Industry Coalition Develops S-CAP for VoIP

July 15, 2009 by ADMIN

From The Internet Security Alliance

The diffusion of VoIP in network systems, as well as Multimedia, Mobile technology, Converged Real Time Networks, and VoIP based converged data and voice solutions raises valid concerns regarding new vulnerabilities and threats targeting these applications.

In February of 2008 the ISA Board approved a sophisticated new project designed to develop cost-effective solutions to these emerging issues.

The goal of this project is to provide a secure playing field as corporations deploy VoIP and related technologies.

An ongoing, industry-led collaborative effort will use the SCAP platform to reduce the risks these investments may introduce and will begin to address these emerging security issues.

This is especially significant as converged voice and data solutions are deployed.

ISA has initiated contact and received support from the US Department of Homeland Security and the National Institute of Standards and Technology.

ISA has been designated to lead the development of industry-based SCAP checklists for these key technologies.

OMB has already mandated to federal CIOs that “Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter the Federal Desktop Core Configurations, and agencies must use these tools when monitoring use of these configurations.”

From this point forward, automation of configuration management, assessment, and remediation is inevitable.

The SCAP format has become the preferred format for all new checklists.

The National Checklist Program is already migrating its repository of checklists to conform to the SCAP format, and SCAP is extending into additional security technologies, including IDS/IPS and firewalls, and into other IT technologies, including asset and configuration management systems.

The project kickoff was held in conjunction with the 4th Annual Security Automation Conference & Workshop at the NIST Campus in September 2008.

ISAlliance presented a panel to discuss the applicability of security automation in VoIP, Multimedia and Unified Communications environments.

In particular, the panel covered the value of performing in situ security testing, specifically how it can be applied to bring a level of security assurance to a high-availability, high-reliability network.

This discussion set the stage for broad participation in the ISA-sponsored workshop, which focused on developing broad answers to the following questions:

  • How can SCAP-based testing be productively used to create a level of assurance in high-availability/high-reliability networks, and what might some limitations of that approach be?
  • What SCAP protocols/approaches/components are best for voice and real-time networks?
  • Is there a baseline of best practices/standards on which to base the development of SCAP checklists to achieve a level of assurance in voice and real-time networks?

The workshop gathered sufficient input and overwhelming support to develop the “next steps” required to advance the project in a constructive manner.

In the first quarter of 2009 a formal project plan was developed to:

  • Analyze and report on the applicability of SCAP and the Information Security Automation Project to VoIP.
  • Develop a reference set of standards and best practices surrounding VoIP/Converged Network Security to form the basis for SCAP standard content development.

ISAlliance is now forming technical working groups to advance these two sub-projects.

The goal is to develop the initial deliverables for presentation at the 2009 5th Annual NIST Information Security Automation Conference this fall.

Participants with a strong technical background in VoIP, security, or SCAP are being sought:

  • Please contact bfoer@isalliance.org to participate or for additional details.
  • To view the project scoping statement and deliverables - Click Here
  • To visit the project workgroup collaboration site - Click Here
  • To Join the LinkedIn project group - Click Here
  • To visit the Nortel Networks Voice Security Blog - Click Here

Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.

Learn More About the ISAlliance Here

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators. In so doing, the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
