Identity is increasingly becoming the keystone of security. This is because of the rapid transition to cloud computing and the zero trust architecture that is a natural consequence of it. Organizations continue to invest in network security, which works well for on-premises data centers. But cloud service providers already offer state-of-the-art network security, and as a result cyber threat actors don’t bother trying to break through it. The preferred (and often the only) way in for cyber criminals is now to compromise legitimate users’ identities in order to penetrate the victim organization’s systems.
Attackers often profile the individuals they target based on their social media and online professional networking presence. They then formulate elaborate social engineering strategies to trick unsuspecting victims or organizational support staff into giving up the key individuals’ credentials. They use those credentials to log in as the legitimate user and assume all of that user’s access rights. Once the attacker is in, they rapidly move laterally through the target organization’s cloud systems and either encrypt its data (and demand a ransom), exfiltrate it, or compromise its integrity (or all of the above). Nikesh Arora, the CEO of Palo Alto Networks, said recently that “defenders have to be right 100% of the time, whereas attackers have to be right only once” (to cause a catastrophic compromise). Recent breaches at large enterprises have shown that sometimes the attack started from a single compromised credential, proving Arora’s point.
Approaching Identity Security Differently
But this situation raises the question: Does it have to be so? Is this even sustainable?
We are used to doing identity security a certain way. Many access decisions are made at admin time (i.e., a manager decides whether a person should have access to a system or to specific resources, and adds them to a role). Some decisions are made at login time: the identity provider determines whether a user should access a specific system as they are logging into it, possibly checking whether the user is coming from a permitted IP address or other such dynamic properties.
The newer step is to add event-time decisions, which are performed whenever there is a change of state. For example, if a user’s device falls out of compliance, an event is generated using open standards such as the Continuous Access Evaluation Profile (CAEP) of the Shared Signals Framework (SSF). The recipient of the event can take appropriate action to change the user’s access properties (for example, terminate all active sessions for the user).
This trend can provide comprehensive identity security: limiting the amount and lifetime of access a user holds at any given time devalues the credential, so that even if an attacker compromises a key individual’s credentials, they gain access to almost nothing. This is the thought behind the Continuous Security Paradigm.
The Continuous Security Paradigm
A couple of months ago, IDPro published the “Continuous Security Paradigm” (CSP) article that was authored by Sean O’Dell of Disney and me. It outlines how, in order to achieve identity security, our systems must evolve to act independently yet in coordination with each other.
The Continuous Security Paradigm has three main aspects:
- The Topology of Trust: Which other systems to trust for obtaining data from and sending data to, what data should be accepted or sent, and with which strategy: time-interval based or event-driven.
- Asynchronous Signaling: Asynchronously obtain and deliver information to where it is required for making access decisions. Leverage standards like the SSF and CAEP or use proprietary integrations where standards support doesn’t yet exist. When something that is of interest to other trusted systems changes, send out asynchronous updates.
- Continuous Evaluation: Evaluate every access locally, based on the latest data that was already obtained asynchronously from the trusted systems.
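The three aspects above, and the device-compliance scenario from the earlier section, as an added example that is not SGNL’s code or the IDPro article’s: a receiver trusts exactly one transmitter (topology of trust), ingests CAEP device-compliance-change events as they arrive (asynchronous signaling) and answers every later access check from the state it already holds (continuous evaluation). The event type URI is the one defined by CAEP; the `sub_id` layout, issuer, audience, device id and session ids are constructed sample values, and the SET’s JWT signature is assumed to have been verified before the claims set reaches this code.

```python
# CAEP 1.0 event type URI for device compliance changes (from the OpenID CAEP spec)
DEVICE_COMPLIANCE_CHANGE = (
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
)
TRUSTED_ISSUER = "https://mdm.example.com"  # constructed: the one transmitter we accept
OUR_AUDIENCE = "https://sso.example.com"    # constructed: this receiver's identifier

# Local state obtained asynchronously: device id -> "compliant" / "not-compliant"
device_status = {}
# Active sessions: session id -> (user email, device id)
sessions = {}

SAMPLE_SET = {  # constructed claims set of a SET (assumed: signature already verified)
    "iss": TRUSTED_ISSUER, "aud": OUR_AUDIENCE, "iat": 1700000000, "jti": "set-1",
    "sub_id": {"format": "complex",
               "user": {"format": "email", "email": "alice@example.com"},
               "device": {"format": "opaque", "id": "dev-0042"}},
    "events": {DEVICE_COMPLIANCE_CHANGE: {
        "event_timestamp": 1700000000,
        "previous_status": "compliant", "current_status": "not-compliant",
        "reason_admin": {"en": "Disk encryption disabled"}}},
}


def ingest_set(payload):
    """Accept one SET claims set, update local state and return the ids of
    any sessions terminated as a result (empty list if nothing changed)."""
    # Topology of trust: only data from the transmitter we chose to trust counts.
    if payload.get("iss") != TRUSTED_ISSUER or payload.get("aud") != OUR_AUDIENCE:
        return []
    event = payload.get("events", {}).get(DEVICE_COMPLIANCE_CHANGE)
    if event is None:
        return []  # some other event type; not handled by this receiver
    device_id = payload["sub_id"]["device"]["id"]
    device_status[device_id] = event["current_status"]  # asynchronous update
    if event["current_status"] == "compliant":
        return []
    # Event-time decision: drop every active session on the non-compliant device.
    revoked = [sid for sid, (_, dev) in sessions.items() if dev == device_id]
    for sid in revoked:
        del sessions[sid]
    return revoked


def check_access(user, device_id):
    """Continuous evaluation: decide from the latest state already received,
    with no call to the device-management system at access time."""
    return device_status.get(device_id) == "compliant"
```

Because the decision in `check_access` never waits on the source system, an outage there degrades the freshness of the data, not the availability of the access check.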
The Benefits of CSP with SGNL
The SGNL vision is to realize the CSP with open standards where they are supported but by using proprietary integrations where they are not.
- Extend token lifetimes: Login-time decisions are embodied in session tokens that represent the time for which that decision can be trusted. With CSP, because you can asynchronously obtain signals if something about the login-time decision has changed, you don’t need to limit the token lifetime. For example, based on this principle (although not using SGNL), Microsoft extended the lifetime of their session tokens between their own systems (which include Entra ID, Teams and Exchange Online) from 1 hour to 24 hours, greatly reducing their costs, and vastly improving their reliability while providing a superior user experience that didn’t require the user to be bounced every hour back to the IdP.
- Cloud ITDR: Leverage XDR and fraud-detection signals to immediately enforce session security (log out or step up) at all applications.
- Business activity driven access rights: By asynchronously ingesting business activity data, SGNL can enforce customer policies that determine access privileges in critical systems such as AWS, Azure, and GitHub or productivity applications such as Slack or Salesforce without incurring any exposure to the reliability, availability and latency characteristics of the source systems.
- Device-posture-based access: As independent device management or endpoint detection systems asynchronously provide device events to SGNL, customers can write policies to determine whether users coming from those devices can continue to access the critical systems and productivity apps.
Getting there
SGNL already provides integration with a large number of systems of record and protected systems, so you can get started with the CSP right now. As more of these systems start supporting open standards such as CAEP and Shared Signals, SGNL will enable customers to leverage them to control access to protected systems. SGNL can also generate standards-based events for those protected systems that can leverage open standards. We are seeing increasing momentum in the standards space, and SGNL remains best positioned to leverage it.