Trusted Network Connect and Security Content Automation Protocol (SCAP) FAQ

FAQ

Q. What does TNC have to do with SCAP?

A. This month, we are announcing that TCG’s Trusted Network Connect (TNC) specification has been integrated with the Security Content Automation Protocol developed by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).

Q. What are TNC and SCAP?

A. TNC is Trusted Network Connect, a set of standards for network security created by Trusted Computing Group. SCAP is the Security Content Automation Protocol, a set of standards for security automation and endpoint compliance developed by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST).

Q. Why would I want to use TNC and SCAP together?

A. The TNC standards handle network security. The SCAP standards focus more on endpoint compliance. By using these standards together, customers can ensure that only properly configured endpoints are allowed to connect to the enterprise network. Other endpoints can be quarantined and remediated.

Q. What are the benefits of using open security standards instead of proprietary systems?

A. Open standards are more compatible and interoperable. Customers enjoy more product choices. Suppliers reduce costs by implementing one set of standards instead of supporting multiple proprietary integrations. And security is improved since open standards are reviewed carefully by many experts.

Q. What does “TNC-SCAP integration” mean and why is it important?

A. By TNC-SCAP integration, we mean that scanners based on SCAP can be used with network security gear based on the TNC specifications to identify and quarantine unhealthy devices. This will automate checking and compliance for millions of PCs and other devices.

Q. Who is using SCAP and TNC today?

A. SCAP usage is quite high within the U.S. Government today since the U.S. Office of Management and Budget has mandated usage of SCAP-validated tools to verify compliance with the Federal Desktop Core Configuration. Customers using the TNC standards are spread across a variety of sectors, including government, finance, health care, and higher education.

Q. Are vendors supporting this integration?

A. In just a few short months, several vendors have demonstrated SCAP and TNC products working together successfully. More details of this are available in a white paper from TCG member Triumfant, a vendor of SCAP tools. One user, the South Carolina Department of Probation, Parole and Pardon Services, has been testing this integration. We anticipate seeing additional support in coming months from other SCAP and TNC vendors.

Q. How will the integration evolve and which group will be responsible for future changes?

A. TNC and SCAP will each be managed independently by their respective standards bodies but work will continue on integration. The growing capabilities of the TNC and SCAP standards should allow additional forms of integration with additional features and benefits.

Q. Is there more information available?

A. In addition to the white paper mentioned previously, TCG has published a short white paper on the integration.

Q. What are some of the anticipated uses and applications for IF-MAP?

A. Some current applications include:

  • Federation between remote access and network access control (NAC)
  • Integration of NAC with endpoint profiling and behavior monitoring, data leak detection and enforcement for unmanaged devices
  • Integration of physical access control and NAC

Potential applications include:

  • Industrial control and security: enabling efficient communication of data among systems so action can be taken in event of problems or breaches
  • Smart grid: enabling more efficient and robust power systems by aggregating, correlating and distributing from generating systems, transmission systems, distribution systems, meters, electrical loads and other devices in real time
  • Cloud security: enabling independent providers and consumers of cloud resources to discover and declare their requirements and capacities, allocate cloud resources, enforce policies, and prove compliance
  • Unified communications security: providing limitless flexibility for using a variety of parameters – including user location, time of day, device type, available networks, user preferences and more – to deliver optimal voice, data and video services to users at all times

Q. Are any enterprises using IF-MAP now?

A. Yes, a number of customers have piloted and/or deployed production systems using IF-MAP, with applications including network security and access control, industrial automation, and federated security. Many customers are reluctant to talk publicly about their security measures, but we should have some case studies soon.

Q. Which vendors support IF-MAP?

A. Products we know about include Great Bay’s Beacon endpoint profiler; Juniper Networks’ Unified Access Control (UAC) and SSL VPN appliances (SA); Infoblox’ Core Network Services Appliances and Orchestration (IF-MAP) Server; Insightix’ BSA Business Security Assurance suite; Lumeta’s IPsonar network discovery solutions; Hirsch Electronics’ Velocity Physical Access Control System; and Byres Security’s Tofino industrial security gateways.

Q. Is certification planned for IF-MAP?

A. Yes, certification is planned for 2011. Watch for developments. You can read more about the current Trusted Network Connect and Trusted Platform Module certification programs at http://www.trustedcomputinggroup.org/certification.