Introducing Shared Signals Framework
July 31st, 2024

Today's Landscape of Silos

Today we have an impressive and ever-increasing number of vendors supporting the security, governance and insights of cybersecurity across our organisations. More data than ever is being collected in order to make security decisions. However, this array of choice presents a challenge when trying to communicate events across silos.

Introducing Shared Signals

The OpenID Foundation Shared Signals Framework (SSF) is an open standard for sharing security signals between trusted parties, vendors and technologies. It is designed to play a significant role in securing the world by enabling organizations to share indicators of compromise (Security Events) and other security information more easily and efficiently.


How does this work?

SSF is best described as an API service which orchestrates communication between Transmitters and Receivers. Security events are provided over secure webhooks as a continuous stream (push and/or pull). Security events are available in either CAEP or RISC format.

What is CAEP?

Access decisions and authorization rules are traditionally made and evaluated at the time of login, based on conditions known at that moment. This creates risk when conditions change but the session remains open based on old information.

CAEP (also known as the Continuous Access Evaluation Protocol) is a standards-based approach to communicating changes to access properties. 

CAEP includes events such as:

  • Session Revoked
  • Token Claims Change
  • Credential Change
  • Assurance Level Change
  • Device Compliance Change

How about RISC?

Risk & Incident Sharing and Collaboration (RISC) defines events related to compromised accounts, particularly for the scenario where accounts are linked in some way. For example, a compromised inbox could open access to other systems by following a password reset flow on those systems.

RISC includes events such as:

  • Account Credential Change Required
  • Account Purged/Disabled/Enabled
  • Identifier Changed/Recycled
  • Credential Compromise
  • Recovery Activated/Information Changed
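
The delivery flow and event types described above, as an added example that is not part of the original post: a receiver validating a delivered Security Event Token (the signed JWT in which SSF carries each event) and mapping CAEP and RISC event types to local actions. An HS256 shared key stands in for verification against the transmitter's published keys so the code runs on the standard library alone; the issuer and audience URLs, the key and the action names are hypothetical.

```python
import base64, hashlib, hmac, json

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
RISC = "https://schemas.openid.net/secevent/risc/event-type/"
ACTIONS = {  # event type URI -> local action (action names are hypothetical)
    CAEP + "session-revoked": "terminate_sessions",
    CAEP + "device-compliance-change": "reevaluate_access",
    RISC + "credential-compromise": "force_credential_reset",
    RISC + "account-disabled": "disable_linked_account",
}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_set(claims, key, alg="HS256"):  # transmitter side, builds demo samples only
    head = _b64e(json.dumps({"alg": alg, "typ": "secevent+jwt"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(head, body, key))}"

def handle_set(token, key, issuer, audience, seen_jti):
    """Validate one delivered SET; return the local actions it triggers."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pinned; rejects "none"
            return []
        if not hmac.compare_digest(_sign(head, body, key), _b64d(sig)):
            return []
        claims = json.loads(_b64d(body))
        aud, jti, events = claims.get("aud"), claims.get("jti"), claims.get("events")
    except (ValueError, TypeError, AttributeError):
        return []
    auds = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in auds:
        return []
    if not isinstance(jti, str) or jti in seen_jti or not isinstance(events, dict):
        return []
    seen_jti.add(jti)  # remember the id so a replayed delivery is ignored
    return [ACTIONS[t] for t in events if t in ACTIONS]

# Constructed sample: one CAEP event from a hypothetical transmitter.
KEY = b"demo-shared-key"
SAMPLE = make_set({"iss": "https://idp.example", "aud": "https://rp.example", "jti": "evt-001",
                   "events": {CAEP + "session-revoked": {"event_timestamp": 1722384000}}}, KEY)
```

A token that fails the signature, issuer or audience check never reaches the replay set, so a forged delivery cannot burn a legitimate event id.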

Which vendors have adopted SSF?

The OpenID SSF Working Group is chaired by companies such as Okta, Cisco, SGNL and Disney.

Okta, CrowdStrike, and Zscaler are known as early adopters of the Shared Signals Framework (SSF), integrating their respective strengths in identity management, endpoint security, and secure access.

  • Okta provides robust identity and access management, ensuring secure user authentication and authorization.
  • CrowdStrike offers advanced endpoint protection and threat intelligence, detecting and responding to sophisticated cyber threats. 
  • Zscaler delivers secure access and threat prevention through its cloud security platform. 

Where can I learn more?

The best place to start would be the OpenID online assets here - https://openid.net/wg/sharedsignals/.  There is also an excellent explainer video on this site - https://sharedsignals.guide/.

RISC spec is here and you can read more about CAEP here.

If you would like to explore how to leverage, adopt or just experiment with SSF, please get in touch with the Distology Studios team; an engineer is always ready to have a chat :)


About the Author

Martyn Roberts is an IAM Practitioner and Services Director at Distology. Martyn consults major tech companies on Consumer Identity, Workforce Identity and Innovation.