Posture assessment has long been desired, but has been difficult to achieve due to complexities of customization requirements at each organization.
-By using policy and measurement sets that may be offered at various assurance levels, local assessment of evidence can be performed to continuousy assess compliance. An example of a form of local attestation is through the Trusted Computing Group's Trusted Platform Module (TPM) format and assessment method. This and other methods provide a secured log for transparency on the results of the assessed evidence against expacted values. In order to support continuous monitoring of posture assessment and integrity in an enterprise or large data center, the local assessments and remediation are useful to reduce load on the network and remote resources. This is currently done today for the so called trusted boot process. It is useful to share the results of the compliance to expected values for measurements and policies in order to gain a bigger picture view of the governance, risk, and complaince posture for a network. As such, communiciating a summary result as evidence tied including a link to supporting logs with a remote attestation defined in an Entity Attestation Token (EAT) profile [I-D.ietf-rats-eat] provides a way to accomplish that goal. The level of intergation for local attestation meeting defined policies and measurements at specific levels, including the ability to remediate makes posture assessment through attestation achievable for organizations of all sizes due to integration being required in existing toolsets and systems, built as an intrinsic capability.
-The measurement and policy groupings results summarized in an EAT profile may be provided by the vendor or by a neutral third party to enable ease of use and consistent implementations. The local system or server host performs the assessment of posture and remediation.
+By using policy and measurement sets that may be offered at various assurance levels, local assessment of evidence can be performed to continuousy assess compliance. An example of a form of local attestation is through the Trusted Computing Group's Trusted Platform Module (TPM) format and assessment method. This and other methods provide a secured log for transparency on the results of the assessed evidence against expected values. In order to support continuous monitoring of posture assessment and integrity in an enterprise or large data center, the local assessments and remediation are useful to reduce load on the network and remote resources. This is currently done today for the so called trusted boot process. It is useful to share the results of the compliance to expected values for measurements and policies in order to gain a bigger picture view of the governance, risk, and complaince posture for a network. As such, communiciating a summary result as evidence tied including a link to supporting logs with a remote attestation defined in an Entity Attestation Token (EAT) profile [I-D.ietf-rats-eat] provides a way to accomplish that goal. The level of integration for local attestation meeting defined policies and measurements at specific levels, including the ability to remediate makes posture assessment through attestation achievable for organizations of all sizes due to integration being required in existing toolsets and systems, built as an intrinsic capability.
+The measurement and policy grouping results summarized in an EAT profile may be provided by the vendor or by a neutral third party to enable ease of use and consistent implementations. The local system or server host performs the assessment of posture and remediation.
This provides simpler options to enable posture assessment at selected levels by organizations without the need to have in-house expertise.
The measurement and policy sets may also be customized, but not necessary to achieve posture assessment to predefined options.
This document describes a method to use existing attestation formats and protocols while allowing for defined profiles of policies, benchmarks, and measurements for specific assurance levels to provide transparency on posture assessment results summarized with remote attestations.¶
Thank you to Nick Grobelney, Dell Technologies, for your review and contribution to separate out the policy and measurement sets.
Thank you, Samant Kakarla and Huijun Xie from Dell Technologies, for your detailed review and corrections on boot process details.
Section 3 has been contributed by Rudy Bauer from Dell as well and an author will be added on the next revision.
-IANA section added in version 7 by Kathleen Moriarty, expanding the claims registered and adding a proposed registry to define policy and measurement sets.¶
+IANA section added in version 7 by Kathleen Moriarty, expanding the claims registered and adding a proposed registry to define policy and measurement sets.
+Thank you to Henk Birkholz for his review and edits.¶
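Review bot: the spelling fixes in this paragraph (expacted, intergation, groupings) leave three more typos on the same lines untouched: "continuousy" should be "continuously", "complaince" should be "compliance", and "communiciating" should be "communicating"; "so called trusted boot process" also wants a hyphen ("so-called"). Since this change already edits the paragraph, fixing them here avoids another typo-only revision of the rendered .txt.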
diff --git a/draft-moriarty-rats-posture-assessment.txt b/draft-moriarty-rats-posture-assessment.txt
index 3db0b5c..4e5e9b2 100644
--- a/draft-moriarty-rats-posture-assessment.txt
+++ b/draft-moriarty-rats-posture-assessment.txt
@@ -5,10 +5,10 @@
Network Working Group K. M. Moriarty
Internet-Draft Transforming Information Security LLC
Intended status: Standards Track M. Wiseman
-Expires: 18 November 2024 Beyond Identity
+Expires: 3 January 2025 Beyond Identity
A.J. Stein
NIST
- 17 May 2024
+ 2 July 2024
Scalable Remote Attestation for Systems, Containers, and Applications
@@ -57,7 +57,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on 18 November 2024.
+ This Internet-Draft will expire on 3 January 2025.
Copyright Notice
@@ -101,7 +101,7 @@ Table of Contents
of local attestation is through the Trusted Computing Group's Trusted
Platform Module (TPM) format and assessment method. This and other
methods provide a secured log for transparency on the results of the
- assessed evidence against expacted values. In order to support
+ assessed evidence against expected values. In order to support
continuous monitoring of posture assessment and integrity in an
enterprise or large data center, the local assessments and
remediation are useful to reduce load on the network and remote
@@ -113,12 +113,12 @@ Table of Contents
tied including a link to supporting logs with a remote attestation
defined in an Entity Attestation Token (EAT) profile
[I-D.ietf-rats-eat] provides a way to accomplish that goal. The
- level of intergation for local attestation meeting defined policies
+ level of integration for local attestation meeting defined policies
and measurements at specific levels, including the ability to
remediate makes posture assessment through attestation achievable for
organizations of all sizes due to integration being required in
existing toolsets and systems, built as an intrinsic capability. The
- measurement and policy groupings results summarized in an EAT profile
+ measurement and policy grouping results summarized in an EAT profile
may be provided by the vendor or by a neutral third party to enable
ease of use and consistent implementations. The local system or
server host performs the assessment of posture and remediation. This
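Review bot: style point on the unchanged context of this hunk: "tied including a link to supporting logs with a remote attestation" does not parse as written (presumably "tied to, including a link to supporting logs, a remote attestation" or similar), and "including the ability to remediate makes posture assessment" needs a comma after "remediate" to close the parenthetical. As the hunk already touches this paragraph for "integration" and "grouping", both could be fixed in the same revision.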
@@ -426,9 +426,9 @@ Table of Contents
[I-D.ietf-rats-eat]
Lundblade, L., Mandyam, G., O'Donoghue, J., and C.
Wallace, "The Entity Attestation Token (EAT)", Work in
- Progress, Internet-Draft, draft-ietf-rats-eat-26, 5 May
+ Progress, Internet-Draft, draft-ietf-rats-eat-28, 25 June
2024, .
+ rats-eat-28>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
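Review bot: the reference update cannot be checked from what is shown: the header announces a 9-line/9-line hunk, yet the body has one removed line and two added lines, and the URL that should follow "2024," is absent, leaving "2024, ." as context and a dangling "+ rats-eat-28>." fragment. The angle-bracketed URL looks to have been dropped in rendering; please confirm that the old draft-ietf-rats-eat-26 URL line is removed and the full URL ending in draft-ietf-rats-eat-28 replaces it, so the -28 citation is not paired with a stale -26 link.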
@@ -473,7 +473,8 @@ Contributors
Dell as well and an author will be added on the next revision. IANA
section added in version 7 by Kathleen Moriarty, expanding the claims
registered and adding a proposed registry to define policy and
- measurement sets.
+ measurement sets. Thank you to Henk Birkholz for his review and
+ edits.
Authors' Addresses