Use Case D: Other-ID Access

Note

This page is supplementary material for the NIST SP 1800-35 publication.

Demonstrations in this use case deal with different scenarios using access to enterprise resources as well as non-enterprise resources located on-premises, in the cloud, and on the internet. Each activity demonstrates the capability of authentication from within a given setting. The access is authenticated with an “Other-ID” using enterprise-owned endpoints (EP) as well as privately owned endpoints (BYOD). Each scenario provides a set of pre-conditions as well as multiple demonstrations.

Scenario D-1: Full/limited resource access using an enterprise endpoint

This scenario deals with a request using different “other-ID” profiles, one with access to all provided resources and one with access to a limited set of resources (e.g., only RSS1 but not RSS2) or with limited functionality while accessing an enterprise-controlled resource (e.g., read-only vs. read/write).

Pre-Condition: The enterprise provides multiple user accounts with different access levels. The P_FULL access profile specifies access to all resources (RSS) within the enterprise and/or access to all capabilities (CAP) of resources within the enterprise. Additionally, the P_LIMITED access profile specifies access to a subset of the resources and/or only limited functionality of each resource. Both endpoints’ compliance (Compl) is already verified, and systems are authenticated per demonstration policy.

Demonstration: Each requestor using an “Other-ID” will attempt to successfully access an enterprise resource or a functionality of an enterprise resource.

Purpose and Outcome: This demonstration focuses on user privilege, authentication/re-authentication, and endpoint and RSS location, as well as the compliance of endpoints.

Table 1 - Scenario D-1 Demonstrations

| Demo ID | UP | Location Req. → RSS | Auth Stat User | Auth Stat EP | Auth Stat RSS | Access | Compl EP | Compl RSS | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| D-1.1 a | O1 | On-Prem → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.1 b | O1 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.1 c | O1 | On-Prem → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.1 d | E2 | On-Prem → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.1 e | E2 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.1 f | E2 | On-Prem → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.1 g | E3 | On-Prem → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.1 h | O1 | On-Prem → On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.1 i | O1 | On-Prem → On-Prem | RA- | A | | | Y | | Access Not Successful |
| D-1.1 j | O1 | On-Prem → On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.1 k | O1 | On-Prem → On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.1 l | O1 | On-Prem → On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.1 m | O1 | On-Prem → On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.1 n | O1 | On-Prem → On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.1 o | O1 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.1 p | E2 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.2 a | O1 | Branch → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.2 b | O1 | Branch → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.2 c | O1 | Branch → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.2 d | E2 | Branch → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.2 e | E2 | Branch → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.2 f | E2 | Branch → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.2 g | E3 | Branch → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.2 h | O1 | Branch → On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.2 i | O1 | Branch → On-Prem | RA- | A | | | Y | | Access Not Successful |
| D-1.2 j | O1 | Branch → On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.2 k | O1 | Branch → On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.2 l | O1 | Branch → On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.2 m | O1 | Branch → On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.2 n | O1 | Branch → On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.2 o | O1 | Branch → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.2 p | E2 | Branch → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.3 a | O1 | Remote → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.3 b | O1 | Remote → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.3 c | O1 | Remote → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.3 d | E2 | Remote → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.3 e | E2 | Remote → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.3 f | E2 | Remote → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.3 g | E3 | Remote → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-1.3 h | O1 | Remote → On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.3 i | O1 | Remote → On-Prem | RA- | A | | | Y | | Access Not Successful |
| D-1.3 j | O1 | Remote → On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.3 k | O1 | Remote → On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.3 l | O1 | Remote → On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.3 m | O1 | Remote → On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.3 n | O1 | Remote → On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.3 o | O1 | Remote → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.3 p | E2 | Remote → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.4 a | O1 | On-Prem → Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.4 b | O1 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.4 c | O1 | On-Prem → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.4 d | E2 | On-Prem → Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.4 e | E2 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.4 f | E2 | On-Prem → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.4 g | E3 | On-Prem → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.4 h | O1 | On-Prem → Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.4 i | O1 | On-Prem → Cloud | RA- | A | | | Y | | Access Not Successful |
| D-1.4 j | O1 | On-Prem → Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.4 k | O1 | On-Prem → Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.4 l | O1 | On-Prem → Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.4 m | O1 | On-Prem → Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.4 n | O1 | On-Prem → Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.4 o | O1 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.4 p | E2 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.5 a | O1 | Branch → Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.5 b | O1 | Branch → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.5 c | O1 | Branch → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.5 d | O2 | Branch → Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.5 e | O2 | Branch → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.5 f | O2 | Branch → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.5 g | O3 | Branch → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.5 h | O1 | Branch → Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.5 i | O1 | Branch → Cloud | RA- | A | | | Y | | Access Not Successful |
| D-1.5 j | O1 | Branch → Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.5 k | O1 | Branch → Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.5 l | O1 | Branch → Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.5 m | O1 | Branch → Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.5 n | O1 | Branch → Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.5 o | O1 | Branch → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.5 p | O2 | Branch → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.6 a | O1 | Remote → Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.6 b | O1 | Remote → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.6 c | O1 | Remote → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.6 d | O2 | Remote → Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.6 e | O2 | Remote → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.6 f | O2 | Remote → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.6 g | O3 | Remote → Cloud | A- | A | | | Y | | Access Not Successful |
| D-1.6 h | O1 | Remote → Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.6 i | O1 | Remote → Cloud | RA- | A | | | Y | | Access Not Successful |
| D-1.6 j | O1 | Remote → Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.6 k | O1 | Remote → Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.6 l | O1 | Remote → Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.6 m | O1 | Remote → Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.6 n | O1 | Remote → Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.6 o | O1 | Remote → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.6 p | O2 | Remote → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |

Scenario D-2: Full/limited internet access using an enterprise endpoint

This scenario deals with access from an enterprise-owned device to non-enterprise-managed internet resources using different Enterprise-ID profiles: one with access to the internet, one with limited access to the internet, and one with no access to the internet. This simulates an enterprise whose policies restrict public internet access from enterprise-owned endpoints used with Other-IDs.

Pre-Condition: The enterprise provides multiple user accounts with different access levels to the internet. The internet access will be performed using an enterprise-owned endpoint. RSS types are OK for approved internet resources and not OK for non-approved ones; the approval depends on the user’s policy. User endpoints are checked for compliance (Compl) per demonstration policy.

Demonstration: Each requestor using an enterprise-ID will attempt to successfully access a non-enterprise resource.

Purpose and Outcome: This demonstration focuses on the endpoint location as well as the resource location.

Table 2 - Scenario D-2 Demonstrations

| Demo ID | UP | Location Req. → RSS | Auth Stat User | Auth Stat EP | Access | Compl EP | Compl Out of Hours | Desired Outcome |
|---|---|---|---|---|---|---|---|---|
| D-2.1 a | O4 | On-Prem → Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-2.1 b | O4 | On-Prem → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.1 c | O4 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.1 d | O4 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.1 e | O4 | On-Prem → Internet | A- | A | | Y | | Access Not Successful |
| D-2.1 f | O5 | On-Prem → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-2.1 g | O5 | On-Prem → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.1 h | O5 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.1 i | O5 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.1 j | O5 | On-Prem → Internet | A- | A | | Y | | Access Not Successful |
| D-2.1 k | O4 | On-Prem → Internet | RA+ | A | URL1 | Y | | Access Successful |
| D-2.1 l | O4 | On-Prem → Internet | RA- | A | | Y | | Access Not Successful |
| D-2.1 m | O4 | On-Prem → Internet | A+ | A | URL1 | N | | Access Not Successful |
| D-2.1 n | O4 | On-Prem → Internet | A+ | A | URL2 | N | | Access Successful |
| D-2.1 o | O5 | On-Prem → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-2.1 p | O5 | On-Prem → Internet | A+ | A | URL2 | N | N | Access Not Successful |
| D-2.2 a | O4 | Branch → Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-2.2 b | O4 | Branch → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.2 c | O4 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.2 d | O4 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.2 e | O4 | Branch → Internet | A- | A | | Y | | Access Not Successful |
| D-2.2 f | O5 | Branch → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-2.2 g | O5 | Branch → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.2 h | O5 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.2 i | O5 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.2 j | O5 | Branch → Internet | A- | A | | Y | | Access Not Successful |
| D-2.2 k | O4 | Branch → Internet | RA+ | A | URL1 | Y | | Access Successful |
| D-2.2 l | O4 | Branch → Internet | RA- | A | | Y | | Access Not Successful |
| D-2.2 m | O4 | Branch → Internet | A+ | A | URL1 | N | | Access Not Successful |
| D-2.2 n | O4 | Branch → Internet | A+ | A | URL2 | N | | Access Successful |
| D-2.2 o | O5 | Branch → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-2.2 p | O5 | Branch → Internet | A+ | A | URL2 | N | N | Access Not Successful |
| D-2.3 a | O4 | Remote → Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-2.3 b | O4 | Remote → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.3 c | O4 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.3 d | O4 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.3 e | O4 | Remote → Internet | A- | A | | Y | | Access Not Successful |
| D-2.3 f | O5 | Remote → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-2.3 g | O5 | Remote → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.3 h | O5 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.3 i | O5 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.3 j | O5 | Remote → Internet | A- | A | | Y | | Access Not Successful |
| D-2.3 k | O4 | Remote → Internet | RA+ | A | URL1 | Y | | Access Successful |
| D-2.3 l | O4 | Remote → Internet | RA- | A | | Y | | Access Not Successful |
| D-2.3 m | O4 | Remote → Internet | A+ | A | URL1 | N | | Access Not Successful |
| D-2.3 n | O4 | Remote → Internet | A+ | A | URL2 | N | | Access Successful |
| D-2.3 o | O5 | Remote → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-2.3 p | O5 | Remote → Internet | A+ | A | URL2 | N | N | Access Not Successful |

Scenario D-3: Stolen credential using BYOD or enterprise endpoint

This scenario deals with a request using a stolen credential. It does not matter if the access is performed using an enterprise endpoint or BYOD device.

Pre-Condition: The requestor’s credential is stolen and is used to attempt accessing enterprise resource RSS1 using an enterprise endpoint. The requesting endpoint and requested resource are both in compliance.

Demonstration: Two requests for the same enterprise resource from an enterprise endpoint are performed using the same user credentials. The “Real Request” is performed using the latest credentials, which are modified/replaced after being reported stolen, and that request can succeed. The “Hostile Request” is performed using a stolen Enterprise-ID. All authentication methods are compromised. Re-authentication always follows a previously successful authentication.

Purpose and Outcome: This demonstration focuses on the detection of a stolen requester’s Enterprise-ID and enforcement of isolation.

Table 3 - Scenario D-3 Demonstrations

| Demo ID | UP | Location Real Req. | Location Hostile Req. | RSS Location | Auth Stat (Real Req / Hostile Req) | Rep. Stolen | Desired Outcome (Real Request / Hostile Request) |
|---|---|---|---|---|---|---|---|
| D-3.1 a | O6 | On-Prem | On-Prem | On-Prem | A+ | N | Access Successful |
| D-3.1 b | O6 | On-Prem | On-Prem | On-Prem | A- | N | Access Not Successful |
| D-3.1 c | O6 | On-Prem | On-Prem | On-Prem | A / A+ | N | Change to Access Limited / Access Not Successful |
| D-3.1 d | O6 | On-Prem | On-Prem | On-Prem | A / A- | N | Keep Access / Access Not Successful |
| D-3.1 e | O6 | On-Prem | On-Prem | On-Prem | A+ | N | Access Successful |
| D-3.1 f | O6 | On-Prem | On-Prem | On-Prem | A- | N | Access Not Successful |
| D-3.1 g | O6 | On-Prem | On-Prem | On-Prem | A+ / A | N | Access Not Successful / Change to Access Limited |
| D-3.1 h | O6 | On-Prem | On-Prem | On-Prem | A- / A | N | Access Not Successful / Keep Access |
| D-3.1 i | O7 | On-Prem | On-Prem | On-Prem | A+ | Y | Access Successful |
| D-3.1 j | O7 | On-Prem | On-Prem | On-Prem | A / A- | Y | Keep Access / Access Not Successful |
| D-3.1 k | O7 | On-Prem | On-Prem | On-Prem | A- | Y | Access Not Successful |
| D-3.1 l | O7 | On-Prem | On-Prem | On-Prem | RA+ | Y | Access Successful |
| D-3.1 m | O7 | On-Prem | On-Prem | On-Prem | RA- | Y | Access Not Successful |
| D-3.1 n | O7 | On-Prem | On-Prem | On-Prem | A | Y | All Sessions Terminated |
| D-3.1 o | O7 | On-Prem | On-Prem | On-Prem | A | Y | All Sessions Terminated |
| D-3.2 a | O6 | On-Prem | Branch | On-Prem | A+ | N | Access Successful |
| D-3.2 b | O6 | On-Prem | Branch | On-Prem | A- | N | Access Not Successful |
| D-3.2 c | O6 | On-Prem | Branch | On-Prem | A / A+ | N | Change to Access Limited / Access Not Successful |
| D-3.2 d | O6 | On-Prem | Branch | On-Prem | A / A- | N | Keep Access / Access Not Successful |
| D-3.2 e | O6 | On-Prem | Branch | On-Prem | A+ | N | Access Successful |
| D-3.2 f | O6 | On-Prem | Branch | On-Prem | A- | N | Access Not Successful |
| D-3.2 g | O6 | On-Prem | Branch | On-Prem | A+ / A | N | Access Not Successful / Change to Access Limited |
| D-3.2 h | O6 | On-Prem | Branch | On-Prem | A- / A | N | Access Not Successful / Keep Access |
| D-3.2 i | O7 | On-Prem | Branch | On-Prem | A+ | Y | Access Successful |
| D-3.2 j | O7 | On-Prem | Branch | On-Prem | A / A- | Y | Keep Access / Access Not Successful |
| D-3.2 k | O7 | On-Prem | Branch | On-Prem | A- | Y | Access Not Successful |
| D-3.2 l | O7 | On-Prem | Branch | On-Prem | RA+ | Y | Access Successful |
| D-3.2 m | O7 | On-Prem | Branch | On-Prem | RA- | Y | Access Not Successful |
| D-3.2 n | O7 | On-Prem | Branch | On-Prem | A | Y | Change to Access Limited |
| D-3.2 o | O7 | On-Prem | Branch | On-Prem | A | Y | Change to Access Limited |
| D-3.3 a | O6 | Branch | On-Prem | On-Prem | A+ | N | Access Successful |
| D-3.3 b | O6 | Branch | On-Prem | On-Prem | A- | N | Access Not Successful |
| D-3.3 c | O6 | Branch | On-Prem | On-Prem | A / A+ | N | Change to Access Limited / Access Not Successful |
| D-3.3 d | O6 | Branch | On-Prem | On-Prem | A / A- | N | Keep Access / Access Not Successful |
| D-3.3 e | O6 | Branch | On-Prem | On-Prem | A+ | N | Access Successful |
| D-3.3 f | O6 | Branch | On-Prem | On-Prem | A- | N | Access Not Successful |
| D-3.3 g | O6 | Branch | On-Prem | On-Prem | A+ / A | N | Access Not Successful / Change to Access Limited |
| D-3.3 h | O6 | Branch | On-Prem | On-Prem | A- / A | N | Access Not Successful / Keep Access |
| D-3.3 i | O7 | Branch | On-Prem | On-Prem | A+ | Y | Access Successful |
| D-3.3 j | O7 | Branch | On-Prem | On-Prem | A / A- | Y | Keep Access / Access Not Successful |
| D-3.3 k | O7 | Branch | On-Prem | On-Prem | A- | Y | Access Not Successful |
| D-3.3 l | O7 | Branch | On-Prem | On-Prem | RA+ | Y | Access Successful |
| D-3.3 m | O7 | Branch | On-Prem | On-Prem | RA- | Y | Access Not Successful |
| D-3.3 n | O7 | Branch | On-Prem | On-Prem | A | Y | Change to Access Limited |
| D-3.3 o | O7 | Branch | On-Prem | On-Prem | A | Y | Change to Access Limited |
| D-3.4 a | O6 | Remote | On-Prem | On-Prem | A+ | N | Access Successful |
| D-3.4 b | O6 | Remote | On-Prem | On-Prem | A- | N | Access Not Successful |
| D-3.4 c | O6 | Remote | On-Prem | On-Prem | A / A+ | N | Change to Access Limited / Access Not Successful |
| D-3.4 d | O6 | Remote | On-Prem | On-Prem | A / A- | N | Keep Access / Access Not Successful |
| D-3.4 e | O6 | Remote | On-Prem | On-Prem | A+ | N | Access Successful |
| D-3.4 f | O6 | Remote | On-Prem | On-Prem | A- | N | Access Not Successful |
| D-3.4 g | O6 | Remote | On-Prem | On-Prem | A+ / A | N | Access Not Successful / Change to Access Limited |
| D-3.4 h | O6 | Remote | On-Prem | On-Prem | A- / A | N | Access Not Successful / Keep Access |
| D-3.4 i | O7 | Remote | On-Prem | On-Prem | A+ | Y | Access Successful |
| D-3.4 j | O7 | Remote | On-Prem | On-Prem | A / A- | Y | Keep Access / Access Not Successful |
| D-3.4 k | O7 | Remote | On-Prem | On-Prem | A- | Y | Access Not Successful |
| D-3.4 l | O7 | Remote | On-Prem | On-Prem | RA+ | Y | Access Successful |
| D-3.4 m | O7 | Remote | On-Prem | On-Prem | RA- | Y | Access Not Successful |
| D-3.4 n | O7 | Remote | On-Prem | On-Prem | A | Y | Change to Access Limited |
| D-3.4 o | O7 | Remote | On-Prem | On-Prem | A | Y | Change to Access Limited |
| D-3.5 a | O6 | On-Prem | Remote | On-Prem | A+ | N | Access Successful |
| D-3.5 b | O6 | On-Prem | Remote | On-Prem | A- | N | Access Not Successful |
| D-3.5 c | O6 | On-Prem | Remote | On-Prem | A / A+ | N | Change to Access Limited / Access Not Successful |
| D-3.5 d | O6 | On-Prem | Remote | On-Prem | A / A- | N | Keep Access / Access Not Successful |
| D-3.5 e | O6 | On-Prem | Remote | On-Prem | A+ | N | Access Successful |
| D-3.5 f | O6 | On-Prem | Remote | On-Prem | A- | N | Access Not Successful |
| D-3.5 g | O6 | On-Prem | Remote | On-Prem | A+ / A | N | Access Not Successful / Change to Access Limited |
| D-3.5 h | O6 | On-Prem | Remote | On-Prem | A- / A | N | Access Not Successful / Keep Access |
| D-3.5 i | O7 | On-Prem | Remote | On-Prem | A+ | Y | Access Successful |
| D-3.5 j | O7 | On-Prem | Remote | On-Prem | A / A- | Y | Keep Access / Access Not Successful |
| D-3.5 k | O7 | On-Prem | Remote | On-Prem | A- | Y | Access Not Successful |
| D-3.5 l | O7 | On-Prem | Remote | On-Prem | RA+ | Y | Access Successful |
| D-3.5 m | O7 | On-Prem | Remote | On-Prem | RA- | Y | Access Not Successful |
| D-3.5 n | O7 | On-Prem | Remote | On-Prem | A | Y | Change to Access Limited |
| D-3.5 o | O7 | On-Prem | Remote | On-Prem | A | Y | Change to Access Limited |
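As an added example (not code from the NIST SP 1800-35 build or any collaborator product), the following Python models the session decisions of Table 3 for the rows where a second request arrives for an identity that is already in session (c, d, g, h, j) together with the credential replacement named in the pre-condition. The `SessionMonitor` class, its in-memory credential store, and the choice to follow rows n/o of D-3.1 (end the active session when the credential is reported stolen) are assumptions made here.

```python
"""Session handling for the D-3 stolen-credential demonstrations.

Added example; the engine cannot tell the real request from the hostile one,
so every decision depends only on the authentication result and on whether a
session for the same identity already exists.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    identity: str
    location: str
    state: str = "Full"  # Full / Limited / Terminated


@dataclass(frozen=True)
class Decision:
    existing: str  # outcome for the session that was already active ("" if none)
    new: str       # outcome for the request being evaluated


class SessionMonitor:
    def __init__(self, credentials):
        # identity -> current secret; a constructed stand-in for the enterprise IdP
        self.credentials = dict(credentials)
        self.sessions = {}          # identity -> active Session
        self.reported_stolen = set()

    def authenticate(self, identity, secret):
        """A+ when the presented secret is the identity's current one, else A-."""
        current = self.credentials.get(identity, "")
        return "A+" if secrets.compare_digest(current, secret) else "A-"

    def report_stolen(self, identity):
        """Pre-condition: a reported credential is replaced, so the stolen copy
        stops authenticating; following D-3.1 rows n/o the active session is ended.
        Returns the replacement secret (handed to the real user out of band)."""
        self.reported_stolen.add(identity)
        self.credentials[identity] = secrets.token_hex(16)
        active = self.sessions.pop(identity, None)
        if active is not None:
            active.state = "Terminated"
        return self.credentials[identity]

    def request(self, identity, secret, location):
        auth = self.authenticate(identity, secret)
        existing = self.sessions.get(identity)
        if existing is None:
            # Single-request rows (a, b, e, f, i, k): plain authentication result.
            if auth == "A-":
                return Decision("", "Access Not Successful")
            self.sessions[identity] = Session(identity, location)
            return Decision("", "Access Successful")
        if auth == "A-":
            # Rows d, h, j: the second request fails to authenticate and the
            # established session is left untouched.
            return Decision("Keep Access", "Access Not Successful")
        # Rows c, g: a second successful authentication for an identity that is
        # already in session. One of the two is hostile and the engine cannot
        # tell which, so the new request is refused and the established session
        # is isolated to limited access until the user is re-verified.
        existing.state = "Limited"
        return Decision("Change to Access Limited", "Access Not Successful")
```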

Scenario D-4: Full/limited resource access using BYOD

This scenario deals with a request using different Enterprise-ID profiles, one with access to all provided resources and one with access to a limited set of resources (e.g., only RSS1 but not RSS2) or with limited functionality while accessing an enterprise-controlled resource (e.g., read-only vs. read/write). In this scenario the device used is BYOD.

Pre-Condition: The enterprise provides multiple user accounts with different access levels. The P_FULL access profile specifies access to all resources (RSS) within the enterprise and/or all capabilities (CAP) of resources within the enterprise. Additionally, the P_LIMITED access profile specifies access to a subset of the resources and/or only limited functionality of each resource. Both endpoints’ compliance (Compl) is already verified, and systems are authenticated per demonstration policy.

Demonstration: Each requestor using an Enterprise-ID will attempt to successfully access an enterprise resource or a functionality of an enterprise resource.

Purpose and Outcome: This demonstration focuses on user privilege, authentication/re-authentication, the endpoint and RSS location, as well as the compliance of endpoints.

Table 4 - Scenario D-4 Demonstrations

| Demo ID | UP | Location Req. → RSS | Auth Stat User | Auth Stat EP | Auth Stat RSS | Access | Compl EP | Compl RSS | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| D-4.1 a | O1 | On-Prem → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.1 b | O1 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.1 c | O1 | On-Prem → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.1 d | E2 | On-Prem → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.1 e | E2 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.1 f | E2 | On-Prem → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.1 g | E3 | On-Prem → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.1 h | O1 | On-Prem → On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.1 i | O1 | On-Prem → On-Prem | RA- | A | | | Y | | Access Not Successful |
| D-4.1 j | O1 | On-Prem → On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.1 k | O1 | On-Prem → On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.1 l | O1 | On-Prem → On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.1 m | O1 | On-Prem → On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.1 n | O1 | On-Prem → On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.1 o | O1 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.1 p | E2 | On-Prem → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.2 a | O1 | Branch → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.2 b | O1 | Branch → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.2 c | O1 | Branch → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.2 d | O2 | Branch → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.2 e | O2 | Branch → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.2 f | O2 | Branch → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.2 g | E3 | Branch → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.2 h | O1 | Branch → On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.2 i | O1 | Branch → On-Prem | RA- | A | | | Y | | Access Not Successful |
| D-4.2 j | O1 | Branch → On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.2 k | O1 | Branch → On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.2 l | O1 | Branch → On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.2 m | O1 | Branch → On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.2 n | O1 | Branch → On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.2 o | O1 | Branch → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.2 p | O2 | Branch → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.3 a | O1 | Remote → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.3 b | O1 | Remote → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.3 c | O1 | Remote → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.3 d | O2 | Remote → On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.3 e | O2 | Remote → On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.3 f | O2 | Remote → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.3 g | E3 | Remote → On-Prem | A- | A | | | Y | | Access Not Successful |
| D-4.3 h | O1 | Remote → On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.3 i | O1 | Remote → On-Prem | RA- | A | | | Y | | Access Not Successful |
| D-4.3 j | O1 | Remote → On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.3 k | O1 | Remote → On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.3 l | O1 | Remote → On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.3 m | O1 | Remote → On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.3 n | O1 | Remote → On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.3 o | O1 | Remote → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.3 p | O2 | Remote → On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.4 a | O1 | On-Prem → Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.4 b | O1 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.4 c | O1 | On-Prem → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.4 d | O2 | On-Prem → Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.4 e | O2 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.4 f | O2 | On-Prem → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.4 g | O3 | On-Prem → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.4 h | O1 | On-Prem → Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.4 i | O1 | On-Prem → Cloud | RA- | A | | | Y | | Access Not Successful |
| D-4.4 j | O1 | On-Prem → Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.4 k | O1 | On-Prem → Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.4 l | O1 | On-Prem → Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.4 m | O1 | On-Prem → Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.4 n | O1 | On-Prem → Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.4 o | O1 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.4 p | O2 | On-Prem → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.5 a | O1 | Branch → Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.5 b | O1 | Branch → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.5 c | O1 | Branch → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.5 d | O2 | Branch → Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.5 e | O2 | Branch → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.5 f | O2 | Branch → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.5 g | O2 | Branch → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.5 h | O1 | Branch → Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.5 i | O1 | Branch → Cloud | RA- | A | | | Y | | Access Not Successful |
| D-4.5 j | O1 | Branch → Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.5 k | O1 | Branch → Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.5 l | O1 | Branch → Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.5 m | O1 | Branch → Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.5 n | O1 | Branch → Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.5 o | O1 | Branch → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.5 p | O2 | Branch → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.6 a | O1 | Remote → Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.6 b | O1 | Remote → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.6 c | O1 | Remote → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.6 d | O2 | Remote → Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.6 e | O2 | Remote → Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.6 f | O2 | Remote → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.6 g | O3 | Remote → Cloud | A- | A | | | Y | | Access Not Successful |
| D-4.6 h | O1 | Remote → Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.6 i | O1 | Remote → Cloud | RA- | A | | | Y | | Access Not Successful |
| D-4.6 j | O1 | Remote → Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.6 k | O1 | Remote → Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.6 l | O1 | Remote → Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.6 m | O1 | Remote → Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.6 n | O1 | Remote → Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.6 o | O1 | Remote → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.6 p | O2 | Remote → Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
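As an added example (not code from the NIST SP 1800-35 build or any collaborator product), the following Python encodes a policy decision function that reproduces the Desired Outcome column of Tables 1 and 4, whose rows are identical apart from endpoint ownership, and checks it against the rows of D-1.1. The mapping from user profiles to permitted resources and the per-resource treatment of a non-compliant endpoint are assumptions chosen to fit the tables; `Request`, `decide` and `check_table` are names introduced here.

```python
"""Policy-decision model for the D-1 / D-4 resource-access demonstrations.

Added example. The rule order below is inferred from the tables: a failed
(re-)authentication, an unauthenticated party, a non-compliant resource and a
profile that does not grant the resource all deny; a non-compliant endpoint
is handled per resource; everything else is granted.
"""
from dataclasses import dataclass

# Assumed profile definitions: O1 is a P_FULL profile; E2/O2 are P_LIMITED
# profiles confined to RSS2; E3/O3 reach no resource in these scenarios.
PROFILE_RESOURCES = {
    "O1": {"RSS1", "RSS2"},
    "E2": {"RSS2"},
    "O2": {"RSS2"},
    "E3": set(),
    "O3": set(),
}

# Assumed resource attribute: what a resource grants to a non-compliant endpoint
# (rows j-m of every demonstration: RSS1 refuses, RSS2 serves in limited mode).
NONCOMPLIANT_EP_OUTCOME = {
    "RSS1": "Access Not Successful",
    "RSS2": "Access Limited",
}


@dataclass(frozen=True)
class Request:
    profile: str     # UP column
    auth_user: str   # A+, A-, RA+, RA- (authentication / re-authentication result)
    auth_ep: str     # A or "" (endpoint authenticated?)
    auth_rss: str    # A or "" (resource authenticated?)
    resource: str    # RSS1, RSS2 or ""
    compl_ep: str    # Y / N
    compl_rss: str   # Y / N / ""


def decide(req: Request) -> str:
    """Return the access decision the demonstration tables expect."""
    if req.auth_user in ("A-", "RA-"):
        return "Access Not Successful"          # user (re-)authentication failed
    if req.auth_ep != "A" or req.auth_rss != "A":
        return "Access Not Successful"          # endpoint or resource not authenticated
    if req.compl_rss != "Y":
        return "Access Not Successful"          # non-compliant resource is never served
    if req.resource not in PROFILE_RESOURCES.get(req.profile, set()):
        return "Access Not Successful"          # profile does not grant this resource
    if req.compl_ep != "Y":
        return NONCOMPLIANT_EP_OUTCOME.get(req.resource, "Access Not Successful")
    return "Access Successful"


# Rows a-p of demonstration D-1.1, transcribed from Table 1 (expected outcome last).
D11_ROWS = [
    ("a", Request("O1", "A+", "A", "A", "RSS1", "Y", "Y"), "Access Successful"),
    ("b", Request("O1", "A+", "A", "A", "RSS2", "Y", "Y"), "Access Successful"),
    ("c", Request("O1", "A-", "A", "", "", "Y", ""), "Access Not Successful"),
    ("d", Request("E2", "A+", "A", "A", "RSS1", "Y", "Y"), "Access Not Successful"),
    ("e", Request("E2", "A+", "A", "A", "RSS2", "Y", "Y"), "Access Successful"),
    ("f", Request("E2", "A-", "A", "", "", "Y", ""), "Access Not Successful"),
    ("g", Request("E3", "A-", "A", "", "", "Y", ""), "Access Not Successful"),
    ("h", Request("O1", "RA+", "A", "A", "RSS1", "Y", "Y"), "Access Successful"),
    ("i", Request("O1", "RA-", "A", "", "", "Y", ""), "Access Not Successful"),
    ("j", Request("O1", "RA+", "A", "A", "RSS1", "N", "Y"), "Access Not Successful"),
    ("k", Request("O1", "RA+", "A", "A", "RSS2", "N", "Y"), "Access Limited"),
    ("l", Request("O1", "A+", "A", "A", "RSS1", "N", "Y"), "Access Not Successful"),
    ("m", Request("O1", "A+", "A", "A", "RSS2", "N", "Y"), "Access Limited"),
    ("n", Request("O1", "A+", "A", "A", "RSS1", "Y", "N"), "Access Not Successful"),
    ("o", Request("O1", "A+", "A", "A", "RSS2", "Y", "N"), "Access Not Successful"),
    ("p", Request("E2", "A+", "A", "A", "RSS2", "Y", "N"), "Access Not Successful"),
]


def check_table(rows=D11_ROWS):
    """Return the ids of rows whose computed decision differs from the table."""
    return [row_id for row_id, req, want in rows if decide(req) != want]
```

The same rows with the location changed (D-1.2 to D-1.6) and with O2/O3 in place of E2/E3 (D-4) evaluate identically, since location does not enter the decision.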

Scenario D-5: Full/limited internet access using BYOD

This scenario deals with access from an enterprise-owned device to non-enterprise-managed internet resources using different Enterprise-ID profiles: one with access to the internet, one with limited access to the internet, and one with no access to the internet.

Pre-Condition: The enterprise provides multiple user accounts with different access levels to the internet. The internet access will be performed using a BYOD endpoint. RSS types are OK for approved internet resources and not OK for non-approved ones; the approval depends on the user’s policy. User endpoints are checked for compliance (Compl) per demonstration policy.

Demonstration: Each requestor using an Enterprise-ID will attempt to successfully access a non-enterprise resource.

Purpose and Outcome: This demonstration focuses on the endpoint location as well as the resource location.

Table 5 - Scenario D-5 Demonstrations

| Demo ID | UP | Location Req. → RSS | Auth Stat User | Auth Stat EP | Access | Compl EP | Compl Out of Hours | Desired Outcome |
|---|---|---|---|---|---|---|---|---|
| D-5.1 a | O4 | On-Prem → Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-5.1 b | O4 | On-Prem → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-5.1 c | O4 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-5.1 d | O4 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-5.1 e | O4 | On-Prem → Internet | A- | A | | Y | | Access Not Successful |
| D-5.1 f | O5 | On-Prem → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-5.1 g | O5 | On-Prem → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-5.1 h | O5 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-5.1 i | O5 | On-Prem → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-5.1 j | O5 | On-Prem → Internet | A- | A | | Y | | Access Not Successful |
| D-5.1 k | O4 | On-Prem → Internet | RA+ | A | URL1 | Y | | Access Successful |
| D-5.1 l | O4 | On-Prem → Internet | RA- | A | | Y | | Access Not Successful |
| D-5.1 m | O4 | On-Prem → Internet | A+ | A | URL1 | N | | Access Not Successful |
| D-5.1 n | O4 | On-Prem → Internet | A+ | A | URL2 | N | | Access Successful |
| D-5.1 o | O5 | On-Prem → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-5.1 p | O5 | On-Prem → Internet | A+ | A | URL2 | N | N | Access Not Successful |
| D-5.2 a | O4 | Branch → Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-5.2 b | O4 | Branch → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-5.2 c | O4 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-5.2 d | O4 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-5.2 e | O4 | Branch → Internet | A- | A | | Y | | Access Not Successful |
| D-5.2 f | O5 | Branch → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-5.2 g | O5 | Branch → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-5.2 h | O5 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-5.2 i | O5 | Branch → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-5.2 j | O5 | Branch → Internet | A- | A | | Y | | Access Not Successful |
| D-5.2 k | O4 | Branch → Internet | RA+ | A | URL1 | Y | | Access Successful |
| D-5.2 l | O4 | Branch → Internet | RA- | A | | Y | | Access Not Successful |
| D-5.2 m | O4 | Branch → Internet | A+ | A | URL1 | N | | Access Not Successful |
| D-5.2 n | O4 | Branch → Internet | A+ | A | URL2 | N | | Access Successful |
| D-5.2 o | O5 | Branch → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-5.2 p | O5 | Branch → Internet | A+ | A | URL2 | N | N | Access Not Successful |
| D-5.3 a | O4 | Remote → Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-5.3 b | O4 | Remote → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-5.3 c | O4 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-5.3 d | O4 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-5.3 e | O4 | Remote → Internet | A- | A | | Y | | Access Not Successful |
| D-5.3 f | O5 | Remote → Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-5.3 g | O5 | Remote → Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-5.3 h | O5 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-5.3 i | O5 | Remote → Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-5.3 j | O5 | Remote → Internet | A- | A | | Y | | Access Not Successful |
| D-5.3 k | O4 | Remote → Internet | RA+ | A | URL1 | Y | | Access Successful |
| D-5.3 l | O4 | Remote → Internet | RA- | A | | Y | | Access Not Successful |
| D-5.3 m | O4 | Remote → Internet | A+ | A | URL1 | N | | Access Not Successful |
| D-5.3 n | O4 | Remote → Internet | A+ | A | URL2 | N | | Access Successful |
| D-5.3 o | O5 | Remote → Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-5.3 p | O5 | Remote → Internet | A+ | A | URL2 | N | N | Access Not Successful |

Scenario D-6: Stolen credential using BYOD#

This scenario deals with a request using a stolen credential. It does not matter whether the access is performed using an enterprise endpoint or a BYOD device.

Pre-Condition: The requestor’s credential is stolen and is used in an attempt to access enterprise resource RSS1 from a compliant endpoint. The endpoints and the requested resources are considered compliant.

Demonstration: One request is performed and succeeds; in parallel, the same user identity is used from a second, separate device to reach the same resource. One of the requestors is an attacker using a stolen enterprise-ID who will attempt to access an Enterprise Resource using a BYOD endpoint.

The “Real Req” always uses the latest credentials, which are modified/replaced after being reported stolen. Re-authentication always follows a previously successful authentication. The “Hostile Request” is performed using a stolen enterprise-ID. All authentication methods are compromised in that the attacker can successfully respond to challenges. Hostile request re-authentication always follows a previously successful authentication.

Purpose and Outcome: This demonstration focuses on the detection of a stolen enterprise-ID and enforcement of isolation.

Table 6 - Scenario D-6 Demonstrations

Demo ID | UP | Location (Real / Hostile 🡪 RSS) | Auth Stat Real Req | Auth Stat Hostile Req | Rep. Stolen | Desired Outcome for Real Request | Desired Outcome for Hostile Request

D-6.1 a | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | N | Access Successful

D-6.1 b | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | N | Access Not Successful

D-6.1 c | O6 | On-Prem / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful

D-6.1 d | O6 | On-Prem / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful

D-6.1 e | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | N | Access Successful

D-6.1 f | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | N | Access Not Successful

D-6.1 g | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited

D-6.1 h | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access

D-6.1 i | O7 | On-Prem / On-Prem 🡪 On-Prem | A+ | Y | Access Successful

D-6.1 j | O7 | On-Prem / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful

D-6.1 k | O7 | On-Prem / On-Prem 🡪 On-Prem | A- | Y | Access Not Successful

D-6.1 l | O7 | On-Prem / On-Prem 🡪 On-Prem | RA+ | Y | Access Successful

D-6.1 m | O7 | On-Prem / On-Prem 🡪 On-Prem | RA- | Y | Access Not Successful

D-6.1 n | O7 | On-Prem / On-Prem 🡪 On-Prem | A | Y | All Sessions Terminated

D-6.1 o | O7 | On-Prem / On-Prem 🡪 On-Prem | A | Y | All Sessions Terminated

D-6.2 a | O6 | On-Prem / Branch 🡪 On-Prem | A+ | N | Access Successful

D-6.2 b | O6 | On-Prem / Branch 🡪 On-Prem | A- | N | Access Not Successful

D-6.2 c | O6 | On-Prem / Branch 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful

D-6.2 d | O6 | On-Prem / Branch 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful

D-6.2 e | O6 | On-Prem / Branch 🡪 On-Prem | A+ | N | Access Successful

D-6.2 f | O6 | On-Prem / Branch 🡪 On-Prem | A- | N | Access Not Successful

D-6.2 g | O6 | On-Prem / Branch 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited

D-6.2 h | O6 | On-Prem / Branch 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access

D-6.2 i | O7 | On-Prem / Branch 🡪 On-Prem | A+ | Y | Access Successful

D-6.2 j | O7 | On-Prem / Branch 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful

D-6.2 k | O7 | On-Prem / Branch 🡪 On-Prem | A- | Y | Access Not Successful

D-6.2 l | O7 | On-Prem / Branch 🡪 On-Prem | RA+ | Y | Access Successful

D-6.2 m | O7 | On-Prem / Branch 🡪 On-Prem | RA- | Y | Access Not Successful

D-6.2 n | O7 | On-Prem / Branch 🡪 On-Prem | A | Y | Change to Access Limited

D-6.2 o | O7 | On-Prem / Branch 🡪 On-Prem | A | Y | Change to Access Limited

D-6.3 a | O6 | Branch / On-Prem 🡪 On-Prem | A+ | N | Access Successful

D-6.3 b | O6 | Branch / On-Prem 🡪 On-Prem | A- | N | Access Not Successful

D-6.3 c | O6 | Branch / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful

D-6.3 d | O6 | Branch / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful

D-6.3 e | O6 | Branch / On-Prem 🡪 On-Prem | A+ | N | Access Successful

D-6.3 f | O6 | Branch / On-Prem 🡪 On-Prem | A- | N | Access Not Successful

D-6.3 g | O6 | Branch / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited

D-6.3 h | O6 | Branch / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access

D-6.3 i | O7 | Branch / On-Prem 🡪 On-Prem | A+ | Y | Access Successful

D-6.3 j | O7 | Branch / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful

D-6.3 k | O7 | Branch / On-Prem 🡪 On-Prem | A- | Y | Access Not Successful

D-6.3 l | O7 | Branch / On-Prem 🡪 On-Prem | RA+ | Y | Access Successful

D-6.3 m | O7 | Branch / On-Prem 🡪 On-Prem | RA- | Y | Access Not Successful

D-6.3 n | O7 | Branch / On-Prem 🡪 On-Prem | A | Y | Change to Access Limited

D-6.3 o | O7 | Branch / On-Prem 🡪 On-Prem | A | Y | Change to Access Limited

D-6.4 a | O6 | Remote / On-Prem 🡪 On-Prem | A+ | N | Access Successful

D-6.4 b | O6 | Remote / On-Prem 🡪 On-Prem | A- | N | Access Not Successful

D-6.4 c | O6 | Remote / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful

D-6.4 d | O6 | Remote / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful

D-6.4 e | O6 | Remote / On-Prem 🡪 On-Prem | A+ | N | Access Successful

D-6.4 f | O6 | Remote / On-Prem 🡪 On-Prem | A- | N | Access Not Successful

D-6.4 g | O6 | Remote / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited

D-6.4 h | O6 | Remote / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access

D-6.4 i | O7 | Remote / On-Prem 🡪 On-Prem | A+ | Y | Access Successful

D-6.4 j | O7 | Remote / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful

D-6.4 k | O7 | Remote / On-Prem 🡪 On-Prem | A- | Y | Access Not Successful

D-6.4 l | O7 | Remote / On-Prem 🡪 On-Prem | RA+ | Y | Access Successful

D-6.4 m | O7 | Remote / On-Prem 🡪 On-Prem | RA- | Y | Access Not Successful

D-6.4 n | O7 | Remote / On-Prem 🡪 On-Prem | A | Y | Change to Access Limited

D-6.4 o | O7 | Remote / On-Prem 🡪 On-Prem | A | Y | Change to Access Limited

D-6.5 a | O6 | On-Prem / Remote 🡪 On-Prem | A+ | N | Access Successful

D-6.5 b | O6 | On-Prem / Remote 🡪 On-Prem | A- | N | Access Not Successful

D-6.5 c | O6 | On-Prem / Remote 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful

D-6.5 d | O6 | On-Prem / Remote 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful

D-6.5 e | O6 | On-Prem / Remote 🡪 On-Prem | A+ | N | Access Successful

D-6.5 f | O6 | On-Prem / Remote 🡪 On-Prem | A- | N | Access Not Successful

D-6.5 g | O6 | On-Prem / Remote 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited

D-6.5 h | O6 | On-Prem / Remote 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access

D-6.5 i | O7 | On-Prem / Remote 🡪 On-Prem | A+ | Y | Access Successful

D-6.5 j | O7 | On-Prem / Remote 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful

D-6.5 k | O7 | On-Prem / Remote 🡪 On-Prem | A- | Y | Access Not Successful

D-6.5 l | O7 | On-Prem / Remote 🡪 On-Prem | RA+ | Y | Access Successful

D-6.5 m | O7 | On-Prem / Remote 🡪 On-Prem | RA- | Y | Access Not Successful

D-6.5 n | O7 | On-Prem / Remote 🡪 On-Prem | A | Y | Change to Access Limited

D-6.5 o | O7 | On-Prem / Remote 🡪 On-Prem | A | Y | Change to Access Limited
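The D-6 outcomes, encoded as a small policy engine (an added example, not part of the NIST material): the engine cannot tell the real requestor from the hostile one, so it reacts only to what it can observe, namely a second device presenting an identity that already has a live session, a credential that no longer matches the current version, and the reported-stolen event. The class and method names, the credential-version counter used to model credentials being modified/replaced, the choice of the D-6.1 "All Sessions Terminated" outcome for a reported-stolen identity, and ending a device's session on a failed re-authentication (RA-) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device: str
    access: str = "full"   # "full" or "limited"


class IdentityPolicy:
    """Hypothetical policy engine for the D-6 rows (added example, not NIST code)."""

    def __init__(self):
        self.cred_version = {}   # user -> version of the credential currently valid
        self.sessions = []       # live sessions across all devices

    def enroll(self, user):
        self.cred_version[user] = 1

    def report_stolen(self, user):
        # D-6.1 n/o: a reported-stolen ID ends every live session for it, and the
        # credential is replaced so the stolen copy stops validating (row k).
        self.cred_version[user] += 1
        self.sessions = [s for s in self.sessions if s.user != user]
        return "All Sessions Terminated"

    def authenticate(self, user, device, cred_version, challenge_ok):
        # A-: wrong credential version or failed challenge. The request is denied and
        # a session running on another device keeps its access (rows d/h/j).
        if not challenge_ok or cred_version != self.cred_version.get(user):
            # Assumed: a failed re-authentication (RA-) ends that device's own session.
            self.sessions = [s for s in self.sessions
                             if not (s.user == user and s.device == device)]
            return "Access Not Successful"
        if any(s.user == user and s.device == device for s in self.sessions):
            return "Access Successful"   # RA+: re-authentication of a live session
        others = [s for s in self.sessions if s.user == user]
        if others:
            # Rows c/g: the same identity arrives from a second device while a session
            # is live. The engine cannot know which side is hostile, so the new request
            # is denied and the existing session is downgraded to limited access.
            for s in others:
                s.access = "limited"
            return "Access Not Successful"
        self.sessions.append(Session(user, device))
        return "Access Successful"

    def access_state(self, user, device):
        for s in self.sessions:
            if s.user == user and s.device == device:
                return s.access
        return "none"
```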

Scenario D-7: Just-in-Time Access Privileges#

In this demonstration, an enterprise provisions access privileges to a resource based on a single business process flow. Temporary privileges are granted to perform a portion of a business process, then revoked when the process is complete.

Pre-Condition: There are no active sessions from a subject to the resource. Both the subject endpoint and the resource are in compliance with the enterprise security posture, or are expected to be in compliance after the session is completed.

Demonstration: A subject is granted privileges to access a resource. The subject then establishes a session with an endpoint to perform some administrative task, then closes the connection. Privilege to access that resource is then removed.

Purpose and Outcome: The enterprise can provide JIT access privileges to resources.

Table 7 - Scenario D-7 Demonstrations

Demo ID

Subject Location

Resource Location

Priv. Provisioned

Desired Outcome

D-7.1

a

On-Prem

On-Prem

No

Access Not Successful

D-7.1

b

On-Prem

On-Prem

Yes

Access Successful

D-7.1

c

On-Prem

Branch

No

Access Not Successful

D-7.1

d

On-Prem

Branch

Yes

Access Successful

D-7.1

e

On-Prem

Remote

No

Access Not Successful

D-7.1

f

On-Prem

Remote

Yes

Access Successful

D-7.1

g

On-Prem

IaaS

No

Access Not Successful

D-7.1

h

On-Prem

IaaS

Yes

Access Successful

D-7.1

i

On-Prem

PaaS

No

Access Not Successful

D-7.1

j

On-Prem

PaaS

Yes

Access Successful

D-7.1

k

On-Prem

SaaS

No

Access Not Successful

D-7.1

l

On-Prem

SaaS

Yes

Access Successful

D-7.1

m

Branch

On-Prem

No

Access Not Successful

D-7.1

n

Branch

On-Prem

Yes

Access Successful

D-7.1

o

Branch

Branch

No

Access Not Successful

D-7.1

p

Branch

Branch

Yes

Access Successful

D-7.1

q

Branch

Remote

No

Access Not Successful

D-7.1

r

Branch

Remote

Yes

Access Successful

D-7.1

s

Branch

IaaS

No

Access Not Successful

D-7.1

t

Branch

IaaS

Yes

Access Successful

D-7.1

u

Branch

PaaS

No

Access Not Successful

D-7.1

v

Branch

PaaS

Yes

Access Successful

D-7.1

w

Branch

SaaS

No

Access Not Successful

D-7.1

x

Branch

SaaS

Yes

Access Successful

D-7.1

y

Remote

On-Prem

No

Access Not Successful

D-7.1

z

Remote

On-Prem

Yes

Access Successful

D-7.1

aa

Remote

Branch

No

Access Not Successful

D-7.1

ab

Remote

Branch

Yes

Access Successful

D-7.1

ac

Remote

Remote

No

Access Not Successful

D-7.1

ad

Remote

Remote

Yes

Access Successful

D-7.1

ae

Remote

IaaS

No

Access Not Successful

D-7.1

af

Remote

IaaS

Yes

Access Successful

D-7.1

ag

Remote

PaaS

No

Access Not Successful

D-7.1

ah

Remote

PaaS

Yes

Access Successful

D-7.1

ai

Remote

SaaS

No

Access Not Successful

D-7.1

aj

Remote

SaaS

Yes

Access Successful
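A just-in-time privilege store implementing the D-7 flow (an added example, not NIST code): a grant is provisioned with a deadline for one business-process step, checked on every session request, and revoked when the session that used it closes or when the deadline passes unused. Class and method names, the injectable clock, and the subject and resource names used in the test are assumptions.

```python
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    expires_at: float   # clock reading after which the grant is no longer valid


class JitPrivilegeStore:
    """Hypothetical JIT privilege store (added example, not NIST code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._grants = {}          # (subject, resource) -> Grant
        self._open_sessions = {}   # session id -> (subject, resource)

    def provision(self, subject, resource, ttl_seconds):
        # Privilege is granted only for the step that needs it, with a deadline
        # so that an unused grant does not linger.
        grant = Grant(subject, resource, self._clock() + ttl_seconds)
        self._grants[(subject, resource)] = grant
        return grant

    def revoke(self, subject, resource):
        self._grants.pop((subject, resource), None)

    def is_provisioned(self, subject, resource):
        grant = self._grants.get((subject, resource))
        if grant is None:
            return False
        if self._clock() >= grant.expires_at:   # expired grants are removed lazily
            self.revoke(subject, resource)
            return False
        return True

    def open_session(self, session_id, subject, resource):
        # Table 7: 'Priv. Provisioned' alone decides the outcome, whatever the
        # subject and resource locations are.
        if not self.is_provisioned(subject, resource):
            return "Access Not Successful"
        self._open_sessions[session_id] = (subject, resource)
        return "Access Successful"

    def close_session(self, session_id):
        # The administrative task is done: the session ends and the privilege goes
        # with it, so a later request must be provisioned again.
        subject, resource = self._open_sessions.pop(session_id)
        self.revoke(subject, resource)
```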

Scenario D-8: Other-ID Step-Up Authentication#

In this demonstration, the subject has an open session to the resource but requests to perform an action that requires additional authentication checks. If the check succeeds, the subject's session proceeds as normal; if it fails, the session is terminated.

Pre-Condition: The subject has a current session with the resource and has successfully authenticated for the current action. The subject is authorized to perform the higher-security action. Both the subject endpoint and the resource are in compliance with the enterprise security posture.

Demonstration: The subject has an open session to the resource and desires to perform a different action that is considered more sensitive. The system prompts the subject to re-authenticate or perform a higher level of authentication (e.g., an additional factor of MFA or similar).

Purpose and Outcome: The system can request additional authentication mechanisms to match a more sensitive action during an active session.

Table 8 - Scenario D-8 Demonstrations

| Demo ID | Subj Type | Subject Location | Auth Success | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| D-8.1 a | EP | On-Prem | Yes | On-Prem | Session Continues |
| D-8.1 b | BYOD | On-Prem | Yes | On-Prem | Session Continues |
| D-8.1 c | Guest | On-Prem | Yes | On-Prem | Session Continues |
| D-8.1 d | EP | On-Prem | No | On-Prem | Session Terminated |
| D-8.1 e | BYOD | On-Prem | No | On-Prem | Session Terminated |
| D-8.1 f | Guest | On-Prem | No | On-Prem | Session Terminated |
| D-8.1 g | EP | Branch | Yes | On-Prem | Session Continues |
| D-8.1 h | BYOD | Branch | Yes | On-Prem | Session Continues |
| D-8.1 i | Guest | Branch | Yes | On-Prem | Session Continues |
| D-8.1 j | EP | Branch | No | On-Prem | Session Terminated |
| D-8.1 k | BYOD | Branch | No | On-Prem | Session Terminated |
| D-8.1 l | Guest | Branch | No | On-Prem | Session Terminated |
| D-8.1 m | EP | Remote | Yes | On-Prem | Session Continues |
| D-8.1 n | BYOD | Remote | Yes | On-Prem | Session Continues |
| D-8.1 o | Guest | Remote | Yes | On-Prem | Session Continues |
| D-8.1 p | EP | Remote | No | On-Prem | Session Terminated |
| D-8.1 q | BYOD | Remote | No | On-Prem | Session Terminated |
| D-8.1 r | Guest | Remote | No | On-Prem | Session Terminated |
| D-8.2 a | EP | On-Prem | Yes | On-Prem | Session Continues |
| D-8.2 b | BYOD | On-Prem | Yes | On-Prem | Session Continues |
| D-8.2 c | Guest | On-Prem | Yes | On-Prem | Session Continues |
| D-8.2 d | EP | On-Prem | No | On-Prem | Session Terminated |
| D-8.2 e | BYOD | On-Prem | No | On-Prem | Session Terminated |
| D-8.2 f | Guest | On-Prem | No | On-Prem | Session Terminated |
| D-8.2 g | EP | Branch | Yes | On-Prem | Session Continues |
| D-8.2 h | BYOD | Branch | Yes | On-Prem | Session Continues |
| D-8.2 i | Guest | Branch | Yes | On-Prem | Session Continues |
| D-8.2 j | EP | Branch | No | On-Prem | Session Terminated |
| D-8.2 k | BYOD | Branch | No | On-Prem | Session Terminated |
| D-8.2 l | Guest | Branch | No | On-Prem | Session Terminated |
| D-8.2 m | EP | Remote | Yes | On-Prem | Session Continues |
| D-8.2 n | BYOD | Remote | Yes | On-Prem | Session Continues |
| D-8.2 o | Guest | Remote | Yes | On-Prem | Session Continues |
| D-8.2 p | EP | Remote | No | On-Prem | Session Terminated |
| D-8.2 q | BYOD | Remote | No | On-Prem | Session Terminated |
| D-8.2 r | Guest | Remote | No | On-Prem | Session Terminated |
| D-8.3 a | EP | On-Prem | Yes | IaaS | Session Continues |
| D-8.3 b | BYOD | On-Prem | Yes | IaaS | Session Continues |
| D-8.3 c | Guest | On-Prem | Yes | IaaS | Session Continues |
| D-8.3 d | EP | On-Prem | No | IaaS | Session Terminated |
| D-8.3 e | BYOD | On-Prem | No | IaaS | Session Terminated |
| D-8.3 f | Guest | On-Prem | No | IaaS | Session Terminated |
| D-8.3 g | EP | Branch | Yes | IaaS | Session Continues |
| D-8.3 h | BYOD | Branch | Yes | IaaS | Session Continues |
| D-8.3 i | Guest | Branch | Yes | IaaS | Session Continues |
| D-8.3 j | EP | Branch | No | IaaS | Session Terminated |
| D-8.3 k | BYOD | Branch | No | IaaS | Session Terminated |
| D-8.3 l | Guest | Branch | No | IaaS | Session Terminated |
| D-8.3 m | EP | Remote | Yes | IaaS | Session Continues |
| D-8.3 n | BYOD | Remote | Yes | IaaS | Session Continues |
| D-8.3 o | Guest | Remote | Yes | IaaS | Session Continues |
| D-8.3 p | EP | Remote | No | IaaS | Session Terminated |
| D-8.3 q | BYOD | Remote | No | IaaS | Session Terminated |
| D-8.3 r | Guest | Remote | No | IaaS | Session Terminated |
| D-8.4 a | EP | On-Prem | Yes | PaaS | Session Continues |
| D-8.4 b | BYOD | On-Prem | Yes | PaaS | Session Continues |
| D-8.4 c | Guest | On-Prem | Yes | PaaS | Session Continues |
| D-8.4 d | EP | On-Prem | No | PaaS | Session Terminated |
| D-8.4 e | BYOD | On-Prem | No | PaaS | Session Terminated |
| D-8.4 f | Guest | On-Prem | No | PaaS | Session Terminated |
| D-8.4 g | EP | Branch | Yes | PaaS | Session Continues |
| D-8.4 h | BYOD | Branch | Yes | PaaS | Session Continues |
| D-8.4 i | Guest | Branch | Yes | PaaS | Session Continues |
| D-8.4 j | EP | Branch | No | PaaS | Session Terminated |
| D-8.4 k | BYOD | Branch | No | PaaS | Session Terminated |
| D-8.4 l | Guest | Branch | No | PaaS | Session Terminated |
| D-8.4 m | EP | Remote | Yes | PaaS | Session Continues |
| D-8.4 n | BYOD | Remote | Yes | PaaS | Session Continues |
| D-8.4 o | Guest | Remote | Yes | PaaS | Session Continues |
| D-8.4 p | EP | Remote | No | PaaS | Session Terminated |
| D-8.4 q | BYOD | Remote | No | PaaS | Session Terminated |
| D-8.4 r | Guest | Remote | No | PaaS | Session Terminated |
| D-8.5 a | EP | On-Prem | Yes | SaaS | Session Continues |
| D-8.5 b | BYOD | On-Prem | Yes | SaaS | Session Continues |
| D-8.5 c | Guest | On-Prem | Yes | SaaS | Session Continues |
| D-8.5 d | EP | On-Prem | No | SaaS | Session Terminated |
| D-8.5 e | BYOD | On-Prem | No | SaaS | Session Terminated |
| D-8.5 f | Guest | On-Prem | No | SaaS | Session Terminated |
| D-8.5 g | EP | Branch | Yes | SaaS | Session Continues |
| D-8.5 h | BYOD | Branch | Yes | SaaS | Session Continues |
| D-8.5 i | Guest | Branch | Yes | SaaS | Session Continues |
| D-8.5 j | EP | Branch | No | SaaS | Session Terminated |
| D-8.5 k | BYOD | Branch | No | SaaS | Session Terminated |
| D-8.5 l | Guest | Branch | No | SaaS | Session Terminated |
| D-8.5 m | EP | Remote | Yes | SaaS | Session Continues |
| D-8.5 n | BYOD | Remote | Yes | SaaS | Session Continues |
| D-8.5 o | Guest | Remote | Yes | SaaS | Session Continues |
| D-8.5 p | EP | Remote | No | SaaS | Session Terminated |
| D-8.5 q | BYOD | Remote | No | SaaS | Session Terminated |
| D-8.5 r | Guest | Remote | No | SaaS | Session Terminated |
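Step-up authentication for the D-8 flow as a small session policy (an added example, not NIST code): a session at the primary assurance level continues with ordinary actions, a sensitive action prompts for the additional factor, a recently completed step-up is reused, and a failed step-up terminates the session rather than only the requested action, independent of subject type and location, as in Table 8. The class names, the two assurance levels, the maximum age of a completed step-up, and the verify_factor callback that stands in for the MFA prompt are assumptions.

```python
from dataclasses import dataclass
import time

# Assurance levels used by this hypothetical policy (added example, not NIST code):
# level 1 = primary authentication, level 2 = step-up (e.g., an additional MFA factor).
STEP_UP_MAX_AGE = 300.0   # seconds a completed step-up remains valid (assumed value)


@dataclass
class Session:
    subject: str
    level: int = 1
    step_up_at: float = 0.0   # clock reading of the last successful step-up
    active: bool = True


class StepUpPolicy:
    def __init__(self, sensitive_actions, verify_factor, clock=time.monotonic):
        self._sensitive = set(sensitive_actions)   # actions that require level 2
        self._verify = verify_factor               # callable(subject) -> bool; the MFA prompt
        self._clock = clock

    def request_action(self, session, action):
        # A terminated session never recovers; the subject must authenticate afresh.
        if not session.active:
            return "Session Terminated"
        if action not in self._sensitive:
            return "Session Continues"
        now = self._clock()
        # A recent successful step-up still covers this sensitive action.
        if session.level >= 2 and now - session.step_up_at < STEP_UP_MAX_AGE:
            return "Session Continues"
        # Otherwise prompt for the additional factor ('Auth Success' in Table 8).
        if self._verify(session.subject):
            session.level = 2
            session.step_up_at = now
            return "Session Continues"
        # A failed step-up ends the whole session, not just the requested action.
        session.active = False
        session.level = 0
        return "Session Terminated"
```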