Security, Compliance, and Identity Blog

Apply Zero Trust Principles to Authentication Session Management with Continuous Access Evaluation

annabarh
Oct 03, 2022

Hi everyone,


Today we’re sharing our thoughts around managing and securing cloud authentication sessions. In the past, “authentication session management” referred to static updates to the session duration. That approach no longer provides adequate security for modern usage patterns, where a user’s context changes multiple times after the initial authentication. This can occur due to moving between locations, a need to collaborate inside and outside of an organization, or multi-device scenarios.


So how can we secure authentication sessions without affecting user experience and productivity? How do Zero Trust principles apply to authentication sessions? These are the questions we asked as we embarked on a journey to modernize session management. While we have not arrived at our destination yet, we have made discoveries and released our first session management product, one that disrupts the traditional approach.

Introducing Continuous Access Evaluation (CAE)


Traditional session management – pre-configuring authentication session duration – is not compliant with the Zero Trust principles of Verify Explicitly and Assume Breach. Session management built on Zero Trust principles must not rely on static configuration but on real-time signals. This is exactly how Continuous Access Evaluation works: it evaluates session health at every data access point. CAE sessions can last uninterrupted for as long as they are safe and secure. As soon as policy violations or account risks are detected, sessions are interrupted and re-evaluated. By allowing safe sessions to last without interruption, CAE also improves user productivity in the face of outages. Zero Trust-compliant session management is enabled by new standards like the OpenID Shared Signals and Events suite of standards, including the Continuous Access Evaluation Profile.
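To make the contrast concrete, here is an added simulation (not Azure AD's or any product's code) of the two models described above: a static check that consults only the configured session lifetime, beside a CAE-style check that re-evaluates every access against current signals. The `Session`, `Signals` and reason strings are hypothetical constructs for illustration; the disable and credential-change events stand in for what a Shared Signals feed would carry.

```python
# Added illustration of static vs. continuous (CAE-style) session evaluation.
# Hypothetical simulation only, not Azure AD's or any real library's code.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: int   # sign-in time, in seconds
    lifetime: int    # statically configured session duration, in seconds
    ip: str          # network location observed at sign-in


@dataclass
class Signals:
    """Constructed stand-in for a real-time event feed (account disabled,
    credential reset) of the kind the Shared Signals / CAE profile carries."""
    revoked_users: frozenset      # accounts disabled or signed out everywhere
    credential_changed_at: dict   # user -> time of password/credential change


def static_check(session: Session, now: int) -> bool:
    """Traditional model: only the pre-configured duration is consulted."""
    return now < session.issued_at + session.lifetime


def continuous_check(session, now, signals, request_ip):
    """CAE-style model: every data access re-evaluates the session against
    current signals. Returns (allowed, reason)."""
    if not static_check(session, now):
        return False, "expired"
    if session.user in signals.revoked_users:
        return False, "account_revoked"
    changed = signals.credential_changed_at.get(session.user)
    if changed is not None and changed > session.issued_at:
        return False, "credential_changed"
    if request_ip != session.ip:
        return False, "location_changed"   # policy violation: re-evaluate
    return True, "ok"


def replay(session, signals, accesses):
    """Run a list of (time, request_ip) accesses through both models."""
    return [(static_check(session, t), continuous_check(session, t, signals, ip))
            for t, ip in accesses]


if __name__ == "__main__":
    s = Session("alice", issued_at=0, lifetime=3600, ip="10.0.0.5")
    sig = Signals(frozenset({"alice"}), {})   # constructed: alice disabled mid-session
    for static, (ok, why) in replay(s, sig, [(600, "10.0.0.5")]):
        print(f"static={static} continuous={ok} ({why})")
```

With the account disabled ten minutes into a one-hour session, the static model still admits the request while the continuous model denies it on the next access.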


These short videos share our vision for Zero Trust-based session management and explain Continuous Access Evaluation in more detail:

Session Management Reimagined: What is session management? - YouTube

Session Management Reimagined: How Zero Trust principles apply to session management - YouTube

Session Management Reimagined: Continuous Access Evaluation - YouTube

More secure and resilient apps built on Azure AD Continuous Access Evaluation | OD120 - YouTube


Continuous Access Evaluation is our first step in building session management based on Zero Trust principles. There are more challenges and exciting innovations in this space. Stay tuned for new product launches in this area later this year.

Updated Oct 19, 2022
Version 2.0