Published December, 2023, revised February 14, 2024 to confirm interoperability demonstration at Gartner IAM conference held in London, UK.
Blog authored by Apoorva Deshpande, Engineering Leader, Okta.
The OpenID Foundation Shared Signals Framework (SSF) is an emerging and promising standard for sharing security signals between trusted parties. It has the potential to play a significant role in securing the world by enabling organizations to share indicators of compromise (Security Events) and other security information more easily and efficiently.
How SSF Can Help Secure Identity and Access by Sharing Security Events
SSF Events are either artifacts of malicious activity or indicators of session property updates that can be used to monitor, detect, and prevent attacks, without a standard way to share Security Events between organizations, information silos form and weaken defenders’ ability to identify and mitigate threats.
SSF provides a secure and privacy-preserving way for organizations to share information via events. It uses a standard format for representing these events and a secure transport mechanism for sharing them. This makes it easy for organizations to integrate SSF into their existing security infrastructure and to share Security Events with a wide range of partners.
By sharing events among trusted parties, organizations can exchange threat indicators across domains and collaborate to identify and mitigate threats more quickly and effectively.
Benefits of Using SSF to Share Security Events
There are several benefits to using SSF to share Security Events, including:
- Zero trust security posture: Zero trust is a security model that assumes no implicit trust and continuously verifies the identity and authorization of users, devices, and applications. SSF aligns with zero-trust principles by enabling organizations to continuously share and update security signals, ensuring that access decisions are based on the most up-to-date information.
- Reduced operational overhead: SSF can help organizations reduce the operational overhead of sharing Security Events by providing a standard and automated way. This allows organizations to leverage the collective knowledge of the federated ecosystem to make more informed access control decisions, reducing the risk of unauthorized access.
- Increased visibility: SSF empowers organizations to share information about their cloud security posture, including security policies, configurations, and incident response procedures. This transparency fosters collaboration and enables organizations to learn from each other's experiences, improving overall cloud security posture.
- Seamless Federated Identity Management: In federated identity management, multiple organizations manage user identities and access control. This shared responsibility can create challenges in ensuring only authorized users can access sensitive resources. SSF is crucial in addressing these challenges by enabling organizations to share security signals about users, devices, and applications.
- Enabling Continuous Risk Assessment: SSF enables continuous risk assessment by providing a mechanism for sharing real-time information about user behavior, device health, and network activity. This continuous risk assessment allows organizations to dynamically adjust access control measures based on the evolving threat landscape.
NSA and CISA Report on SSF
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently published a report on the future of identity and access management (IAM). In the report, the NSA and CISA identified SSF as an emerging and promising standard for sharing security signals between trusted parties.
The report states that SSF has the potential to "revolutionize the way that organizations share security information." It also notes that SSF is "gaining traction in the industry" and that it is "being used by several leading organizations." Although this is not an endorsement of the specifications, it is encouraging to see the US government's recognition of the SSF's potential to support infrastructure security by closing critical gaps.
How SSF Will Be Useful in the Future
According to Okta's blog post on the future of open identity standards, SSF will be useful in the following ways:
- Improving risk-based authentication: SSF profile signals can be used to assess the risk of a particular login attempt (Tokens Claim changed, assurance level change, etc.) and implement risk-based authentication measures, such as requiring additional authentication factors for high-risk logins.
- Preventing fraud: SSF can be used to identify patterns of fraudulent activities (credentials change, Credential Compromise, etc.) and block fraudulent transactions by requesting re-authentication or step-up challenges.
- Improving threat detection and response: SSF can be used to share Security Events and other security information between trusted parties, enabling them to detect and respond to threats more quickly and effectively.
Apple's decision to mandate the Shared Signals Framework (SSF) for custom identity providers in Apple Business Manager marks a step forward in adopting this open standard, signaling its growing recognition within the industry.
Okta is proud to be one of the first identity providers to implement this new capability to integrate seamlessly with Apple's new feature, further solidifying SSF's position as a promising industry standard with the potential to transform identity management practices.
Cisco’s sharedsignals.guide has also supported the industry with a robust guide for developers on the benefits and how to take advantage of current shared signals capabilities, and SGNL’s caep.dev is a tool to help implementers build to the shared signals spec and get responses from a Transmitter.
The involvement of tech giants and start-ups underscores the framework's maturity and potential to become the de facto standard for identity management in the coming years.
How to get involved in the Shared Signals Framework
- Joining the SSWG as contributors: The Shared Signals Working Group (SSWG) is the group responsible for developing and maintaining the SSF specification. Interested parties can join the SSWG as contributors to help shape the future of the framework.
- Taking part in the interop demonstration: The SSWG is planning an interoperability demonstration at the Gartner IAM conference held in London, UK. Interested parties can participate in the demonstration to see how SSF can be used to share security signals between different products and vendors. Please email the co-chair of SSWG, Atul Tulshibagwale, if you are interested.
- Early adoption: Early adopters of SSF will benefit from being at the start of deployment and vendor selection as these capabilities become baseline expectations for implementors ranging from the US Government to leading digital platforms and relying parties. They can also take a central role in the ecosystem governance efforts.
The OpenID Foundation Shared Signals Framework is a promising new standard for sharing security signals between trusted parties. It has the potential to play a significant role in securing the world by enabling organizations to share Security Events and other security information more easily and efficiently.
Organizations should consider adopting SSF to improve security posture and reduce the operational overhead of sharing Security Events.
To learn more about SSF, please checkout the OpenID Foundation’s Shared Signals Working Group,
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments, and non-profits are encouraged to join or participate. Find out more at openid.net.