Endpoint Security Posture Assessment: Enterprise Use Cases
draft-ietf-sacm-use-cases-10

Document history

Date Rev. By Action
2015-09-08
10 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2015-08-17
10 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2015-08-10
10 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2015-07-02
10 (System) IANA Action state changed to No IC from In Progress
2015-07-02
10 (System) IANA Action state changed to In Progress
2015-07-02
10 Cindy Morgan IESG state changed to RFC Ed Queue from Approved-announcement sent
2015-07-02
10 (System) RFC Editor state changed to EDIT
2015-07-02
10 (System) Announcement was received by RFC Editor
2015-07-02
10 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent::AD Followup
2015-07-02
10 Amy Vezza IESG has approved the document
2015-07-02
10 Amy Vezza Closed "Approve" ballot
2015-07-02
10 Amy Vezza Ballot approval text was generated
2015-07-01
10 (System) Sub state has been changed to AD Followup from Revised ID Needed
2015-07-01
10 David Waltermire IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2015-07-01
10 David Waltermire New version available: draft-ietf-sacm-use-cases-10.txt
2015-04-09
09 Cindy Morgan IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation
2015-04-09
09 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2015-04-09
09 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2015-04-08
09 Amanda Baber IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2015-04-08
09 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2015-04-08
09 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2015-04-08
09 Stephen Farrell
[Ballot comment]

- general: there seems to be no mention or consideration at
all of privacy which I think is a significant flaw in this
document. However, so long as privacy issues are considered in
later documents, that's not a problem. It would be a problem
if privacy were similarly ignored later on. As an example of
why this matters, enterprises will have to adhere to privacy
legislation in various jurisdictions which would for example
introduce a data controller as a relevant entity to be
considered (and that is not considered here). Once one
collects e.g. log information about authentication times and
locations then I suspect you need a data controller and you
might have to delete that data or anonymise it or do other
privacy friendly things with or to such data. I think for now,
adding a statement that later documents will have to consider
the privacy issues associated with these use cases would be a
good idea that would be sufficient to ensure that it's not
forgotten. Note: I do think it would be preferable if someone
had (or still would) spend time on an analysis of the possible
privacy considerations of some of these use-cases. I suspect
those aren't as bad as may be feared and could perhaps be
relatively easily covered in a few paragraphs, once that work
has been done. (If doing that, please do not only consider the
typical US private enterprise network scenario - those in
other parts of the world and in non-profit or public service
can differ significantly in privacy terms.)

- 2.2.5 - I've been to places like that for research purposes
(as stipulated here) and this use-case seems unrealistic to
me.

- section 4: I think you might end up needing to consider the
confidentiality and origin authentication of some of the data
at rest as well as in transit. That could get tricky, but
OTOH, if you have any conception of provenance and of privacy
then it's likely to be needed. I'd say just adding a sentence
here to recognise that that can also be an issue would be
enough.

- The secdir review [1] noted a bunch of nits. I didn't
check if those have been fixed or not, but seems like
a good idea.

  [1] https://www.ietf.org/mail-archive/web/secdir/current/msg05536.html
2015-04-08
09 Stephen Farrell [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell
2015-04-08
09 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2015-04-08
09 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2015-04-08
09 Alexey Melnikov Request for Telechat review by GENART Completed: Ready. Reviewer: Alexey Melnikov.
2015-04-08
09 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2015-04-07
09 Kathleen Moriarty IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead
2015-04-02
09 Jean Mahoney Request for Telechat review by GENART is assigned to Alexey Melnikov
2015-04-02
09 Jean Mahoney Request for Telechat review by GENART is assigned to Alexey Melnikov
2015-03-24
09 David Waltermire IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2015-03-24
09 David Waltermire New version available: draft-ietf-sacm-use-cases-09.txt
2015-03-21
08 Gunter Van de Velde Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Warren Kumari.
2015-03-21
08 Tero Kivinen Request for Telechat review by SECDIR Completed: Has Nits. Reviewer: Warren Kumari.
2015-03-21
08 Tero Kivinen Request for Telechat review by SECDIR is assigned to Warren Kumari
2015-03-21
08 Tero Kivinen Request for Telechat review by SECDIR is assigned to Warren Kumari
2015-03-19
08 Tero Kivinen Request for Last Call review by SECDIR Withdrawn. Reviewer: Scott Kelly.
2015-03-16
08 Kathleen Moriarty Ballot has been issued
2015-03-16
08 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2015-03-16
08 Kathleen Moriarty Created "Approve" ballot
2015-03-16
08 Kathleen Moriarty Ballot writeup was changed
2015-03-16
08 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2015-03-13
08 Kathleen Moriarty Placed on agenda for telechat - 2015-04-09
2015-03-13
08 Kathleen Moriarty Changed consensus to Yes from Unknown
2015-03-11
08 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Warren Kumari
2015-03-11
08 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Warren Kumari
2015-03-11
08 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2015-03-11
08 Pearl Liang
IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-sacm-use-cases-08, which is currently in Last Call, and has the following comments:

We understand that, upon approval of this document, there are no IANA Actions that need completion.

While it is helpful for the IANA Considerations section of the document to remain in place upon publication, if the authors prefer to remove it, IANA doesn't object.

If this assessment is not accurate, please respond as soon as possible.
2015-03-05
08 Tero Kivinen Request for Last Call review by SECDIR is assigned to Scott Kelly
2015-03-05
08 Tero Kivinen Request for Last Call review by SECDIR is assigned to Scott Kelly
2015-03-04
08 Jean Mahoney Request for Last Call review by GENART is assigned to Alexey Melnikov
2015-03-04
08 Jean Mahoney Request for Last Call review by GENART is assigned to Alexey Melnikov
2015-03-02
08 Amy Vezza IANA Review state changed to IANA - Review Needed
2015-03-02
08 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Endpoint Security Posture Assessment - Enterprise Use Cases) to Informational RFC


The IESG has received a request from the Security Automation and
Continuous Monitoring WG (sacm) to consider the following document:
- 'Endpoint Security Posture Assessment - Enterprise Use Cases'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-03-16. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This memo documents a sampling of use cases for securely aggregating
  configuration and operational data and evaluating that data to
  determine an organization's security posture.  From these operational
  use cases, we can derive common functional capabilities and
  requirements to guide development of vendor-neutral, interoperable
  standards for aggregating and evaluating data relevant to security
  posture.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-sacm-use-cases/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-sacm-use-cases/ballot/


No IPR declarations have been submitted directly on this I-D.


2015-03-02
08 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2015-03-02
08 Amy Vezza Last call announcement was generated
2015-03-01
08 Kathleen Moriarty Last call was requested
2015-03-01
08 Kathleen Moriarty Ballot approval text was generated
2015-03-01
08 Kathleen Moriarty IESG state changed to Last Call Requested from Publication Requested
2015-03-01
08 Kathleen Moriarty Intended Status changed to Informational from None
2015-03-01
08 Kathleen Moriarty
As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

Informational. The document describes use cases, so the status seems
appropriate. It is mentioned in the header.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

This memo documents a sampling of use cases for securely aggregating
configuration and operational data and evaluating that data to
determine an organization's security posture.  From these operational
use cases, we can derive common functional capabilities and
requirements to guide development of vendor-neutral, interoperable
standards for aggregating and evaluating data relevant to security
posture.

Working Group Summary

The working group paid a lot of attention to this document because it
was considered as important for the definition of the scope, requirements
and solution architecture for SACM. It was reviewed carefully and discussed
in detail in meetings and on the mail list by a large number of participants.
The resulting work reflects a solid consensus.

Document Quality

There is a sound interest in SACM, and this is the first WG document. The reviews
and discussions were solid and in depth. Using some kind of formal language
was considered but eventually the WG had strong consensus for the current
(plain English) way of expressing the use cases.

Personnel

Dan Romascanu is the document shepherd. Kathleen Moriarty is the responsible
AD.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

I have reviewed carefully every version of this document, including the one
now submitted for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

No.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

No concerns.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

Yes.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been submitted

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

There is a solid consensus to publish this document as well as a healthy
participation in the WG.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

No problems. idnits only indicates a date-in-the-past warning and one false
alarm on references.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

not applicable

(13) Have all references within this document been identified as
either normative or informative?

yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

no

(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

no

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

no

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The IANA Considerations section is null in content

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

not applicable

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

not applicable
2015-03-01
08 Kathleen Moriarty IESG state changed to Publication Requested from AD is watching
2015-03-01
08 Kathleen Moriarty Last call announcement was generated
2015-02-26
08 Kathleen Moriarty Ballot writeup was changed
2015-02-26
08 David Waltermire New version available: draft-ietf-sacm-use-cases-08.txt
2015-02-26
07 Kathleen Moriarty IESG state changed to AD is watching from Publication Requested
2015-02-16
07 Kathleen Moriarty Tag Revised I-D Needed - Issue raised by AD set.
2014-11-05
07 Kathleen Moriarty Ballot writeup was changed
2014-11-05
07 Kathleen Moriarty Ballot writeup was generated
2014-11-05
07 Kathleen Moriarty Last call announcement was generated
2014-09-18
07 Dan Romascanu
As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

Informational. The document describes use cases, so the status seems
appropriate. It is mentioned in the header.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

This memo documents a sampling of use cases for securely aggregating
configuration and operational data and evaluating that data to
determine an organization's security posture.  From these operational
use cases, we can derive common functional capabilities and
requirements to guide development of vendor-neutral, interoperable
standards for aggregating and evaluating data relevant to security
posture.

Working Group Summary

The working group paid a lot of attention to this document because it
was considered as important for the definition of the scope, requirements
and solution architecture for SACM. It was reviewed carefully and discussed
in detail in meetings and on the mail list by a large number of participants.
The resulting work reflects a solid consensus.

Document Quality

There is a sound interest in SACM, and this is the first WG document. The reviews
and discussions were solid and in depth. Using some kind of formal language
was considered but eventually the WG had strong consensus for the current
(plain English) way of expressing the use cases.

Personnel

Dan Romascanu is the document shepherd. Kathleen Moriarty is the responsible
AD.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

I have reviewed carefully every version of this document, including the one
now submitted for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

No.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No.

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

No concerns.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

Yes.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosures have been submitted

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

There is a solid consensus to publish this document as well as a healthy
participation in the WG.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

No problems. idnits only indicates a date-in-the-past warning and one false
alarm on references.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

not applicable

(13) Have all references within this document been identified as
either normative or informative?

yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

no

(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

no

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

no

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The IANA Considerations section is null in content

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

not applicable

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

not applicable
2014-09-18
07 Dan Romascanu State Change Notice email list changed to sacm-chairs@tools.ietf.org, draft-ietf-sacm-use-cases@tools.ietf.org
2014-09-18
07 Dan Romascanu Responsible AD changed to Kathleen Moriarty
2014-09-18
07 Dan Romascanu IETF WG state changed to Submitted to IESG for Publication from WG Document
2014-09-18
07 Dan Romascanu IESG state changed to Publication Requested
2014-09-18
07 Dan Romascanu IESG process started in state Publication Requested
2014-09-18
07 Dan Romascanu Changed document writeup
2014-09-18
07 Dan Romascanu Document shepherd changed to Dan Romascanu
2014-04-28
07 David Waltermire New version available: draft-ietf-sacm-use-cases-07.txt
2014-03-03
06 David Waltermire New version available: draft-ietf-sacm-use-cases-06.txt
2014-01-06
05 Cindy Morgan This document now replaces draft-waltermire-sacm-use-cases instead of None
2013-11-20
05 David Waltermire New version available: draft-ietf-sacm-use-cases-05.txt
2013-10-21
04 David Harrington New version available: draft-ietf-sacm-use-cases-04.txt
2013-10-19
03 David Harrington New version available: draft-ietf-sacm-use-cases-03.txt
2013-10-14
02 David Harrington New version available: draft-ietf-sacm-use-cases-02.txt
2013-09-11
01 David Waltermire New version available: draft-ietf-sacm-use-cases-01.txt
2013-08-22
00 David Waltermire New version available: draft-ietf-sacm-use-cases-00.txt