nobeastsofierce - Fotolia

NSA opens up about data security tools

The NSA expects industry experts to get better at security automation. Learn which data security tools are expected to help.

There's a certain cosmic symmetry that exists when interviewing a data security expert from the National Security Agency (NSA), whose surname is Blank. As a technical director at the NSA, Jeffrey Blank is involved with nearly every aspect of security automation and data security tools.

In this podcast, Blank discusses SCAP, the Security Content Automation Protocol for security automation compliance and establishing normalized pass/fail reports for security controls. He also provides his perspective on what businesses must do to avoid the security breaches that make the news, regardless of whether they do work with the federal government. Blank provides an update on FIPS 140-2, the Federal Information Processing Standard, publication 140-2. FIPS is a U.S. government computer security standard used for the accreditation of cryptographic modules. Finally, he discusses the shortage of security experts in the private sector.

The entire point of [Security Content Automation Protocol] is automation.
Jeffrey Blanktechnical director, National Security Agency

Though SCAP is a recent, emerging technology published by the National Institute of Standards and Technology, it has evolved to become an important part of security compliance. Data security tools like this are designed to ensure that organizations have a secure, defined baseline in place and that this baseline is maintained, Blank said. "The entire point of SCAP is automation. It's the idea that if you express the things you want to check for in a machine-readable format, then the software can check everything for you," he said. It eliminates the need for people to do this work manually, which can be time-intensive, less reliable and more costly.

To help businesses work toward a position of avoiding security automation breaches, Blank said the NSA published a top ten list of Information Assurance Mitigation Strategies, designed to be easily usable. FIPS, which covers encryption, remains important and is still a requirement when processing government data, Blanks said.

Regarding the dearth of security expertise in the private sector, Blank said, "This has to be a government and industry partnership. Over time, we really do expect creators of IT products to improve their security, and we are trying to drive that through validation programs like FIPS."

Next Steps

Lessons on security from the NSA

NSA is moving data to AWS

Dig Deeper on Topics Archive