Why Cyber-heroes need a Zero Trust CAEP!
In the modern digital landscape, where threats evolve and organizational perimeters extend into the cloud, maintaining a strong security posture requires more than static defense mechanisms. This is where the Continuous Access Evaluation Profile (CAEP) and the Shared Signals Framework (SSF) come into play.
At the recent Gartner Identity & Access Management Summit in London, Apoorva Deshpande, Okta Engineering Lead, along with other OpenID Foundation SSF Working Group members, demonstrated how these signals can be used as part of a Zero Trust approach to create policies in Okta to detect and prevent threats across technology platforms and data silos.
Wait, doesn’t my SIEM already do this?
The OpenID Foundation Shared Signals Framework (SSF) and Security Information and Event Management (SIEM) systems play very different roles in an organization's cybersecurity strategy.
Security Information and Event Management (SIEM) systems play a crucial role in helping analysts detect, analyze and respond to cybersecurity threats. Analysts stream network, application and device logs to a SIEM for aggregation, correlation and alerting on known suspicious activity.
The Shared Signals Framework is a method for transmitting, receiving and aggregating risk signals between applications, creating opportunities for automated policy-based actions. SSF-based CAEP events specifically allow identity practitioners to configure an exchange of risk signals between IdPs and applications related to user and session risk. The events might still be logged in the SIEM, but CAEP allows for protective controls to swing into action before detective controls kick into gear.
SSF enables real-time context sharing with trusted partners, simplifying the security stack into a cohesive service that supports secure access across a broad range of technologies and platforms using Zero Trust security principles.
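How a receiving application might act on a CAEP session-revoked event, as an added example that is not from the original article or from Okta. The `CaepReceiver` class, the issuer and audience URLs and the sample claims are constructed for illustration, and the code assumes the Security Event Token's signature has already been verified against the transmitter's published keys.

```python
import time

# CAEP event type URI defined by the OpenID CAEP specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

class SetRejected(Exception):
    """The SET failed a receiver-side check and must not trigger any action."""

class CaepReceiver:  # hypothetical receiver, not an Okta or OpenID API
    def __init__(self, trusted_issuer, audience, max_age_s=300):
        self.trusted_issuer, self.audience = trusted_issuer, audience
        self.max_age_s = max_age_s  # freshness window is a local policy choice
        self.seen_jti = set()       # replay cache (in memory for the example)
        self.sessions = {}          # email -> set of local session ids

    def handle(self, claims, now=None):
        """Check decoded SET claims (signature assumed verified upstream) and
        return the local session ids that were terminated."""
        now = time.time() if now is None else now
        if claims.get("iss") != self.trusted_issuer:
            raise SetRejected("unexpected issuer")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise SetRejected("not addressed to this receiver")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.max_age_s:
            raise SetRejected("missing or stale iat")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise SetRejected("missing or replayed jti")
        self.seen_jti.add(jti)
        killed = []
        for event_type, body in claims.get("events", {}).items():
            if event_type != SESSION_REVOKED:
                continue  # other event types are left to other handlers
            # Subject is in top-level sub_id, or inside the event in older drafts.
            subject = claims.get("sub_id") or body.get("subject") or {}
            if subject.get("format") == "email":
                killed += sorted(self.sessions.pop(subject.get("email"), set()))
        return killed

# Constructed sample claims set; all values are illustrative.
SAMPLE_SET = {
    "iss": "https://idp.example.com/",
    "aud": "https://app.example.com/ssf",
    "jti": "constructed-jti-0001",
    "iat": 1_700_000_000,
    "sub_id": {"format": "email", "email": "alice@example.com"},
    "events": {SESSION_REVOKED: {"event_timestamp": 1_700_000_000}},
}
```

The same validated event can still be forwarded to the SIEM for logging; the receiver's job is the immediate protective action.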
The main differences are:
Enhanced Interoperability and Integration: SSF facilitates direct, real-time communication between various security tools and platforms within an organization’s IT ecosystem, continuously communicating to thwart attackers' lateral movement across services. This seamless integration can sometimes be more efficient than the centralized logging and analysis approach of SIEM systems, which may require complex configuration and integration efforts to achieve similar levels of interoperability.
Standardized Signaling: By standardizing the way security signals are shared and interpreted across different systems, SSF can enhance the overall effectiveness of security measures. SIEMs, while powerful for analysis and correlation, might not inherently standardize or streamline the communication protocols between disparate security solutions.
Real-Time Adaptive Response: SSF enables security solutions to respond to threats in real time by sharing signals about detected threats or anomalies instantly. This can allow for automated, immediate responses such as isolating a compromised endpoint. In contrast, SIEMs might excel in detection and alerting but can be slower to enact automated responses due to their reliance on central processing and analysis.
Scalability and Efficiency: SSF's direct signaling between tools can reduce the complexity and overhead associated with aggregating and processing vast amounts of log data, as is common with SIEM systems. This can be particularly advantageous in highly dynamic or cloud-native environments where the volume and velocity of data can overwhelm traditional SIEM architectures, or require numerous collectors and connectors which incur lag and costs.
Cost-Effectiveness: For startups and Small to Medium Enterprise organizations, implementing and maintaining a SIEM solution can be resource-intensive, requiring dedicated hardware, software, training and personnel. In contrast, an SSF approach, leveraging cloud services and APIs for integration and communication, might offer a more cost-effective solution for organizations looking to maximize their security efficiency and budgets.
It’s important to note that SSF and SIEM serve different needs within the cybersecurity ecosystem. In many cases, the most robust security posture would benefit from leveraging both SSF and SIEM capabilities, using SSF to enhance the real-time response and operational efficiency of the security infrastructure, and SIEM to provide deep analytical insights, historical data analysis, and compliance reporting.
How is Okta championing SSF and CAEP interoperability?
We recently announced the Okta Secure Identity Commitment, one of whose pillars is "Raising the bar for our Industry". Okta believes in a collaborative approach to security. By actively participating in SSF standardization and demonstrating interoperability with key partners, we aim to:
Boost security effectiveness: Sharing enriched threat data across different solutions empowers organizations to detect and respond to threats faster and more effectively.
Simplify security operations: Eliminating vendor lock-in and streamlining data exchange reduces complexity and operational overhead for security teams.
Accelerate innovation: Fostering an open ecosystem encourages innovation and the development of more advanced security solutions.
Some key takeaways to consider when reviewing your identity strategy:
How do you evaluate user risk during sessions beyond initial access?
What challenges exist when correlating threat data across your security stack?
How quickly and proactively can you respond to emerging identity threats?
How do you apply the right authentication method for the data rather than a one-size-fits-all method, and how can you adopt adaptive authentication workflows?
How open or closed is your identity ecosystem? Do your application vendors support CAEP/SSF?