nobeastsofierce - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

NSA opens up about data security tools

The NSA expects industry experts to get better at security automation. Learn which data security tools are expected to help.

There's a certain cosmic symmetry that exists when interviewing a data security expert from the National Security Agency (NSA), whose surname is Blank. As a technical director at the NSA, Jeffrey Blank is involved with nearly every aspect of security automation and data security tools.

In this podcast, Blank discusses SCAP, the Security Content Automation Protocol for security automation compliance and establishing normalized pass/fail reports for security controls. He also provides his perspective on what businesses must do to avoid the security breaches that make the news, regardless of whether they do work with the federal government. Blank provides an update on FIPS 140-2, the Federal Information Processing Standard, publication 140-2. FIPS is a U.S. government computer security standard used for the accreditation of cryptographic modules. Finally, he discusses the shortage of security experts in the private sector.

The entire point of [Security Content Automation Protocol] is automation.
Jeffrey Blanktechnical director, National Security Agency

Though SCAP is a recent, emerging technology published by the National Institute of Standards and Technology, it has evolved to become an important part of security compliance. Data security tools like this are designed to ensure that organizations have a secure, defined baseline in place and that this baseline is maintained, Blank said. "The entire point of SCAP is automation. It's the idea that if you express the things you want to check for in a machine-readable format, then the software can check everything for you," he said. It eliminates the need for people to do this work manually, which can be time-intensive, less reliable and more costly.

To help businesses work toward a position of avoiding security automation breaches, Blank said the NSA published a top ten list of Information Assurance Mitigation Strategies, designed to be easily usable. FIPS, which covers encryption, remains important and is still a requirement when processing government data, Blanks said.

Regarding the dearth of security expertise in the private sector, Blank said, "This has to be a government and industry partnership. Over time, we really do expect creators of IT products to improve their security, and we are trying to drive that through validation programs like FIPS."

Next Steps

Lessons on security from the NSA

NSA is moving data to AWS

This was last published in September 2015

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Which data security tools does your enterprise use?
 "The entire point of SCAP is automation. It's the idea that if you express the things you want to check for in a machine-readable format, then the software can check everything for you,"

Sounds good on the service, but I imagine certain types of security issues will still require an intelligent human guiding them beyond using some type of static analysis scanning to vet.

But automation can go a long way to getting closer to the goal I think, more companies should look to leverage that.







  • How do I size a UPS unit?

    Your data center UPS sizing needs are dependent on a variety of factors. Develop configurations and determine the estimated UPS ...

  • How to enhance FTP server security

    If you still use FTP servers in your organization, use IP address whitelists, login restrictions and data encryption -- and just ...

  • 3 ways to approach cloud bursting

    With different cloud bursting techniques and tools from Amazon, Zerto, VMware and Oracle, admins can bolster cloud connections ...