How to Streamline Zero Trust Using the Shared Signals Framework

Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools do not share signals reliably. 88% of organizations admit they have faced significant challenges in trying to implement such approaches, according to Accenture. When products cannot communicate, real-time access decisions break down.

The Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events. Yet adoption is uneven. For example, Kolide Device Trust does not currently support SSF.

Scott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams a simple and intuitive way to operationalize SSF across their environment.

In this guide, we'll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

The problem – IAM tools don't support SSF

A core requirement of Zero Trust is continuous, reliable signals about user and device posture. But many tools do not support SSF or the Continuous Access Evaluation Protocol (CAEP), making it hard to share or act on these signals.

Teams often face three challenges:

  • Tools lack native SSF support
  • Signals require enrichment or correlation
  • Managing SSF endpoints and token handling adds overhead

Without this interoperability, organizations struggle to apply consistent policies, and in cases like Kolide Device Trust, critical device events never reach systems like Okta.

The solution – an SSF transmitter that turns Kolide issues into CAEP events

Because SSF is built on HTTPS requests, the OpenID standard works with Tines' HTTP Action.

Scott developed a new workflow integrating Kolide Device Trust with Tines, enabling it to send SSF signals to Okta. If a device is non-compliant, Kolide sends a message to the workflow via webhook. Tines enriches the signal, makes sure it can be linked to a user, builds a Security Event Token (SET), and then sends it to Okta.

In this way, Tines acts as the connective tissue that makes SSF work across a distributed IT environment, even when individual tools do not natively support the standard.

Tines can:

All of which makes Zero Trust enforcement faster, more reliable, and far easier to operationalize. IT teams get continuous, real-time risk assessment of devices, faster response to threats, and more flexible policy orchestration. And end users get the benefit of automated remediation, which helps to optimize productivity and minimize IT intervention.

If you want to go deeper into identity modernization, the Tines IAM guide explores how teams are unifying device trust, access decisions, and least-privilege enforcement with automation. Scott's workflow is one of several real-world patterns inside.

Workflow overview

Required tools:

  • Tines – workflow orchestration and AI platform
  • Kolide – device trust and posture monitoring
  • Okta – identity platform receiving CAEP events

Required credentials:

  • Tines API Key – `Team` scoped with the `Editor` role
  • Kolide API Key – Read Only
  • Kolide Webhook Signing Secret

Required resources:

Okta domain, such as example.okta.com, example.oktapreview.com, or a branded domain.

How it works:

The workflow creates a proof-of-concept SSF transmitter that can be registered with Okta and sends device compliance change CAEP events (delivered as SETs), based on issues generated in Kolide. There are three parts:

1. Generate and store SET signing keys (SETs are signed JSON Web Tokens):

  • Creates an RSA key pair and converts it to JWK format.
  • Publishes the public key for SSF receivers to validate SET signatures.
  • Stores the private JWK keyset as a Tines secret.

2. Expose SSF transmitter API

SSF receivers (like Okta) need:

  • a .well-known/sse-configuration endpoint describing the transmitter
  • a JWK endpoint exposing the public key used to verify SET signatures

In the workflow:

  • a webhook trigger acts as the SSF API surface
  • logic returns the .well-known config
  • logic returns the JWKs

Once this is live, teams can register a new SSF receiver in Okta under:

  • Security → Device Integrations → Receive shared signals

And create a new stream using the API's URL and the new `.well-known` endpoint.

3. Create, sign and send SETs from Kolide events

  • Receives Kolide issue events via webhook and validates them using the signing secret.
  • Fetches device and user metadata from Kolide.
  • Builds a SET for a Device Compliance Change CAEP event.
  • Signs the SET with the stored private key using the JWT_SIGN formula.
  • Sends the signed token to Okta's security-events endpoint.

This delivers real-time device-compliance updates to Okta so access policies can respond immediately.
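The three parts above (publishing the public key as a JWK, building the CAEP device-compliance-change SET, signing it with RS256, and the receiver's signature check), worked through as an added Go example that is not part of Scott's Tines workflow or any Tines, Kolide or Okta code. It assumes the caller generates the RSA key with rsa.GenerateKey, and the issuer and audience URLs, the kid and the claim values used with it are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS and JWK use base64url without padding
// CAEP event type URI for a device compliance change, the event this transmitter emits.
const CAEPDeviceCompliance = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"

// PublicJWK renders the RSA public key as the JWK a receiver fetches from the transmitter's JWKS endpoint.
func PublicJWK(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// BuildSET assembles RFC 8417 SET claims carrying one event (issuer = transmitter URL, audience = Okta tenant).
func BuildSET(issuer, audience, email, prev, cur, jti string, now int64) map[string]any {
	return map[string]any{"iss": issuer, "aud": audience, "iat": now, "jti": jti,
		"events": map[string]any{CAEPDeviceCompliance: map[string]any{
			"subject": map[string]string{"format": "email", "email": email},
			"previous_status": prev, "current_status": cur, "event_timestamp": now}}}
}

// SignSET produces the compact RS256 JWS (header.payload.signature) that the receiver validates.
func SignSET(claims map[string]any, key *rsa.PrivateKey, kid string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "secevent+jwt", "kid": kid})
	body, _ := json.Marshal(claims) // claims hold only JSON-marshalable values
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifySET is the receiver side: true only when the third segment is a valid RS256 signature under pub.
func VerifySET(token string, pub *rsa.PublicKey) bool {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return false
	}
	sig, _ := b64.DecodeString(p[2]) // a corrupt encoding leaves a partial sig, which fails below
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

A receiver also checks `iss`, `aud` and `iat` against the registered stream and looks the `kid` up in the published JWKS before trusting the event; those checks sit on Okta's side and are not shown here.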

Configuring the workflow – a step-by-step guide

You can build and run this entire workflow using Tines Community Edition.

1. Log into Tines or create a new account.

2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

3. Gather the required credentials

  • Tines API Key (team-scoped with Editor role)
  • Kolide API Key (read-only)
  • Kolide Webhook Signing Secret

These ensure authenticated calls to Kolide and secure webhook validation.

4. Gather your required resources

You'll need an Okta tenant domain, such as:

  • example.oktapreview.com
  • example.okta.com
  • or your custom Okta brand domain

This domain is used when sending signed SETs to Okta's security-events endpoint.

Note: In the example provided, Scott set this up as a `push` rather than a `poll` provider, as tokens are sent based on inbound webhooks, so there is no need to store state.

5. Generate your SET signing keys

  • Use the Generate JWK keyset action to create RSA keys
  • Convert both private and public keys to JWK format (two event transforms)
  • Store the resulting keyset using a Tines secret

This is required before Okta will accept and verify your SETs.

6. Publish the SSF transmitter API

The SSF API webhook contains two branches:

  • .well-known endpoint
    • Trigger: well-known
    • Event transform: returns the SSF configuration declaring the transmitter's capabilities
  • JWKS endpoint
    • Trigger: JWKs
    • Event transform: returns the public JWKs so Okta can verify signatures

Once live, Okta can register this transmitter as a shared signals sender.

7. Connect Kolide and process device issues

The Kolide integration flow follows these steps:

  • Webhook: Kolide webhook – receives issue opened/resolved events
  • Get device details – fetches metadata for the device involved
  • Device has a user – branching logic to check that a user is associated
  • Get user details – look up user metadata for the CAEP payload

Depending on whether the issue is new or resolved:

  • Build SET – construct the CAEP device_compliance_change event
  • Sign SET – use the RSA private key stored earlier to produce an SSF-compliant SET
  • Send SET – deliver the final signed token to Okta's security-events endpoint

As soon as Okta receives and verifies the SET, the associated user's risk level updates.

Bringing it all together

SSF exists to help security tools speak the same language, delivering continuous insight into risk and device posture. But when key tools do not support the standard, gaps open up, and access policies lag behind real-world changes.

Tines bridges these gaps by enabling new intelligent workflows. They ensure that even tools that do not support SSF can deliver information in the same standardized way. By using Tines to generate, sign, and send compliance signals in real time, you get the benefits of SSF even when the source tool wasn't built for it.

If you'd like to try this workflow yourself, you can spin it up in minutes with a free Tines account. And if you want to see how device posture fits into a broader identity strategy, this guide to modern IAM workflows offers practical patterns and real-world workflows like Scott's that you can start building on today.

This article is a contributed piece from one of our valued partners.