| draft-ietf-sacm-terminology-11.txt | draft-ietf-sacm-terminology-12.txt | |||
|---|---|---|---|---|
| SACM Working Group H. Birkholz | SACM Working Group H. Birkholz | |||
| Internet-Draft Fraunhofer SIT | Internet-Draft Fraunhofer SIT | |||
| Intended status: Informational J. Lu | Intended status: Informational J. Lu | |||
| Expires: March 16, 2017 Oracle Corporation | Expires: September 14, 2017 Oracle Corporation | |||
| J. Strassner | J. Strassner | |||
| Huawei Technologies | Huawei Technologies | |||
| N. Cam-Winget | N. Cam-Winget | |||
| Cisco Systems | Cisco Systems | |||
| September 12, 2016 | March 13, 2017 | |||
| Secure Automation and Continuous Monitoring (SACM) Terminology | Security Automation and Continuous Monitoring (SACM) Terminology | |||
| draft-ietf-sacm-terminology-11 | draft-ietf-sacm-terminology-12 | |||
| Abstract | Abstract | |||
| This memo documents terminology used in the documents produced by | This memo documents terminology used in the documents produced by | |||
| SACM (Security Automation and Continuous Monitoring). | SACM (Security Automation and Continuous Monitoring). | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 16, 2017. | This Internet-Draft will expire on September 14, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2 | 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 6. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 22 | 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 8. Informative References . . . . . . . . . . . . . . . . . . . 23 | 8. Informative References . . . . . . . . . . . . . . . . . . . 25 | |||
| Appendix A. The Attic . . . . . . . . . . . . . . . . . . . . . 24 | Appendix A. The Attic . . . . . . . . . . . . . . . . . . . . . 26 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 1. Introduction | 1. Introduction | |||
| Our goal with this document is to improve our agreement on the | Our goal with this document is to improve our agreement on the | |||
| terminology used in documents produced by the IETF Working Group for | terminology used in documents produced by the IETF Working Group for | |||
| Security Automation and Continuous Monitoring. Agreeing on | Security Automation and Continuous Monitoring. Agreeing on | |||
| terminology should help reach consensus on which problems we're | terminology should help reach consensus on which problems we're | |||
| trying to solve, and propose solutions and decide which ones to use. | trying to solve, and propose solutions and decide which ones to use. | |||
| 2. Terms and Definitions | 2. Terms and Definitions | |||
| This section describes terms that have been defined by other RFC's | This section describes terms that have been defined by other RFC's | |||
| and defines new ones. The predefined terms will reference the RFC | and defines new ones. The predefined terms will reference the RFC | |||
| and where appropriate will be annotated with the specific context by | and where appropriate will be annotated with the specific context by | |||
| which the term is used in SACM. | which the term is used in SACM. | |||
| Assertion: Defined by the ITU in [X.1252] as "a statement made by an | Assertion: Defined by the ITU in [X.1252] as "a statement made by an | |||
| entity without accompanying evidence of its validity". In the | entity without accompanying evidence of its validity". In the | |||
| context of SACM, an assertion is a collection result that includes | context of SACM, an assertion is the output of a SACM component in | |||
| metadata about the data source (and optionally a timestamp | the form of a statement (including metadata about the data source | |||
| indicating the point in time the assertion was created at). The | and data origin, e.g. time stamps). While the validity of an | |||
| validity of an assertion cannot be verified. | assertion cannot be verified without, for example, an additional | |||
| attestation protocol, an assertion (and therfore a statement, | ||||
| respectivly) can be accompanied by evidence of the validity of its | ||||
| metadata provided by a SACM component. | ||||
| Assessment: Defined in [RFC5209] as "the process of collecting | Assessment: Defined in [RFC5209] as "the process of collecting | |||
| posture for a set of capabilities on the endpoint (e.g., host- | posture for a set of capabilities on the endpoint (e.g., host- | |||
| based firewall) such that the appropriate validators may evaluate | based firewall) such that the appropriate validators may evaluate | |||
| the posture against compliance policy." | the posture against compliance policy." | |||
| Assessment is a specifc workflow that incorporates the SACM tasks | An assessment is a specifc workflow that incorporates the SACM | |||
| discovery, collection and evaluation. A prominent instance of the | tasks discovery, collection and evaluation. A prominent instance | |||
| assessment workflow is illustrated in the Vulnerability | of the assessment workflow is illustrated in the Vulnerability | |||
| Assessement Scenario [I-D.ietf-sacm-vuln-scenario] | Assessement Scenario [I-D.ietf-sacm-vuln-scenario]. | |||
| Asset: Defined in [RFC4949] as "a system resource that is (a) | Asset: Defined in [RFC4949] as "a system resource that is (a) | |||
| required to be protected by an information system's security | required to be protected by an information system's security | |||
| policy, (b) intended to be protected by a countermeasure, or (c) | policy, (b) intended to be protected by a countermeasure, or (c) | |||
| required for a system's mission". In the scope of SACM, an asset | required for a system's mission". In the scope of SACM, an asset | |||
| can be composed of other assets. Examples of Assets include: | can be composed of other assets. Examples of Assets include: | |||
| Endpoints, Software, Guidance, or X.509 public key certificates. | Endpoints, Software, Guidance, or X.509 public key certificates. | |||
| An asset is not necessarily owned by an organization. | An asset is not necessarily owned by an organization. | |||
| Asset Management: The process by which assets are provisioned, | Asset Management: The process by which assets are provisioned, | |||
| updated, maintained and deprecated. | updated, maintained and deprecated. | |||
| Attribute: TODO, Update definition. Defined in [RFC5209] as "data | Attribute: Defined in [RFC5209] as "data element including any | |||
| element including any requisite meta-data describing an observed, | requisite meta-data describing an observed, expected, or the | |||
| expected, or the operational status of an endpoint feature (e.g., | operational status of an endpoint feature (e.g., anti-virus | |||
| anti-virus software is currently in use)." If not indicated | software is currently in use)." In the context of SACM, | |||
| otherwise, attributes in SACM are represented and processed as | attributes are "atomic" information elements and an equivalent to | |||
| attribute value pairs. | attribute-value-pairs. Attributes can be components of Subjects. | |||
| Authentication: Defined in [RFC4949] as "the process of verifying a | Authentication: Defined in [RFC4949] as "the process of verifying a | |||
| claim that a system entity or system resource has a certain | claim that a system entity or system resource has a certain | |||
| attribute value." | attribute value." | |||
| Authorization: Defined in [RFC4949] as "an approval that is granted | Authorization: Defined in [RFC4949] as "an approval that is granted | |||
| to a system entity to access a system resource." | to a system entity to access a system resource." | |||
| Broker: A broker is a specific controller type that contains control | Broker: A broker is a specific controller type that contains control | |||
| plane functions to provide and/or connect services on behalf of | plane functions to provide and/or connect services on behalf of | |||
| skipping to change at page 5, line 13 ¶ | skipping to change at page 5, line 16 ¶ | |||
| discovered by other SACM components. | discovered by other SACM components. | |||
| A collector can be distributed across multiple endpoints, e.g. | A collector can be distributed across multiple endpoints, e.g. | |||
| across a target endpoint and a SACM component. The separate parts | across a target endpoint and a SACM component. The separate parts | |||
| of the collector can communicate with a specialized protocol, such | of the collector can communicate with a specialized protocol, such | |||
| as PA-TNC [RFC5792]. At least one part of a distributed collector | as PA-TNC [RFC5792]. At least one part of a distributed collector | |||
| has to take on the role of a provider of information by providing | has to take on the role of a provider of information by providing | |||
| SACM interfaces to propagate capabilities and to provide SACM | SACM interfaces to propagate capabilities and to provide SACM | |||
| content in the form of collection results. | content in the form of collection results. | |||
| Configuration Drift: The discrepancy of endpoint attributes | Configuration: A non-volatile subset of the endpoint attributes of a | |||
| representing the actual composition of a target endpoint (is- | (target) endpoint that is intended to be uneffected by a normal | |||
| state) and its intended composition (should-state) in the scope of | reboot-cylce. Configuration is a type of imperative guidance that | |||
| a valid target endpoint composition (could-state) due to | is stored in files (files dedicated to contain configuration and/ | |||
| continuous alteration of a target endpoint's composition over | or files that are software components), directly on block devices, | |||
| or on specific hardware components that can be accessed via | ||||
| corresponding software components. Modification of configuration | ||||
| can be conducted manually or automatically via management (plane) | ||||
| interfaces that support management protocols, such as SNMP or WMI. | ||||
| A change of configuration can occur during both run-time and down- | ||||
| time of an endpoint. It is common practive to scheduled a change | ||||
| of configuration during or directly after the completion of a | ||||
| boot-cycle via corresponding software components located on the | ||||
| target endpoint itself. | ||||
| Exmaples: The static association of an IP address and a MAC | ||||
| address in a DHCP server configuration, a directory-path that | ||||
| identifies a log-file directory, a registry entry. | ||||
| Configuration Drift: The discrepancy of a target endpoint's endpoint | ||||
| attributes representing the actual composition of a target | ||||
| endpoint (is-state) and its intended composition (should-state) in | ||||
| the scope of a valid target endpoint composition (could-state) due | ||||
| to continuous alteration of a target endpoint's composition over | ||||
| time. Configuration drift exists for both hardware components and | time. Configuration drift exists for both hardware components and | |||
| software components. Typically, the frequency and scale of | software components. Typically, the frequency and scale of | |||
| configuration drift of software components is significantly higher | configuration drift of software components is significantly higher | |||
| than the configuration drift of hardware components. | than the configuration drift of hardware components. | |||
| Consumer: A consumer is a SACM role that is assigned to a SACM | Consumer: A consumer is a SACM role that is assigned to a SACM | |||
| component that contains functions to receive information from | component that contains functions to receive information from | |||
| other SACM components. | other SACM components. | |||
| Content Element: Content elements constitute the payload data | Content Element: Content elements constitute the payload data (SACM | |||
| (content) transfered via statement Subjects emitted by providers | content) transfered via statement Subjects emitted by providers of | |||
| of information. Every content element Subject includes a specific | information. Every content element Subject includes a specific | |||
| content Subject and a corresponding content metadata Subject. | content Subject and a corresponding content metadata Subject. | |||
| Content Metadata: Data about content Subjects. Every content- | Content Metadata: Data about content Subjects. Every content- | |||
| element includes a content metadata Subject. The Subject can | element includes a content metadata Subject. The Subject can | |||
| include any information element that can annotate the content | include any information element that can annotate the content | |||
| transefered. Examples include time stamps or data provenance | transefered. Examples include time stamps or data provenance | |||
| Subjects. | Subjects. | |||
| Control Plane: Typically used as a term in the context of routing, | Control Plane: Typically used as a term in the context of routing, | |||
| e.g. [RFC6192]. In the context of SACM, the control plane is an | e.g. [RFC6192]. In the context of SACM, the control plane is an | |||
| architectural component providing common control functions to all | architectural component providing common control functions to all | |||
| SACM components, including authentication, authorization, | SACM components, including authentication, authorization, | |||
| capability discovery or negotiation, and registration. The | (capability) discovery or negotiation, registration and | |||
| control plane orchestrates the flow on the data plane according to | subscription. The control plane orchestrates the flow on the data | |||
| guidance received via the management plane. SACM components with | plane according to imperative guidance (i.e. configuration) | |||
| received via the management plane. SACM components with | ||||
| interfaces to the control plane have knowledge of the capabilities | interfaces to the control plane have knowledge of the capabilities | |||
| of other SACM components within a SACM domain. | of other SACM components within a SACM domain. | |||
| Controller: A controller is a SACM role that is assigned to a SACM | Controller: A controller is a SACM role that is assigned to a SACM | |||
| component containing control plane functions that manage and | component containing control plane functions that manage and | |||
| facilitate information sharing or execute on security functions. | facilitate information sharing or execute on security functions. | |||
| There are three types of SACM controllers: Broker, Proxy, and | There are three types of SACM controllers: Broker, Proxy, and | |||
| Repository. Depending on its type, a controller can also contain | Repository. Depending on its type, a controller can also contain | |||
| functions that have interfaces on the data plane. | functions that have interfaces on the data plane. | |||
| Data Confidentiality: Defined in [RFC4949] as "the property that | Data Confidentiality: Defined in [RFC4949] as "the property that | |||
| data is not disclosed to system entities unless they have been | data is not disclosed to system entities unless they have been | |||
| authorized to know the data." | authorized to know the data." | |||
| Data In Motion: Data that is being transported via a network; also | Data In Motion: Data that is being transported via a network; also | |||
| referred to as Data in transit. Data in motion requires a data | referred to as "Data in Transit" or "Data in Flight". Data in | |||
| model to encode the data to be transferred. Typically, data in | motion requires a data model to transfer the data using a specific | |||
| motion is serialized (marshalling) into a transport encoding by a | encoding. Typically, data in motion is serialized (marshalling) | |||
| provider of information and deserialized (unmarshalling) by a | into a transport encoding by a provider of information and | |||
| consumer of information. | deserialized (unmarshalling) by a consumer of information. The | |||
| termination points of provider of information and consumer of | ||||
| information data is transferred between are interfaces. In regard | ||||
| to data in motion, the interpretation of the roles consumer of | ||||
| information and provider of information depends on the | ||||
| corresponding OSI layer (e.g. on layer2: between interfaces | ||||
| connected to a broadcast domain, on layer4: between interfaces | ||||
| that maintain a TCP connection). In the context of SACM, consumer | ||||
| of information and provider of information are SACM components. | ||||
| SACM architecture and corresponding models focus on data in | The SACM architecture and corresponding models focus on data in | |||
| motion. | motion. | |||
| Data At Rest: Data that is stored in a repository. Data at rest | Data At Rest: Data that is stored in a repository. Data at rest | |||
| requires a data model to encode the data to be stored. In the | requires a data model to encode the data to be stored. In the | |||
| context of SACM, data at rest located on a SACM component can be | context of SACM, data at rest located on a SACM component can be | |||
| provided to other SACM components via discoverable capabilities. | provided to other SACM components via discoverable capabilities. | |||
| In the context of SACM, data models for data at rest are out of | In the context of SACM, data models for data at rest are out of | |||
| scope. | scope. | |||
| Data Integrity: Defined in [RFC4949] as "the property that data has | Data Integrity: Defined in [RFC4949] as "the property that data has | |||
| not been changed, destroyed, or lost in an unauthorized or | not been changed, destroyed, or lost in an unauthorized or | |||
| accidental manner." | accidental manner." | |||
| Data Origin: One or more properties that enable a SACM component to | Data Origin: One or more properties (i.e. endpoint attributes) that | |||
| identify the SACM component that initially acquired or produced | enable a SACM component to identify the SACM component that | |||
| data about a (target) endpoint (e.g. via collection from a data | initially acquired or produced data about a (target) endpoint | |||
| source). Data Origin is expressed by an endpoint label. | (e.g. via collection from a data source) and made it available to | |||
| a SACM domaini via a SACM statement. Data Origin can be expressed | ||||
| by an endpoint label information element (e.g. to be used as | ||||
| metadata in statement). | ||||
| Data Plane: Typically used as a term in the context of routing (and | Data Plane (fix statement): Typically used as a term in the context | |||
| used as a synonym for forwarding plane, e.g. [RFC6192]). In the | of routing (and used as a synonym for forwarding plane, e.g. | |||
| context of SACM, the data plane is an architectural component | [RFC6192]). In the context of SACM, the data plane is an | |||
| providing operational functions to enable a SACM component to | architectural component providing operational functions to enable | |||
| provide and consume SACM statements and therefore SACM content | a SACM component to provide and consume SACM statements and | |||
| (the "payload"). The data plane is used to conduct distributed | therefore SACM content (the "payload"). The data plane is used to | |||
| SACM tasks by transporting SACM content using transporting | conduct distributed SACM tasks by transporting SACM content using | |||
| encodings and corresponding operations defined by SACM data | transporting encodings and corresponding operations defined by | |||
| models. | SACM data models. | |||
| Data Provenance: A historical record of the sources, origins and | Data Provenance: A historical record of the sources, origins and | |||
| evolution of data that is influenced by inputs, entities, | evolution of data that is influenced by inputs, entities, | |||
| functions and processes. | functions and processes. In the context of SACM, data provenance | |||
| is expressed as metadata that identifies SACM statements and | ||||
| corresponding content elements a new statement is created from. | ||||
| In a downstream process, this references can cascade, creating a | ||||
| data provenance tree that enables SACM components to trace back | ||||
| the original data sources involved in the creation of SACM | ||||
| statements and take into account their characteristics and | ||||
| trustworthiness. | ||||
| Data Source: One or more properties that enable a SACM component to | Data Source: One or more properties (i.e. endpoint attributes) that | |||
| identify an (target) endpoint that is claimed to be the original | enable a SACM component to identify - and potentially characterize | |||
| source of received data. | - a (target) endpoint that is claimed to be the original source of | |||
| endpoint attributes in a SACM statement. Data Source can be | ||||
| expressed as metadata by an endpoint label information element or | ||||
| a corresponding subject of identifying endpoint attributes. | ||||
| Endpoint: Defined in [RFC5209] as "any computing device that can be | Endpoint: Defined in [RFC5209] as "any computing device that can be | |||
| connected to a network. Such devices normally are associated with | connected to a network. Such devices normally are associated with | |||
| a particular link layer address before joining the network and | a particular link layer address before joining the network and | |||
| potentially an IP address once on the network. This includes: | potentially an IP address once on the network. This includes: | |||
| laptops, desktops, servers, cell phones, or any device that may | laptops, desktops, servers, cell phones, or any device that may | |||
| have an IP address." | have an IP address." | |||
| To further clarify the [RFC5209] definition, an endpoint is any | To further clarify the [RFC5209] definition, an endpoint is any | |||
| physical or virtual device that may have a network address. Note | physical or virtual device that may have a network address. Note | |||
| skipping to change at page 7, line 37 ¶ | skipping to change at page 8, line 33 ¶ | |||
| The SACM architecture differentiates two essential categories of | The SACM architecture differentiates two essential categories of | |||
| endpoints: Endpoints whose security posture is intended to be | endpoints: Endpoints whose security posture is intended to be | |||
| assessed (target endpoints) and endpoints that are specifically | assessed (target endpoints) and endpoints that are specifically | |||
| excluded from endpoint posture assessment (excluded endpoints). | excluded from endpoint posture assessment (excluded endpoints). | |||
| Based on the definition of an asset, an endpoint is a type of | Based on the definition of an asset, an endpoint is a type of | |||
| asset. | asset. | |||
| Endpoint Attribute: In the context of SACM, endpoint attributes are | Endpoint Attribute: In the context of SACM, endpoint attributes are | |||
| information elements that describe a characteristic of a target | information elements that describe an endpoint characteristic of a | |||
| endpoint. Endpoint Attributes typically constitute Attributes | target endpoint. Endpoint Attributes typically constitute | |||
| that can be bundled into Subject (e.g. information about a | Attributes that can be bundled into Subject (e.g. information | |||
| specific network interface can be represented via a set of | about a specific network interface can be represented via a set of | |||
| multiple AVP). | multiple AVP). | |||
| Endpoint Characteristic: The state, configuration and composition an | ||||
| endpoint is in, including observerable behavior, e.g. sys-calls, | ||||
| log-files, or PDU emission on a network. | ||||
| Endpoint Characterization: The task by which a profile is composed | Endpoint Characterization: The task by which a profile is composed | |||
| out of endpoint attributes that describe the desired or expected | out of endpoint attributes that describe the desired or expected | |||
| posture of a type or class of target endpoints or even an | posture of a type or class of target endpoints or even an | |||
| individual target endpoint. The result of this task is an | individual target endpoint. The result of this task is an | |||
| endpoint profile that is required as guidance for the tasks of | endpoint profile that is required as declarative guidance for the | |||
| endpoint classification or posture assessment. | tasks of endpoint classification or posture assessment. | |||
| Endpoint Classification: The task by which a discovered target | Endpoint Classification: The task by which a discovered target | |||
| endpoint is classified. Endpoint classification requires guidance | endpoint is classified. Endpoint classification requires | |||
| in the form of an endpoint profile, discovery results and | declarative guidance in the form of an endpoint profile, discovery | |||
| potentially collection results. Types, classes or the | results and potentially collection results. Types, classes or the | |||
| characteristics of an individual target endpoint are defined via | characteristics of an individual target endpoint are defined via | |||
| endpoint profiles. | endpoint profiles. | |||
| Endpoint Label: In a SACM domain, every endpoint can be identified | Endpoint Label: In a SACM domain, every endpoint can be identified | |||
| by an endpoint label. There are two prominent uses of endpoint | by an endpoint label. There are two prominent uses of endpoint | |||
| labels in a SACM domain: to identify SACM components and to | labels in a SACM domain: to identify SACM components and to | |||
| identify Target Endpoints. Both endpoint labels can be used in | identify Target Endpoints. Both endpoint labels can be used in | |||
| SACM content or in content metadata: | SACM content or in content metadata: | |||
| SACM Components are identified by: SACM component label / Data | SACM Components are identified by: SACM component label / Data | |||
| skipping to change at page 8, line 35 ¶ | skipping to change at page 9, line 35 ¶ | |||
| Endpoint Management Capabilities: An enterprise IT department's | Endpoint Management Capabilities: An enterprise IT department's | |||
| ability to manage endpoint identity, endpoint information, and | ability to manage endpoint identity, endpoint information, and | |||
| associated metadata on an ongoing basis. | associated metadata on an ongoing basis. | |||
| Evaluation Task: The task by which endpoint attributes are | Evaluation Task: The task by which endpoint attributes are | |||
| evaluated. | evaluated. | |||
| Evaluation Result: The resulting value from having evaluated a set | Evaluation Result: The resulting value from having evaluated a set | |||
| of posture attributes. | of posture attributes. | |||
| Event: The change of a target endpoint characteristics at a specific | ||||
| point in time. In the context of SACM, an event is a statement | ||||
| (and therefore data in motion) that includes the new target | ||||
| endpoint characteristics and optional also the past ones, | ||||
| annotated with corresponding metedata (most prominently, the | ||||
| collection time of the data that constitutes the observation of | ||||
| the event regarding te target endpoint). | ||||
| Excluded Endpoint: A specific designation, which is assigned to an | Excluded Endpoint: A specific designation, which is assigned to an | |||
| endpoint that is not supposed to be the subject of a collection | endpoint that is not supposed to be the subject of a collection | |||
| task (and therefore is not a target endpoint). Typically but not | task (and therefore is not a target endpoint). Typically but not | |||
| necessarily, endpoints that contain a SACM component (and are | necessarily, endpoints that contain a SACM component (and are | |||
| therefore part of the SACM domain) are designated as excluded | therefore part of the SACM domain) are designated as excluded | |||
| endpoints. Target endpoints that contain a SACM component cannot | endpoints. Target endpoints that contain a SACM component cannot | |||
| be designated as excluded endpoints and are part of the SACM | be designated as excluded endpoints and are part of the SACM | |||
| domain. | domain. | |||
| Expected Endpoint State: The required state of an endpoint that is | Expected Endpoint State: The required state of an endpoint that is | |||
| to be compared against. Sets of expected endpoint states are | to be compared against. Sets of expected endpoint states are | |||
| transported as guidance in target endpoint profiles via the | transported as declarative guidance in target endpoint profiles | |||
| management plane. This, for example, can be a policy, but also a | via the management plane. This, for example, can be a policy, but | |||
| recorded past state. An expected state is represented can be | also a recorded past state. An expected state is represented can | |||
| represented via an Attribute or an Subject that represents a set | be represented via an Attribute or an Subject that represents a | |||
| of multiple attribute value pairs. | set of multiple attribute value pairs. | |||
| SACM Function: A behavioral aspect or capacity of a particular SACM | SACM Function: A behavioral aspect or capacity of a particular SACM | |||
| component, which belies that SACM component's purpose. For | component, which belies that SACM component's purpose. For | |||
| example, a SACM function with interfaces on the control plane can | example, a SACM function with interfaces on the control plane can | |||
| provide a brokering function to other SACM components. Via data | provide a brokering function to other SACM components. Via data | |||
| plane interfaces, a function can act as a provider and/or as a | plane interfaces, a function can act as a provider and/or as a | |||
| consumer of information. SACM functions can be propagated as the | consumer of information. SACM functions can be propagated as the | |||
| capabilities of a SACM component and can be discovered by or | capabilities of a SACM component and can be discovered by or | |||
| negotiated with other SACM components. | negotiated with other SACM components. | |||
| Guidance: Input instructions to processes and tasks, such as | Guidance: Input instructions to processes, such as automated device | |||
| collection, evaluation or remediation. Guidance influences the | management or remediation, and SACM tasks, such as collection or | |||
| behavior of a SACM component and is considered content of the | evaluation. Guidance influences the behavior of a SACM component | |||
| management plane. In the context of SACM, guidance is machine- | and is considered content of the management plane. In the context | |||
| readable and can be manually or automatically generated or | of SACM, guidance is machine-readable and can be manually or | |||
| provided. Typically, the tasks that provide guidance to SACM | automatically generated or provided. Typically, the tasks that | |||
| components have a low-frequency and tend to be be sporadic. | provide guidance to SACM components have a low-frequency and tend | |||
| to be be sporadic. | ||||
| There are two types of guidance: | There are two types of guidance: | |||
| Declarative Guidance: defines the configuration or state an | Declarative Guidance: defines the configuration or state an | |||
| endpoint is supposed to be in--without providing specific actions | endpoint is supposed to be in--without providing specific actions | |||
| or methods to produce that desired state. Examples include Target | or methods to produce that desired state. Examples include Target | |||
| Endpoint Profiles or network topology based requirements. | Endpoint Profiles or network topology based requirements. | |||
| Imperative Guidance: prescribes specific actions to be conducted | Imperative Guidance: prescribes specific actions to be conducted | |||
| or methods to be used in order to achieve an outcome. Examples | or methods to be used in order to achieve an outcome. Examples | |||
| skipping to change at page 10, line 7 ¶ | skipping to change at page 11, line 17 ¶ | |||
| Hardware Inventory: The list of hardware components that compose a | Hardware Inventory: The list of hardware components that compose a | |||
| specific endpoint representing its hardware configuration. | specific endpoint representing its hardware configuration. | |||
| Hardware Type: Hardware types define specific and distinguishable | Hardware Type: Hardware types define specific and distinguishable | |||
| categories of hardware components that can be part of endpoints, | categories of hardware components that can be part of endpoints, | |||
| e.g. CPU or 802.11p interface. Typically, hardware types can be | e.g. CPU or 802.11p interface. Typically, hardware types can be | |||
| distinguished by their vendor assigned names, names of standards | distinguished by their vendor assigned names, names of standards | |||
| used, or a model name. | used, or a model name. | |||
| Information Element: | Information Element: A representation of information about physical | |||
| and virtual "objects of interests". Information elements are the | ||||
| A representation of information about physical and virtual "objects | building blocks that constitute the SACM information model. In | |||
| of interests". Information elements are the building blocks that | the context of SACM, an information element that expresses a | |||
| constitute the SACM information model. In the context of SACM, an | single value with a specific name is referred to as an Attribute | |||
| information element that expresses a single value with a specific | (analogous to an attribute-value-pair). A set of attributes that | |||
| name is referred to as an Attribute (analogous to an attribute-value- | is bundled into a more complex composite information element is | |||
| pair). A set of attributes that is bundled into a more complex | referred to as a Subject. Every information element in the SACM | |||
| composite information element is referred to as a Subject. Every | information model has a unique name. Endpoint attributes or time | |||
| information element in the SACM information model has a unique name. | stamps, for example, are represented as information elements in | |||
| Endpoint attributes or time stamps, for example, are represented as | the SACM information model. | |||
| information elements in the SACM information model. | ||||
| Information Model: An information model is an abstract | Information Model: An information model is an abstract | |||
| representation of data, their properties, relationships between | representation of data, their properties, relationships between | |||
| data and the operations that can be performed on the data. While | data and the operations that can be performed on the data. While | |||
| there is some overlap with a data model, [RFC3444] distinguishes | there is some overlap with a data model, [RFC3444] distinguishes | |||
| an information model as being protocol and implementation neutral | an information model as being protocol and implementation neutral | |||
| whereas a data model would provide such details. The purpose of | whereas a data model would provide such details. The purpose of | |||
| the SACM information model is to ensure interoperability between | the SACM information model is to ensure interoperability between | |||
| SACM data models (that are used as transport encoding) and to | SACM data models (that are used as transport encoding) and to | |||
| provide a standardized set of information elements for | provide a standardized set of information elements for | |||
| communication between SACM components. | communication between SACM components. | |||
| Interaction Model: For now this is a Place-Holder. Is an | Interaction Model: The definition of specific sequences regarding | |||
| interaction model that defines, for example, the operations on the | the exchange of messages (data in motion), including, for exmaple, | |||
| control plane, such as registration or SACM component discovery, | conditional branching, thresholds and timers. An interaction | |||
| required? | model, for example, can be used to define operations, such as | |||
| registration or discovery, on the control plane. A composition of | ||||
| data models for data in motion and a corresponding interaction | ||||
| model is a protocol. | ||||
| Internal Collector: Internal Collector: a collector that runs on a | Internal Collector: Internal Collector: a collector that runs on a | |||
| target endpoint to acquire information from that target endpoint. | target endpoint to acquire information from that target endpoint. | |||
| (TBD: An internal collector is not a SACM component and therefore | (TBD: An internal collector is not a SACM component and therefore | |||
| not part of a SACM domain). | not part of a SACM domain). | |||
| Management Plane: An architectural component providing common | Management Plane: An architectural component providing common | |||
| functions to steer the behavior of SACM components, e.g. its | functions to steer the behavior of SACM components, e.g. its | |||
| behavior on the control plane. Prominent examples include: | behavior on the control plane. Prominent examples include: | |||
| modification of the configuration of a SACM component or updating | modification of the configuration of a SACM component or updating | |||
| skipping to change at page 13, line 30 ¶ | skipping to change at page 14, line 41 ¶ | |||
| components according to their capabilities or roles on reques. | components according to their capabilities or roles on reques. | |||
| Input: Query | Input: Query | |||
| Output: a list of SACM components including metadata | Output: a list of SACM components including metadata | |||
| SACM Component Label: A specific endpoint label that is used to | SACM Component Label: A specific endpoint label that is used to | |||
| identify a SACM component. In content-metadata, this label is | identify a SACM component. In content-metadata, this label is | |||
| called data origin. | called data origin. | |||
| SACM Content: The payload provided by SACM components to the SACM | ||||
| domain on the data plane. SACM content includes the SACM data | ||||
| models. | ||||
| SACM Domain: Endpoints that include a SACM component compose a SACM | SACM Domain: Endpoints that include a SACM component compose a SACM | |||
| domain. (To be revised, additional definition content TBD, | domain. (To be revised, additional definition content TBD, | |||
| possible dependencies to SACM architecture) | possible dependencies to SACM architecture) | |||
| SACM Interface: An interface is defined in | SACM Interface: An interface is defined in | |||
| [I-D.ietf-i2nsf-terminology] as "A set of operations one object | [I-D.ietf-i2nsf-terminology] as "A set of operations one object | |||
| knows it can invoke on, and expose to, another object. This | knows it can invoke on, and expose to, another object. This | |||
| decouples the implementation of the operation from its | decouples the implementation of the operation from its | |||
| specification. An interface is a subset of all operations that a | specification. An interface is a subset of all operations that a | |||
| given object implements. The same object may have multiple types | given object implements. The same object may have multiple types | |||
| skipping to change at page 14, line 38 ¶ | skipping to change at page 16, line 5 ¶ | |||
| including a unique serial number if present (e.g. a text editor | including a unique serial number if present (e.g. a text editor | |||
| associated with a unique license key). | associated with a unique license key). | |||
| Software Instance: A running instance of the software component | Software Instance: A running instance of the software component | |||
| (e.g. on a multi-user system, one logged-in user has one instance | (e.g. on a multi-user system, one logged-in user has one instance | |||
| of a text editor running and another logged-in user has another | of a text editor running and another logged-in user has another | |||
| instance of the same text editor running, or on a single-user | instance of the same text editor running, or on a single-user | |||
| system, a user could have multiple independent instances of the | system, a user could have multiple independent instances of the | |||
| same text editor running). | same text editor running). | |||
| Statement: An output of a provider, e.g. a report or an assertion | State: A volatile subset endpoint attributes of a (target) endpoint | |||
| about a collection result, that includes content-elements and | that is affected by a reboot-cycle. Local state is created by the | |||
| statement-metadata (e.g. data origin or the point in time at which | interaction of components with other components via the control | |||
| the statement was created). A statement can be accompanied by | plane, via processing data plane payload, or via the functional | |||
| evidence of the validity of its metadata. | properties of local hardware and software components. Dynamic | |||
| configuration (e.g. IP address distributed dynamically via an | ||||
| address distribution and management services, such as DHCP) is | ||||
| considered state that is the result of the interaction with | ||||
| another component that provides configuration via the control | ||||
| plane (e.g. provided by a DHCP server with a specific | ||||
| configuration). | ||||
| The structure of statements is defined in the SACM information | Exmaples: The static association of an IP address and a MAC | |||
| address in a DHCP server configuration, a directory-path that | ||||
| identifies a log-file directory, a registry entry. | ||||
| Statement: A statement is a subject defined in the SACM information | ||||
| model. | model. | |||
| Subject: TODO, incorporate definition from SACM IM | When a statement is used to provide content to a SACM domain, it | |||
| is a top-level subject that bundles Content Elements into one | ||||
| subject and includes metadata about the data origin. | ||||
| Supplicant: The entity seeking to be authenticated by the Management | Subject: A composite information element. Like Attributes, subjects | |||
| Plane for the purpose of participating in the SACM architecture. | have a name and are composed of attributes and/or other subjects. | |||
| Every IE that is part of a subject can have a quantitiy associated | ||||
| with it (e.g. zero-one, none-unbounded). The content IE of a | ||||
| subject can be an unordered or an ordered list. | ||||
| Supplicant: A SACM component seeking to be authenticated via the | ||||
| control plane for the purpose of participating in a SACM domain. | ||||
| System Resource: Defined in [RFC4949] as "data contained in an | System Resource: Defined in [RFC4949] as "data contained in an | |||
| information system; or a service provided by a system; or a system | information system; or a service provided by a system; or a system | |||
| capacity, such as processing power or communication bandwidth; or | capacity, such as processing power or communication bandwidth; or | |||
| an item of system equipment (i.e., hardware, firmware, software, | an item of system equipment (i.e., hardware, firmware, software, | |||
| or documentation); or a facility that houses system operations and | or documentation); or a facility that houses system operations and | |||
| equipment. | equipment. | |||
| Target Endpoint: A target endpoint is an "endpoint under assessment" | Target Endpoint: A target endpoint is an "endpoint under assessment" | |||
| (even if it is not actively under assessment at all times) or | (even if it is not actively under assessment at all times) or | |||
| skipping to change at page 16, line 20 ¶ | skipping to change at page 18, line 7 ¶ | |||
| merging the corresponding records as new or more refined endpoint | merging the corresponding records as new or more refined endpoint | |||
| attributes become available. | attributes become available. | |||
| Input: discovered target endpoint attributes, endpoint attribute | Input: discovered target endpoint attributes, endpoint attribute | |||
| collection, existing characterization records | collection, existing characterization records | |||
| Output: target endpoint characterization records | Output: target endpoint characterization records | |||
| Target Endpoint Classification Task: The task of associating a class | Target Endpoint Classification Task: The task of associating a class | |||
| from an extensible list of classes with an endpoint | from an extensible list of classes with an endpoint | |||
| characterization record. TE classes function as guidance for | characterization record. TE classes function as imperative and | |||
| collection, evaluation, remediation and security posture | declarative guidance for collection, evaluation, remediation and | |||
| assessment in general. | security posture assessment in general. | |||
| Input: endpoint characterization records (without classification), | Input: endpoint characterization records (without classification), | |||
| guidance (how to classify a record) | guidance (how to classify a record) | |||
| Output: endpoint characterization records (with classification) | Output: endpoint characterization records (with classification) | |||
| Target Endpoint Discovery Task: The ongoing task of detecting | Target Endpoint Discovery Task: The ongoing task of detecting | |||
| previously unknown interaction of a potential target endpoint in | previously unknown interaction of a potential target endpoint in | |||
| the SACM domain. TE Discovery is not directly targeted at a | the SACM domain. TE Discovery is not directly targeted at a | |||
| specific target endpoint and therefore an un-targeted task. SACM | specific target endpoint and therefore an un-targeted task. SACM | |||
| skipping to change at page 18, line 38 ¶ | skipping to change at page 20, line 24 ¶ | |||
| of endpoints is vulnerable according to the information contained | of endpoints is vulnerable according to the information contained | |||
| in the vulnerability description information. | in the vulnerability description information. | |||
| Vulnerability Description Information: Information pertaining to the | Vulnerability Description Information: Information pertaining to the | |||
| existence of a flaw or flaws in software, hardware, and/or | existence of a flaw or flaws in software, hardware, and/or | |||
| firmware, which could potentially have an adverse impact on | firmware, which could potentially have an adverse impact on | |||
| enterprise IT functionality and/or security. Vulnerability | enterprise IT functionality and/or security. Vulnerability | |||
| description information should contain enough information to | description information should contain enough information to | |||
| support vulnerability detection. | support vulnerability detection. | |||
| Vulnerability Detection Data: A type of guidance extracted or | Vulnerability Detection Data: A type of imperative guidance | |||
| derived from vulnerability description information that describes | extracted or derived from vulnerability description information | |||
| the specific mechanisms of vulnerability detection that is used by | that describes the specific mechanisms of vulnerability detection | |||
| an enterprise's vulnerability management capabilities to determine | that is used by an enterprise's vulnerability management | |||
| if a vulnerability is present on an endpoint. | capabilities to determine if a vulnerability is present on an | |||
| endpoint. | ||||
| Vulnerability Management Capabilities: An enterprise IT department's | Vulnerability Management Capabilities: An enterprise IT department's | |||
| ability to manage endpoint vulnerabilities and associated metadata | ability to manage endpoint vulnerabilities and associated metadata | |||
| on an ongoing basis by ingesting vulnerability description | on an ongoing basis by ingesting vulnerability description | |||
| information and vulnerability detection data, and performing | information and vulnerability detection data, and performing | |||
| vulnerability assessments. | vulnerability assessments. | |||
| Vulnerability assessment capabilities: An enterprise IT department's | Vulnerability assessment capabilities: An enterprise IT department's | |||
| ability to determine whether a set of endpoints is vulnerable | ability to determine whether a set of endpoints is vulnerable | |||
| according to the information contained in the vulnerability | according to the information contained in the vulnerability | |||
| skipping to change at page 22, line 6 ¶ | skipping to change at page 23, line 47 ¶ | |||
| o Added Configuration Drift, Data in Motion, Data at Rest, Endpoint | o Added Configuration Drift, Data in Motion, Data at Rest, Endpoint | |||
| Management Capability, Hardware Component, Hardware Inventory, | Management Capability, Hardware Component, Hardware Inventory, | |||
| Hardware Type, SACM Interface, Target Endpoint Characterization | Hardware Type, SACM Interface, Target Endpoint Characterization | |||
| Record, Target Endpoint Characterization Task, Target Endpoint | Record, Target Endpoint Characterization Task, Target Endpoint | |||
| Classification Task, Target Endpoint Discovery Task, Vulnerability | Classification Task, Target Endpoint Discovery Task, Vulnerability | |||
| Description Information, Vulnerability Detection Data, | Description Information, Vulnerability Detection Data, | |||
| Vulnerability Management Capability, Vulnerability Assessment | Vulnerability Management Capability, Vulnerability Assessment | |||
| o Added references to i2nsf definitions in Capability, SACM | o Added references to i2nsf definitions in Capability, SACM | |||
| Component, SACM Interface, SACM Role | Component, SACM Interface, SACM Role. | |||
| o Added i2nsf Terminology I-D Reference | o Added i2nsf Terminology I-D Reference. | |||
| o Major Updates to Endpoint, SACM Task, Target Endpoint Identifier | o Major Updates to Endpoint, SACM Task, Target Endpoint Identifier. | |||
| o Minor Updates to Guidance, SACM Component Discovery, Target | o Minor Updates to Guidance, SACM Component Discovery, Target | |||
| Endpoint Label, Target Endpoint Profile | Endpoint Label, Target Endpoint Profile. | |||
| o Relabeled SACM Task | o Relabeled SACM Task | |||
| o Removed Target Endpoint Discovery | o Removed Target Endpoint Discovery | |||
| Changes from version 10 to version 11: | Changes from version 10 to version 11: | |||
| o Added Content Element, Content Metadata, Endpoint Label, | o Added Content Element, Content Metadata, Endpoint Label, | |||
| Information Element, Metadata, SACM Component Label, Workflow | Information Element, Metadata, SACM Component Label, Workflow. | |||
| o Major Updates to Assessment, Capability, Collector, Endpoint | o Major Updates to Assessment, Capability, Collector, Endpoint | |||
| Management Capabilities, Guidance, Vulnerability Assessment | Management Capabilities, Guidance, Vulnerability Assessment | |||
| Capabilities, Vulnerability Detection Data, Vulnerability | Capabilities, Vulnerability Detection Data, Vulnerability | |||
| Assessment Capabilities | Assessment Capabilities. | |||
| o Minor updates to Collection Result, Control Plane, Data in Motion, | o Minor updates to Collection Result, Control Plane, Data in Motion, | |||
| Data at Rest, Data Origin, Network Interface, Statement, Target | Data at Rest, Data Origin, Network Interface, Statement, Target | |||
| Endpoint Label, | Endpoint Label. | |||
| o Relabeled Endpoint Management Capability, Vulnerability Management | o Relabeled Endpoint Management Capability, Vulnerability Management | |||
| Capability, Vulnerability Assessment | Capability, Vulnerability Assessment. | |||
| Changes from verion 11 to version 12: | ||||
| o Added Configuration, Endpoint Characteristic, Event, SACM Content, | ||||
| State, Subject. | ||||
| o Major Updates to Asserition, Data in Motion, Data Provenance, Data | ||||
| Source, Interaction Model. | ||||
| o Minor Updates to Attribute, Control Plane, Data Origin, Data | ||||
| Provenance, Expected Endpoint State, Guidance, Target Endpoint | ||||
| Classification Task, Vulnerability Detection Data. | ||||
| 7. Contributors | 7. Contributors | |||
| David Waltermire | David Waltermire | |||
| National Institute of Standards and Technology | National Institute of Standards and Technology | |||
| 100 Bureau Drive | 100 Bureau Drive | |||
| Gaithersburg, MD 20877 | Gaithersburg, MD 20877 | |||
| USA | USA | |||
| Email: david.waltermire@nist.gov | Email: david.waltermire@nist.gov | |||
| skipping to change at page 24, line 6 ¶ | skipping to change at page 26, line 6 ¶ | |||
| Double Shot Security | Double Shot Security | |||
| 3518 Fremont Avenue North, Suite 363 | 3518 Fremont Avenue North, Suite 363 | |||
| Seattle, WA 98103 | Seattle, WA 98103 | |||
| USA | USA | |||
| Email: merike@doubleshotsecurity.com | Email: merike@doubleshotsecurity.com | |||
| 8. Informative References | 8. Informative References | |||
| [I-D.ietf-i2nsf-terminology] | [I-D.ietf-i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., and L. Xia, | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| "Interface to Network Security Functions (I2NSF) | Birkholz, "Interface to Network Security Functions (I2NSF) | |||
| Terminology", draft-ietf-i2nsf-terminology-01 (work in | Terminology", draft-ietf-i2nsf-terminology-03 (work in | |||
| progress), July 2016. | progress), March 2017. | |||
| [I-D.ietf-sacm-vuln-scenario] | [I-D.ietf-sacm-vuln-scenario] | |||
| Coffin, C., Cheikes, B., Schmidt, C., Haynes, D., | Coffin, C., Cheikes, B., Schmidt, C., Haynes, D., | |||
| Fitzgerald-McKay, J., and D. Waltermire, "SACM | Fitzgerald-McKay, J., and D. Waltermire, "SACM | |||
| Vulnerability Assessment Scenario", draft-ietf-sacm-vuln- | Vulnerability Assessment Scenario", draft-ietf-sacm-vuln- | |||
| scenario-02 (work in progress), September 2016. | scenario-02 (work in progress), September 2016. | |||
| [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between | |||
| Information Models and Data Models", RFC 3444, | Information Models and Data Models", RFC 3444, | |||
| DOI 10.17487/RFC3444, January 2003, | DOI 10.17487/RFC3444, January 2003, | |||
| End of changes. 43 change blocks. | ||||
| 128 lines changed or deleted | 222 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||