TNC integrates SWID tag data into network access control process

The Trusted Network Connect (TNC) is an open architecture for Network Access Control defined by a working group of the Trusted Computing Group (TCG).  On the 3rd of August, 2015, TCG published the document “SWID Message and Attributes for IF-M”.  The description as written on the TCG/TNC blog:

The Trusted Network Connect (TNC) Work Group defines an open solution architecture that enables network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure. Software Identification tags (SWID tags) are XML documents that identify a specific software product.

Organizations interested in learning more about how SWID tags are used within the TNC architecture can go here to get more information – http://www.trustedcomputinggroup.org/resources/tnc_swid_messages_and_attributes_for_ifm_specification

US Gov & Industry Working to Automate IT Administration


NIST is working on an internal report (NISTIR) focused on the guidelines for the creation of interoperable Software Identification (SWID) Tags.  This publication is focused on how SWID tags will be used from an operational perspective and provides a number of use cases focused on end-user scenarios.  The overarching goal is to ensure that publishers understand end-user requirements to ensure SWID tags can provide the data required to automate IT Administrative processes that today are largely manual.

The report is focused on both Cybersecurity and Software Asset Management requirements.

The report can be found here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060

NIST is looking for your help!  Please review the document and provide your feedback on how these requirements meet your operational needs, or if there are requirements or scenarios that are not yet defined that should be added to the document – let them know!

Comments should be sent to NISTIR8060-comments@nist.gov – with the subject “Comments Draft NISTIR 8060”.  Comments should be provided by August 7, 2015.

ISO/IEC 19770-2 Revision Moving to Publication

The ISO/IEC 19770-2 standard that defines the structure of SWID tags has taken a major step forward.  The document went through its final review with all the participating countries and achieved unanimous approval.

With such strong country and organizational support behind the revision, the document has moved forward to the publication phase.  At this point, ISO editors take over and ensure that t’s are crossed, i’s are dotted and that the document meets the editorial requirements specified by ISO/IEC.

The revision is a relatively major one and addresses scalability issues that limited software vendors from fully embracing the 2009 version.  The way the scalability issues were addressed also improves the ability of tool vendors to consume and interpret the data.

Additionally, changes were made to the location where SWID tags are installed.  These changes make it easier for software vendors to integrate tags into their solution regardless of the installation model they choose.  The revised standard indicates that the SWID tag will be located in a directory named “swidtag” that is in the same directory tree as the product's installation directory.  This accommodates copy installs, web components and other sandboxed software installs, and installations by systems that otherwise might be restricted from writing into the common system locations specified in the 2009 revision.

You can download and review the XSD for this revision from ISO – http://standards.iso.org/iso/19770/-2/2015-current/schema.xsd.

You may also be able to download a NIST document that discusses usage scenarios and guidelines for creating SWID tags here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060.  Be aware, however that the NIST document is currently available for public review and may be removed while the document is going through an editing process.  If the link does not work, search for NIST-IR-8060.
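As an added illustration of the tag location described above (this is example code, not from TagVault.org or the standard), the following Python walks an install tree, reads every `*.swidtag` file found in a directory named `swidtag`, and extracts the identity data from the 2015-revision `SoftwareIdentity` element; the product name, regid and tagId in the sample tag are constructed for the example.

```python
# Added example (not from the TagVault.org posts): a minimal discovery routine that finds
# ISO/IEC 19770-2:2015 SWID tags in the "swidtag" directory of an install tree.
import os
import tempfile
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"  # 2015 schema namespace
SI = f"{{{SWID_NS}}}SoftwareIdentity"
ENTITY = f"{{{SWID_NS}}}Entity"

# Constructed sample tag: product name, regid and tagId are invented for illustration.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="Example Editor" version="4.2.0"
    versionScheme="multipartnumeric" tagId="com.example.editor-4.2.0" tagVersion="0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""


def parse_swid_tag(xml_text):
    """Return name/version/tagId/tagCreator; reject tags without exactly one tagCreator
    Entity, since identity data that cannot be attributed to a creator is not usable."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted vendor tags in production
    if root.tag != SI:
        raise ValueError("not an ISO/IEC 19770-2:2015 SoftwareIdentity element")
    creators = [e for e in root.findall(ENTITY) if "tagCreator" in e.get("role", "").split()]
    if len(creators) != 1:
        raise ValueError("expected exactly one Entity with role tagCreator")
    return {"name": root.get("name"), "version": root.get("version"),
            "tagId": root.get("tagId"), "tagCreator": creators[0].get("regid")}


def find_swid_tags(install_root):
    """Parse every *.swidtag file inside a directory named 'swidtag' under install_root."""
    found = {}
    for dirpath, _, files in os.walk(install_root):
        if os.path.basename(dirpath) != "swidtag":
            continue  # tags elsewhere are not where the 2015 revision says to look
        for fname in files:
            if fname.endswith(".swidtag"):
                with open(os.path.join(dirpath, fname), encoding="utf-8") as fh:
                    found[fname] = parse_swid_tag(fh.read())
    return found


def demo():
    """Lay out <root>/ExampleEditor/swidtag/<tag> in a temp dir and discover it."""
    with tempfile.TemporaryDirectory() as root:
        tag_dir = os.path.join(root, "ExampleEditor", "swidtag")
        os.makedirs(tag_dir)
        with open(os.path.join(tag_dir, "example-editor.swidtag"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TAG)
        return find_swid_tags(root)
```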

NIST Looking for Public Comment on SWID Tag Guidelines

NIST has released NIST-IR-8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags, for public comment.  The following is the abstract from the document:

This guidance provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As instantiated in the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable.

Download the document here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060

The document will go through numerous rounds of public review, and this particular review period closes June 15th, 2015.  I would encourage anyone who’s interested in learning about SWID tags, or knowing more about some of the usage scenarios, to download and read this document – if you find issues, please provide feedback to NIST.

TagVault.org is also working to develop a SWID Tag Interoperability Requirements document that will work in concert with the NIST-IR to make the development of SWID tags easier and more automated for software vendors while providing the data required in the NIST-IR.  TagVault.org member organizations can be involved in the development efforts to create the document, which will be publicly available and which will form the requirements for any future certification requirements (note that certification will be optional and will generally be of interest to large software vendors who automate their software release process).

Review the Trusted Computing Group SWID Message and Attributes Specification

The Trusted Computing Group (TCG) has developed a number of standards around the Trusted Network Connect (TNC) architecture.  The latest of these standards that’s open for public review is the SWID Message and Attributes specification.  The review window is open until May 31, 2015.

This is a fairly vertically focused specification and will be primarily of interest if you understand, use, or develop products around the TNC architecture.  The specification accommodates both the 2009 and the soon-to-be-published 2015 revisions of the ISO/IEC 19770-2 SWID specification.

SWID tags are gaining significant traction in the industry as IBM now deploys all their non-mainframe software with SWID tags, and Microsoft, Symantec and other large commercial entities are also deploying SWID tags with their software titles.  SWID tags allow significantly more automation of organizational IT Asset Management, Security and Logistics processes, and will make these processes significantly more accurate and less costly to manage.

The web page provided above gives the details on how to download the specification and report any issues/problems you discover.

Companies Supporting SWID Tags

Tool vendors are joining TagVault.org because they recognize that their application recognition libraries will never be completely accurate.  There are too many software publishers, too many releases and too many platforms for any tool vendor to even have a chance of getting to a reasonable level of accuracy.

HP, IBM, Microsoft and Symantec are all members of TagVault.org – these are all organizations with the ability to fund the development of an identification library, yet they are supportive of SWID tags – why is that?  The reason seems clear – if you expect your identification data to be accurate, you need to get that data directly from the publisher, not from a “best guess” by someone who is trying to second-guess what the publisher has released.

Imagine a security system that attempts to patch the wrong product, or that reports a different version, edition or service pack for a product – could you trust that your approach to defense in depth was done properly?  No.  The same is true for software asset management (SAM) and any other IT tool that requires discovery data.

The vendors below are working with TagVault.org to make IT management easier, faster and less expensive for their user community.  Anyone who may be looking for a SAM or discovery tool would benefit from working with the organizations listed below!


  • Eracent
  • Gothaer Systems GmbH
  • Hewlett Packard Corporation
  • IBM Corporation
  • iQuate
  • Microsoft
  • Scalable Software, Inc.
  • OpenIT
  • Symantec

Scalable Software

Scalable Software, Inc.

Overview of Company and Product

Scalable Software, founded in 2008, provides a unified, customizable product set that aggregates information from a variety of sources to present a coherent view of an organization's investment in IT, including actionable intelligence, supported by industry expertise, to optimize that investment.

Hundreds of enterprise-class organizations worldwide rely on Scalable Software to optimize IT expenditure. Our customers’ changing needs inspire and challenge us; our employees’ and partners’ agility in meeting those needs is unparalleled.

Category of Software Supporting SWID Tags

Software Tools that create, manage and use SWID Tags

  • Inventory and discovery tools


Product Name:  Asset Vision

URL:  http://www.scalable.com/it-asset-management-products/asset-vision/

Systems Supported

Server Operating Systems

  • Windows
  • OS X
  • Linux
  • ESX
  • AIX
  • Solaris
  • HP-UX

Databases Supported

  • SQL Server
  • Oracle

Client Operating Systems

  • iOS
  • Windows
  • OS X
  • Linux

High Level Overview of Product

Asset Vision is purpose-built to help customers meet the cost optimization challenges of next-generation IT asset management, which stretch from mobile devices to the Cloud. Asset Vision is a tightly integrated, modular SaaS product suite, with integrated Business Intelligence capability, which focuses on measurable outcomes.  Information is enriched with data elements such as location data and end-of-life dates, and backed by a team of Scalable data researchers who ensure unprecedented data quality.

Asset Vision® Registry™ is designed to be the single source of truth for IT Assets. Integrate data from common sources of information such as SCCM, AD and ILMT and Asset Vision’s own integrated, class-leading discovery capabilities. Easily correlate the discovered information with imported procurement data such as Warranties, and Invoices.

Asset Vision® License Manager™ enables IT to prepare an accurate picture of license compliance.  Asset Vision License Manager maintains license information imported from many sources. An upgrade-processing engine ensures all entitlements and use rights are correctly captured, so that the maximum license position is used as the basis of license allocation and compliance reporting.

Asset Vision® – Optimize™ is the ultimate in software usage metering technology. It offers forensic-level usage analysis of traditional and virtual applications, virtual desktops, web/SaaS applications, and high-value server resources such as Oracle and SQL Server databases. Asset Vision Optimize can dramatically drive down IT costs by rapidly identifying those hardware and software assets that can be reconfigured, recycled, or retired.

US Government Security Automation Conference Update

A number of US Government agencies held a security automation conference in August to work through a variety of issues that are limiting the ability of agencies to track and compare how well they are handling security issues.  The minutes from this meeting, though long, are worth a read as they detail quite a few areas where SWID tags will help support security automation efforts.  Download the minutes and have a read.