Earlier this year, TCG published for public review a new spec that helps protect potentially high-value data in MAP servers, based on TCG’s IF-MAP protocol – click here for details. Based on the feedback received from the public review and prototype implementation, the MAP Content Authorization spec is now official!

IF-MAP, the interface for a Metadata Access Point, is an open standard to support interoperable, dynamic data sharing among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth and enable security automation.  The initial version of IF-MAP was designed to enable integration of various network security functions such as network access control (NAC), remote access, intrusion detection, endpoint profiling, behavior monitoring, data leak detection, etc.  Since then, it’s been applied to fields such as Industrial Control Systems (ICS) and SCADA security, physical security, SDN, and more.

From a technical standpoint, IF-MAP is a standard client/server protocol for access to a Metadata Access Point (MAP). A MAP server has a database for storing information about network security events and objects (users, devices, etc.); it acts as a central clearinghouse for information that infrastructure devices can act on. The IF-MAP protocol defines a powerful publish/subscribe/search mechanism and an extensible set of identifiers and data types. MAP clients can publish metadata and/or consume metadata published by other clients.

So what’s the big deal now? Well, much of the data flowing through a MAP service is of high value and must be protected against unauthorized access. With the rapidly expanding push into the Internet of Things, from wearables to industrial control systems to appliances, more and more data will soon be flowing through these MAP servers and could be potentially compromised.

The new MAP Content Authorization specification (more here,https://trustedcomputinggroup.org/resources/tnc_map_content_authorization) defines an authorization model that restricts the operations each MAP Client can perform on MAP content— the metadata in a MAP server. This will help prevent, for example, unauthorized access to the content of a MAP server that could enable a malicious IF-MAP client to gather information about its environment and even potentially grant improper access or enable other forms of attack.

In its continuing drive to support and evolve with existing and emerging industry standards outside TCG, the MAP Content Authorization specification leverages the OASIS eXtensible Access Control Markup Language (XACML). XACML was chosen for its flexibility, extensibility, and fine-grained access control. The MAP Content Authorization specification illustrates and makes use of an XACML profile, explaining how XACML is employed when MAP clients seek access to the content of a MAP.

MAP servers implementing the MAP Content Authorization specification will utilize an XACML profile and consult an XACML PDP (either internal or external) to enable application of access control to IF-MAP clients seeking to read and access MAP content.

For cloud service providers, ICS infrastructures, and other environments requiring multiple security enclaves, MAP is an ideal solution and now offers protected content. More here:https://trustedcomputinggroup.org/resources/tnc_map_content_authorization