Future of Zero Trust
Security
An Open Security Ecosystem with Shared Signals is the Future of Zero Trust
By Nancy Cam-Winget, Cisco
Zero Trust, as the name implies, is the strategy by which organizations trust nothing implicitly and verify everything continuously. This industry north star is driving different architectures, frameworks, and solutions to reduce an organization's risk and improve its security posture. Beyond enforcing strong authentication and authorization to establish trust in an endpoint, how can we verify continuously? Today's zero-trust approach often uses strong authentication and tools that evaluate the security of the user and device at the point of access, but what happens when the security posture of the user or device changes after the initial access request has been granted?
With many vendors offering impressive cybersecurity capabilities, there is a wealth of information that could be shared. Unfortunately, this information is fragmented and lacks standardization, and therefore interoperability. Getting all these best-in-class vendors to talk to each other is an expensive and time-consuming task, leaving organizations with disparate signal silos and a serious lack of visibility and control across their environment.
This is the problem the OpenID Foundation's Shared Signals and Events working group is poised to address. For the unfamiliar, the OpenID Foundation is a non-profit organization that promotes open, interoperable standards with OpenID at its core, most notably the standardization of a simple identity layer on top of OAuth 2.0: OpenID Connect. The Shared Signals and Events working group lives within the OpenID Foundation and comprises industry leaders and innovators working to promote more open communication between systems. Shared Signals and Events standards such as CAEP and RISC aim to give federated systems well-defined mechanisms for sharing security events, state changes, and other signals. This communication in turn simplifies interoperability and allows organizations to get closer to the Zero Trust ideal of continuously evaluating and enforcing security.
In its first ratified standard, the Shared Signals and Events working group created an open standard through which multiple services can communicate by publishing or subscribing to relevant event streams. The standard drastically simplifies the exchange of security context between applications. For example, a cloud application might subscribe to events from an endpoint detection and response solution in order to quickly remove access from infected systems. Alternatively, an IAM solution might publish a change of user context that a SIEM tool uses to start an investigation. The example below shows how an HTTPS service request made by a device or application (step 1) can trigger a change-of-state update to a policy server (step 2). The policy service can then determine whether that state change needs to be broadcast to other subscribers (step 3). A subscriber to that event processes the information and determines whether a remediation response (step 4) is needed. ...
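To make steps 2 through 4 concrete, here is an added Python example (not code from the article, Cisco, or the OpenID Foundation): a hypothetical policy service publishes a CAEP device-compliance-change event wrapped in a Security Event Token (RFC 8417), and a hypothetical subscribing application verifies the token before acting on it and decides whether to revoke the device's sessions. The endpoints, shared secret and device id are constructed, and a hand-rolled HS256 signature stands in for the keys a real transmitter would publish.

```python
import base64, hashlib, hmac, json, uuid

# Constructed values for this illustration only; real deployments use the
# transmitter's published keys and configured stream endpoints.
SECRET = b"constructed-demo-secret"
TRANSMITTER = "https://policy.example.com"   # hypothetical policy service (steps 2-3)
RECEIVER = "https://app.example.com"         # hypothetical subscribing application (step 4)
CAEP_DEVICE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(device_id: str, status: str, now: int) -> str:
    """Transmitter side: wrap one CAEP event in a Security Event Token (RFC 8417, HS256)."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    payload = {
        "iss": TRANSMITTER, "aud": RECEIVER, "iat": now, "jti": str(uuid.uuid4()),
        "events": {CAEP_DEVICE: {
            "subject": {"format": "opaque", "id": device_id},
            "previous_status": "compliant", "current_status": status,
            "event_timestamp": now, "initiating_entity": "policy"}}}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def receive_set(token: str, now: int, max_age: int = 300) -> dict:
    """Receiver side: verify the SET before trusting it, then decide on remediation."""
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return {"action": "reject", "reason": "bad signature"}
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
        return {"action": "reject", "reason": "unexpected issuer or audience"}
    if abs(now - claims.get("iat", 0)) > max_age:
        return {"action": "reject", "reason": "stale token"}
    # A production receiver would also record "jti" values to drop replayed tokens.
    event = claims.get("events", {}).get(CAEP_DEVICE)
    if event is None:
        return {"action": "ignore", "reason": "no event type this receiver handles"}
    # Step 4: a device falling out of compliance is grounds to cut its live sessions.
    action = "revoke-sessions" if event["current_status"] == "not-compliant" else "none"
    return {"action": action, "device": event["subject"]["id"]}
```

The receiver rejects tokens with a bad signature, the wrong issuer or audience, or an old issue time before it reads the event, which is the check that keeps a shared-signals feed from becoming a new way to push unverified commands into the subscriber.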