Security standard could improve interoperability among security vendors and expand support for zero trust approach to security.

digital identity

Image: Pop Tika

Cisco’s new Shared Signals and Events framework is designed to make life easier for security analysts by improving interoperability and supporting zero trust security. The company has joined the OpenID Foundation as a sustaining member and published an open-source technical reference document.

Shared signals is pretty much exactly what it sounds like: a standard communication method for security changes that has the potential to reduce “unnecessary, rote re-authentications or authorizations” and allow far more precise reactions to changes in security parameters.

Nancy Cam-Winget, a distinguished engineer at Cisco Secure, said Shared Signals is similar to an RSS feed for security signals or events, even though the actual technical implementation is quite different. 

“The ecosystem would be one where some vendors are publishing events and others are subscribing to events,” she said. 

Cam-Winget wrote a blog post about the news announced Tuesday, Nov. 3 and describes the protocol this way:

“For example, a cloud application might subscribe to events from an endpoint detection and response solution to quickly remove access from infected systems. Alternatively, an IAM solution might publish a change of user context used by a SIEM tool to start an investigation.”

Using a Shared Signals and Events approach could solve the “head on a swivel” issue, which requires security analysts to check and correlate signals from many different tools and environments because they don’t talk to each other. 

SEE: Zero trust: The good, the bad and the ugly

“The goal is a world in which security environments react more quickly and more dynamically to changes in risk given a decreased manual burden on analysts and an increase in security efficacy,” she said.

Cam-Winget said Cisco’s new reference document should make it easier to adopt the standard so that the path to realizing the security value is shorter and smoother. Developers can use the reference architecture to get a transmitter and receiver set up in relatively short order. 

“The big value proposition here is that the time spent will be much less than setting up one-to-one API integrations for each solution you’d like to integrate with,” she said. “With the Shared Signals framework, after the initial set-up, work is drastically reduced for each additional signal.” 

The Shared Signals and Events approach will allow a sea change in security, similar to the impact of the WebAuthn standard on passwordless authentication, according to Cisco.

The OpenID Foundation is a non-profit that promotes open and interoperable standards, specifically the use of a simple identity layer on top of Oauth 2.0: Open ID Connect. 

Gail Hodges, executive director of the OpenID Foundation, said in a press release that Cisco is joining the board at a critical inflection point in identity standards development.

“Cisco is a long-standing contributor to global standards, and we look forward to collaborating to meet this moment by crafting the path and scaling an approach that will serve society,” Hodges said.

The foundation’s Shared Signals and Events working group includes industry leaders working to promote more open communication between security systems. The three co-chairs represent Amazon, Google and Coinbase. The group’s main goal is to enable federated systems with well-defined mechanisms for sharing security events, state changes and other signals in order to: 

  1. Manage access to resources and enforce access control restrictions across distributed services operating in a dynamic environment.
  2. Prevent malicious actors from leveraging compromises of accounts, devices, services, endpoints or other principals or resources to gain unauthorized access to additional systems or resources.
  3. Enable users, administrators and service providers to coordinate in order to detect and respond to incidents. 

The group’s specification can be found here.

Also see