Use Case B: Enterprise-ID Access

Note

This page is supplementary material for the NIST SP 1800-35 publication.

Demonstrations in this use case deal with different scenarios using access to enterprise resources as well as non-enterprise resources located on-premises, in the cloud, and on the internet.

Each activity demonstrates the capability of authentication from within a given setting. The access is authenticated with an “enterprise-ID” using an enterprise-owned endpoint (EP) as well as a privately owned endpoint (BYOD). Each scenario provides a set of pre-conditions as well as multiple demonstrations. Each scenario could be repeated using different transport protocols (TCP- and UDP-based protocols).

Scenario B-1: Full/limited resource access using an enterprise endpoint

This scenario deals with a request using different Enterprise-ID profiles, one with access to all provided resources and one with access to a limited set of resources (e.g., only RSS1 but not RSS2), or limited functionality while accessing an enterprise-controlled resource (e.g., read-only vs. read/write).

Pre-Condition: The enterprise provides multiple user accounts with different access levels. The P_FULL access profile specifies access to all resources (RSS) within the enterprise and/or all capabilities (CAP) of resources within the enterprise. Additionally, the P_LIMITED access profile specifies access to a subset of the resources and/or only limited functionality of each resource. Both endpoints’ compliance (Compl) is already verified, and systems are authenticated per demonstration policy.

Demonstration: Each requestor using an enterprise-ID will attempt to successfully access an enterprise resource or a functionality of an enterprise resource.

Purpose and Outcome: This demonstration focuses on user privilege, authentication/re-authentication, the endpoint and RSS location, and the compliance of endpoints.

Table 1 - Scenario B-1 Demonstrations

| Demo ID | UP | Location Req. > RSS | Auth Stat User | Auth Stat EP | Auth Stat RSS | Access | Compl EP | Compl RSS | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| B-1.1 a | E1 | On-Prem > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.1 b | E1 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.1 c | E1 | On-Prem > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.1 d | E2 | On-Prem > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-1.1 e | E2 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.1 f | E2 | On-Prem > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.1 g | E3 | On-Prem > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.1 h | E1 | On-Prem > On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.1 i | E1 | On-Prem > On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| B-1.1 j | E1 | On-Prem > On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.1 k | E1 | On-Prem > On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.1 l | E1 | On-Prem > On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.1 m | E1 | On-Prem > On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.1 n | E1 | On-Prem > On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-1.1 o | E1 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.1 p | E2 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.2 a | E1 | Branch > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.2 b | E1 | Branch > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.2 c | E1 | Branch > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.2 d | E2 | Branch > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-1.2 e | E2 | Branch > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.2 f | E2 | Branch > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.2 g | E3 | Branch > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.2 h | E1 | Branch > On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.2 i | E1 | Branch > On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| B-1.2 j | E1 | Branch > On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.2 k | E1 | Branch > On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.2 l | E1 | Branch > On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.2 m | E1 | Branch > On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.2 n | E1 | Branch > On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-1.2 o | E1 | Branch > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.2 p | E2 | Branch > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.3 a | E1 | Remote > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.3 b | E1 | Remote > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.3 c | E1 | Remote > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.3 d | E2 | Remote > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-1.3 e | E2 | Remote > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.3 f | E2 | Remote > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.3 g | E3 | Remote > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-1.3 h | E1 | Remote > On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.3 i | E1 | Remote > On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| B-1.3 j | E1 | Remote > On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.3 k | E1 | Remote > On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.3 l | E1 | Remote > On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.3 m | E1 | Remote > On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.3 n | E1 | Remote > On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-1.3 o | E1 | Remote > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.3 p | E2 | Remote > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.4 a | E1 | On-Prem > Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.4 b | E1 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.4 c | E1 | On-Prem > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.4 d | E2 | On-Prem > Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-1.4 e | E2 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.4 f | E2 | On-Prem > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.4 g | E3 | On-Prem > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.4 h | E1 | On-Prem > Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.4 i | E1 | On-Prem > Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| B-1.4 j | E1 | On-Prem > Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.4 k | E1 | On-Prem > Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.4 l | E1 | On-Prem > Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.4 m | E1 | On-Prem > Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.4 n | E1 | On-Prem > Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-1.4 o | E1 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.4 p | E2 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.5 a | E1 | Branch > Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.5 b | E1 | Branch > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.5 c | E1 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.5 d | E2 | Branch > Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-1.5 e | E2 | Branch > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.5 f | E2 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.5 g | E3 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.5 h | E1 | Branch > Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.5 i | E1 | Branch > Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| B-1.5 j | E1 | Branch > Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.5 k | E1 | Branch > Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.5 l | E1 | Branch > Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.5 m | E1 | Branch > Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.5 n | E1 | Branch > Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-1.5 o | E1 | Branch > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.5 p | E2 | Branch > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.6 a | E1 | Remote > Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.6 b | E1 | Remote > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.6 c | E1 | Remote > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.6 d | E2 | Remote > Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-1.6 e | E2 | Remote > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-1.6 f | E2 | Remote > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.6 g | E3 | Remote > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-1.6 h | E1 | Remote > Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-1.6 i | E1 | Remote > Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| B-1.6 j | E1 | Remote > Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.6 k | E1 | Remote > Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.6 l | E1 | Remote > Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-1.6 m | E1 | Remote > Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-1.6 n | E1 | Remote > Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-1.6 o | E1 | Remote > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-1.6 p | E2 | Remote > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
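
An added example, not part of the NIST publication: a default-deny policy check in Python that reproduces the Desired Outcome column of rows B-1.1 a to p, which Table 1 repeats unchanged for every location pair. The profile entitlements, the reading of A+/RA+ as successful (re-)authentication, the endpoint posture rule and all names (`decide`, `Request`, `PROFILE_RESOURCES`, `mismatches`) are assumptions inferred from the table.

```python
"""Policy-decision sketch for the Scenario B-1 matrix (illustrative, not NIST code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    SUCCESSFUL = "Access Successful"
    LIMITED = "Access Limited"
    NOT_SUCCESSFUL = "Access Not Successful"


# Assumption: entitlements inferred from Table 1. E1 reaches RSS1 and RSS2,
# E2 reaches only RSS2, E3 never appears with a successful authentication.
PROFILE_RESOURCES = {"E1": {"RSS1", "RSS2"}, "E2": {"RSS2"}, "E3": set()}

# Assumption: posture rule inferred from rows j-m. A non-compliant endpoint is
# refused on RSS1 and downgraded to limited access on RSS2.
NONCOMPLIANT_EP_OUTCOME = {"RSS1": Outcome.NOT_SUCCESSFUL, "RSS2": Outcome.LIMITED}


@dataclass(frozen=True)
class Request:
    profile: str                   # UP column
    user_auth: str                 # Auth Stat User: A+, A-, RA+, RA-
    resource: Optional[str]        # Access column; None where the table has a dash
    ep_compliant: bool             # Compl EP
    rss_compliant: Optional[bool]  # Compl RSS; None where the table has a dash


def decide(req: Request) -> Outcome:
    """Default-deny evaluation: every check must pass before access is granted."""
    if req.user_auth not in ("A+", "RA+"):       # failed (re-)authentication
        return Outcome.NOT_SUCCESSFUL
    if req.resource not in PROFILE_RESOURCES.get(req.profile, set()):
        return Outcome.NOT_SUCCESSFUL            # unknown profile or no entitlement
    if req.rss_compliant is not True:            # resource posture unknown or bad
        return Outcome.NOT_SUCCESSFUL
    if not req.ep_compliant:                     # endpoint posture decides the tier
        return NONCOMPLIANT_EP_OUTCOME.get(req.resource, Outcome.NOT_SUCCESSFUL)
    return Outcome.SUCCESSFUL


# Rows B-1.1 a-p transcribed from Table 1 ("-" stands for the table's dash).
# Columns: demo, UP, Auth Stat User, Access, Compl EP, Compl RSS, outcome.
B_1_1_ROWS = """
a E1 A+  RSS1 Y Y SUCCESSFUL
b E1 A+  RSS2 Y Y SUCCESSFUL
c E1 A-  -    Y - NOT_SUCCESSFUL
d E2 A+  RSS1 Y Y NOT_SUCCESSFUL
e E2 A+  RSS2 Y Y SUCCESSFUL
f E2 A-  -    Y - NOT_SUCCESSFUL
g E3 A-  -    Y - NOT_SUCCESSFUL
h E1 RA+ RSS1 Y Y SUCCESSFUL
i E1 RA- -    Y - NOT_SUCCESSFUL
j E1 RA+ RSS1 N Y NOT_SUCCESSFUL
k E1 RA+ RSS2 N Y LIMITED
l E1 A+  RSS1 N Y NOT_SUCCESSFUL
m E1 A+  RSS2 N Y LIMITED
n E1 A+  RSS1 Y N NOT_SUCCESSFUL
o E1 A+  RSS2 Y N NOT_SUCCESSFUL
p E2 A+  RSS2 Y N NOT_SUCCESSFUL
"""


def parse_rows(text):
    """Turn the whitespace-separated rows into (demo, Request, expected Outcome)."""
    rows = []
    for line in text.strip().splitlines():
        demo, profile, auth, rss, ep, rss_ok, outcome = line.split()
        req = Request(profile, auth, None if rss == "-" else rss,
                      ep == "Y", {"Y": True, "N": False}.get(rss_ok))
        rows.append((demo, req, Outcome[outcome]))
    return rows


def mismatches(text=B_1_1_ROWS):
    """Demo letters whose computed decision differs from the table's outcome."""
    return [demo for demo, req, expected in parse_rows(text)
            if decide(req) is not expected]


if __name__ == "__main__":
    for demo, req, _ in parse_rows(B_1_1_ROWS):
        print(f"B-1.1 {demo}: {decide(req).value}")
    print("rows that disagree with Table 1:", mismatches())
```

The same harness can be pointed at a real policy engine's decisions: a non-empty `mismatches()` result names the demonstrations whose enforcement diverges from the desired outcome.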

Scenario B-2: Full/limited internet access using an enterprise endpoint

This scenario deals with access from an enterprise-owned device to non-enterprise-managed internet resources using different Enterprise-ID profiles: one with access to the internet, one with limited access to the internet, and one with no access to the internet. This is to simulate an enterprise that may have policies around accessing public Internet resources using enterprise-owned devices.

Pre-Condition: The enterprise provides multiple user accounts with different access levels to the internet. The internet access will be performed using an enterprise-owned endpoint. RSS types are OK for approved and not OK for not-approved internet resources. The approval depends on the user’s policy. User endpoints are checked for compliance (Compl) per demonstration policy. “Out of Hours” refers to the request taking place outside of marked business hours, which would fall outside of normal access behaviors seen for the ID.

Demonstration: Each requestor using an Enterprise-ID will attempt to successfully access a non-enterprise resource.

Purpose and Outcome: This demonstration focuses on the endpoint location as well as the resource location.

Table 2 - Scenario B-2 Demonstrations

| Demo ID | UP | Location Req. > RSS | Auth Stat User | Auth Stat EP | Access | Compl EP | Compl Out of Hours | Desired Outcome |
|---|---|---|---|---|---|---|---|---|
| B-2.1 a | E4 | On-Prem > Internet | A+ | A | URL1 | Y | N | Access Successful |
| B-2.1 b | E4 | On-Prem > Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-2.1 c | E4 | On-Prem > Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-2.1 d | E4 | On-Prem > Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-2.1 e | E4 | On-Prem > Internet | A- | A | — | Y | — | Access Not Successful |
| B-2.1 f | E5 | On-Prem > Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| B-2.1 g | E5 | On-Prem > Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-2.1 h | E5 | On-Prem > Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-2.1 i | E5 | On-Prem > Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-2.1 j | E5 | On-Prem > Internet | A- | A | — | Y | — | Access Not Successful |
| B-2.1 k | E4 | On-Prem > Internet | RA+ | A | URL1 | Y | — | Access Successful |
| B-2.1 l | E4 | On-Prem > Internet | RA- | A | — | Y | — | Access Not Successful |
| B-2.1 m | E4 | On-Prem > Internet | A+ | A | URL1 | N | — | Access Not Successful |
| B-2.1 n | E4 | On-Prem > Internet | A+ | A | URL2 | N | — | Access Successful |
| B-2.1 o | E5 | On-Prem > Internet | A+ | A | URL1 | N | N | Access Not Successful |
| B-2.1 p | E5 | On-Prem > Internet | A+ | A | URL2 | N | N | Access Not Successful |
| B-2.2 a | E4 | Branch > Internet | A+ | A | URL1 | Y | N | Access Successful |
| B-2.2 b | E4 | Branch > Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-2.2 c | E4 | Branch > Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-2.2 d | E4 | Branch > Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-2.2 e | E4 | Branch > Internet | A- | A | — | Y | — | Access Not Successful |
| B-2.2 f | E5 | Branch > Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| B-2.2 g | E5 | Branch > Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-2.2 h | E5 | Branch > Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-2.2 i | E5 | Branch > Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-2.2 j | E5 | Branch > Internet | A- | A | — | Y | — | Access Not Successful |
| B-2.2 k | E4 | Branch > Internet | RA+ | A | URL1 | Y | — | Access Successful |
| B-2.2 l | E4 | Branch > Internet | RA- | A | — | Y | — | Access Not Successful |
| B-2.2 m | E4 | Branch > Internet | A+ | A | URL1 | N | — | Access Not Successful |
| B-2.2 n | E4 | Branch > Internet | A+ | A | URL2 | N | — | Access Successful |
| B-2.2 o | E5 | Branch > Internet | A+ | A | URL1 | N | N | Access Not Successful |
| B-2.2 p | E5 | Branch > Internet | A+ | A | URL2 | N | N | Access Not Successful |
| B-2.3 a | E4 | Remote > Internet | A+ | A | URL1 | Y | N | Access Successful |
| B-2.3 b | E4 | Remote > Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-2.3 c | E4 | Remote > Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-2.3 d | E4 | Remote > Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-2.3 e | E4 | Remote > Internet | A- | A | — | Y | — | Access Not Successful |
| B-2.3 f | E5 | Remote > Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| B-2.3 g | E5 | Remote > Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-2.3 h | E5 | Remote > Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-2.3 i | E5 | Remote > Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-2.3 j | E5 | Remote > Internet | A- | A | — | Y | — | Access Not Successful |
| B-2.3 k | E4 | Remote > Internet | RA+ | A | URL1 | Y | — | Access Successful |
| B-2.3 l | E4 | Remote > Internet | RA- | A | — | Y | — | Access Not Successful |
| B-2.3 m | E4 | Remote > Internet | A+ | A | URL1 | N | — | Access Not Successful |
| B-2.3 n | E4 | Remote > Internet | A+ | A | URL2 | N | — | Access Successful |
| B-2.3 o | E5 | Remote > Internet | A+ | A | URL1 | N | N | Access Not Successful |
| B-2.3 p | E5 | Remote > Internet | A+ | A | URL2 | N | N | Access Not Successful |

Scenario B-3: Stolen credential using an enterprise endpoint

This scenario deals with a request using a stolen credential. It does not matter if the access is performed using an enterprise endpoint.

Pre-Condition: The requestor’s credential is stolen and is used to attempt accessing the enterprise resource RSS1 using an enterprise endpoint. The endpoints are compliant and authenticated, and so is the resource.

Demonstration: Two requests for the same enterprise resource are performed using the same user credentials. The “Real Request” is performed using the latest credentials, which are modified/replaced after being reported stolen. The “Hostile Request” is performed using a stolen enterprise-ID. All authentication methods of the Hostile Request are compromised. Re-authentication always follows a previously successful authentication.

Purpose and Outcome: This demonstration focuses on the detection of a stolen requester’s enterprise-ID and enforcement of isolation.

Table 3 - Scenario B-3 Demonstrations

| Demo ID | UP | Location Real / Hostile > RSS | Auth Stat Real Req | Auth Stat Hostile Req | Rep. Stolen | Desired Outcome for Real Request | Desired Outcome for Hostile Request |
|---|---|---|---|---|---|---|---|
| B-3.1 a | E6 | On-Prem / On-Prem > On-Prem | A+ | — | N | Access Successful | — |
| B-3.1 b | E6 | On-Prem / On-Prem > On-Prem | A- | — | N | Access Not Successful | — |
| B-3.1 c | E6 | On-Prem / On-Prem > On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-3.1 d | E6 | On-Prem / On-Prem > On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-3.1 e | E6 | On-Prem / On-Prem > On-Prem | — | A+ | N | — | Access Successful |
| B-3.1 f | E6 | On-Prem / On-Prem > On-Prem | — | A- | N | — | Access Not Successful |
| B-3.1 g | E6 | On-Prem / On-Prem > On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-3.1 h | E6 | On-Prem / On-Prem > On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-3.1 i | E7 | On-Prem / On-Prem > On-Prem | A+ | — | Y | Access Successful | — |
| B-3.1 j | E7 | On-Prem / On-Prem > On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-3.1 k | E7 | On-Prem / On-Prem > On-Prem | — | A- | Y | — | Access Not Successful |
| B-3.1 l | E7 | On-Prem / On-Prem > On-Prem | RA+ | — | Y | Access Successful | — |
| B-3.1 m | E7 | On-Prem / On-Prem > On-Prem | — | RA- | Y | — | Access Not Successful |
| B-3.1 n | E7 | On-Prem / On-Prem > On-Prem | — | A | Y | — | All Sessions Terminated |
| B-3.1 o | E7 | On-Prem / On-Prem > On-Prem | A | — | Y | All Sessions Terminated | — |
| B-3.2 a | E6 | On-Prem / Branch > On-Prem | A+ | — | N | Access Successful | — |
| B-3.2 b | E6 | On-Prem / Branch > On-Prem | A- | — | N | Access Not Successful | — |
| B-3.2 c | E6 | On-Prem / Branch > On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-3.2 d | E6 | On-Prem / Branch > On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-3.2 e | E6 | On-Prem / Branch > On-Prem | — | A+ | N | — | Access Successful |
| B-3.2 f | E6 | On-Prem / Branch > On-Prem | — | A- | N | — | Access Not Successful |
| B-3.2 g | E6 | On-Prem / Branch > On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-3.2 h | E6 | On-Prem / Branch > On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-3.2 i | E7 | On-Prem / Branch > On-Prem | A+ | — | Y | Access Successful | — |
| B-3.2 j | E7 | On-Prem / Branch > On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-3.2 k | E7 | On-Prem / Branch > On-Prem | — | A- | Y | — | Access Not Successful |
| B-3.2 l | E7 | On-Prem / Branch > On-Prem | RA+ | — | Y | Access Successful | — |
| B-3.2 m | E7 | On-Prem / Branch > On-Prem | — | RA- | Y | — | Access Not Successful |
| B-3.2 n | E7 | On-Prem / Branch > On-Prem | — | A | Y | — | Change to Access Limited |
| B-3.2 o | E7 | On-Prem / Branch > On-Prem | A | — | Y | Change to Access Limited | — |
| B-3.3 a | E6 | Branch / On-Prem > On-Prem | A+ | — | N | Access Successful | — |
| B-3.3 b | E6 | Branch / On-Prem > On-Prem | A- | — | N | Access Not Successful | — |
| B-3.3 c | E6 | Branch / On-Prem > On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-3.3 d | E6 | Branch / On-Prem > On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-3.3 e | E6 | Branch / On-Prem > On-Prem | — | A+ | N | — | Access Successful |
| B-3.3 f | E6 | Branch / On-Prem > On-Prem | — | A- | N | — | Access Not Successful |
| B-3.3 g | E6 | Branch / On-Prem > On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-3.3 h | E6 | Branch / On-Prem > On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-3.3 i | E7 | Branch / On-Prem > On-Prem | A+ | — | Y | Access Successful | — |
| B-3.3 j | E7 | Branch / On-Prem > On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-3.3 k | E7 | Branch / On-Prem > On-Prem | — | A- | Y | — | Access Not Successful |
| B-3.3 l | E7 | Branch / On-Prem > On-Prem | RA+ | — | Y | Access Successful | — |
| B-3.3 m | E7 | Branch / On-Prem > On-Prem | — | RA- | Y | — | Access Not Successful |
| B-3.3 n | E7 | Branch / On-Prem > On-Prem | — | A | Y | — | Change to Access Limited |
| B-3.3 o | E7 | Branch / On-Prem > On-Prem | A | — | Y | Change to Access Limited | — |
| B-3.4 a | E6 | Remote / On-Prem > On-Prem | A+ | — | N | Access Successful | — |
| B-3.4 b | E6 | Remote / On-Prem > On-Prem | A- | — | N | Access Not Successful | — |
| B-3.4 c | E6 | Remote / On-Prem > On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-3.4 d | E6 | Remote / On-Prem > On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-3.4 e | E6 | Remote / On-Prem > On-Prem | — | A+ | N | — | Access Successful |
| B-3.4 f | E6 | Remote / On-Prem > On-Prem | — | A- | N | — | Access Not Successful |
| B-3.4 g | E6 | Remote / On-Prem > On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-3.4 h | E6 | Remote / On-Prem > On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-3.4 i | E7 | Remote / On-Prem > On-Prem | A+ | — | Y | Access Successful | — |
| B-3.4 j | E7 | Remote / On-Prem > On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-3.4 k | E7 | Remote / On-Prem > On-Prem | — | A- | Y | — | Access Not Successful |
| B-3.4 l | E7 | Remote / On-Prem > On-Prem | RA+ | — | Y | Access Successful | — |
| B-3.4 m | E7 | Remote / On-Prem > On-Prem | — | RA- | Y | — | Access Not Successful |
| B-3.4 n | E7 | Remote / On-Prem > On-Prem | — | A | Y | — | Change to Access Limited |
| B-3.4 o | E7 | Remote / On-Prem > On-Prem | A | — | Y | Change to Access Limited | — |
| B-3.5 a | E6 | On-Prem / Remote > On-Prem | A+ | — | N | Access Successful | — |
| B-3.5 b | E6 | On-Prem / Remote > On-Prem | A- | — | N | Access Not Successful | — |
| B-3.5 c | E6 | On-Prem / Remote > On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-3.5 d | E6 | On-Prem / Remote > On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-3.5 e | E6 | On-Prem / Remote > On-Prem | — | A+ | N | — | Access Successful |
| B-3.5 f | E6 | On-Prem / Remote > On-Prem | — | A- | N | — | Access Not Successful |
| B-3.5 g | E6 | On-Prem / Remote > On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-3.5 h | E6 | On-Prem / Remote > On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-3.5 i | E7 | On-Prem / Remote > On-Prem | A+ | — | Y | Access Successful | — |
| B-3.5 j | E7 | On-Prem / Remote > On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-3.5 k | E7 | On-Prem / Remote > On-Prem | — | A- | Y | — | Access Not Successful |
| B-3.5 l | E7 | On-Prem / Remote > On-Prem | RA+ | — | Y | Access Successful | — |
| B-3.5 m | E7 | On-Prem / Remote > On-Prem | — | RA- | Y | — | Access Not Successful |
| B-3.5 n | E7 | On-Prem / Remote > On-Prem | — | A | Y | — | Change to Access Limited |
| B-3.5 o | E7 | On-Prem / Remote > On-Prem | A | — | Y | Change to Access Limited | — |

Scenario B-4: Full/limited resource access using BYOD

This scenario deals with requests using different Enterprise-ID profiles, one with access to all provided resources and one with access to a limited set of resources (e.g., only RSS1 but not RSS2) or limited functionality while accessing an enterprise-controlled resource (e.g., read-only vs. read/write). In this scenario, the device used is BYOD.

Pre-Condition: The enterprise provides multiple User accounts with different access levels. The P_FULL access profile specifies access to either all resources (RSS) within the enterprise and/or all capabilities (CAP) of resources within the enterprise. Additionally, the P_LIMITED access profile specifies access to either a subset of the resources and/or limited functionality of each resource. Both endpoints’ compliance (Compl) is already verified, and systems are authenticated per demonstration policy.

Demonstration: Each requestor using an enterprise-ID will attempt to successfully access an enterprise resource or a functionality of an enterprise resource.

Purpose and Outcome: This demonstration focuses on user privilege, authentication/re-authentication, the endpoint and RSS location, and the compliance of endpoints.

Table 4 - Scenario B-4 Demonstrations

| Demo ID | UP | Location Req. > RSS | Auth Stat User | Auth Stat EP | Auth Stat RSS | Access | Compl EP | Compl RSS | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| B-4.1 a | E1 | On-Prem > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.1 b | E1 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.1 c | E1 | On-Prem > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.1 d | E2 | On-Prem > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-4.1 e | E2 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.1 f | E2 | On-Prem > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.1 g | E3 | On-Prem > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.1 h | E1 | On-Prem > On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.1 i | E1 | On-Prem > On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| B-4.1 j | E1 | On-Prem > On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.1 k | E1 | On-Prem > On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.1 l | E1 | On-Prem > On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.1 m | E1 | On-Prem > On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.1 n | E1 | On-Prem > On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-4.1 o | E1 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.1 p | E2 | On-Prem > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.2 a | E1 | Branch > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.2 b | E1 | Branch > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.2 c | E1 | Branch > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.2 d | E2 | Branch > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-4.2 e | E2 | Branch > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.2 f | E2 | Branch > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.2 g | E3 | Branch > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.2 h | E1 | Branch > On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.2 i | E1 | Branch > On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| B-4.2 j | E1 | Branch > On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.2 k | E1 | Branch > On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.2 l | E1 | Branch > On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.2 m | E1 | Branch > On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.2 n | E1 | Branch > On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-4.2 o | E1 | Branch > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.2 p | E2 | Branch > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.3 a | E1 | Remote > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.3 b | E1 | Remote > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.3 c | E1 | Remote > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.3 d | E2 | Remote > On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-4.3 e | E2 | Remote > On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.2 f | E2 | Remote > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.3 g | E3 | Remote > On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| B-4.3 h | E1 | Remote > On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.3 i | E1 | Remote > On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| B-4.3 j | E1 | Remote > On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.3 k | E1 | Remote > On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.3 l | E1 | Remote > On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.3 m | E1 | Remote > On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.3 n | E1 | Remote > On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-4.3 o | E1 | Remote > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.3 p | E2 | Remote > On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.4 a | E1 | On-Prem > Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.4 b | E1 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.4 c | E1 | On-Prem > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.4 d | E2 | On-Prem > Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-4.4 e | E2 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.4 f | E2 | On-Prem > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.4 g | E3 | On-Prem > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.4 h | E1 | On-Prem > Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.4 i | E1 | On-Prem > Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| B-4.4 j | E1 | On-Prem > Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.4 k | E1 | On-Prem > Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.4 l | E1 | On-Prem > Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.4 m | E1 | On-Prem > Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.4 n | E1 | On-Prem > Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-4.4 o | E1 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.4 p | E2 | On-Prem > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.5 a | E1 | Branch > Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.5 b | E1 | Branch > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.5 c | E1 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.5 d | E2 | Branch > Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-4.5 e | E2 | Branch > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.5 f | E2 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.5 g | E3 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.5 h | E1 | Branch > Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.5 i | E1 | Branch > Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| B-4.5 j | E1 | Branch > Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.5 k | E1 | Branch > Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.5 l | E1 | Branch > Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.5 m | E1 | Branch > Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.5 n | E1 | Branch > Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-4.5 o | E1 | Branch > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.5 p | E2 | Branch > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.6 a | E1 | Remote > Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.6 b | E1 | Branch > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.6 c | E1 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.6 d | E2 | Branch > Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| B-4.6 e | E2 | Branch > Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| B-4.6 f | E2 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.6 g | E3 | Branch > Cloud | A- | A | — | — | Y | — | Access Not Successful |
| B-4.6 h | E1 | Branch > Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| B-4.6 i | E1 | Branch > Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| B-4.6 j | E1 | Branch > Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.6 k | E1 | Branch > Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.6 l | E1 | Branch > Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| B-4.6 m | E1 | Branch > Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| B-4.6 n | E1 | Branch > Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| B-4.6 o | E1 | Branch > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| B-4.6 p | E2 | Branch > Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |

Scenario B-5: Full/limited internet access based on ID attributes

This scenario deals with access from an enterprise-owned device to non-enterprise-managed internet resources using different Enterprise-ID profiles: one with access to the internet, one with limited access to the internet, and one with no access to the internet.

Pre-Condition: The enterprise provides multiple user accounts with different access levels to the internet. Internet access will be performed using an enterprise-owned endpoint. RSS types are OK for approved and not OK for not-approved internet resources. The approval depends on the user’s policy. User endpoints are checked for compliance (Compl) per demonstration policy.

Demonstration: Each requestor using an enterprise-ID will attempt to successfully access a non-enterprise resource.

Purpose and Outcome: This demonstration focuses on the endpoint location and the resource location.

Table 5 - Scenario B-5 Demonstrations

| Demo ID | | UP | Location Req. > RSS | Auth Stat User | Auth Stat EP | Access | Compl EP | Compl Out of Hours | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| B-5.1 | a | E4 | On-Prem → Internet | A+ | A | URL1 | Y | N | Access Successful |
| B-5.1 | b | E4 | On-Prem → Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-5.1 | c | E4 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-5.1 | d | E4 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-5.1 | e | E4 | On-Prem → Internet | A- | A | — | Y | — | Access Not Successful |
| B-5.1 | f | E5 | On-Prem → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| B-5.1 | g | E5 | On-Prem → Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-5.1 | h | E5 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-5.1 | i | E5 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-5.1 | j | E5 | On-Prem → Internet | A- | A | — | Y | — | Access Not Successful |
| B-5.1 | k | E4 | On-Prem → Internet | RA+ | A | URL1 | Y | — | Access Successful |
| B-5.1 | l | E4 | On-Prem → Internet | RA- | A | — | Y | — | Access Not Successful |
| B-5.1 | m | E4 | On-Prem → Internet | A+ | A | URL1 | N | — | Access Not Successful |
| B-5.1 | n | E4 | On-Prem → Internet | A+ | A | URL2 | N | — | Access Successful |
| B-5.1 | o | E5 | On-Prem → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| B-5.1 | p | E5 | On-Prem → Internet | A+ | A | URL2 | N | N | Access Not Successful |
| B-5.2 | a | E4 | Branch → Internet | A+ | A | URL1 | Y | N | Access Successful |
| B-5.2 | b | E4 | Branch → Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-5.2 | c | E4 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-5.2 | d | E4 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-5.2 | e | E4 | Branch → Internet | A- | A | — | Y | — | Access Not Successful |
| B-5.2 | f | E5 | Branch → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| B-5.2 | g | E5 | Branch → Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-5.2 | h | E5 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-5.2 | i | E5 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-5.2 | j | E5 | Branch → Internet | A- | A | — | Y | — | Access Not Successful |
| B-5.2 | k | E4 | Branch → Internet | RA+ | A | URL1 | Y | — | Access Successful |
| B-5.2 | l | E4 | Branch → Internet | RA- | A | — | Y | — | Access Not Successful |
| B-5.2 | m | E4 | Branch → Internet | A+ | A | URL1 | N | — | Access Not Successful |
| B-5.2 | n | E4 | Branch → Internet | A+ | A | URL2 | N | — | Access Successful |
| B-5.2 | o | E5 | Branch → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| B-5.2 | p | E5 | Branch → Internet | A+ | A | URL2 | N | N | Access Not Successful |
| B-5.3 | a | E4 | Remote → Internet | A+ | A | URL1 | Y | N | Access Successful |
| B-5.3 | b | E4 | Remote → Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-5.3 | c | E4 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-5.3 | d | E4 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| B-5.3 | e | E4 | Remote → Internet | A- | A | — | Y | — | Access Not Successful |
| B-5.3 | f | E5 | Remote → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| B-5.3 | g | E5 | Remote → Internet | A+ | A | URL2 | Y | N | Access Successful |
| B-5.3 | h | E5 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-5.3 | i | E5 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| B-5.3 | j | E5 | Remote → Internet | A- | A | — | Y | — | Access Not Successful |
| B-5.3 | k | E4 | Remote → Internet | RA+ | A | URL1 | Y | — | Access Successful |
| B-5.3 | l | E4 | Remote → Internet | RA- | A | — | Y | — | Access Not Successful |
| B-5.3 | m | E4 | Remote → Internet | A+ | A | URL1 | N | — | Access Not Successful |
| B-5.3 | n | E4 | Remote → Internet | A+ | A | URL2 | N | — | Access Successful |
| B-5.3 | o | E5 | Remote → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| B-5.3 | p | E5 | Remote → Internet | A+ | A | URL2 | N | N | Access Not Successful |

Scenario B-6: Stolen credential using BYOD

This scenario deals with a request using a stolen credential. It does not matter if the access is performed using an enterprise endpoint or BYOD device.

Pre-Condition: The requestor's credential is stolen and is used to attempt accessing the enterprise resource RSS1 using an enterprise endpoint. The endpoints are compliant and authenticated, and so is the resource.

Demonstration: Two requests for the same enterprise resource are performed using the same user credentials. The "Real Request" is performed using the latest credentials, which are modified/replaced after being reported stolen, and that request can succeed. The "Hostile Request" is performed using a stolen enterprise-ID. All authentication methods are compromised for the Hostile Request. Re-authentication always follows a previously successful authentication.

Purpose and Outcome: This demonstration focuses on the detection of a stolen enterprise-ID and enforcement of isolation.

Table 6 - Scenario B-6 Demonstrations

| Demo ID | | UP | Location: Real / Hostile > RSS | Auth Stat Real Req | Auth Stat Hostile Req | Rep. Stolen | Desired Outcome for Real Request | Desired Outcome for Hostile Request |
|---|---|---|---|---|---|---|---|---|
| B-6.1 | a | E6 | On-Prem / On-Prem → On-Prem | A+ | — | N | Access Successful | — |
| B-6.1 | b | E6 | On-Prem / On-Prem → On-Prem | A- | — | N | Access Not Successful | — |
| B-6.1 | c | E6 | On-Prem / On-Prem → On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-6.1 | d | E6 | On-Prem / On-Prem → On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-6.1 | e | E6 | On-Prem / On-Prem → On-Prem | — | A+ | N | — | Access Successful |
| B-6.1 | f | E6 | On-Prem / On-Prem → On-Prem | — | A- | N | — | Access Not Successful |
| B-6.1 | g | E6 | On-Prem / On-Prem → On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-6.1 | h | E6 | On-Prem / On-Prem → On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-6.1 | i | E6 | On-Prem / On-Prem → On-Prem | A+ | — | Y | Access Successful | — |
| B-6.1 | j | E6 | On-Prem / On-Prem → On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-6.1 | k | E6 | On-Prem / On-Prem → On-Prem | — | A- | Y | — | Access Not Successful |
| B-6.1 | l | E6 | On-Prem / On-Prem → On-Prem | RA+ | — | Y | Access Successful | — |
| B-6.1 | m | E6 | On-Prem / On-Prem → On-Prem | — | RA- | Y | — | Access Not Successful |
| B-6.1 | n | E6 | On-Prem / On-Prem → On-Prem | — | A | Y | — | All Sessions Terminated |
| B-6.1 | o | E6 | On-Prem / On-Prem → On-Prem | A | — | Y | All Sessions Terminated | — |
| B-6.2 | a | E6 | On-Prem / Branch → On-Prem | A+ | — | N | Access Successful | — |
| B-6.2 | b | E6 | On-Prem / Branch → On-Prem | A- | — | N | Access Not Successful | — |
| B-6.2 | c | E6 | On-Prem / Branch → On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-6.2 | d | E6 | On-Prem / Branch → On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-6.2 | e | E6 | On-Prem / Branch → On-Prem | — | A+ | N | — | Access Successful |
| B-6.2 | f | E6 | On-Prem / Branch → On-Prem | — | A- | N | — | Access Not Successful |
| B-6.2 | g | E6 | On-Prem / Branch → On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-6.2 | h | E6 | On-Prem / Branch → On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-6.2 | i | E7 | On-Prem / Branch → On-Prem | A+ | — | Y | Access Successful | — |
| B-6.2 | j | E7 | On-Prem / Branch → On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-6.2 | k | E7 | On-Prem / Branch → On-Prem | — | A- | Y | — | Access Not Successful |
| B-6.2 | l | E7 | On-Prem / Branch → On-Prem | RA+ | — | Y | Access Successful | — |
| B-6.2 | m | E7 | On-Prem / Branch → On-Prem | — | RA- | Y | — | Access Not Successful |
| B-6.2 | n | E7 | On-Prem / Branch → On-Prem | — | A | Y | — | Change to Access Limited |
| B-6.2 | o | E7 | On-Prem / Branch → On-Prem | A | — | Y | Change to Access Limited | — |
| B-6.3 | a | E6 | Branch / On-Prem → On-Prem | A+ | — | N | Access Successful | — |
| B-6.3 | b | E6 | Branch / On-Prem → On-Prem | A- | — | N | Access Not Successful | — |
| B-6.3 | c | E6 | Branch / On-Prem → On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-6.3 | d | E6 | Branch / On-Prem → On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-6.3 | e | E6 | Branch / On-Prem → On-Prem | — | A+ | N | — | Access Successful |
| B-6.3 | f | E6 | Branch / On-Prem → On-Prem | — | A- | N | — | Access Not Successful |
| B-6.3 | g | E6 | Branch / On-Prem → On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-6.3 | h | E6 | Branch / On-Prem → On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-6.3 | i | E7 | Branch / On-Prem → On-Prem | A+ | — | Y | Access Successful | — |
| B-6.3 | j | E7 | Branch / On-Prem → On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-6.3 | k | E7 | Branch / On-Prem → On-Prem | — | A- | Y | — | Access Not Successful |
| B-6.3 | l | E7 | Branch / On-Prem → On-Prem | RA+ | — | Y | Access Successful | — |
| B-6.3 | m | E7 | Branch / On-Prem → On-Prem | — | RA- | Y | — | Access Not Successful |
| B-6.3 | n | E7 | Branch / On-Prem → On-Prem | — | A | Y | — | Change to Access Limited |
| B-6.3 | o | E7 | Branch / On-Prem → On-Prem | A | — | Y | Change to Access Limited | — |
| B-6.4 | a | E6 | Remote / On-Prem → On-Prem | A+ | — | N | Access Successful | — |
| B-6.4 | b | E6 | Remote / On-Prem → On-Prem | A- | — | N | Access Not Successful | — |
| B-6.4 | c | E6 | Remote / On-Prem → On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-6.4 | d | E6 | Remote / On-Prem → On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-6.4 | e | E6 | Remote / On-Prem → On-Prem | — | A+ | N | — | Access Successful |
| B-6.4 | f | E6 | Remote / On-Prem → On-Prem | — | A- | N | — | Access Not Successful |
| B-6.4 | g | E6 | Remote / On-Prem → On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-6.4 | h | E6 | Remote / On-Prem → On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-6.4 | i | E7 | Remote / On-Prem → On-Prem | A+ | — | Y | Access Successful | — |
| B-6.4 | j | E7 | Remote / On-Prem → On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-6.4 | k | E7 | Remote / On-Prem → On-Prem | — | A- | Y | — | Access Not Successful |
| B-6.4 | l | E7 | Remote / On-Prem → On-Prem | RA+ | — | Y | Access Successful | — |
| B-6.4 | m | E7 | Remote / On-Prem → On-Prem | — | RA- | Y | — | Access Not Successful |
| B-6.4 | n | E7 | Remote / On-Prem → On-Prem | — | A | Y | — | Change to Access Limited |
| B-6.4 | o | E7 | Remote / On-Prem → On-Prem | A | — | Y | Change to Access Limited | — |
| B-6.5 | a | E6 | On-Prem / Remote → On-Prem | A+ | — | N | Access Successful | — |
| B-6.5 | b | E6 | On-Prem / Remote → On-Prem | A- | — | N | Access Not Successful | — |
| B-6.5 | c | E6 | On-Prem / Remote → On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| B-6.5 | d | E6 | On-Prem / Remote → On-Prem | A | A- | N | Keep Access | Access Not Successful |
| B-6.5 | e | E6 | On-Prem / Remote → On-Prem | — | A+ | N | — | Access Successful |
| B-6.5 | f | E6 | On-Prem / Remote → On-Prem | — | A- | N | — | Access Not Successful |
| B-6.5 | g | E6 | On-Prem / Remote → On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| B-6.5 | h | E6 | On-Prem / Remote → On-Prem | A- | A | N | Access Not Successful | Keep Access |
| B-6.5 | i | E7 | On-Prem / Remote → On-Prem | A+ | — | Y | Access Successful | — |
| B-6.5 | j | E7 | On-Prem / Remote → On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| B-6.5 | k | E7 | On-Prem / Remote → On-Prem | — | A- | Y | — | Access Not Successful |
| B-6.5 | l | E7 | On-Prem / Remote → On-Prem | RA+ | — | Y | Access Successful | — |
| B-6.5 | m | E7 | On-Prem / Remote → On-Prem | — | RA- | Y | — | Access Not Successful |
| B-6.5 | n | E7 | On-Prem / Remote → On-Prem | — | A | Y | — | Change to Access Limited |
| B-6.5 | o | E7 | On-Prem / Remote → On-Prem | A | — | Y | Change to Access Limited | — |
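
One way the B-6.1 outcomes in Table 6 could be produced, as an added Python example that is not part of SP 1800-35 or of any build it documents. `SessionGuard`, its methods, the alert strings and the sample secrets are hypothetical; re-authentication rows and the "Change to Access Limited" outcomes that B-6.2 to B-6.5 list for rows n and o are not modeled.

```python
import hmac
from dataclasses import dataclass, field

DENY, ALLOW = "Access Not Successful", "Access Successful"


@dataclass
class Identity:
    secret: bytes                                  # current credential
    revoked: list = field(default_factory=list)    # credentials reported stolen
    sessions: dict = field(default_factory=dict)   # session id -> "full" | "limited"


class SessionGuard:
    """Toy policy decision point for enterprise-IDs (hypothetical, not NIST code)."""

    def __init__(self):
        self.ids = {}
        self.alerts = []    # detection signals for the SOC
        self._next = 0

    def enroll(self, user, secret):
        self.ids[user] = Identity(secret)

    def request(self, user, secret, location):
        ident = self.ids[user]
        if any(hmac.compare_digest(secret, old) for old in ident.revoked):
            # Rows j, k: a credential already reported stolen is presented.
            self.alerts.append((user, location, "reported-stolen credential presented"))
            return DENY, None
        if not hmac.compare_digest(secret, ident.secret):
            return DENY, None    # A-: any existing session keeps its access (rows d, h)
        if ident.sessions:
            # Rows c, g: valid credential while a session is already live. The two
            # requestors cannot be told apart, so the newcomer is denied and the
            # existing session is restricted.
            for sid in ident.sessions:
                ident.sessions[sid] = "limited"
            self.alerts.append((user, location, "concurrent use of one enterprise-ID"))
            return DENY, None
        self._next += 1
        sid = f"s{self._next}"
        ident.sessions[sid] = "full"
        return ALLOW, sid        # rows a, e, i

    def report_stolen(self, user, new_secret):
        """Rows n, o: replace the credential and terminate every live session."""
        ident = self.ids[user]
        ident.revoked.append(ident.secret)
        ident.secret = new_secret
        terminated = sorted(ident.sessions)
        ident.sessions.clear()
        return terminated
```

Row e is the case the model cannot catch: before the theft is reported and with no other session live, the stolen credential is indistinguishable from the real one.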

Scenario B-7: Just-in-Time Access Privileges

In this demonstration, an enterprise provisions access privileges to a resource based on a single business process flow. Temporary privileges are granted to perform a portion of a business process, then revoked when the process is complete.

Pre-Condition: There are no active sessions from a subject to the resource. Both the subject endpoint and resource are in compliance with enterprise security posture or expected to be in compliance after the session is completed.

Demonstration: A subject is granted privileges to access a resource. The subject then establishes a session with an endpoint to perform some administrative task, then closes the connection. Privilege to access that resource is then removed.

Purpose and Outcome: The enterprise can provide just-in-time (JIT) access privileges to resources.

Table 7 - Scenario B-7 Demonstrations

| Demo ID | | Subject Location | Resource Location | Priv. Provisioned | Desired Outcome |
|---|---|---|---|---|---|
| B-7.1 | a | On-Prem | On-Prem | No | Access Not Successful |
| B-7.1 | b | On-Prem | On-Prem | Yes | Access Successful |
| B-7.1 | c | On-Prem | Branch | No | Access Not Successful |
| B-7.1 | d | On-Prem | Branch | Yes | Access Successful |
| B-7.1 | e | On-Prem | Remote | No | Access Not Successful |
| B-7.1 | f | On-Prem | Remote | Yes | Access Successful |
| B-7.1 | g | On-Prem | IaaS | No | Access Not Successful |
| B-7.1 | h | On-Prem | IaaS | Yes | Access Successful |
| B-7.1 | i | On-Prem | PaaS | No | Access Not Successful |
| B-7.1 | j | On-Prem | PaaS | Yes | Access Successful |
| B-7.1 | k | On-Prem | SaaS | No | Access Not Successful |
| B-7.1 | l | On-Prem | SaaS | Yes | Access Successful |
| B-7.1 | m | Branch | On-Prem | No | Access Not Successful |
| B-7.1 | n | Branch | On-Prem | Yes | Access Successful |
| B-7.1 | o | Branch | Branch | No | Access Not Successful |
| B-7.1 | p | Branch | Branch | Yes | Access Successful |
| B-7.1 | q | Branch | Remote | No | Access Not Successful |
| B-7.1 | r | Branch | Remote | Yes | Access Successful |
| B-7.1 | s | Branch | IaaS | No | Access Not Successful |
| B-7.1 | t | Branch | IaaS | Yes | Access Successful |
| B-7.1 | u | Branch | PaaS | No | Access Not Successful |
| B-7.1 | v | Branch | PaaS | Yes | Access Successful |
| B-7.1 | w | Branch | SaaS | No | Access Not Successful |
| B-7.1 | x | Branch | SaaS | Yes | Access Successful |
| B-7.1 | y | Remote | On-Prem | No | Access Not Successful |
| B-7.1 | z | Remote | On-Prem | Yes | Access Successful |
| B-7.1 | aa | Remote | Branch | No | Access Not Successful |
| B-7.1 | ab | Remote | Branch | Yes | Access Successful |
| B-7.1 | ac | Remote | Remote | No | Access Not Successful |
| B-7.1 | ad | Remote | Remote | Yes | Access Successful |
| B-7.1 | ae | Remote | IaaS | No | Access Not Successful |
| B-7.1 | af | Remote | IaaS | Yes | Access Successful |
| B-7.1 | ag | Remote | PaaS | No | Access Not Successful |
| B-7.1 | ah | Remote | PaaS | Yes | Access Successful |
| B-7.1 | ai | Remote | SaaS | No | Access Not Successful |
| B-7.1 | aj | Remote | SaaS | Yes | Access Successful |
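
The grant, session and revoke sequence of Scenario B-7, as an added Python example that is not taken from SP 1800-35 or any product used in its builds. `JITBroker` and its method names are hypothetical, and the time limit on a grant is an assumption added here: the scenario itself only requires revocation when the process completes.

```python
import itertools
import time


class JITBroker:
    """Grants one-shot, time-boxed privileges (hypothetical names throughout)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._grants = {}      # (subject, resource) -> expiry timestamp
        self._sessions = {}    # session id -> (subject, resource)
        self._ids = itertools.count(1)
        self.audit = []        # ordered record of every decision

    def provision(self, subject, resource, ttl_s):
        """Grant the privilege for at most ttl_s seconds (assumed upper bound)."""
        self._grants[(subject, resource)] = self._clock() + ttl_s
        self.audit.append(("provision", subject, resource))

    def _valid(self, key):
        expiry = self._grants.get(key)
        if expiry is not None and self._clock() < expiry:
            return True
        self._grants.pop(key, None)    # expired grants are removed, not ignored
        return False

    def open_session(self, subject, resource):
        key = (subject, resource)
        # Pre-condition of B-7: no session may already exist for this pair.
        if key in self._sessions.values() or not self._valid(key):
            self.audit.append(("deny", subject, resource))
            return None                # "Access Not Successful"
        sid = next(self._ids)
        self._sessions[sid] = key
        self.audit.append(("open", subject, resource))
        return sid                     # "Access Successful"

    def authorize(self, sid):
        """Per-request check: a grant that expires mid-session ends the session."""
        key = self._sessions.get(sid)
        if key is None:
            return False
        if not self._valid(key):
            del self._sessions[sid]
            self.audit.append(("expire", *key))
            return False
        return True

    def close_session(self, sid):
        """Task finished: drop the session and revoke the privilege with it."""
        key = self._sessions.pop(sid, None)
        if key is not None:
            self._grants.pop(key, None)
            self.audit.append(("revoke", *key))
```

The audit list gives a reviewer the evidence that every "open" is preceded by a "provision" and followed by a "revoke" or "expire".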

Scenario B-8: Enterprise-ID Step-Up Authentication

In this demonstration, the subject has an open session to the resource, but requests to perform an action that requires additional authentication checks. If successful, the subject session proceeds as normal; if failed, the session is terminated.

Pre-Condition: The subject has a current session with the resource and has successfully authenticated for the current action. The subject is authorized to perform the higher-security action. Both the subject endpoint and resource are in compliance with the enterprise security posture.

Demonstration: The subject has an open session to the resource and desires to perform a different action that is considered more sensitive. The system prompts the subject to re-authenticate or perform a higher level of authentication (e.g., additional factor of MFA or similar).

Purpose and Outcome: The system can request additional authentication mechanisms to match a more sensitive action during an active session.

Table 8 - Scenario B-8 Demonstrations

| Demo ID | | Subj Type | Subject Location | Auth Success | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|---|
| B-8.1 | a | EP | On-Prem | Yes | On-Prem | Session Continues |
| B-8.1 | b | BYOD | On-Prem | Yes | On-Prem | Session Continues |
| B-8.1 | c | Guest | On-Prem | Yes | On-Prem | Session Continues |
| B-8.1 | d | EP | On-Prem | No | On-Prem | Session Terminated |
| B-8.1 | e | BYOD | On-Prem | No | On-Prem | Session Terminated |
| B-8.1 | f | Guest | On-Prem | No | On-Prem | Session Terminated |
| B-8.1 | g | EP | Branch | Yes | On-Prem | Session Continues |
| B-8.1 | h | BYOD | Branch | Yes | On-Prem | Session Continues |
| B-8.1 | i | Guest | Branch | Yes | On-Prem | Session Continues |
| B-8.1 | j | EP | Branch | No | On-Prem | Session Terminated |
| B-8.1 | k | BYOD | Branch | No | On-Prem | Session Terminated |
| B-8.1 | l | Guest | Branch | No | On-Prem | Session Terminated |
| B-8.1 | m | EP | Remote | Yes | On-Prem | Session Continues |
| B-8.1 | n | BYOD | Remote | Yes | On-Prem | Session Continues |
| B-8.1 | o | Guest | Remote | Yes | On-Prem | Session Continues |
| B-8.1 | p | EP | Remote | No | On-Prem | Session Terminated |
| B-8.1 | q | BYOD | Remote | No | On-Prem | Session Terminated |
| B-8.1 | r | Guest | Remote | No | On-Prem | Session Terminated |
| B-8.2 | a | EP | On-Prem | Yes | Branch | Session Continues |
| B-8.2 | b | BYOD | On-Prem | Yes | Branch | Session Continues |
| B-8.2 | c | Guest | On-Prem | Yes | Branch | Session Continues |
| B-8.2 | d | EP | On-Prem | No | Branch | Session Terminated |
| B-8.2 | e | BYOD | On-Prem | No | Branch | Session Terminated |
| B-8.2 | f | Guest | On-Prem | No | Branch | Session Terminated |
| B-8.2 | g | EP | Branch | Yes | Branch | Session Continues |
| B-8.2 | h | BYOD | Branch | Yes | Branch | Session Continues |
| B-8.2 | i | Guest | Branch | Yes | Branch | Session Continues |
| B-8.2 | j | EP | Branch | No | Branch | Session Terminated |
| B-8.2 | k | BYOD | Branch | No | Branch | Session Terminated |
| B-8.2 | l | Guest | Branch | No | Branch | Session Terminated |
| B-8.2 | m | EP | Remote | Yes | Branch | Session Continues |
| B-8.2 | n | BYOD | Remote | Yes | Branch | Session Continues |
| B-8.2 | o | Guest | Remote | Yes | Branch | Session Continues |
| B-8.2 | p | EP | Remote | No | Branch | Session Terminated |
| B-8.2 | q | BYOD | Remote | No | Branch | Session Terminated |
| B-8.2 | r | Guest | Remote | No | Branch | Session Terminated |
| B-8.3 | a | EP | On-Prem | Yes | IaaS | Session Continues |
| B-8.3 | b | BYOD | On-Prem | Yes | IaaS | Session Continues |
| B-8.3 | c | Guest | On-Prem | Yes | IaaS | Session Continues |
| B-8.3 | d | EP | On-Prem | No | IaaS | Session Terminated |
| B-8.3 | e | BYOD | On-Prem | No | IaaS | Session Terminated |
| B-8.3 | f | Guest | On-Prem | No | IaaS | Session Terminated |
| B-8.3 | g | EP | Branch | Yes | IaaS | Session Continues |
| B-8.3 | h | BYOD | Branch | Yes | IaaS | Session Continues |
| B-8.3 | i | Guest | Branch | Yes | IaaS | Session Continues |
| B-8.3 | j | EP | Branch | No | IaaS | Session Terminated |
| B-8.3 | k | BYOD | Branch | No | IaaS | Session Terminated |
| B-8.3 | l | Guest | Branch | No | IaaS | Session Terminated |
| B-8.3 | m | EP | Remote | Yes | IaaS | Session Continues |
| B-8.3 | n | BYOD | Remote | Yes | IaaS | Session Continues |
| B-8.3 | o | Guest | Remote | Yes | IaaS | Session Continues |
| B-8.3 | p | EP | Remote | No | IaaS | Session Terminated |
| B-8.3 | q | BYOD | Remote | No | IaaS | Session Terminated |
| B-8.3 | r | Guest | Remote | No | IaaS | Session Terminated |
| B-8.4 | a | EP | On-Prem | Yes | PaaS | Session Continues |
| B-8.4 | b | BYOD | On-Prem | Yes | PaaS | Session Continues |
| B-8.4 | c | Guest | On-Prem | Yes | PaaS | Session Continues |
| B-8.4 | d | EP | On-Prem | No | PaaS | Session Terminated |
| B-8.4 | e | BYOD | On-Prem | No | PaaS | Session Terminated |
| B-8.4 | f | Guest | On-Prem | No | PaaS | Session Terminated |
| B-8.4 | g | EP | Branch | Yes | PaaS | Session Continues |
| B-8.4 | h | BYOD | Branch | Yes | PaaS | Session Continues |
| B-8.4 | i | Guest | Branch | Yes | PaaS | Session Continues |
| B-8.4 | j | EP | Branch | No | PaaS | Session Terminated |
| B-8.4 | k | BYOD | Branch | No | PaaS | Session Terminated |
| B-8.4 | l | Guest | Branch | No | PaaS | Session Terminated |
| B-8.4 | m | EP | Remote | Yes | PaaS | Session Continues |
| B-8.4 | n | BYOD | Remote | Yes | PaaS | Session Continues |
| B-8.4 | o | Guest | Remote | Yes | PaaS | Session Continues |
| B-8.4 | p | EP | Remote | No | PaaS | Session Terminated |
| B-8.4 | q | BYOD | Remote | No | PaaS | Session Terminated |
| B-8.4 | r | Guest | Remote | No | PaaS | Session Terminated |
| B-8.5 | a | EP | On-Prem | Yes | SaaS | Session Continues |
| B-8.5 | b | BYOD | On-Prem | Yes | SaaS | Session Continues |
| B-8.5 | c | Guest | On-Prem | Yes | SaaS | Session Continues |
| B-8.5 | d | EP | On-Prem | No | SaaS | Session Terminated |
| B-8.5 | e | BYOD | On-Prem | No | SaaS | Session Terminated |
| B-8.5 | f | Guest | On-Prem | No | SaaS | Session Terminated |
| B-8.5 | g | EP | Branch | Yes | SaaS | Session Continues |
| B-8.5 | h | BYOD | Branch | Yes | SaaS | Session Continues |
| B-8.5 | i | Guest | Branch | Yes | SaaS | Session Continues |
| B-8.5 | j | EP | Branch | No | SaaS | Session Terminated |
| B-8.5 | k | BYOD | Branch | No | SaaS | Session Terminated |
| B-8.5 | l | Guest | Branch | No | SaaS | Session Terminated |
| B-8.5 | m | EP | Remote | Yes | SaaS | Session Continues |
| B-8.5 | n | BYOD | Remote | Yes | SaaS | Session Continues |
| B-8.5 | o | Guest | Remote | Yes | SaaS | Session Continues |
| B-8.5 | p | EP | Remote | No | SaaS | Session Terminated |
| B-8.5 | q | BYOD | Remote | No | SaaS | Session Terminated |
| B-8.5 | r | Guest | Remote | No | SaaS | Session Terminated |
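
The step-up decision of Scenario B-8, as an added Python example that is not taken from SP 1800-35 or its builds. `StepUpSession`, `make_verifier`, the action catalogue, the "Step-Up Required" prompt state and the expiry of an elevation after `step_up_ttl_s` seconds are all assumptions made for illustration.

```python
import hmac
import time

# Constructed action catalogue: required assurance level per action.
SENSITIVITY = {"read-report": 1, "change-payroll": 2}


def make_verifier(expected):
    """Return a check for a second factor; `expected` maps subject -> bytes code."""
    def verify(subject, response):
        code = expected.get(subject)
        return code is not None and hmac.compare_digest(code, response)
    return verify


class StepUpSession:
    """An open session whose assurance level can be raised for sensitive actions."""

    def __init__(self, subject, verify_factor, clock=time.monotonic, step_up_ttl_s=120):
        self.subject = subject
        self.active = True
        self.level = 1                   # level reached at initial login
        self._verify = verify_factor
        self._clock = clock
        self._ttl = step_up_ttl_s
        self._stepped_at = None

    def _effective_level(self):
        if self.level > 1 and self._clock() - self._stepped_at >= self._ttl:
            self.level = 1               # elevation expires; the base session remains
        return self.level

    def perform(self, action, factor_response=None):
        if not self.active:
            return "Session Terminated"
        # Unknown actions fail closed: they are treated as the most sensitive.
        need = SENSITIVITY.get(action, max(SENSITIVITY.values()))
        if self._effective_level() >= need:
            return "Session Continues"
        if factor_response is None:
            return "Step-Up Required"    # prompt only; the action has not run
        if self._verify(self.subject, factor_response):
            self.level, self._stepped_at = need, self._clock()
            return "Session Continues"   # "Auth Success: Yes" rows of Table 8
        self.active = False              # "Auth Success: No" rows of Table 8
        return "Session Terminated"
```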