sacmwg / draft-ietf-sacm-terminology

SACM terminology aligned with best practice definitions, standard references, and terminology definitions of other work groups

Definition of Posture #11

Closed henkbirkholz closed 7 years ago

henkbirkholz commented 9 years ago

The definition of Posture in the current terminology draft references RFC 5209, which includes “configuration and/or status of hardware or software on an endpoint as it pertains to an organization's security policy”. In contrast, the rest of the definition redefines it as a more elementary “state information that is collected from an endpoint”.

There might be issues with the current way this definition is worded:

1.) The term Posture – in the context of security automation, especially due to its existing definition in RFC 5209 – might always imply that it is about a quite elaborate assertion regarding security policies. If the goal of the definition is to describe bundles of “state information that is collected from an endpoint” maybe using another term helps to better distinguish this raw assertion (“this state information is about this endpoint”) from more complex assertions (e.g. “this state information is in conflict with security policies”).

2.) In the Endpoint ID DT, a general categorization of Endpoint Attributes is currently discussed. Basically there are four categories of Endpoint Attributes that depend on their provenance/origin:

These “variants of collection” will potentially exceed the current definition of Posture, which is limited to “originates from this endpoint”.

3.) While the original definition of Posture from RFC 5209 encompasses (and differentiates) configuration and state, the new definition does not. If there are no good reasons speaking against it, the differentiation of configuration and state could be reintroduced in the definition.

Potential changes to this definition might propagate corresponding changes to the definition of Posture Attributes (and might lead to additional definitions, such as Configuration, State, Native Interface (remote API), Raw Assertion/Collection Result, Identity Assertion, Security Posture Assertion, etc.).

llorenzin commented 9 years ago

WRT sub-issue 1) - I believe that the current definition of posture meets your first example of a raw assertion ("information about this endpoint"). For your second example of a complex assertion ("this state information is in conflict with a security policy"), I believe that's a posture attribute ("current state = out of compliance") generated by an evaluation result. I don't think this requires a change in the definition of the term posture. I do think it requires an additional posture attribute for in compliance / out of compliance to be defined in the information model.

WRT 2) - I agree, and I believe that the second paragraph introduces an unnecessary and harmful conflict with the NEA definition of posture. The wording of the second sentence of the second paragraph is also unclear. I propose that we change the second paragraph from:

This term is used within the scope of SACM to represent the configuration and state information that is collected from an endpoint (e.g. software/hardware inventory, configuration settings, dynamically assigned addresses). This information may constitute one to many Posture Attributes.

To (changes highlighted with **):

This term is used within the scope of SACM to represent the configuration and state information that is collected **about** an endpoint (e.g. software/hardware inventory, configuration settings, dynamically assigned addresses). This information may **be composed of** one to many Posture Attributes.

This aligns our usage with the NEA definition and clarifies the composition of posture.

3) I agree with the reintroduction of "configuration and status" to the second paragraph done in -07.

adammontville commented 9 years ago

Aside: it seems like this could be several distinct issues to make it easier to respond.

WRT 1) I would expect evaluation results to clearly indicate compliance, so I wouldn't necessarily want another attribute to indicate compliance or lack thereof.

henkbirkholz commented 8 years ago

1.) closed & might be revisited later

2.) variants of collection

3.) Posture - configuration / state addressed in the definition of Posture.

Remaining Issue:

henkbirkholz commented 7 years ago

Addressed in the draft, including the definitions of configuration & state themselves.