Elevating Security with Continuous Access Evaluation: Omnissa Access and the Security Events Service

26 Sept 2025 · 5 min read

I had a cheeky gander into the Omnissa Access release notes this week and noticed that the Security Events Service is now in preview, and I want to explain why this is a potential game changer in the authentication space. In today's dynamic digital landscape, traditional "authenticate once, permit always" access models are no longer sufficient. The need for real-time security posture assessment has given rise to a critical industry initiative: Continuous Access Evaluation (CAE), and Omnissa is jumping right in.

The Challenge of Static Access

Historically, once a user authenticated, their session was largely considered secure until expiry. However, user contexts, device statuses, and threat landscapes can change rapidly. A user's account could be compromised, a device might become non-compliant, or their password could be changed – all after initial authentication. This gap in real-time security assessment creates vulnerabilities that modern threats exploit.

Introducing Continuous Access Evaluation (CAE)

Continuous Access Evaluation (CAE) addresses this challenge by enabling real-time exchange of security and threat data between trusted parties. This allows for immediate action to be taken if a user's security posture changes post-authentication. CAE is a key component of the OpenID Foundation's broader Shared Signals Framework (SSF).

The OpenID Shared Signals Framework (SSF) and CAEP

The Shared Signals Framework (SSF) is an OpenID standard designed to enable scalable and secure exchange of security and threat data between registered participants. It establishes standard protocols, such as the Continuous Access Evaluation Protocol (CAEP), for sharing security events and risk intelligence between trusted parties [1, 2].

How CAEP Works:

Imagine a scenario where a user's password is changed. With CAEP, the Identity Provider (IdP) can instantly send a "password changed" event as a CAEP signal to a Relying Party (RP) or a Policy Enforcement Point (PEP). This allows the RP/PEP to re-evaluate the user's access in real-time and take appropriate action, such as revoking existing sessions or prompting for re-authentication.

Here's a simplified visual representation of the CAEP flow:

Continuous Access Evaluation (CAEP) flow diagram

In this diagram:

  1. Initial Authentication: A user successfully authenticates with the Identity Provider (IdP), and access is granted.
  2. Security Event Detected: The IdP detects a security event (e.g., password change, account disabled).
  3. CAEP Event (signal) Issued: The Omnissa Security Events Service, acting as part of the SSF, issues a CAEP event, notifying the Relying Party (RP) or Policy Enforcement Point (PEP) of the change.
  4. CAEP Event Received & Validated: The RP/PEP receives and validates the CAEP event.
  5. Real-time Access Re-evaluation: The RP/PEP re-evaluates the user's access based on the new security event.
  6. Action Enforced: Appropriate action is enforced, such as revoking the user's session or requiring re-authentication.

Omnissa Access and the Security Events Service

Omnissa Access is ideally positioned to offer continuous access evaluation through its new Security Events Service. This platform service enables seamless integration with identity and security vendors for the exchange of security and threat data using standard protocols. By adopting the Shared Signals Framework (SSF), Omnissa Access ensures that organizations can leverage security insights from various sources, fostering a more comprehensive and unified security posture [3].

Key Capabilities of Omnissa Security Events Service:

  • Real-time Identity State Change Information: The service supports sharing continuous, real-time identity state change information. For example, through Omnissa Access connectors, it can identify user password changes or user account state changes and share this information through real-time CAEP events. This allows integrated partners, such as Apple Business Manager and Apple School Manager, to enforce access restrictions for a user to the iCloud environment upon detecting events like a user being disabled [3].

  • Workspace ONE UEM Device Compliance State Changes: The Security Events Service also extends to sharing continuous, real-time Omnissa Workspace ONE UEM device compliance state change events as CAEP signals. This means integrated partners can take further actions – such as influencing authentication, session management, application access, or access certificate decisions – based on these compliance state changes [3].

Here's a visual of how Omnissa's Security Events Service integrates within the ecosystem:

Omnissa Security Events Service integration with SSF/CAEP

In this expanded view:

  1. Identity Providers & Omnissa Access detect and publish security events (e.g., password change, user disabled, device non-compliant).
  2. The Omnissa Security Events Service Platform, acting as the SSF/CAEP Event Bus, enables Relying Parties & Service Providers (like Apple Business Manager, Apple School Manager, custom enterprise apps, and third-party security platforms) to subscribe to and consume these CAEP signals.
  3. Based on these signals, Real-time Access Re-evaluation & Enforcement occurs, leading to dynamic policy updates.
  4. Dynamic Policy Updates are pushed, which can include revoking sessions, blocking access, or other security measures.
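To make the flow concrete, here is a small end-to-end example I have added for this post; it is not Omnissa code and not the specification's reference implementation. A transmitter issues a Security Event Token (SET) carrying a CAEP `credential-change` event for a password change (steps 2 and 3 of the flow above) and a `device-compliance-change` event for a device that has fallen out of compliance (the Workspace ONE UEM capability described earlier); a receiver validates the SET and revokes the affected sessions (steps 4 to 6). The issuer, audience, shared secret, users and sessions are all constructed, and HS256 with a shared secret stands in for the asymmetric signing keys a real SSF transmitter publishes. The event type URIs, `sub_id` subject formats and claim names follow the SSF and CAEP specifications as I read them; check them against references [1] and [2] before building on them.

```python
import base64
import hashlib
import hmac
import json
import time

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
CREDENTIAL_CHANGE = CAEP + "credential-change"
DEVICE_COMPLIANCE_CHANGE = CAEP + "device-compliance-change"
TRANSMITTER = "https://idp.example.test"    # constructed issuer (the IdP)
RECEIVER = "https://rp.example.test"        # constructed audience (the RP/PEP)
SHARED_SECRET = b"constructed-demo-secret"  # constructed; HS256 stands in for JWKS-published asymmetric keys


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_set(sub_id: dict, event_type: str, payload: dict, now: int) -> str:
    """Transmitter side: wrap one CAEP event in a signed Security Event Token (RFC 8417 JWT)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    claims = {
        "iss": TRANSMITTER, "aud": RECEIVER, "iat": now,
        # jti must be unique per SET; derived deterministically here so redelivery is reproducible
        "jti": hashlib.sha256(json.dumps([sub_id, event_type, payload, now]).encode()).hexdigest()[:16],
        "sub_id": sub_id,
        "events": {event_type: {**payload, "event_timestamp": now}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_set(token: str, now: int, max_age: int = 300) -> dict:
    """Receiver side: verify the signature first, then alg/typ, issuer, audience and freshness.
    Every failure raises ValueError so the caller never acts on an unverified SET."""
    h64, c64, s64 = token.split(".")  # a wrong segment count already raises ValueError
    expected = hmac.new(SHARED_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected alg or typ")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
        raise ValueError("wrong issuer or audience")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        raise ValueError("stale or future-dated SET")
    if not claims.get("jti") or not isinstance(claims.get("events"), dict):
        raise ValueError("missing jti or events")
    return claims


class PolicyEnforcementPoint:
    """Holds live sessions and applies incoming CAEP signals to them."""
    def __init__(self, sessions: dict):
        self.sessions = dict(sessions)  # session_id -> {"email", "device_id"} (constructed)
        self.seen_jti = set()

    def _revoke(self, predicate, action: str) -> list:
        hit = [(sid, action) for sid, s in self.sessions.items() if predicate(s)]
        for sid, _ in hit:
            del self.sessions[sid]
        return hit

    def handle(self, token: str, now: int) -> list:
        """Validate one SET and return (session_id, action) for every session it revoked."""
        claims = validate_set(token, now)
        if claims["jti"] in self.seen_jti:  # redelivery or replay: already applied once
            return []
        self.seen_jti.add(claims["jti"])
        sub, revoked = claims["sub_id"], []
        for event_type, ev in claims["events"].items():
            if (event_type == CREDENTIAL_CHANGE and ev.get("credential_type") == "password"
                    and ev.get("change_type") in ("update", "revoke", "delete")):
                email = sub.get("email")
                revoked += self._revoke(lambda s: s["email"] == email, "reauthenticate")
            elif event_type == DEVICE_COMPLIANCE_CHANGE and ev.get("current_status") == "not-compliant":
                dev = sub.get("device", {}).get("id")  # SSF complex subject: user + device members
                revoked += self._revoke(lambda s: s["device_id"] == dev, "block-until-compliant")
        return revoked  # event types not handled above are deliberately left alone


def demo() -> dict:
    """Run the flow end to end on constructed sessions and return what happened."""
    now = int(time.time())
    pep = PolicyEnforcementPoint({"s1": {"email": "alice@example.test", "device_id": "dev-1"},
                                 "s2": {"email": "bob@example.test", "device_id": "dev-2"},
                                 "s3": {"email": "alice@example.test", "device_id": "dev-3"}})
    pw_changed = issue_set({"format": "email", "email": "alice@example.test"}, CREDENTIAL_CHANGE,
                           {"credential_type": "password", "change_type": "update"}, now)
    non_compliant = issue_set({"format": "complex", "user": {"format": "email", "email": "bob@example.test"},
                               "device": {"format": "opaque", "id": "dev-2"}}, DEVICE_COMPLIANCE_CHANGE,
                              {"previous_status": "compliant", "current_status": "not-compliant"}, now)
    return {"password_change": pep.handle(pw_changed, now),
            "replay": pep.handle(pw_changed, now),
            "device_noncompliant": pep.handle(non_compliant, now),
            "remaining_sessions": sorted(pep.sessions)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the JSON summary: the password change logs Alice out of both of her sessions and asks her to re-authenticate, the redelivered copy of the same SET does nothing, and the compliance event blocks only the session on the non-compliant device. Two design points matter on the receiver side. The signature is checked before the header is parsed, so the `alg` value inside the token is never consulted to choose how to verify it, and the `jti` cache makes handling idempotent, which is what you want because SSF deliveries can be retried.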

See it in Action: Demo

To see how the Omnissa Security Events Service works in practice, check out the following demo:

Conclusion

The Omnissa Security Events Service is a significant leap forward in modern access management. By embracing the OpenID Shared Signals Framework and Continuous Access Evaluation Protocol, Omnissa Access empowers organizations to move beyond static security models and implement a proactive, real-time approach to access control. This not only enhances overall security posture but also provides greater agility in responding to evolving threats, ultimately safeguarding valuable digital assets.


References:

[1] OpenID Shared Signals Framework 1.0. (n.d.). Retrieved from https://openid.net/specs/openid-sharedsignals-framework-1_0.html
[2] OpenID Continuous Access Evaluation Protocol 1.0. (n.d.). Retrieved from https://openid.net/specs/openid-caep-1_0.html
[3] Continuous Access Evaluation Through Security Signal Sharing. (2023, November 29). Retrieved from https://community.omnissa.com/technical-blog/continuous-access-evaluation-through-security-signal-sharing-r39/
