Messaging News - June 2008 - (Page 35)

Be our Guest

SCAP Standard Benefits Both Government and Commercial Space

Guest columnist: Mark Shavlik, President and CEO, Shavlik Technologies

The Security Content Automation Protocol (SCAP) defines open, standardized methods that measure, remediate, and continuously monitor adherence to security policies and approved configurations. These open standards enable, for the first time, products from different vendors to work together to automate the entire vulnerability management lifecycle. This includes vulnerability scanning; patch management and remediation; and changing security settings to be compliant with various security regulations and policies. While SCAP began as a U.S. government multiagency initiative to help government agencies meet regulatory requirements such as FISMA and FDCC, the gains in operational efficiency and cost savings can also provide substantial benefits for the commercial sector.

Growth and Success of SCAP

Several factors are driving the success of SCAP. These include government mandates that created a demand; use of open and accepted standards, such as OVAL (Open Vulnerability and Assessment Language); vendor neutrality; a third-party certification program; and substantial cost savings for commercial enterprises. We expect the major security vendors to quickly adopt SCAP. This has already started with vendors catering to government agencies.

Multi-Product Collaboration

The real power of SCAP is that SCAP-compliant products like Shavlik NetChk can read the results from other SCAP-compliant products to drive NetChk's actions. Likewise, any SCAP-compliant product can read output from NetChk to drive its own process. For example, a vulnerability scanner can team with Shavlik's products to provide remediation. Conversely, a reporting product can use SCAP output from NetChk to generate reports showing scanning, remediation, and configuration settings. Customers can buy the best-of-breed solution and know that it will work with all SCAP-compliant products.

SCAP and FDCC Compliance

FDCC is an example of how SCAP protocols are currently being leveraged. The U.S. government has mandated that all cabinet-level agencies deploy a single Federal Desktop Core Configuration (FDCC). The FDCC scanners identify non-compliant systems, but do not offer a way to automatically bring those systems into compliance. However, by leveraging SCAP compatibility, products like Shavlik NetChk can import standards-based data for compliance and configuration settings, such as those defined by FDCC, and automatically deploy fixes to bring errant systems into compliance. Additionally, other analysis tools can accept the SCAP-standard output from the Shavlik NetChk assessment and remediation scans to generate full-view reports.

Commercial Benefits Too

The commercial sector also stands to gain from SCAP standardization. First, enterprises are not dependent on a single vendor. Second, they can achieve operational efficiency by using best-of-breed products all working together from a single, well-defined security policy that extends across the entire organization. Finally, costs are reduced, because there are fewer configurations to maintain and test when deploying new software or patching critical applications. By mid-2009 I expect to see a large number of products targeting the commercial sector.

About Mark Shavlik

Mark Shavlik founded Shavlik Technologies in 1993 to offer a unique, market-driven approach to security application design and development. Mark has over 20 years' experience in successfully identifying market needs and building, marketing and selling innovative products and solutions. He has tenure as a senior systems designer and Windows NT kernel development project leader in the Microsoft Systems group, and as an original member of the Windows NT development team under David Cutler.
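The multi-product handoff and FDCC remediation described above, as an added example that is not Shavlik's or NetChk's code: a small Python reader for an OVAL results document that decides which definitions a remediation tool should act on. The sample document and its definition ids are constructed, and the namespace URIs and element layout are assumed from the OVAL 5 results and definitions schemas.

```python
# Added example, not Shavlik or NetChk code: one SCAP-compliant tool consuming
# another tool's OVAL results to decide what needs remediation.
import xml.etree.ElementTree as ET

# OVAL 5 results and definitions namespaces (assumed from the OVAL schemas).
NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample: one host evaluated against four definitions.
SAMPLE_OVAL_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <def:oval_definitions>
    <def:definitions>
      <def:definition id="oval:example:def:1" class="compliance" version="1"/>
      <def:definition id="oval:example:def:2" class="patch" version="1"/>
      <def:definition id="oval:example:def:3" class="vulnerability" version="1"/>
      <def:definition id="oval:example:def:4" class="compliance" version="1"/>
    </def:definitions>
  </def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="false"/>
        <definition definition_id="oval:example:def:2" version="1" result="true"/>
        <definition definition_id="oval:example:def:3" version="1" result="false"/>
        <definition definition_id="oval:example:def:4" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

def remediation_work(oval_results_xml):
    """Return (needs_action, needs_review) lists of OVAL definition ids."""
    root = ET.fromstring(oval_results_xml)
    # result="true" means different things per definition class, so join each
    # result with the class declared in the embedded definitions section.
    classes = {d.get("id"): d.get("class")
               for d in root.iterfind(".//def:definitions/def:definition", NS)}
    needs_action, needs_review = [], []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        did, result = r.get("definition_id"), r.get("result")
        cls = classes.get(did)
        if result not in ("true", "false"):
            needs_review.append(did)   # error / unknown / not evaluated: not a pass
        elif cls == "compliance" and result == "false":
            needs_action.append(did)   # compliance: true means compliant
        elif cls in ("vulnerability", "patch") and result == "true":
            needs_action.append(did)   # vulnerability/patch: true means fix needed
    return needs_action, needs_review
```

A result that is neither true nor false is reported separately rather than silently treated as compliant, which is the trap a reporting or remediation product must avoid when it trusts another product's scan.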