Last month, at the Gartner Identity and Access Management Summit in London, industry leaders showcased successful, interoperable implementations of the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP). This included Okta, SailPoint, and Cisco as well as security startups SGNL, VeriClouds, and Helisoft. The SSF suite of standards underpins Zero-Trust architectures and promises to enable a more secure digital future for everyone.
The Shared Signals Framework is a Game Changer
Today’s businesses and their users demand seamless access to services. Often this means many concurrent logged-in sessions across countless applications, and these sessions can last days or even weeks at a time. Over the course of a session, plenty can change:
- A user may change their location
- A malicious application may be found on a device
- Users may be granted new privileges (or privileges may have been revoked)
Furthermore, there may be suspicious activity on user accounts that has meaningful implications for other dependent services - for example, an email address that is used to log in to many other online services.
The industry has worked hard over the last decade to make single sign-on and federated identity possible. This greatly improved the experience for users and opened many doors to make adoption of SaaS widespread. However, closing doors when needed was more of an afterthought, and hasn't been fully solved.
While many security solutions now exist, a lot of actionable data sits siloed within individual tools, applications, and dashboards—and it hasn’t historically traveled across service providers. This lack of data sharing constrains the implementation of a Zero Trust security posture.
Enter SSF: the Solution
The Shared Signals Framework is an open API built upon a suite of protocols that enable applications and service providers to communicate about security events in order to make dynamic access and authorization decisions. It acts as a signaling layer on a back channel that helps to secure sessions in near real time.
Back in 2019, Google introduced a standards-based approach to continuously evaluating access authorization. The Continuous Access Evaluation Profile (CAEP) created a simpler way for IdPs and services to convey information about a given session. Meanwhile, the OpenID Foundation published the Risk & Incident Sharing and Collaboration (RISC) specification to define a standardized way to communicate account-level risk events. The two initiatives merged within the OpenID Foundation and formed the Shared Signals working group. CAEP and RISC are now profiles on top of the Shared Signals Framework (SSF).
Now a maturing standard, SSF is an API with a standard format for expressing both account-level and session-level Security Events. It offers seamless, privacy-preserving data-sharing about security events between service providers. Organizations can easily integrate SSF into their security infrastructure and begin sending and receiving Security Events across an ecosystem. This enables organizations to deliver Zero Trust security underpinned by continuous risk assessment efficiently and at scale.
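As an added example (not code from this page, the OpenID Foundation, or any vendor named above), here is a receiver-side handler in Python that validates a decoded Security Event Token and maps a session-level CAEP event and an account-level RISC event to local actions. The event-type URIs come from the published CAEP and RISC profiles; the issuer, audience, subject, ACTIONS policy and SAMPLE_SET are assumptions constructed for the example, and JWT signature verification against the transmitter's published JWKS is assumed to happen before this function runs.

```python
import time

# Event-type URIs from the CAEP (session-level) and RISC (account-level) profiles of SSF;
# taken from the published specs, not from the page above.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
RISC_CREDENTIAL_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"

# Hypothetical receiver policy: a session-level event ends one session, while an
# account-level event acts on every session the subject holds.
ACTIONS = {
    CAEP_SESSION_REVOKED: "terminate_session",
    RISC_CREDENTIAL_COMPROMISE: "terminate_all_sessions_and_force_credential_reset",
}
SEEN_JTI = set()  # replay cache; a real receiver persists this across restarts

def process_set(payload, expected_iss, expected_aud, now=None, max_skew=300):
    """Validate a decoded SET payload and return the (action, subject, timestamp) tuples to apply.
    Assumes the JWT signature was already verified against the transmitter's published JWKS."""
    now = now if now is not None else int(time.time())
    for claim in ("iss", "jti", "iat", "aud", "events"):  # required SET claims (RFC 8417)
        if claim not in payload:
            raise ValueError(f"missing required SET claim: {claim}")
    if payload["iss"] != expected_iss:
        raise ValueError("SET from an unexpected issuer")
    aud = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if expected_aud not in aud:
        raise ValueError("SET not addressed to this receiver")
    if payload["iat"] > now + max_skew:
        raise ValueError("SET issued in the future")
    if payload["jti"] in SEEN_JTI:
        raise ValueError("replayed SET")
    SEEN_JTI.add(payload["jti"])
    actions = []
    for event_type, event in payload["events"].items():
        action = ACTIONS.get(event_type)
        if action is None:
            continue  # unrecognised event types are ignored, not treated as errors
        # Subject is an RFC 9493 identifier, carried at top level (sub_id) or inside the event.
        subject = event.get("subject") or payload.get("sub_id")
        actions.append((action, subject, event.get("event_timestamp")))
    return actions

# Constructed sample payload (already decoded and signature-checked), not a captured one.
SAMPLE_SET = {
    "iss": "https://idp.example.com/", "jti": "set-0001", "iat": 1700000000,
    "aud": "https://sp.example.com/ssf",
    "sub_id": {"format": "email", "email": "alice@example.com"},
    "events": {CAEP_SESSION_REVOKED: {"event_timestamp": 1700000000}},
}
```

A second delivery of the same `jti` is rejected as a replay, and a SET whose `aud` names a different receiver is refused before any action is derived.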
Security through Collaboration
In a recent report by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), the authors note that the Shared Signals Framework is an emerging, promising standard gaining traction in the industry. They state “support for and the development of these standards in the enterprise ecosystem will enable a variety of security use cases, ranging from limiting access to managed devices to quickly revoking access when accounts are compromised.” They further recommend broader support for the development and implementation of identity standards as a crucial underpinning of security.
The interoperability session held at the Gartner IAM Summit in London demonstrates not only the latest in security protocols but also the industry’s shift towards collaborative security enabled by open standards. By sharing these security events across an ecosystem of trusted parties, organizations have more informed Zero Trust implementations and are empowered to mitigate threats more effectively.
Input to the Work Group
The OIDF Shared Signals Work Group is very active and welcomes a wider set of requirements from implementors. For example, implementors at April's Internet Identity Workshop (IIW) discussed the possibility of using the Shared Signals Framework to communicate lifecycle and security signals between participants (issuers, wallets, etc.) in mobile driving license (mDL) and other digital identity ecosystems. Such an approach would lower the burden on issuing authorities to deploy across wallets and ensure their policies are enforced consistently.
Join us to get involved!