At times it seems the endpoint device is the scourge of the network – at least from a security administrator’s viewpoint. Endpoints come in a variety of devices, from a variety of vendors, and by their nature, many of them can come and go almost as they please. In response, network and security administrators attempt to restore order by managing the process by which an endpoint is admitted onto the corporate network.

But with threats to networks becoming more frequent and sophisticated; the corresponding increase in regulations to assure data privacy; and the continual pressure to reduce costs, there is a real need for integrated security beyond endpoint admission control.

The Trusted Computing Group (TCG) provides a blueprint for this integrated security called Trusted Network Connect (TNC). TNC is an open architecture and set of standards for network access control (Compare NAC products). These standards facilitate the creation and enforcement of security requirements for endpoint devices that connect to corporate networks by collecting endpoint configuration data; comparing this data against policies set by the network owner; and providing an appropriate level of network access based on the detected level of policy compliance (along with instructions on how to fix compliance failures). The standards ensure multi-vendor interoperability across a wide variety of endpoints, network technologies, and policies. 

More than likely the endpoint and NAC solutions you have implemented today to access and control your network are based on the TNC protocol/standard. Numerous hardware and software vendors support the standard in their networking products.

On April 28, TCG published extensions to the current TNC standard that address the following problems:

* There are more unmanaged network endpoints than managed endpoints, including, for example, factory automation components, inventory control devices, and RFID-enabled assets.
* There’s a need to manage the entire life-cycle of a network endpoint, not just the admission process.
* It’s hard to manage increasingly complex security solutions.

The TNC extension is called IF-MAP (Interface for Metadata Access Point). With IF-MAP, various devices can be integrated into the network infrastructure, enabling real-time monitoring of the security status of an endpoint by a network operator. By doing so, the management of security risk can move from point security to a holistic approach, as well as from passive protection to active protection.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.