Cisco has joined the OpenID Foundation as a sustaining member, effective November 2021. As Gail Hodges, the Executive Director of the OpenID Foundation, said: “Cisco has played a pivotal role in building networked systems that underpin the internet today. We are honored to have Cisco join the Board at this critical inflection point in identity standards development. Nancy Cam-Winget and Cisco are long-standing contributors to global standards, and we look forward to collaborating with them to meet this moment by both crafting the path and scaling an approach that will serve society.”
The OpenID Foundation is pleased to republish Nancy Cam-Winget’s blog post regarding changes in the security landscape, and the importance of OpenID Foundation standards, especially the new Shared Signals and Events standard, in helping Cisco and the wider internet community to meet this moment.
We encourage other members of the community to join the OpenID Foundation and the Shared Signals and Events working group to help realize the potential of this new standard.
Gail Hodges
OpenID Foundation Executive Director
An Open Security Ecosystem with Shared Signals is the Future of Zero Trust
Author: Nancy Cam-Winget
Publish Date: November 30, 2021

Zero Trust, as the name implies, is the strategy by which organizations trust nothing implicitly and verify everything continuously. This industry north star is driving different architectures, frameworks, and solutions to reduce an organization’s risk and improve its security posture. Beyond the need to enforce strong authentication and authorization to establish trust in an endpoint, how can we verify continuously? Today’s zero-trust approach often relies on strong authentication and on tools that evaluate the security of the user and device at the point of access, but what happens when the security posture of the user or device changes after the initial access request has been granted?

With many vendors offering impressive cybersecurity capabilities, there is a wealth of information that could be shared. Unfortunately, this information is fragmented and lacks standardization, and therefore interoperability. Getting all these best-in-class vendors to talk to each other is an expensive and time-consuming task, leaving organizations with disparate signal silos and a serious lack of visibility and control across their environment. This is the problem the OpenID Foundation’s Shared Signals and Events working group is poised to address.

For the unfamiliar, the OpenID Foundation is a non-profit organization that promotes open, interoperable standards with OpenID at its core, most notably the standardization of a simple identity layer on top of OAuth 2.0: OpenID Connect. The Shared Signals and Events working group lives within the OpenID Foundation and comprises industry leaders and innovators working to promote more open communication between systems. Shared Signals and Events standards like CAEP and RISC have the goal of giving federated systems well-defined mechanisms for sharing security events, state changes, and other signals.
This communication in turn simplifies interoperability and allows organizations to get closer to the Zero Trust ideal of continuously evaluating and enforcing security. In its first ratified standard, the Shared Signals and Events working group created an open standard through which multiple services can communicate by publishing or subscribing to relevant event streams. The standard drastically simplifies the exchange of security context between applications. For example, a cloud application might subscribe to events from an endpoint detection and response solution to quickly remove access from infected systems. Alternatively, an IAM solution might publish a change of user context that a SIEM tool uses to start an investigation.

The example shown below demonstrates how a device or application performing an HTTPS service request (step 1) can trigger an update reporting a change in state to a policy server (step 2). The policy service can then determine whether that change in state needs to be broadcast to other subscribers (step 3). A subscriber to that event can process the information and determine whether a remediation response (step 4) is needed.

By communicating across an open and interoperable standard, we can move to a world where risk is assessed and addressed in real time.
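To make the publish/subscribe flow above concrete, here is an added example in Python; it is not code from the original post, from Cisco, or from the OpenID Foundation. A transmitter (standing in for the endpoint detection and response solution) wraps a CAEP device-compliance-change event in a Security Event Token (SET, RFC 8417), and a receiver (standing in for the cloud application) verifies the token and maps the event to a remediation, which is step 4 of the flow. The issuer and audience URLs, the device identifier, the shared HMAC key and the event-to-action mapping are all constructed for the demo; the stream-management API and the asymmetric, JWKS-published signing keys a real Shared Signals deployment uses are left out to keep the example self-contained.

```python
"""Constructed Shared Signals / CAEP exchange: transmitter builds a SET,
receiver verifies it and decides on remediation.  All values are demo values."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Demo-only shared secret for HS256.  Real transmitters sign with an
# asymmetric key; HS256 is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"
TRANSMITTER = "https://edr.example.com"   # assumed issuer (the EDR service)
RECEIVER = "https://app.example.com"      # assumed audience (the cloud app)

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
DEVICE_COMPLIANCE_CHANGE = CAEP + "device-compliance-change"
SESSION_REVOKED = CAEP + "session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_set(event_type: str, subject: dict, payload: dict, now=None) -> str:
    """Transmitter side: put one event into a signed SET (RFC 8417 layout)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    claims = {
        "iss": TRANSMITTER,
        "aud": RECEIVER,
        "iat": now,
        "jti": str(uuid.uuid4()),
        # The 'events' claim maps event-type URIs to their payloads.
        "events": {event_type: {"subject": subject, "event_timestamp": now, **payload}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token: str) -> dict:
    """Receiver side: check signature, token type, issuer and audience before trusting events."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("not a SET or unexpected algorithm")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
        raise ValueError("unexpected issuer or audience")
    return claims


def remediate(claims: dict) -> list:
    """Map each verified event to the receiver's remediation (constructed policy)."""
    actions = []
    for event_type, payload in claims["events"].items():
        subject_id = payload["subject"].get("id")
        if event_type == DEVICE_COMPLIANCE_CHANGE and payload.get("current_status") == "not-compliant":
            actions.append(f"revoke-sessions device={subject_id}")
        elif event_type == SESSION_REVOKED:
            actions.append(f"terminate-session subject={subject_id}")
        else:
            actions.append(f"log-only {event_type}")
    return actions


def demo() -> list:
    """End to end: EDR publishes a compliance change, the app reacts."""
    token = build_set(
        DEVICE_COMPLIANCE_CHANGE,
        subject={"format": "opaque", "id": "laptop-0042"},   # constructed device id
        payload={"previous_status": "compliant", "current_status": "not-compliant",
                 "initiating_entity": "policy", "reason_admin": "malware detected (constructed)"},
    )
    return remediate(verify_set(token))


def tamper_is_detected() -> bool:
    """A receiver must reject a SET whose body was altered after signing."""
    token = build_set(DEVICE_COMPLIANCE_CHANGE, {"format": "opaque", "id": "laptop-0042"},
                      {"previous_status": "compliant", "current_status": "not-compliant"})
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["events"][DEVICE_COMPLIANCE_CHANGE]["current_status"] = "compliant"
    forged = f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"
    try:
        verify_set(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", tamper_is_detected())
```

The receiver deliberately checks signature, `typ`, `iss` and `aud` before it looks at `events`: a subscriber that acts on an unverified event would let anyone who can reach its endpoint trigger revocations, so the verification step is what lets the remediation in step 4 be automated safely.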
Risk assessment need not be done after static intervals of time but can move at the speed of contextual changes.