Securing Cloud Access with Continuous Access Evaluation Protocol (CAEP)

For today’s enterprises, security must adapt to the dynamic needs of the environments and the users. That takes integration and the ability to use everything from device characteristics to user behavior to make decisions about access and authentication. However, this integration and interoperability can be hard to come by.

As organizations look to Zero Trust to reduce risk, this lack of interoperability hurts adoption and prevents the approach from reaching its full potential for organizations with users leveraging cloud services and enterprise data from points all over the world. The fix for this problem for some enterprises is to stitch together a solution using proprietary protocols. But that only addresses a small portion of the challenges organizations are facing.

Securing access to cloud resources requires handling trust in an environment full of ephemeral infrastructure, which means managing trust that is short-lived. The limited nature of this trust is not handled well by federated identity protocols, which are already challenged by issues of visibility and consistent policy enforcement across multiple clouds.

Organizations need to be able to modulate that trust based on changing information. This reality is where the Shared Signals Framework (SSF) and the Continuous Access Evaluation Protocol (CAEP) emerge as solutions. The objective of SSF (formerly known as Shared Signals and Events – SSE), which is being developed by the OpenID Foundation, is to provide secure webhooks to continuously communicate security alerts and status changes related to users. CAEP enables the exchange of events and security signals between multiple entities. These events provide context around user activity and enable fine-grained access control. Often, developers rely on proprietary protocols to handle communication between APIs that share this type of information. Leveraging context requires collecting and correlating relevant information from multiple sources, which makes this ability an inescapable aspect of Zero Trust. After all, Zero Trust is not a single technology—it is a process and a collection of technologies that replaces blind trust with trust based on continuous monitoring of context.

With this approach, trust can be modulated—as information comes in from different sources, it can be used to take appropriate action related to access and authentication. An example of a use case would be session revocation or requesting the reauthorization of an established session. This capability maps to one of the IDSA’s security outcomes, “access is revoked upon detection of high-risk events associated with an identity.” Organizations with this capability implemented can revoke access when systems capture security-related alerts or events that indicate a potential breach of policy has occurred.

These triggering events can be as specific or broad as IT leaders want them to be; they can be tied to an entire account or to a particular session for a specific user on a specific device. The reasons for revocation can range from a user changing their password to a change in the geolocation from which they are attempting to log in.

Another use case involves multi-factor authentication (MFA). Let’s say you want to establish a user’s identity with a certain level of assurance, but you do not wish to obstruct the user’s workflow. If the user has authenticated with MFA elsewhere and is the same user, that information can be passed to you and used to establish assurance. There is also the benefit of enabling a better experience for the user by not introducing additional friction.

Your policy can define how everything works. The beauty of CAEP is that the decision to revoke a session in response to suspicious activity, for example, can impact not only the service provider where the activity originated but also other service providers that have expressed interest in such events. This information exchange can also extend to issues unrelated to user activity. For example, what if there is a flaw in an application the user uses? You can still transmit information about that. Even though the user has not taken any malicious action, the fact that their machine is vulnerable can justify revoking the session.
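To make the exchange described above concrete, here is an added example (not code from the original post, SGNL, or the OpenID Foundation) of a CAEP transmitter wrapping a session-revoked or assurance-level-change event in a Security Event Token and a receiver that verifies it, rejects replays, and acts only on the event types it subscribed to. The CAEP event-type URIs are the ones from the OpenID CAEP specification; the HS256 shared secret, issuer and audience URLs, and subject are constructed assumptions (real SSF transmitters normally sign SETs with asymmetric keys published via JWKS).

```python
import base64, hashlib, hmac, json, time

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP + "session-revoked"
ASSURANCE_CHANGE = CAEP + "assurance-level-change"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_set(secret: bytes, iss: str, aud: str, jti: str, event_type: str, sub_id: dict, **payload) -> str:
    """Transmitter side: wrap one CAEP event in a Security Event Token (RFC 8417 JWT).
    HS256 with a shared secret is an assumption made to keep the example self-contained."""
    now = int(time.time())
    claims = {"iss": iss, "aud": aud, "jti": jti, "iat": now, "sub_id": sub_id,
              "events": {event_type: dict(payload, event_timestamp=now)}}
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

class Receiver:
    """Receiver side: verifies each SET, rejects replays, and applies only subscribed event types."""
    def __init__(self, secret: bytes, trusted_iss: str, my_aud: str, subscribed):
        self.secret, self.trusted_iss, self.my_aud = secret, trusted_iss, my_aud
        self.subscribed = set(subscribed)
        self.seen_jti = set()        # replay protection: each SET id is accepted once
        self.revoked = []            # (subject, reason_admin) pairs acted upon
        self.assurance = {}          # subject -> assurance level reported by the transmitter

    def handle(self, token: str) -> str:
        head, body, sig = token.split(".")
        expected = hmac.new(self.secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "rejected:bad-signature"
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.trusted_iss or claims.get("aud") != self.my_aud:
            return "rejected:wrong-issuer-or-audience"
        if claims["jti"] in self.seen_jti:
            return "rejected:replay"
        self.seen_jti.add(claims["jti"])
        subject = claims["sub_id"].get("email", json.dumps(claims["sub_id"]))
        for event_type, payload in claims["events"].items():
            if event_type not in self.subscribed:
                continue  # the transmitter may emit types this receiver never expressed interest in
            if event_type == SESSION_REVOKED:
                self.revoked.append((subject, payload.get("reason_admin")))
            elif event_type == ASSURANCE_CHANGE:
                self.assurance[subject] = payload.get("current_level")
        return "accepted"
```

A receiver that subscribes to both event types can use the assurance level it records to skip re-prompting for MFA, which is the second use case above.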

Perhaps the trickiest part of all this is dealing with the sheer volume of messages that can be generated. Helpful information will have to be separated from the noise to be leveraged successfully. The threshold for determining what activity warrants action may vary from provider to provider.

In the final analysis, enabling the sharing of information is invaluable to security and making Zero Trust a reality. Identity providers hold intelligence that empowers organizations to create and enforce access policies that adapt to evolving risks. By using CAEP and sharing security signals, enterprises can consume the data they need to implement more effective access control.

To learn more, watch our recent webinar, A Guide to Securing Cloud Access with CAEP.

About the Authors:
Atul Tulshibagwale, CTO at SGNL, is a federated identity pioneer and the inventor of Continuous Access Evaluation Protocol (CAEP), forming the basis of the Shared Signals and Events working group in the OpenID Foundation, which he co-chairs. Prior to joining SGNL, he was a technical leader at Google where he focused on extending access security across multi-vendor SaaS and on-premise systems. He was the CEO and Co-Founder of Trustgenix (acquired by Hewlett Packard), where he defined the federation server, an architectural concept now adopted by all major Identity Providers. He helped define open standards such as the Liberty Alliance and SAML 2.0. He continued with HP as the Director of Federation. Prior to joining Google, Atul was at MobileIron as an Identity Architect.

Asad Ali, Director of Technology at Thales Group, brings 25 years of experience and a track record of technical innovation, research, design, development, team management and delivery of products in the digital security space. He is responsible for setting competitive, technical, and strategic product direction for the cyber-security business unit. He is known for promoting innovation and the adoption of user-centric design and usable security frameworks. He is a member of technology standards bodies (W3C, CSA, OpenID Foundation), industry technology alliances, and academia outreach. He holds 16 granted patents and has over 50 publications in peer-reviewed technical journals and international conferences.
