Welcome!

Open Source Authors: Liz McMillan, Maureen O'Gara, Jeremy Geelan, Reuven Cohen, Lavenya Dilip

Related Topics: SOA & WOA, Security

SOA & WOA: Blog Post

Federal Government Releases Guide to Enterprise IT Security

One of the major issues outlined in the guide is the lack of interoperability across system security tools
By Reuven Cohen
Article Rating:
May 27, 2009 08:45 AM EDT
Reads:
 2,931

The National Institute of Standards and Technology (NIST) recently released a draft "Guide to Adopting and Using the Security Content Automation Protocol" (SCAP) for public review. The guide takes a close look at what they describe as "the need for a comprehensive, standardized approach to overcoming security challenges found within a modern enterprise IT environment". In case you're not familiar with SCAP, it comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues, mostly geared toward federal government agencies. Although SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.

I haven't done too much digging through the specification, but at first glance a lot of the security concepts seem fairly well suited to both governmental and enterprise infrastructure as a service / private cloud deployments such as at Amazon Ec2.

Interesting to note, one of the major issues outlined in the guide is the lack of interoperability across system security tools; for example, the use of proprietary names for vulnerabilities or platforms creates inconsistencies in reports from multiple tools, which can cause delays in security assessment, decision-making, and vulnerability remediation. The guide recommends that organizations should to demonstrate compliance with security requirements in mandates such as the Federal Information Security Management Act (FISMA).


The guide goes onto outline; "Many tools for system security, such as patch management and vulnerability management software, use proprietary formats, nomenclatures, measurements, terminology, and content. For example, when vulnerability scanners do not use standardized names for vulnerabilities, it might not be clear to security staff whether multiple scanners are referencing the same vulnerabilities in their reports. This lack of interoperability can cause delays and inconsistencies in security assessment, decision-making, and remediation."

Direct Link > http://csrc.nist.gov/publications/drafts/800-117/draft-sp800-117.pdf

NIST requests comments on the new publication, 800-117, "Guide to Adopting and Using the Security Content Automation Protocol." E-mail comments to 800-117comments@nist.gov by Friday, June 12.

Published May 27, 2009 – Reads 2,931
Copyright © 2009 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.

More Stories By Reuven Cohen

Reuven Cohen is Founder & CTO for Toronto based Enomaly Inc. - leading developer of Cloud Computing products and solutions focused on enterprise businesses. Enomaly's products include the Enomaly elastic computing platform, an open source cloud platform that enables a scalable enterprise IT and local cloud infrastructure platform. Cohen is a thought leader in the emerging cloud computing industry and maintains a blog at www.elasticvapor.com.

Reuven is also founder of several technology organizations;
 Enomaly.com - Elastic Computing Platform (Cloud Computing),
Cloud Camp - Local Cloud Computing events,
the Unified Cloud Interface Project - Semantic Cloud Abstraction API
Cloud Interoperability Forum - Cloud Standards Group.

(twitter @ruv : Linkedin : RSS Feed)