Monday, 05/12/2008 12:04:05 PM

TCG Extends Standards for Endpoint Security

Technology Executive Alert by Linda Musthaler and Brian Musthaler, Network World, 05/12/2008

http://www.networkworld.com/newsletters/techexec/2008/051208techexec1.html

At times it seems the endpoint device is the scourge of the network – at least from a security administrator’s viewpoint. Endpoints come in a variety of devices, from a variety of vendors, and by their nature, many of them can come and go almost as they please. In response, network and security administrators attempt to restore order by managing the process by which an endpoint is admitted onto the corporate network.

But with threats to networks becoming more frequent and sophisticated; the corresponding increase in regulations to assure data privacy; and the continual pressure to reduce costs, there is a real need for integrated security beyond endpoint admission control.

The Trusted Computing Group (TCG) provides a blueprint for this integrated security called Trusted Network Connect (TNC). TNC is an open architecture and set of standards for network access control. These standards facilitate the creation and enforcement of security requirements for endpoint devices that connect to corporate networks by collecting endpoint configuration data; comparing this data against policies set by the network owner; and providing an appropriate level of network access based on the detected level of policy compliance (along with instructions on how to fix compliance failures). The standards ensure multi-vendor interoperability across a wide variety of endpoints, network technologies, and policies.

More than likely the endpoint and NAC solutions you have implemented today to access and control your network are based on the TNC protocol/standard. Numerous hardware and software vendors support the standard in their networking products.

On April 28, TCG published extensions to the current TNC standard that address the following problems:

* There are more unmanaged network endpoints than managed endpoints, including, for example, factory automation components, inventory control devices, and RFID-enabled assets.
* There’s a need to manage the entire life-cycle of a network endpoint, not just the admission process.
* It’s hard to manage increasingly complex security solutions.

The TNC extension is called IF-MAP (Interface for Metadata Access Point). With IF-MAP, various devices can be integrated into the network infrastructure, enabling real-time monitoring of the security status of an endpoint by a network operator. By doing so, the management of security risk can move from point security to a holistic approach, as well as from passive protection to active protection.

The heart of IF-MAP is the MAP database. This database contains records for each of the endpoints on your network, including information on the user, the health of the device, the device’s port or MAC address, how the user came onto the network, and other pertinent real-time information. Various vendors like Infoblox and Juniper have already signaled their intentions to provide MAP database servers.

Which vendor provides the database isn’t as important as the fact that the database provides a standard way for network security components to securely share information about users, devices, and security incidents on the network. By sharing information, security components can act in a more intelligent manner. For example, peer-to-peer file sharing may be normal and permitted for one group of users but not for another.

The value of IF-MAP is that the network can be made more secure yet less restrictive by tuning protection for each user or group of users. Companies can reduce operating costs by minimizing false alarms, enabling automated response, and making policies and reports more useful by using usernames and roles instead of IP addresses.

If you think that this is vaporware, think again. At Interop 2008, the TCG and a number of supporting vendors demonstrated TNC/MAP in action. The first products supporting IF-MAP should be commercially available in 6 to 12 months.

The IF-MAP specifications don’t require the logging of data in the MAP database. However, we can see this type of feature as a value-add provided by the MAP database vendors. Logs of all the endpoints’ activities can be invaluable for forensic analysis and for maintaining compliance with regulations like SOX and PCI.
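The MAP database the article describes (records that tie a user, the device's health, its MAC address and how it joined the network together, with policy written in usernames and roles rather than IP addresses) as an added toy model in Python. This is not code from the article, the TCG or any MAP vendor: the identifier and metadata names echo IF-MAP's own vocabulary, but the server logic, the peer-to-peer policy and every sample value are constructed assumptions, and flattening the search result into one dictionary is a simplification of a real IF-MAP search response.

```python
from collections import defaultdict

class MapServer:
    """Toy MAP server: identifiers joined by links that carry metadata."""
    def __init__(self):
        self.links = defaultdict(dict)  # frozenset({id_a, id_b}) -> metadata

    def publish(self, id_a, id_b, metadata):
        # A MAP client (DHCP server, NAC policy server, IDS, ...) publishes
        # metadata on the link between two identifiers; later publishes merge.
        self.links[frozenset((id_a, id_b))].update(metadata)

    def search(self, start, max_depth=3):
        """Breadth-first walk from one identifier, merging all link metadata."""
        seen, frontier, found = {start}, [start], {}
        for _ in range(max_depth):
            nxt = []
            for ident in frontier:
                for link, md in self.links.items():
                    if ident in link:
                        found.update(md)
                        for other in link - {ident}:
                            if other not in seen:
                                seen.add(other)
                                nxt.append(other)
            frontier = nxt
        return found

# Policy is expressed against roles, never against IP addresses (assumed policy).
P2P_ALLOWED_ROLES = {"engineering"}

def p2p_decision(server, ip):
    """Resolve an IP seen by a sensor to user, role and device health, then decide."""
    facts = server.search(("ip-address", ip))
    if facts.get("device-attribute") != "healthy":
        return "quarantine"          # unhealthy, or nothing is known about the endpoint
    return "allow" if facts.get("role") in P2P_ALLOWED_ROLES else "block"

def build_sample_server():
    """Constructed sample records, as separate publishers would produce them."""
    s = MapServer()
    ip, mac = ("ip-address", "10.0.0.7"), ("mac-address", "00:11:22:33:44:55")
    ar, user = ("access-request", "ar:1"), ("identity", "alice")
    s.publish(ip, mac, {"ip-mac": True})                    # from the DHCP server
    s.publish(ar, mac, {"access-request-mac": True})        # from the NAC enforcer
    s.publish(ar, user, {"authenticated-as": "alice", "role": "engineering"})
    s.publish(ar, ("device", "laptop-42"), {"device-attribute": "healthy"})
    return s
```

Calling p2p_decision(build_sample_server(), "10.0.0.7") walks IP to MAC to access request to identity and device and returns "allow"; an IP with no published records returns "quarantine", and republishing the identity link with a role outside P2P_ALLOWED_ROLES turns the answer into "block".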
