The Trusted Computing Group's New Blog

The Trusted Computing Group, a consortium of vendors who are driving standardized APIs and specifications for secure computing, is perhaps opening up a bit with the new blog recently announced.

Mike Fratto

December 22, 2007


The Trusted Computing Group, a consortium of vendors that are driving standardized APIs and specifications for secure computing, is perhaps opening up a bit with its recently announced blog. The TCG has been a very opaque organization for those folks who aren't willing to pony up the $1,000-per-year minimum membership dues, and I think the opacity has hurt its efforts to educate the ultimate consumer of its technology, the enterprise. Hopefully, the new blog signals a change within the TCG to be more open. I am going to limit the rest of my comments to the Trusted Network Connect (TNC) working group, since I am more familiar with its activities than the TCG as a whole. The TNC has an ongoing image problem that it's trying to improve; namely, few people even know what it is. For the past few years, we have conducted reader surveys on network access control, and the number of respondents who were even aware of the TNC never got much above 20%. More in-depth knowledge pushed that percentage down further.

Now the TNC has been much more proactive in attending trade shows and reaching out to enterprises in other venues. Steve Hanna, distinguished engineer for Juniper Networks and co-chair of the IETF NEA and Trusted Computing Group's Trusted Network Connect working groups, has been hitting the road, evangelizing the work of the TNC to vendors, analysts, and the press. The impact of the TNC outreach has yet to be realized.

As an organization, the TCG can be described as "for vendors, by vendors." The membership roster is a who's who of high-tech security firms that pay big money, as much as $55,000 per year, to sit in on meetings, hammer out specifications, and gain access to early drafts of specifications to jump-start product development. However, when I talk with vendors who are TCG members interested in TNC, few of them will say they are active in the working group and are adopting a wait-and-see attitude to TNC specification adoption.

The reason is clear. Vendors won't adopt TNC specifications until they hear customer demand. Customers won't demand TNC support if they don't know about it. Vendors won't bring up TNC specifications because they don't want to jeopardize a sale by clouding the issues. Everyone is waiting for what, I don't know. But let me take a guess.

Nearly all of the vendors I have spoken with secretly want to do away with their client software. It's an albatross around their necks. They would rather not touch the desktop and use something that already exists, like Microsoft's NAP. Alan Shimel of StillSecure was quite excited that Windows XP Service Pack 3 Release Candidate was available; he started downloading it as soon as he got home from his last trip. I bet he didn't even wait to unpack. I don't know StillSecure's client plans, but I'll bet he was excited because the TNC adopted Microsoft's Statement of Health (SoH) protocol as one of the methods for a client to inform a policy server of its condition. Alan laments that without Windows Server 2008 or Policy Server, the NAP client isn't much use. There is nothing stopping NAC vendors from becoming the policy server, and that probably makes the most sense. Host assessment is low-hanging fruit. The difficult parts are policy development, enforcement, and integration with existing infrastructure.

So maybe what happens next is that vendors will begin to actually integrate the TNC SoH specifications by the time enterprises start to deploy Service Pack 3 and Vista. Then they can talk about support for the TNC specifications, which gives enterprises a warm-fuzzy because they don't have to manage yet another piece of client software. That in turn raises visibility of the TNC, which may create demand for TNC conformance.

It's not enough to just get vendors to talk about the TNC work. Companies making technology decisions want to know they're betting on a winning horse. For anyone who hasn't joined the TCG, its parsimonious announcements haven't shed much light on the goings-on and haven't done much to bolster consumer confidence in the work it is doing. Remember the circle: 1) Vendors build it when there is customer demand. 2) Customers demand it when they trust the technology is good. 3) The first step to trusting that the technology is good is knowledge about the standards and the future directions.


About the Author

Mike Fratto

Former Network Computing Editor
