Section 3.1.1 Posture Assesment Information Provider #19
Comments
|
Spontaneous / unsolicited publication is required to enable loose coupling of consumers and providers (i.e., so that consumers and providers don't require a priori knowledge of each other). Providers must be able to publish spontaneously to support use cases where endpoint posture changes. This could apply to a policy server publishing user authentication information (logon / logoff), endpoint security software reporting changes in endpoint compliance state (real-time AV protection disabled), network sensors observing traffic indicating endpoint compromise (IPS or behavior monitor seeing unauthorized traffic), etc. Controllers can still apply authorization policies to unsolicited publications. -----Original Message----- version -03 In paragraph 3 - The sharing of things spontaneously seems to be problematic from an authorization point of view. It is one thing to provide data asynchronously from a previous request, where the authorization can have already been checked and another to just start arbitrarily sending data to somebody. I realize that the latter matches, to a large degree, the case of a Posture Collector sending data to an initial Posture Consumer, but it might be well to separate these two cases deal with them separately. Are there other cases for the second case that I have missed? In paragraph 3 - I think you mean based on the former rather than the latter. Authorization restrictions would be based on the consumer not the provider. In paragraph 5 - A Provider which is not authorized to provide information does not seem to be a very useful concept. I suggest deleting "and further, be authorized to do so" you might add to the end "and for specific consumers" — |
|
Resolution - expand third paragraph to two paragraphs - one addressing unsolicited / spontaneous publication, the second dealing with requested publication. |
|
Henk - unsolicited could be an ongoing event stream in SIEM domain, would like to include this kind of processing of information |
|
I've reworked the 3rd paragraph and taken Jim's suggestion to clean up the 5th paragraph as well....updated in v05 draft. |
Make the suggested edits to deal with Issue sacmwg#19. I want to distinguish between a spontaneous publication and a subscription publication. While both of them are asynchronous, the model of how they work and do authentication is going to be very different.
version -03
In paragraph 3 - The sharing of things spontaneously seems to be problematic from an authorization point of view. It is one thing to provide data asynchronously from a previous request, where the authorization can have already been checked and another to just start arbitrarily sending data to somebody. I realize that the latter matches, to a large degree, the case of a Posture Collector sending data to an initial Posture Consumer, but it might be well to separate these two cases deal with them separately. Are there other cases for the second case that I have missed?
In paragraph 3 - I think you mean based on the former rather than the latter. Authorization restrictions would be based on the consumer not the provider.
In paragraph 5 - A Provider which is not authorized to provide information does not seem to be a very useful concept. I suggest deleting "and further, be authorized to do so" you might add to the end "and for specific consumers"
The text was updated successfully, but these errors were encountered: