No one in the world of enterprise security is denying the super powers of Zero Trust. More secure, more flexible, able to leap tall buildings in a single bound… OK, I got my wires crossed on that last one, but the point is that regardless of who you talk to, almost everyone agrees that Zero Trust is the answer to many of our modern IT security challenges.
At the network level, zero trust network access (ZTNA) requires a user to prove who they are in order to be granted a network connection to a specific application. This provides a granularity that couldn’t be achieved when a user was given access to a much larger segment of the corporate network through the typical perimeter-based VPN. And while this represents a significant improvement, there are still ways to further enhance security by limiting the duration of a ZTNA session.
In a typical ZTNA architecture, once a user is granted access to an authorized application, that user remains logged into a session for a specified period of time. However, during that time an employee’s status or group permissions may change. If this occurs, what was allowed at the initial time of authentication could now warrant a denial of access.
The challenge is that the record of these changes lives within the identity provider and can be difficult to integrate with ZTNA. Because integrating and coordinating the relevant identity data from multiple providers is complex, a standardized approach to this problem has emerged: continuous access evaluation protocol (CAEP).
What is Continuous Access Evaluation Protocol?
CAEP (pronounced ‘cape’) is a model that uses input from multiple sources to provide security context around a user and a network session. CAEP attempts to solve the challenge of a user being granted access based on perishable information and then having that access persist despite changes that occur during a session. With CAEP, changes relating to a user, device or session are shared with a service such as ZTNA that can execute a response based on this data.
Using real-time analysis of the data, a Zero Trust session manager can be notified when an identity provider detects relevant changes and a session’s token should no longer be accepted. Access can then be terminated instantly and automatically.
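To make the flow in the two paragraphs above concrete, here is an added example (not code from the original post or from any vendor mentioned in it) of a toy ZTNA session manager consuming CAEP events. The event-type URIs and the `current_status` / `claims` field names are taken from the OpenID CAEP specification; the subject-identifier shapes, the application policy, the session model and the sample events are all constructed assumptions for the demo. The session manager admits a user to an application only if one of their groups is allowed, and then revokes live sessions when the identity provider signals a session revocation, a device that has fallen out of compliance, or a group-membership change that no longer satisfies the application's policy.

```python
"""Toy CAEP consumer: revoke ZTNA sessions when the identity provider signals a change."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Event-type identifiers published in the OpenID CAEP specification.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
DEVICE_COMPLIANCE_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
TOKEN_CLAIMS_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/token-claims-change"


@dataclass
class Session:
    """One authenticated user-to-application connection (constructed model)."""
    session_id: str
    user_email: str
    device_id: str
    application: str
    groups: Set[str]
    active: bool = True
    reason: str = ""


class ZtnaSessionManager:
    """Holds live per-application sessions and applies CAEP events to them."""

    def __init__(self, app_policy: Dict[str, Set[str]]):
        self.app_policy = app_policy          # application -> groups allowed to reach it
        self.sessions: Dict[str, Session] = {}

    def grant(self, session: Session) -> bool:
        """Initial authorization: admit only if the user holds an allowed group."""
        if session.groups & self.app_policy.get(session.application, set()):
            self.sessions[session.session_id] = session
            return True
        return False

    def handle_set(self, set_payload: dict) -> List[str]:
        """Apply one Security Event Token payload (assumed already signature-verified).

        The CAEP 'events' claim is an object keyed by event-type URI; each value
        carries a 'subject' plus event-specific fields.
        """
        revoked: List[str] = []
        for event_type, event in set_payload.get("events", {}).items():
            subject = event.get("subject", {})
            for sess in self.sessions.values():
                if not sess.active or not self._subject_matches(subject, sess):
                    continue
                if event_type == SESSION_REVOKED:
                    self._revoke(sess, "identity provider revoked the session", revoked)
                elif event_type == DEVICE_COMPLIANCE_CHANGE and event.get("current_status") == "not-compliant":
                    self._revoke(sess, "device no longer compliant", revoked)
                elif event_type == TOKEN_CLAIMS_CHANGE and "groups" in event.get("claims", {}):
                    # Re-evaluate the application policy against the updated group list.
                    sess.groups = set(event["claims"]["groups"])
                    if not sess.groups & self.app_policy.get(sess.application, set()):
                        self._revoke(sess, "group change no longer permits application", revoked)
        return revoked

    @staticmethod
    def _subject_matches(subject: dict, sess: Session) -> bool:
        # Assumed shapes: simple {"format": "email", "email": ...} or a complex
        # subject {"user": {...}, "device": {"format": "opaque", "id": ...}}.
        user = subject.get("user", subject)
        if user.get("format") != "email" or user.get("email") != sess.user_email:
            return False
        device = subject.get("device")
        return device is None or device.get("id") == sess.device_id

    @staticmethod
    def _revoke(sess: Session, reason: str, revoked: List[str]) -> None:
        sess.active = False
        sess.reason = reason
        revoked.append(sess.session_id)


def run_demo() -> Dict[str, str]:
    """Constructed scenario; returns each session id mapped to 'active' or its revocation reason."""
    mgr = ZtnaSessionManager({"payroll": {"finance"}, "wiki": {"staff", "finance"}})
    mgr.grant(Session("s1", "alice@example.com", "dev-1", "payroll", {"finance", "staff"}))
    mgr.grant(Session("s2", "alice@example.com", "dev-1", "wiki", {"finance", "staff"}))
    mgr.grant(Session("s3", "bob@example.com", "dev-2", "wiki", {"staff"}))

    # Constructed SET: Alice's role changes and she loses the 'finance' group.
    mgr.handle_set({"iss": "https://idp.example.com", "events": {
        TOKEN_CLAIMS_CHANGE: {
            "subject": {"format": "email", "email": "alice@example.com"},
            "claims": {"groups": ["staff"]},
        }}})
    # Constructed SET: Bob's device is reported non-compliant by the IdP.
    mgr.handle_set({"iss": "https://idp.example.com", "events": {
        DEVICE_COMPLIANCE_CHANGE: {
            "subject": {"user": {"format": "email", "email": "bob@example.com"},
                        "device": {"format": "opaque", "id": "dev-2"}},
            "previous_status": "compliant",
            "current_status": "not-compliant",
        }}})
    return {sid: ("active" if s.active else s.reason) for sid, s in mgr.sessions.items()}


if __name__ == "__main__":
    for sid, state in run_demo().items():
        print(sid, state)
```

In the demo, Alice keeps her wiki session (that application still admits the `staff` group) but loses her payroll session the moment the group change arrives, and Bob's wiki session is cut off when his device goes non-compliant, without waiting for either token to expire. In a real deployment the SET arrives as a signed JWT on the receiver's push endpoint (or is fetched by polling), and the signature and issuer must be verified before anything like `handle_set` acts on it; an unverified event stream would let anyone who can reach the endpoint log users out.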
While it has yet to be standardized, some identity providers have already begun aggregating this data and making it available for applications to ingest. Leading providers Azure AD and Okta already provide the ability for users to create conditional access policies based on device trust or state.
Placing intelligence between the application, endpoint and administrator allows sessions and their policy-based access protections to adjust to the dynamics of how IT is actually used. Whether the trigger is an administrative action, state change or security event, CAEP enables more effective enforcement of user access policies and gets environments closer to the principles of Zero Trust.
So while Zero Trust may be the security super hero we have been waiting for, CAEP may be the thing that it needed to really fly.