Leveraging Continuous Access Evaluation Profile (CAEP) for Cloud Security

Learn how CAEP enhances cloud security by addressing risks like stale sessions and compromised devices.

Atul Tulshibagwale, CTO, SGNL
March 25, 2025

Cloud service providers promote a shared responsibility model, which puts identity and access security in the hands of cloud customers. Securing the cloud is therefore fundamentally about securing access. The Continuous Access Evaluation Profile (CAEP) addresses a critical gap in that model by delivering real-time security signals that adjust user access dynamically, so that access decisions remain accurate even after a session has been established.

Challenges in achieving zero trust security

The zero-trust architecture is a natural way to secure the cloud: each access is checked to ensure the right user is trying to access the intended resource(s). However, achieving zero trust has proven challenging in a cloud environment, mainly because the cloud service does not have all the context needed to determine whether each access should be permitted. A typical compromise is to verify the user’s access permissions and roles at the time of federated sign-on. In this scenario, the Identity Provider (IdP) verifies that the user has the correct permissions to access the target cloud service and applies additional checks, such as IP address or time of day.

Once the user is logged in to the cloud service, it is up to that service to decide when to log the user out. If, for example, the user’s account loses its entitlement to that particular service, or the user moves to a different IP address, the IdP will no longer allow a new login. Any active session, however, remains unaffected, unaware of the updated security posture. The cloud service may verify the login session cookie on every access, but the cookie itself has, in effect, become stale.

There are a number of ways in which a stale cookie could be dangerous:

  • The user may have been terminated (or a less dramatic account action may have occurred, such as the user being removed from the application’s access list).
  • An endpoint detection and response (EDR) service may indicate that the user’s device is infected with malware.
  • The user’s cookie may be stolen and replayed by an attacker from a different IP address, who, to the cloud service, is now indistinguishable from the legitimate user.
  • The user’s device may have fallen out of compliance (e.g., failure to apply important security patches).

There are more circumstances possible here, but you get the point.

CAEP to the rescue

This was exactly the problem I set out to solve when I wrote the blog that envisioned a “Continuous Access Evaluation Protocol” (CAEP). CAEP is now part of the Shared Signals Working Group (SSWG) in the OpenID Foundation and is based on the Shared Signals Framework (SSF); as a result, the “P” in CAEP now stands for Profile.

CAEP gives any cloud service a way to assemble the context it needs to make local access decisions. Using SSF, a service subscribes to specific CAEP event types from Transmitters it trusts, covering developments that can affect a user’s access privileges. So when, say, an EDR service detects an issue with the user’s device, it can send the cloud service an “assurance level change” event. When the user next tries to access the cloud service, the service can take the previously received event into account and deny access, or require the user to re-authenticate with the IdP.

How CAEP enhances cloud security

In short, CAEP enables cloud services to receive real-time updates about changes in a user’s security posture, allowing them to take immediate action when necessary. Instead of waiting for the next login event, services can react dynamically to access control changes, reducing the risk of unauthorized access due to stale session cookies.

With CAEP, a cloud service can:

  • Log a user out immediately if their access is revoked.
  • Adjust permissions dynamically based on risk signals.
  • Require reauthentication if a user’s device status changes.

What is SSF?

The Shared Signals Framework (SSF) provides the foundation for CAEP. SSF enables independent services that share common users to exchange real-time security updates using Security Event Tokens (SETs)—signed JSON objects that act as structured notifications. This publish-subscribe model ensures that access decisions remain current across distributed systems, aligning cloud security with zero-trust principles.
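As an added example (not code from this post or from SGNL), here is a minimal transmitter/receiver pair in Python that ties together the flow described under “CAEP to the rescue” and the SET format introduced above: an EDR-style transmitter mints a signed SET carrying a CAEP event, and the cloud service verifies the token, records what it means for the subject, and consults that record on the user’s next request. The issuer, audience and key values are constructed for the demo, a shared HS256 key stands in for the transmitter’s JWKS-published asymmetric key, and the `sub_id` layout is simplified.

```python
import base64, hashlib, hmac, json, time
# CAEP event types from the OpenID CAEP specification (the two the post mentions).
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
ASSURANCE_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change"
# Constructed demo values: a real receiver verifies an asymmetric signature with keys
# from the transmitter's JWKS; a shared HS256 key is used here only for brevity.
TRANSMITTER_ISSUER, RECEIVER_AUDIENCE = "https://edr.example.com", "https://cloudapp.example.com"
SHARED_KEY = b"constructed-demo-key"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_set(jti: str, sub_id: dict, events: dict) -> str:
    """Transmitter side: a signed Security Event Token (SET) carrying CAEP events."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    payload = {"iss": TRANSMITTER_ISSUER, "aud": RECEIVER_AUDIENCE, "jti": jti,
               "iat": int(time.time()), "sub_id": sub_id, "events": events}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(payload).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)

def verify_set(token: str) -> dict:
    """Receiver side: trust the event only after signature, typ, alg, iss and aud check out."""
    h, p, s = token.split(".")
    expected = hmac.new(SHARED_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s)):
        raise ValueError("bad signature")
    header, payload = json.loads(_unb64u(h)), json.loads(_unb64u(p))
    if (header.get("typ"), header.get("alg")) != ("secevent+jwt", "HS256") or \
            (payload.get("iss"), payload.get("aud")) != (TRANSMITTER_ISSUER, RECEIVER_AUDIENCE):
        raise ValueError("unexpected typ/alg or wrong issuer/audience")
    return payload

posture: dict = {}  # receiver state: user email -> action to take on that user's next request

def apply_set(token: str) -> None:
    """Receiver's SET endpoint: record what each CAEP event means for the subject."""
    payload = verify_set(token)
    user = payload["sub_id"]["email"]
    for event_type, body in payload["events"].items():
        if event_type == SESSION_REVOKED:
            posture[user] = "deny"
        elif event_type == ASSURANCE_CHANGE and body.get("change_direction") == "decrease":
            posture[user] = "reauth"

def check_access(email: str) -> str:  # run on every request that presents a still-valid cookie
    return posture.get(email, "allow")
```

A session that is still cryptographically valid is thus allowed, bounced to the IdP, or denied based on the latest event received, rather than on what was true at login.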

By leveraging CAEP and SSF, organizations can enhance cloud security by ensuring that user sessions reflect their real-time security posture, minimizing risks associated with outdated access credentials. CAEP enables cloud providers and enterprises to stay ahead of evolving threats by continuously enforcing access policies—long after the initial login.
