NSA in June, Hanna said.

“It’s not so difficult,” he said of the integration. “It turns out the specifications fit together quite well.”

Prototype tools were available by July and demonstrated in August, and the South Carolina pilot now is under way. The development reflects the maturity of the SCAP and TNC schemes, Hanna said.

“Great ideas seem obvious in retrospect,” he said. But until recently both teams have been focused on developing their own sets of protocols and ensuring that they work as intended. “It is only in the last year or two that we’ve reached that level of capability” that would allow the integration.

Fully functional production products integrating the two suites are expected to be available by year’s end.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • blockchain (whiteMocca/

    What legislators are learning about blockchain

Reader Comments

Thu, Oct 7, 2010 Earth

A suite of automated network access control standards … has been integrated with … Security Content Automation Protocols to enable automated policy enforcement on networks. …each valuable in its own right but much more powerful when combined. …We can take the human out of the loop now.
…who called cyberspace the fourth area of warfare along with land, sea and air.

A virus of unusual complexity, indicating a state sponsor, has been unleashed with the assumed intent to infect Iran’s nuclear power plant and give the attacker the ability to cause it to destroy itself.

And so begins the birth of “Sky Net”. For all automated protocols, lacking human oversight, are fodder for self-attack. Guns don’t shoot children, children shoot children.

Wed, Sep 29, 2010 Linda Joy Adams

Does this mean that the 17 medicare numbers created to steal my id and cliams info will now be shut down and monies returned inside the Medciare contractors on their offline systems. And the offline system at ACS-Xerox for Federal workers comp will now have to use the offical data from the US Dept of labor's computer and can't alter the info on their offline system so my bills can get paid? instead of using a 'dummy' file? Unless these systems inside the contractors ( business associates) are secured, does little good whe so much of the govt's biz is done inside contractors. Madoff went to jail for such shenaighans, but Congress made contractors immune from prosecutions and internal audits. Why the double standard? Linda Joy Adams can't stop it alone

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group