Today we have an impressive and ever increasing number of vendors supporting the security, governance and insight of cybersecurity across our organisations. More data than ever is being collected in order to make security decisions. However, this array of choice presents a challenge when trying to communicate events across silos.
The OpenID Foundation Shared Signals Framework (SSF) is an open standard for sharing security signals between trusted parties, vendors and technologies. It is designed to play a significant role in securing the world by enabling organizations to share indicators of compromise (Security Events) and other security information more easily and efficiently.
SSF is best described as an API service that orchestrates communication between Transmitters and Receivers. Security events are delivered over secure webhooks as a continuous stream (push and/or pull), and each event is expressed in either CAEP or RISC format.
Access decisions and authorization rules are traditionally made and evaluated at the time of login, based on the conditions known at that moment. This creates risk when those conditions change yet the session remains open on the strength of stale information.
CAEP (also known as the Continuous Access Evaluation Protocol) is a standards-based approach to communicating changes to access properties.
CAEP includes events such as:
Risk & Incident Sharing and Collaboration (RISC) defines events related to compromised accounts, particularly for the scenario where accounts are linked in some way. For example, a compromised inbox could open access to other systems by following a password reset flow on those systems.
RISC includes events such as:
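To make the Transmitter/Receiver exchange and the CAEP/RISC event formats concrete, here is an added example (not code from the original post, the OpenID Foundation, or any vendor named here). It builds a Security Event Token (SET, RFC 8417) on the transmitter side and shows a receiver validating it and acting on a CAEP `session-revoked` or RISC `credential-compromise` event instead of trusting login-time state. Assumptions for the sake of a self-contained script: the SET is signed with HS256 and a constructed shared secret (real SSF deployments sign with asymmetric keys published at the transmitter's `jwks_uri`), the issuer and audience URLs are constructed, and the receiver's session store is an in-memory dictionary.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Event type URIs from the CAEP and RISC specifications.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
RISC_CREDENTIAL_COMPROMISE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"

# Constructed shared secret. Assumption for this example: HS256; production SSF
# transmitters sign SETs with asymmetric keys published at a jwks_uri.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_ISSUER = "https://transmitter.example"      # constructed
DEMO_AUDIENCE = "https://receiver.example"       # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(subject_email, event_type, payload, *, issuer=DEMO_ISSUER,
              audience=DEMO_AUDIENCE, secret=DEMO_SECRET, iat=None):
    """Transmitter side: wrap one event in a signed Security Event Token (RFC 8417)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    claims = {
        "iss": issuer,
        "jti": uuid.uuid4().hex,                     # unique id; receivers use it to drop replays
        "iat": int(time.time()) if iat is None else iat,
        "aud": audience,
        "sub_id": {"format": "email", "email": subject_email},
        "events": {event_type: payload},
    }
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_set(token, *, issuer=DEMO_ISSUER, audience=DEMO_AUDIENCE,
               secret=DEMO_SECRET, now=None, max_age=300):
    """Receiver side: check signature, issuer, audience and freshness before trusting any event."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed SET")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected SET header")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("SET not issued by or intended for this receiver")
    now = int(time.time()) if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("SET too old or from the future")
    if not isinstance(claims.get("events"), dict) or not claims["events"]:
        raise ValueError("SET carries no events")
    return claims


class Receiver:
    """Minimal relying party that acts on CAEP/RISC events rather than on login-time state."""

    def __init__(self):
        self.active_sessions = {"alice@example.com": {"sess-1", "sess-2"}}  # constructed state
        self.credential_reset_required = set()
        self.seen_jti = set()

    def handle(self, token, now=None):
        claims = verify_set(token, now=now)
        if claims["jti"] in self.seen_jti:
            return "duplicate"                       # replayed or redelivered SET: ignore
        self.seen_jti.add(claims["jti"])
        subject = claims["sub_id"]["email"]
        actions = []
        for event_type, payload in claims["events"].items():
            if event_type == CAEP_SESSION_REVOKED:
                self.active_sessions.pop(subject, None)
                actions.append("sessions_revoked")
            elif event_type == RISC_CREDENTIAL_COMPROMISE:
                self.active_sessions.pop(subject, None)
                self.credential_reset_required.add(subject)
                actions.append(f"credential_reset_required:{payload.get('credential_type')}")
            else:
                actions.append("ignored:" + event_type)
        return actions


if __name__ == "__main__":
    receiver = Receiver()
    revoke = build_set("alice@example.com", CAEP_SESSION_REVOKED,
                       {"event_timestamp": 1700000000, "reason_admin": {"en": "constructed demo"}})
    print(receiver.handle(revoke), receiver.active_sessions)
```

The order of checks in `verify_set` is the point worth keeping: signature, then issuer and audience, then freshness, and only then the event map. A receiver that dispatches on the event type before those checks can be driven to revoke sessions by anyone who can reach its webhook. The `jti` set is what turns at-least-once webhook delivery into idempotent handling.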
The OpenID SSF Working Group is chaired by companies such as Okta, Cisco, Sgnl and Disney.
Okta, CrowdStrike and Zscaler are known as early adopters of the Shared Signals Framework (SSF), integrating their respective strengths in identity management, endpoint security and secure access.
The best place to start is the OpenID online assets here: https://openid.net/wg/sharedsignals/. There is also an excellent explainer video on this site: https://sharedsignals.guide/.
The RISC spec is here, and you can read more about CAEP here.
If you would like to explore how to leverage, adopt or just experiment with SSF, please get in touch with the Distology Studios team, an engineer is always ready to have a chat :)
Martyn Roberts is an IAM Practitioner and Services Director at Distology. Martyn consults with major tech companies on Consumer Identity, Workforce Identity and Innovation.