The need for anytime, anywhere access to enterprise applications has transformed the security strategy that organizations must employ to keep the bad actors away from corporate resources. While the COVID-19 pandemic has accelerated the need for modern security measures, the fact is that people will continue to work away from the traditional corporate perimeter. It is, therefore, important for organizations to adjust to this reality by enforcing the right access controls at the access point, ensuring that data is protected while maintaining a convenient login experience for users. Zero Trust security provides a framework for achieving these goals.
Zero Trust security is based on the precept that people, devices and services requesting access to corporate systems should be continuously assessed and verified for trust. In this regard, continuously authenticating users who are accessing corporate resources helps maintain trust in distributed IT environments.
To enforce the right level of security, IT teams need to have a deep understanding of the pros and cons, and the level of assurance authentication methods offer. For this assessment, the NIST SP 800-63-3 publication, titled “Digital Identity Guidelines”, is a perfect tool to be considered when making decisions for the purchase and deployment of access management solutions.
Let us examine some of the most prominent authentication mechanisms before we move on to the emerging continuous access evaluation protocol (CAEP) standard. For the sake of brevity, passwords are not going to be examined, given the industry consent that nowadays passwords are more a vulnerability than an authentication mechanism.
Out-of-band (OOB) authentication uses a physical device, usually a mobile device or dedicated authentication device that is uniquely addressable and communicates securely with the verifier over a distinct communications channel, referred to as the secondary channel. Many businesses tend to implement OOB authentication via SMS texts. However, the National Institute of Standards and Technology (NIST) has published guidance that recommends against using SMS as the channel for OOB verification. NIST states that “methods that do not prove possession of a specific device SHALL NOT be used for out-of-band authentication.” Instead push-based one-time password (OTP) by sending a code to a mobile device via an authenticator app is to be used to avoid risks like SIM swapping attacks.
OTP tokens are generated either by hardware devices or software-based OTP generators installed on devices such as mobile phones. These devices have an embedded secret that is used as the seed for the generation of OTPs. The OTP is displayed on the device and manually inputted for transmission to the verifier or displayed as a push OTP, thereby proving possession and control of the device. Used in combination with a local PIN or device-native biometric, OTP tokens can create sufficient trust in many cases.
Certificate-based authentication, also referred to as PKI authentication, may use either software or hardware tokens. Authentication is accomplished by proving possession and control of the key. When a software cryptographic authenticator is used, the certificate should be stored securely within a device’s secure element to avoid compromise.
Fast ID Online
The notion behind fast ID online (FIDO) is to separate the actual authentication mechanisms from the authentication process itself, so that authentications can run over a variety of hardware infrastructure, software apps, and digital identity methods. The FIDO specifications provide what are essentially passwordless, multifactor cryptographic tokens. A FIDO authenticator embeds one or more private keys, each dedicated to one online account. The protocols require a “user gesture” — a PIN, biometric method or authentication token — before the private key can be used to sign a response to an authentication challenge.
Although the above mechanisms provide a strong level of authentication assurance, they fail to address the requirement of continuously evaluating the authenticity of connected users. This gap is addressed by the CAEP standard.
What is CAEP?
Conceived by Atul Tulshibagwale, an engineer at Google, Continuous Access Evaluation Protocol (CAEP) is a new way of thinking about federated identities, offering a solution to perform continuous authentication and access.
This modern approach takes into consideration policy violations (e.g., outdated anti-malware signatures) or security issues (e.g., disabled user accounts) and requires a continuous communication between a policy service (i.e. an identity provider) and the relying party, like a SaaS app. This method provides vital information to the control plane that makes access decisions in real-time.
The main premise of CAEP is based on a limited publish and subscribe model, where subscribers express interest in information available through publishers. A publisher will broadcast changes in session and user information as update events to all those who are interested in them. The interested parties are of course the subscribers who have expressed interest in such information. CAEP defines a standard protocol for how this “express interest” handshake takes place and how the update events are exchanged. These events represent context signals about user activities on various end points and servers. Collectively, they represent a very rich set of data that a single entity (e.g. a bank) cannot collect unilaterally.
It's all about Zero Trust
Continuous authentication that is CAEP-able to evaluate access control based on current context is what zero trust is all about. Instead of checking user access at the perimeter only once, evaluate it at every access instance while considering the most current context.
To learn more about strong authentication methods you can read our “A Comprehensive Guide to Authentication Technologies and Methods” white paper. In addition, you may learn more about CAEP from the on-demand webinar, Securing Cloud Security with Continuous Access Evaluation Protocol, featuring Thales’s Asad Ali, and Atul Tulshibagwale from Google.