Use Case D: Other-ID Access#
Note
This page is supplementary material for the NIST SP 1800-35 publication.
The demonstrations in this use case cover access to enterprise resources and to non-enterprise resources located on-premises, in the cloud, and on the internet. Each activity demonstrates authentication from a given setting. Access is authenticated with an “Other-ID” from enterprise-owned endpoints (EP) as well as from privately owned endpoints (BYOD). Each scenario states its pre-conditions and lists multiple demonstrations.
Scenario D-1: Full/limited resource access using an enterprise endpoint#
This scenario deals with requests made under different “Other-ID” profiles: one with access to all provided resources, and one with access to a limited set of resources (e.g., RSS2 but not RSS1, as in the table below) or with limited functionality on an enterprise-controlled resource (e.g., read-only vs. read/write).
Pre-Condition: The enterprise provides multiple user accounts with different access levels. The P_FULL access profile grants access to all resources (RSS) within the enterprise and/or to all capabilities (CAP) of those resources. The P_LIMITED access profile grants access to a subset of the resources and/or to only limited functionality of each resource. Compliance (Compl) of the requesting endpoint and of the requested resource is checked, and user, endpoint, and resource are authenticated, per the policy of each demonstration. In the tables, A+ and A- denote a successful and a failed authentication, RA+ and RA- a successful and a failed re-authentication, A an already authenticated party, Y and N a compliant and a non-compliant system, and — a value that does not apply because an earlier step failed.
Demonstration: Each requestor using an “Other-ID” attempts to access an enterprise resource or a function of an enterprise resource.
Purpose and Outcome: This demonstration focuses on user privilege, authentication/re-authentication, endpoint and RSS location, and the compliance of endpoints and resources.
Table 1 - Scenario D-1 Demonstrations
| Demo ID | UP | Location Req. 🡪 RSS | Auth Stat User | Auth Stat EP | Auth Stat RSS | Access | Compl EP | Compl RSS | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| D-1.1 a | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.1 b | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.1 c | O1 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.1 d | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.1 e | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.1 f | E2 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.1 g | E3 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.1 h | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.1 i | O1 | On-Prem 🡪 On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| D-1.1 j | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.1 k | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.1 l | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.1 m | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.1 n | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.1 o | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.1 p | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.2 a | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.2 b | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.2 c | O1 | Branch 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.2 d | E2 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.2 e | E2 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.2 f | E2 | Branch 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.2 g | E3 | Branch 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.2 h | O1 | Branch 🡪 On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.2 i | O1 | Branch 🡪 On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| D-1.2 j | O1 | Branch 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.2 k | O1 | Branch 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.2 l | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.2 m | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.2 n | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.2 o | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.2 p | E2 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.3 a | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.3 b | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.3 c | O1 | Remote 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.3 d | E2 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.3 e | E2 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.3 f | E2 | Remote 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.3 g | E3 | Remote 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-1.3 h | O1 | Remote 🡪 On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.3 i | O1 | Remote 🡪 On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| D-1.3 j | O1 | Remote 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.3 k | O1 | Remote 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.3 l | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.3 m | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.3 n | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.3 o | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.3 p | E2 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.4 a | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.4 b | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.4 c | O1 | On-Prem 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.4 d | E2 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.4 e | E2 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.4 f | E2 | On-Prem 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.4 g | E3 | On-Prem 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.4 h | O1 | On-Prem 🡪 Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.4 i | O1 | On-Prem 🡪 Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| D-1.4 j | O1 | On-Prem 🡪 Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.4 k | O1 | On-Prem 🡪 Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.4 l | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.4 m | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.4 n | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.4 o | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.4 p | E2 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.5 a | O1 | Branch 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.5 b | O1 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.5 c | O1 | Branch 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.5 d | O2 | Branch 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.5 e | O2 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.5 f | O2 | Branch 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.5 g | O3 | Branch 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.5 h | O1 | Branch 🡪 Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.5 i | O1 | Branch 🡪 Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| D-1.5 j | O1 | Branch 🡪 Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.5 k | O1 | Branch 🡪 Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.5 l | O1 | Branch 🡪 Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.5 m | O1 | Branch 🡪 Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.5 n | O1 | Branch 🡪 Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.5 o | O1 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.5 p | O2 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.6 a | O1 | Remote 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.6 b | O1 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.6 c | O1 | Remote 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.6 d | O2 | Remote 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-1.6 e | O2 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-1.6 f | O2 | Remote 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.6 g | O3 | Remote 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-1.6 h | O1 | Remote 🡪 Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-1.6 i | O1 | Remote 🡪 Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| D-1.6 j | O1 | Remote 🡪 Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.6 k | O1 | Remote 🡪 Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.6 l | O1 | Remote 🡪 Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-1.6 m | O1 | Remote 🡪 Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-1.6 n | O1 | Remote 🡪 Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-1.6 o | O1 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-1.6 p | O2 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
Scenario D-2: Full/limited internet access using an enterprise endpoint#
This scenario deals with access from an enterprise-owned endpoint to non-enterprise-managed internet resources under different “Other-ID” profiles: one with access to the internet, one with limited access to the internet, and one with no access to the internet. It simulates an enterprise whose policy restricts public internet access from enterprise-owned endpoints used with Other-IDs.
Pre-Condition: The enterprise provides multiple user accounts with different levels of internet access. Internet access is performed from an enterprise-owned endpoint. The requested internet resource (URL1 or URL2) is either approved or not approved for the requesting user, as determined by that user’s policy. The user endpoint is checked for compliance (Compl) per the policy of each demonstration.
Demonstration: Each requestor using an “Other-ID” attempts to access a non-enterprise resource.
Purpose and Outcome: This demonstration focuses on the endpoint location and the resource location.
Table 2 - Scenario D-2 Demonstrations
| Demo ID | UP | Location Req. 🡪 RSS | Auth Stat User | Auth Stat EP | Access | Compl EP | Compl Out of Hours | Desired Outcome |
|---|---|---|---|---|---|---|---|---|
| D-2.1 a | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-2.1 b | O4 | On-Prem 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.1 c | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.1 d | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.1 e | O4 | On-Prem 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
| D-2.1 f | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-2.1 g | O5 | On-Prem 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.1 h | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.1 i | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.1 j | O5 | On-Prem 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
| D-2.1 k | O4 | On-Prem 🡪 Internet | RA+ | A | URL1 | Y | — | Access Successful |
| D-2.1 l | O4 | On-Prem 🡪 Internet | RA- | A | — | Y | — | Access Not Successful |
| D-2.1 m | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | N | — | Access Not Successful |
| D-2.1 n | O4 | On-Prem 🡪 Internet | A+ | A | URL2 | N | — | Access Successful |
| D-2.1 o | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-2.1 p | O5 | On-Prem 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful |
| D-2.2 a | O4 | Branch 🡪 Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-2.2 b | O4 | Branch 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.2 c | O4 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.2 d | O4 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.2 e | O4 | Branch 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
| D-2.2 f | O5 | Branch 🡪 Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-2.2 g | O5 | Branch 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.2 h | O5 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.2 i | O5 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.2 j | O5 | Branch 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
| D-2.2 k | O4 | Branch 🡪 Internet | RA+ | A | URL1 | Y | — | Access Successful |
| D-2.2 l | O4 | Branch 🡪 Internet | RA- | A | — | Y | — | Access Not Successful |
| D-2.2 m | O4 | Branch 🡪 Internet | A+ | A | URL1 | N | — | Access Not Successful |
| D-2.2 n | O4 | Branch 🡪 Internet | A+ | A | URL2 | N | — | Access Successful |
| D-2.2 o | O5 | Branch 🡪 Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-2.2 p | O5 | Branch 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful |
| D-2.3 a | O4 | Remote 🡪 Internet | A+ | A | URL1 | Y | N | Access Successful |
| D-2.3 b | O4 | Remote 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.3 c | O4 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.3 d | O4 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
| D-2.3 e | O4 | Remote 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
| D-2.3 f | O5 | Remote 🡪 Internet | A+ | A | URL1 | Y | N | Access Not Successful |
| D-2.3 g | O5 | Remote 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
| D-2.3 h | O5 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.3 i | O5 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
| D-2.3 j | O5 | Remote 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
| D-2.3 k | O4 | Remote 🡪 Internet | RA+ | A | URL1 | Y | — | Access Successful |
| D-2.3 l | O4 | Remote 🡪 Internet | RA- | A | — | Y | — | Access Not Successful |
| D-2.3 m | O4 | Remote 🡪 Internet | A+ | A | URL1 | N | — | Access Not Successful |
| D-2.3 n | O4 | Remote 🡪 Internet | A+ | A | URL2 | N | — | Access Successful |
| D-2.3 o | O5 | Remote 🡪 Internet | A+ | A | URL1 | N | N | Access Not Successful |
| D-2.3 p | O5 | Remote 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful |
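The Desired Outcome columns of Tables 1, 2 and 4 can be read as regression vectors for a policy decision point. The Python below is an added example, not code from NIST SP 1800-35 or from any of its reference builds: it encodes one rule set that reproduces every desired outcome in those tables, plus a checker that parses rows in the flattened `cell | cell | ...` form this page uses, so the same rows can be replayed against a real PDP. The meaning attached to the profiles (O1 and O4 full access; E2, O2 and O5 limited; E3 and O3 none), the view of RSS2 and URL2 as the lower-risk resource, and the rule ordering are assumptions inferred from the tables, not policy stated by the publication.

```python
"""Policy evaluator reproducing the Desired Outcome column of Tables 1, 2 and 4.

Added example, not code from NIST SP 1800-35 or its reference builds. Profile
meanings, rule order and the RSS2/URL2 "lower-risk" reading are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOW = "Access Successful"
DENY = "Access Not Successful"
LIMITED = "Access Limited"

FULL_PROFILES = {"O1", "O4"}            # assumed to carry P_FULL
LIMITED_PROFILES = {"E2", "O2", "O5"}   # assumed to carry P_LIMITED
NO_ACCESS_PROFILES = {"E3", "O3"}       # assumed to have no access at all
HIGH_VALUE = {"RSS1", "URL1"}           # assumed: never reachable by limited profiles


@dataclass(frozen=True)
class Request:
    profile: str                  # UP column
    user_auth: str                # A+ / A- / RA+ / RA-
    ep_auth: str                  # A when the endpoint authenticated
    resource: str                 # RSS1, RSS2, URL1, URL2, or — when none was reached
    ep_compliant: bool            # Compl EP
    rss_compliant: bool = True    # Compl RSS (enterprise resources only)
    out_of_hours: bool = False    # Compl Out of Hours; never decisive in Table 2


def decide(req: Request) -> str:
    """Return the access decision for one demonstration row."""
    # 1. Authentication or re-authentication of user and endpoint must succeed.
    if not req.user_auth.endswith("+") or req.ep_auth != "A":
        return DENY
    # 2. A profile with no access is refused regardless of anything else.
    if req.profile in NO_ACCESS_PROFILES:
        return DENY
    internet = req.resource.startswith("URL")
    # 3. An enterprise resource that is itself out of compliance is never served.
    if not internet and not req.rss_compliant:
        return DENY
    high_value = req.resource in HIGH_VALUE
    # 4. Limited profiles reach only the lower-risk resource, only from a compliant endpoint.
    if req.profile in LIMITED_PROFILES:
        return DENY if (high_value or not req.ep_compliant) else ALLOW
    # 5. Full profile on a non-compliant endpoint: no high-value resource, RSS2 in
    #    reduced mode, URL2 unrestricted (Table 2 rows m and n).
    if not req.ep_compliant:
        if high_value:
            return DENY
        return ALLOW if internet else LIMITED
    return ALLOW


def parse_row(line: str) -> tuple[str, Request, str]:
    """Parse one row in the page's flattened form; returns (demo id, request, outcome)."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) == 11:     # Tables 1 and 4
        demo, sub, up, _loc, ua, ea, _ra, res, cep, crss, outcome = cells
        req = Request(up, ua, ea, res, cep == "Y", crss != "N")
    elif len(cells) == 10:   # Table 2
        demo, sub, up, _loc, ua, ea, res, cep, ooh, outcome = cells
        req = Request(up, ua, ea, res, cep == "Y", True, ooh == "Y")
    else:
        raise ValueError(f"unexpected cell count {len(cells)}: {line!r}")
    return f"{demo} {sub}", req, outcome


def check_rows(lines) -> list[str]:
    """Describe every row whose desired outcome decide() does not reproduce."""
    failures = []
    for line in lines:
        if line.strip():
            demo, req, expected = parse_row(line)
            got = decide(req)
            if got != expected:
                failures.append(f"{demo}: table says {expected!r}, evaluator says {got!r}")
    return failures


# Rows copied from Tables 1 and 2 of this page (D-1.1 and D-2.1); the rest follow the same pattern.
SAMPLE_ROWS = """
D-1.1 | a | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful
D-1.1 | c | O1 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful
D-1.1 | d | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful
D-1.1 | e | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful
D-1.1 | g | E3 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful
D-1.1 | j | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful
D-1.1 | k | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited
D-1.1 | n | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful
D-1.1 | p | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful
D-2.1 | c | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful
D-2.1 | g | O5 | On-Prem 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful
D-2.1 | n | O4 | On-Prem 🡪 Internet | A+ | A | URL2 | N | — | Access Successful
D-2.1 | p | O5 | On-Prem 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful
"""

if __name__ == "__main__":
    problems = check_rows(SAMPLE_ROWS.splitlines())
    print("all sample rows reproduced" if not problems else "\n".join(problems))
```

Running the file prints mismatches for the embedded rows; pasting the remaining rows of Tables 1, 2 and 4 into `SAMPLE_ROWS` extends the check. Two things worth noticing when mapping this onto a real PDP: the resource-compliance check (step 3) sits above the profile check, which is why row p of every block is refused even though RSS2 is otherwise permitted to the limited profile, and the Compl Out of Hours column never changes a desired outcome in Table 2, so the evaluator carries it without consulting it.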
Scenario D-3: Stolen credential using BYOD or enterprise endpoint#
This scenario deals with requests made with a stolen credential. Whether the access is performed from an enterprise endpoint or from a BYOD device does not matter.
Pre-Condition: The requestor’s credential has been stolen and is used to attempt access to enterprise resource RSS1 from an enterprise endpoint. The requesting endpoint and the requested resource are both in compliance.
Demonstration: Two requests for the same enterprise resource from an enterprise endpoint are made with the same user credential. The “Real Request” uses the current credential, which is changed or replaced once the theft is reported, so that request can succeed. The “Hostile Request” uses the stolen “Other-ID”. The theft is assumed to compromise every authentication factor of the credential. Re-authentication always follows a previously successful authentication.
Purpose and Outcome: This demonstration focuses on detecting a stolen requester’s “Other-ID” and enforcing isolation.
Table 3 - Scenario D-3 Demonstrations
| Demo ID | UP | Location Real / Hostile 🡪 RSS | Auth Stat Real Req | Auth Stat Hostile Req | Rep. Stolen | Desired Outcome for Real Request | Desired Outcome for Hostile Request |
|---|---|---|---|---|---|---|---|
| D-3.1 a | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | — | N | Access Successful | — |
| D-3.1 b | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | — | N | Access Not Successful | — |
| D-3.1 c | O6 | On-Prem / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| D-3.1 d | O6 | On-Prem / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
| D-3.1 e | O6 | On-Prem / On-Prem 🡪 On-Prem | — | A+ | N | — | Access Successful |
| D-3.1 f | O6 | On-Prem / On-Prem 🡪 On-Prem | — | A- | N | — | Access Not Successful |
| D-3.1 g | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| D-3.1 h | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
| D-3.1 i | O7 | On-Prem / On-Prem 🡪 On-Prem | A+ | — | Y | Access Successful | — |
| D-3.1 j | O7 | On-Prem / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| D-3.1 k | O7 | On-Prem / On-Prem 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
| D-3.1 l | O7 | On-Prem / On-Prem 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
| D-3.1 m | O7 | On-Prem / On-Prem 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
| D-3.1 n | O7 | On-Prem / On-Prem 🡪 On-Prem | — | A | Y | — | All Sessions Terminated |
| D-3.1 o | O7 | On-Prem / On-Prem 🡪 On-Prem | A | — | Y | All Sessions Terminated | — |
| D-3.2 a | O6 | On-Prem / Branch 🡪 On-Prem | A+ | — | N | Access Successful | — |
| D-3.2 b | O6 | On-Prem / Branch 🡪 On-Prem | A- | — | N | Access Not Successful | — |
| D-3.2 c | O6 | On-Prem / Branch 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| D-3.2 d | O6 | On-Prem / Branch 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
| D-3.2 e | O6 | On-Prem / Branch 🡪 On-Prem | — | A+ | N | — | Access Successful |
| D-3.2 f | O6 | On-Prem / Branch 🡪 On-Prem | — | A- | N | — | Access Not Successful |
| D-3.2 g | O6 | On-Prem / Branch 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| D-3.2 h | O6 | On-Prem / Branch 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
| D-3.2 i | O7 | On-Prem / Branch 🡪 On-Prem | A+ | — | Y | Access Successful | — |
| D-3.2 j | O7 | On-Prem / Branch 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| D-3.2 k | O7 | On-Prem / Branch 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
| D-3.2 l | O7 | On-Prem / Branch 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
| D-3.2 m | O7 | On-Prem / Branch 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
| D-3.2 n | O7 | On-Prem / Branch 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
| D-3.2 o | O7 | On-Prem / Branch 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
| D-3.3 a | O6 | Branch / On-Prem 🡪 On-Prem | A+ | — | N | Access Successful | — |
| D-3.3 b | O6 | Branch / On-Prem 🡪 On-Prem | A- | — | N | Access Not Successful | — |
| D-3.3 c | O6 | Branch / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| D-3.3 d | O6 | Branch / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
| D-3.3 e | O6 | Branch / On-Prem 🡪 On-Prem | — | A+ | N | — | Access Successful |
| D-3.3 f | O6 | Branch / On-Prem 🡪 On-Prem | — | A- | N | — | Access Not Successful |
| D-3.3 g | O6 | Branch / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| D-3.3 h | O6 | Branch / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
| D-3.3 i | O7 | Branch / On-Prem 🡪 On-Prem | A+ | — | Y | Access Successful | — |
| D-3.3 j | O7 | Branch / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| D-3.3 k | O7 | Branch / On-Prem 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
| D-3.3 l | O7 | Branch / On-Prem 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
| D-3.3 m | O7 | Branch / On-Prem 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
| D-3.3 n | O7 | Branch / On-Prem 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
| D-3.3 o | O7 | Branch / On-Prem 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
| D-3.4 a | O6 | Remote / On-Prem 🡪 On-Prem | A+ | — | N | Access Successful | — |
| D-3.4 b | O6 | Remote / On-Prem 🡪 On-Prem | A- | — | N | Access Not Successful | — |
| D-3.4 c | O6 | Remote / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| D-3.4 d | O6 | Remote / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
| D-3.4 e | O6 | Remote / On-Prem 🡪 On-Prem | — | A+ | N | — | Access Successful |
| D-3.4 f | O6 | Remote / On-Prem 🡪 On-Prem | — | A- | N | — | Access Not Successful |
| D-3.4 g | O6 | Remote / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| D-3.4 h | O6 | Remote / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
| D-3.4 i | O7 | Remote / On-Prem 🡪 On-Prem | A+ | — | Y | Access Successful | — |
| D-3.4 j | O7 | Remote / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| D-3.4 k | O7 | Remote / On-Prem 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
| D-3.4 l | O7 | Remote / On-Prem 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
| D-3.4 m | O7 | Remote / On-Prem 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
| D-3.4 n | O7 | Remote / On-Prem 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
| D-3.4 o | O7 | Remote / On-Prem 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
| D-3.5 a | O6 | On-Prem / Remote 🡪 On-Prem | A+ | — | N | Access Successful | — |
| D-3.5 b | O6 | On-Prem / Remote 🡪 On-Prem | A- | — | N | Access Not Successful | — |
| D-3.5 c | O6 | On-Prem / Remote 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
| D-3.5 d | O6 | On-Prem / Remote 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
| D-3.5 e | O6 | On-Prem / Remote 🡪 On-Prem | — | A+ | N | — | Access Successful |
| D-3.5 f | O6 | On-Prem / Remote 🡪 On-Prem | — | A- | N | — | Access Not Successful |
| D-3.5 g | O6 | On-Prem / Remote 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
| D-3.5 h | O6 | On-Prem / Remote 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
| D-3.5 i | O7 | On-Prem / Remote 🡪 On-Prem | A+ | — | Y | Access Successful | — |
| D-3.5 j | O7 | On-Prem / Remote 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
| D-3.5 k | O7 | On-Prem / Remote 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
| D-3.5 l | O7 | On-Prem / Remote 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
| D-3.5 m | O7 | On-Prem / Remote 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
| D-3.5 n | O7 | On-Prem / Remote 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
| D-3.5 o | O7 | On-Prem / Remote 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
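The session-side behaviour that Table 3 calls for can be modelled as a small session store in which each credential carries a version that is rotated when theft is reported. The Python below is an added example, not code from NIST SP 1800-35 or from any reference build. Its assumptions: identity, endpoint and version names are constructed; a failed authentication (A-, RA-) is modelled as presenting a stale credential version; a second valid login for an identity that already holds a live session from another endpoint is refused and the existing session is downgraded, which is what rows c and g specify; and the differing outcomes for rows n and o (All Sessions Terminated in D-3.1, Change to Access Limited in D-3.2 through D-3.5) are selected with the `on_stolen` parameter rather than derived from location, because the table does not say why they differ.

```python
"""Concurrent-session and stolen-credential handling for Scenario D-3 (Table 3).

Added example, not code from NIST SP 1800-35 or any reference build. Assumed model:
a credential has a version that report_stolen() rotates; a failed authentication is a
stale version; the D-3.1 vs D-3.2..D-3.5 difference for rows n and o is a parameter.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOW = "Access Successful"
DENY = "Access Not Successful"
KEEP = "Keep Access"
LIMITED = "Change to Access Limited"
TERMINATED = "All Sessions Terminated"


@dataclass
class Session:
    endpoint: str
    cred_version: int
    state: str = "full"            # full | limited | terminated


class SessionStore:
    def __init__(self, on_stolen: str = TERMINATED) -> None:
        if on_stolen not in (TERMINATED, LIMITED):
            raise ValueError("on_stolen must be TERMINATED or LIMITED")
        self.on_stolen = on_stolen
        self.cred_version: dict[str, int] = {}        # identity -> current credential version
        self.sessions: dict[str, list[Session]] = {}   # identity -> every session opened

    def enroll(self, identity: str) -> int:
        """Issue credential version 1 for a new identity and return it."""
        self.cred_version[identity] = 1
        self.sessions[identity] = []
        return 1

    def live(self, identity: str) -> list[Session]:
        return [s for s in self.sessions[identity] if s.state != "terminated"]

    def authenticate(self, identity: str, endpoint: str, presented_version: int) -> tuple[str, str | None]:
        """Handle a (re-)authentication; returns (outcome, outcome applied to live sessions or None)."""
        current = self.cred_version[identity]
        live = self.live(identity)
        # Rows b, d, f, h, j, k, m: a stale or stolen credential never authenticates, and
        # a failed attempt leaves an existing valid session untouched.
        if presented_version != current:
            return DENY, (KEEP if live else None)
        for s in live:
            if s.endpoint == endpoint:
                # Row l (RA+): re-authentication from the endpoint holding the session.
                # Proving the rotated credential re-binds a session downgraded only by rotation.
                if s.cred_version != current:
                    s.cred_version, s.state = current, "full"
                return ALLOW, None
        # Rows c and g: a second valid login from another endpoint while a session on the
        # same credential is live. The PDP cannot tell which side is hostile, so it refuses
        # the newcomer and downgrades the existing session pending investigation.
        competing = [s for s in live if s.cred_version == current]
        if competing:
            for s in competing:
                s.state = "limited"
            return DENY, LIMITED
        # Rows a, e, i: first login for this identity (or first with the rotated credential).
        self.sessions[identity].append(Session(endpoint, current))
        return ALLOW, None

    def report_stolen(self, identity: str) -> tuple[int, str | None]:
        """Rotate the credential and act on sessions bound to the old version (rows n and o)."""
        old = self.cred_version[identity]
        self.cred_version[identity] = old + 1
        affected = [s for s in self.live(identity) if s.cred_version == old]
        for s in affected:
            s.state = "terminated" if self.on_stolen == TERMINATED else "limited"
        return old + 1, (self.on_stolen if affected else None)
```

The sequence D-3.1 a, c, d, o, k, i plays out as: first login allowed; second valid login from another endpoint refused and the first session limited; a stale credential refused with the existing session kept; theft reported, rotating the credential and terminating the session on the old version; the stolen credential refused; the real user admitted with the rotated credential. Using `SessionStore(on_stolen=LIMITED)` reproduces the D-3.2 through D-3.5 variant, where the session on the old credential is kept alive in limited state and no longer competes with a login that presents the rotated credential.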
Scenario D-4: Full/limited resource access using BYOD#
This scenario deals with requests made under different “Other-ID” profiles: one with access to all provided resources, and one with access to a limited set of resources (e.g., RSS2 but not RSS1, as in the table below) or with limited functionality on an enterprise-controlled resource (e.g., read-only vs. read/write). In this scenario the device used is BYOD.
Pre-Condition: The enterprise provides multiple user accounts with different access levels. The P_FULL access profile grants access to all resources (RSS) within the enterprise and/or to all capabilities (CAP) of those resources. The P_LIMITED access profile grants access to a subset of the resources and/or to only limited functionality of each resource. Compliance (Compl) of the requesting endpoint and of the requested resource is checked, and user, endpoint, and resource are authenticated, per the policy of each demonstration.
Demonstration: Each requestor using an “Other-ID” attempts to access an enterprise resource or a function of an enterprise resource.
Purpose and Outcome: This demonstration focuses on user privilege, authentication/re-authentication, endpoint and RSS location, and the compliance of endpoints and resources.
Table 4 - Scenario D-4 Demonstrations
| Demo ID | UP | Location Req. 🡪 RSS | Auth Stat User | Auth Stat EP | Auth Stat RSS | Access | Compl EP | Compl RSS | Desired Outcome |
|---|---|---|---|---|---|---|---|---|---|
| D-4.1 a | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.1 b | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.1 c | O1 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.1 d | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.1 e | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.1 f | E2 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.1 g | E3 | On-Prem 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.1 h | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.1 i | O1 | On-Prem 🡪 On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| D-4.1 j | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.1 k | O1 | On-Prem 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.1 l | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.1 m | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.1 n | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.1 o | O1 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.1 p | E2 | On-Prem 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.2 a | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.2 b | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.2 c | O1 | Branch 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.2 d | O2 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.2 e | O2 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.2 f | O2 | Branch 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.2 g | E3 | Branch 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.2 h | O1 | Branch 🡪 On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.2 i | O1 | Branch 🡪 On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| D-4.2 j | O1 | Branch 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.2 k | O1 | Branch 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.2 l | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.2 m | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.2 n | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.2 o | O1 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.2 p | O2 | Branch 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.3 a | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.3 b | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.3 c | O1 | Remote 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.3 d | O2 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.3 e | O2 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.3 f | O2 | Remote 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.3 g | E3 | Remote 🡪 On-Prem | A- | A | — | — | Y | — | Access Not Successful |
| D-4.3 h | O1 | Remote 🡪 On-Prem | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.3 i | O1 | Remote 🡪 On-Prem | RA- | A | — | — | Y | — | Access Not Successful |
| D-4.3 j | O1 | Remote 🡪 On-Prem | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.3 k | O1 | Remote 🡪 On-Prem | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.3 l | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.3 m | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.3 n | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.3 o | O1 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.3 p | O2 | Remote 🡪 On-Prem | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.4 a | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.4 b | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.4 c | O1 | On-Prem 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.4 d | O2 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.4 e | O2 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.4 f | O2 | On-Prem 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.4 g | O3 | On-Prem 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.4 h | O1 | On-Prem 🡪 Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.4 i | O1 | On-Prem 🡪 Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| D-4.4 j | O1 | On-Prem 🡪 Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.4 k | O1 | On-Prem 🡪 Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.4 l | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.4 m | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.4 n | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.4 o | O1 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.4 p | O2 | On-Prem 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.5 a | O1 | Branch 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.5 b | O1 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.5 c | O1 | Branch 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.5 d | O2 | Branch 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.5 e | O2 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.5 f | O2 | Branch 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.5 g | O2 | Branch 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.5 h | O1 | Branch 🡪 Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.5 i | O1 | Branch 🡪 Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| D-4.5 j | O1 | Branch 🡪 Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.5 k | O1 | Branch 🡪 Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.5 l | O1 | Branch 🡪 Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.5 m | O1 | Branch 🡪 Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.5 n | O1 | Branch 🡪 Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.5 o | O1 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.5 p | O2 | Branch 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.6 a | O1 | Remote 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.6 b | O1 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.6 c | O1 | Remote 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.6 d | O2 | Remote 🡪 Cloud | A+ | A | A | RSS1 | Y | Y | Access Not Successful |
| D-4.6 e | O2 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | Y | Access Successful |
| D-4.6 f | O2 | Remote 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.6 g | O3 | Remote 🡪 Cloud | A- | A | — | — | Y | — | Access Not Successful |
| D-4.6 h | O1 | Remote 🡪 Cloud | RA+ | A | A | RSS1 | Y | Y | Access Successful |
| D-4.6 i | O1 | Remote 🡪 Cloud | RA- | A | — | — | Y | — | Access Not Successful |
| D-4.6 j | O1 | Remote 🡪 Cloud | RA+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.6 k | O1 | Remote 🡪 Cloud | RA+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.6 l | O1 | Remote 🡪 Cloud | A+ | A | A | RSS1 | N | Y | Access Not Successful |
| D-4.6 m | O1 | Remote 🡪 Cloud | A+ | A | A | RSS2 | N | Y | Access Limited |
| D-4.6 n | O1 | Remote 🡪 Cloud | A+ | A | A | RSS1 | Y | N | Access Not Successful |
| D-4.6 o | O1 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
| D-4.6 p | O2 | Remote 🡪 Cloud | A+ | A | A | RSS2 | Y | N | Access Not Successful |
Scenario D-5: Full/limited internet access using BYOD#
This scenario deals with access from an enterprise-owned device to non-enterprise-managed internet resources using different Enterprise-ID profiles: one with access to the internet, one with limited access to the internet, and one with no access to the internet.
Pre-Condition: The enterprise provides multiple user accounts with different access levels to the internet. The internet access is performed using a BYOD endpoint. Resource (RSS) types are marked OK for approved internet resources and not OK for non-approved ones; whether a resource is approved depends on the user’s policy. User endpoints are checked for compliance (Compl) per demonstration policy.
Demonstration: Each requestor using an Enterprise-ID will attempt to successfully access a non-enterprise resource.
Purpose and Outcome: This demonstration focuses on the endpoint location as well as the resource location.
Table 5 - Scenario D-5 Demonstrations
Demo ID | | UP | Location Req. > RSS | Auth Stat User | Auth Stat EP | Access | Compl EP | Compl Out of Hours | Desired Outcome |
---|---|---|---|---|---|---|---|---|---|
D-5.1 | a | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | N | Access Successful |
D-5.1 | b | O4 | On-Prem 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
D-5.1 | c | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
D-5.1 | d | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
D-5.1 | e | O4 | On-Prem 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
D-5.1 | f | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | N | Access Not Successful |
D-5.1 | g | O5 | On-Prem 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
D-5.1 | h | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
D-5.1 | i | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
D-5.1 | j | O5 | On-Prem 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
D-5.1 | k | O4 | On-Prem 🡪 Internet | RA+ | A | URL1 | Y | — | Access Successful |
D-5.1 | l | O4 | On-Prem 🡪 Internet | RA- | A | — | Y | — | Access Not Successful |
D-5.1 | m | O4 | On-Prem 🡪 Internet | A+ | A | URL1 | N | — | Access Not Successful |
D-5.1 | n | O4 | On-Prem 🡪 Internet | A+ | A | URL2 | N | — | Access Successful |
D-5.1 | o | O5 | On-Prem 🡪 Internet | A+ | A | URL1 | N | N | Access Not Successful |
D-5.1 | p | O5 | On-Prem 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful |
D-5.2 | a | O4 | Branch 🡪 Internet | A+ | A | URL1 | Y | N | Access Successful |
D-5.2 | b | O4 | Branch 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
D-5.2 | c | O4 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
D-5.2 | d | O4 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
D-5.2 | e | O4 | Branch 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
D-5.2 | f | O5 | Branch 🡪 Internet | A+ | A | URL1 | Y | N | Access Not Successful |
D-5.2 | g | O5 | Branch 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
D-5.2 | h | O5 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
D-5.2 | i | O5 | Branch 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
D-5.2 | j | O5 | Branch 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
D-5.2 | k | O4 | Branch 🡪 Internet | RA+ | A | URL1 | Y | — | Access Successful |
D-5.2 | l | O4 | Branch 🡪 Internet | RA- | A | — | Y | — | Access Not Successful |
D-5.2 | m | O4 | Branch 🡪 Internet | A+ | A | URL1 | N | — | Access Not Successful |
D-5.2 | n | O4 | Branch 🡪 Internet | A+ | A | URL2 | N | — | Access Successful |
D-5.2 | o | O5 | Branch 🡪 Internet | A+ | A | URL1 | N | N | Access Not Successful |
D-5.2 | p | O5 | Branch 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful |
D-5.3 | a | O4 | Remote 🡪 Internet | A+ | A | URL1 | Y | N | Access Successful |
D-5.3 | b | O4 | Remote 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
D-5.3 | c | O4 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
D-5.3 | d | O4 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Successful |
D-5.3 | e | O4 | Remote 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
D-5.3 | f | O5 | Remote 🡪 Internet | A+ | A | URL1 | Y | N | Access Not Successful |
D-5.3 | g | O5 | Remote 🡪 Internet | A+ | A | URL2 | Y | N | Access Successful |
D-5.3 | h | O5 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
D-5.3 | i | O5 | Remote 🡪 Internet | A+ | A | URL1 | Y | Y | Access Not Successful |
D-5.3 | j | O5 | Remote 🡪 Internet | A- | A | — | Y | — | Access Not Successful |
D-5.3 | k | O4 | Remote 🡪 Internet | RA+ | A | URL1 | Y | — | Access Successful |
D-5.3 | l | O4 | Remote 🡪 Internet | RA- | A | — | Y | — | Access Not Successful |
D-5.3 | m | O4 | Remote 🡪 Internet | A+ | A | URL1 | N | — | Access Not Successful |
D-5.3 | n | O4 | Remote 🡪 Internet | A+ | A | URL2 | N | — | Access Successful |
D-5.3 | o | O5 | Remote 🡪 Internet | A+ | A | URL1 | N | N | Access Not Successful |
D-5.3 | p | O5 | Remote 🡪 Internet | A+ | A | URL2 | N | N | Access Not Successful |
Scenario D-6: Stolen credential using BYOD#
This scenario deals with a request using a stolen credential. It does not matter if the access is performed using an enterprise endpoint or BYOD device.
Pre-Condition: The requestor’s credential has been stolen and is used in an attempt to access enterprise resource RSS1 from a compliant endpoint. The endpoints and requested resources are considered compliant.
Demonstration: One request is performed successfully; in parallel, the same user identity is used from two separate devices to access one resource. One of the requestors is an attacker using a stolen enterprise-ID who attempts to access an enterprise resource using a BYOD endpoint.
The “Real Req” always uses the latest credentials, which are modified or replaced after being reported stolen. Re-authentication always follows a previously successful authentication. The “Hostile Request” is performed using a stolen enterprise-ID. All authentication methods are compromised, in that the attacker can successfully respond to challenges. Hostile request re-authentication always follows a previously successful authentication.
Purpose and Outcome: This demonstration focuses on the detection of a stolen enterprise-ID and enforcement of isolation.
Table 6 - Scenario D-6 Demonstrations
Demo ID | | UP | Location Real / Hostile > RSS | Auth Stat Real Req | Auth Stat Hostile Req | Rep. Stolen | Desired Outcome for Real Request | Desired Outcome for Hostile Request |
---|---|---|---|---|---|---|---|---|
D-6.1 | a | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | — | N | Access Successful | — |
D-6.1 | b | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | — | N | Access Not Successful | — |
D-6.1 | c | O6 | On-Prem / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
D-6.1 | d | O6 | On-Prem / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
D-6.1 | e | O6 | On-Prem / On-Prem 🡪 On-Prem | — | A+ | N | — | Access Successful |
D-6.1 | f | O6 | On-Prem / On-Prem 🡪 On-Prem | — | A- | N | — | Access Not Successful |
D-6.1 | g | O6 | On-Prem / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
D-6.1 | h | O6 | On-Prem / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
D-6.1 | i | O7 | On-Prem / On-Prem 🡪 On-Prem | A+ | — | Y | Access Successful | — |
D-6.1 | j | O7 | On-Prem / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
D-6.1 | k | O7 | On-Prem / On-Prem 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
D-6.1 | l | O7 | On-Prem / On-Prem 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
D-6.1 | m | O7 | On-Prem / On-Prem 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
D-6.1 | n | O7 | On-Prem / On-Prem 🡪 On-Prem | — | A | Y | — | All Sessions Terminated |
D-6.1 | o | O7 | On-Prem / On-Prem 🡪 On-Prem | A | — | Y | All Sessions Terminated | — |
D-6.2 | a | O6 | On-Prem / Branch 🡪 On-Prem | A+ | — | N | Access Successful | — |
D-6.2 | b | O6 | On-Prem / Branch 🡪 On-Prem | A- | — | N | Access Not Successful | — |
D-6.2 | c | O6 | On-Prem / Branch 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
D-6.2 | d | O6 | On-Prem / Branch 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
D-6.2 | e | O6 | On-Prem / Branch 🡪 On-Prem | — | A+ | N | — | Access Successful |
D-6.2 | f | O6 | On-Prem / Branch 🡪 On-Prem | — | A- | N | — | Access Not Successful |
D-6.2 | g | O6 | On-Prem / Branch 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
D-6.2 | h | O6 | On-Prem / Branch 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
D-6.2 | i | O7 | On-Prem / Branch 🡪 On-Prem | A+ | — | Y | Access Successful | — |
D-6.2 | j | O7 | On-Prem / Branch 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
D-6.2 | k | O7 | On-Prem / Branch 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
D-6.2 | l | O7 | On-Prem / Branch 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
D-6.2 | m | O7 | On-Prem / Branch 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
D-6.2 | n | O7 | On-Prem / Branch 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
D-6.2 | o | O7 | On-Prem / Branch 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
D-6.3 | a | O6 | Branch / On-Prem 🡪 On-Prem | A+ | — | N | Access Successful | — |
D-6.3 | b | O6 | Branch / On-Prem 🡪 On-Prem | A- | — | N | Access Not Successful | — |
D-6.3 | c | O6 | Branch / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
D-6.3 | d | O6 | Branch / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
D-6.3 | e | O6 | Branch / On-Prem 🡪 On-Prem | — | A+ | N | — | Access Successful |
D-6.3 | f | O6 | Branch / On-Prem 🡪 On-Prem | — | A- | N | — | Access Not Successful |
D-6.3 | g | O6 | Branch / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
D-6.3 | h | O6 | Branch / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
D-6.3 | i | O7 | Branch / On-Prem 🡪 On-Prem | A+ | — | Y | Access Successful | — |
D-6.3 | j | O7 | Branch / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
D-6.3 | k | O7 | Branch / On-Prem 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
D-6.3 | l | O7 | Branch / On-Prem 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
D-6.3 | m | O7 | Branch / On-Prem 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
D-6.3 | n | O7 | Branch / On-Prem 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
D-6.3 | o | O7 | Branch / On-Prem 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
D-6.4 | a | O6 | Remote / On-Prem 🡪 On-Prem | A+ | — | N | Access Successful | — |
D-6.4 | b | O6 | Remote / On-Prem 🡪 On-Prem | A- | — | N | Access Not Successful | — |
D-6.4 | c | O6 | Remote / On-Prem 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
D-6.4 | d | O6 | Remote / On-Prem 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
D-6.4 | e | O6 | Remote / On-Prem 🡪 On-Prem | — | A+ | N | — | Access Successful |
D-6.4 | f | O6 | Remote / On-Prem 🡪 On-Prem | — | A- | N | — | Access Not Successful |
D-6.4 | g | O6 | Remote / On-Prem 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
D-6.4 | h | O6 | Remote / On-Prem 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
D-6.4 | i | O7 | Remote / On-Prem 🡪 On-Prem | A+ | — | Y | Access Successful | — |
D-6.4 | j | O7 | Remote / On-Prem 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
D-6.4 | k | O7 | Remote / On-Prem 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
D-6.4 | l | O7 | Remote / On-Prem 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
D-6.4 | m | O7 | Remote / On-Prem 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
D-6.4 | n | O7 | Remote / On-Prem 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
D-6.4 | o | O7 | Remote / On-Prem 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
D-6.5 | a | O6 | On-Prem / Remote 🡪 On-Prem | A+ | — | N | Access Successful | — |
D-6.5 | b | O6 | On-Prem / Remote 🡪 On-Prem | A- | — | N | Access Not Successful | — |
D-6.5 | c | O6 | On-Prem / Remote 🡪 On-Prem | A | A+ | N | Change to Access Limited | Access Not Successful |
D-6.5 | d | O6 | On-Prem / Remote 🡪 On-Prem | A | A- | N | Keep Access | Access Not Successful |
D-6.5 | e | O6 | On-Prem / Remote 🡪 On-Prem | — | A+ | N | — | Access Successful |
D-6.5 | f | O6 | On-Prem / Remote 🡪 On-Prem | — | A- | N | — | Access Not Successful |
D-6.5 | g | O6 | On-Prem / Remote 🡪 On-Prem | A+ | A | N | Access Not Successful | Change to Access Limited |
D-6.5 | h | O6 | On-Prem / Remote 🡪 On-Prem | A- | A | N | Access Not Successful | Keep Access |
D-6.5 | i | O7 | On-Prem / Remote 🡪 On-Prem | A+ | — | Y | Access Successful | — |
D-6.5 | j | O7 | On-Prem / Remote 🡪 On-Prem | A | A- | Y | Keep Access | Access Not Successful |
D-6.5 | k | O7 | On-Prem / Remote 🡪 On-Prem | — | A- | Y | — | Access Not Successful |
D-6.5 | l | O7 | On-Prem / Remote 🡪 On-Prem | RA+ | — | Y | Access Successful | — |
D-6.5 | m | O7 | On-Prem / Remote 🡪 On-Prem | — | RA- | Y | — | Access Not Successful |
D-6.5 | n | O7 | On-Prem / Remote 🡪 On-Prem | — | A | Y | — | Change to Access Limited |
D-6.5 | o | O7 | On-Prem / Remote 🡪 On-Prem | A | — | Y | Change to Access Limited | — |
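The two-device handling that Scenario D-6 and the Table 6 rows above describe, written out as an added policy decision point (example code, not part of NIST SP 1800-35 or its demonstration build). Credential versions, the device names, and the terminate-or-limit choice for sessions already open when a theft is reported are assumptions of this model; the rows a, c, d, e, i, j, k, l, n and o are replayed against it.

```python
"""Added model (not from the NIST page) of the session handling that the
Scenario D-6 rows expect when one enterprise-ID is used from two devices."""
from dataclasses import dataclass, field

SUCCESS = "Access Successful"
DENIED = "Access Not Successful"
LIMITED = "Change to Access Limited"
TERMINATED = "All Sessions Terminated"


@dataclass
class IdentityState:
    credential_version: int = 1                   # bumped when a theft is reported
    sessions: dict = field(default_factory=dict)  # device -> "full" | "limited"


class SessionPolicy:
    """Policy decision point for enterprise identities.

    on_stolen is an assumption of this model: what happens to sessions that
    are already open when the credential is reported stolen. Table 6 shows
    both "All Sessions Terminated" (D-6.1) and "Change to Access Limited"
    (D-6.2 to D-6.5), so the choice is a policy parameter here.
    """

    def __init__(self, on_stolen="terminate"):
        if on_stolen not in ("terminate", "limit"):
            raise ValueError("on_stolen must be 'terminate' or 'limit'")
        self.on_stolen = on_stolen
        self.identities = {}

    def _state(self, identity):
        return self.identities.setdefault(identity, IdentityState())

    def authenticate(self, identity, device, credential_version, challenge_ok):
        """One authentication (A+/A-) or re-authentication (RA+/RA-) request.
        Returns {device: outcome} for the requesting device plus any change
        forced on the identity's other sessions."""
        st = self._state(identity)
        # Rotated (reported stolen and replaced) credential or a failed
        # challenge: deny, and drop any session this device held.
        if not challenge_ok or credential_version != st.credential_version:
            st.sessions.pop(device, None)
            return {device: DENIED}
        others = [d for d in st.sessions if d != device]
        if others:
            # The same identity is already active on another device. The PDP
            # cannot tell which side is hostile, so it refuses the new request
            # and reduces the existing session to limited access (rows c, g).
            for d in others:
                st.sessions[d] = "limited"
            return {device: DENIED, **{d: LIMITED for d in others}}
        st.sessions[device] = "full"
        return {device: SUCCESS}

    def report_stolen(self, identity):
        """Credential reported stolen: rotate it so the old one fails (rows k,
        m) and apply on_stolen to every session already open (rows n, o)."""
        st = self._state(identity)
        st.credential_version += 1
        outcome = {}
        for d in list(st.sessions):
            if self.on_stolen == "terminate":
                del st.sessions[d]
                outcome[d] = TERMINATED
            else:
                st.sessions[d] = "limited"
                outcome[d] = LIMITED
        return outcome

    def access_level(self, identity, device):
        """Current level of the device's session, or None if it has none."""
        return self._state(identity).sessions.get(device)


if __name__ == "__main__":
    # Constructed walk-through of D-6.1 rows a and c, then a theft report.
    pdp = SessionPolicy(on_stolen="terminate")
    print("a:", pdp.authenticate("user1", "EP-real", 1, True))
    print("c:", pdp.authenticate("user1", "BYOD-hostile", 1, True))
    print("report:", pdp.report_stolen("user1"))
```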
Scenario D-7: Just-in-Time Access Privileges#
In this demonstration, an enterprise provisions access privileges to a resource based on a single business process flow. Temporary privileges are granted to perform a portion of a business process, then revoked when the process is complete.
Pre-Condition: There are no active sessions from a subject to the resource. Both the subject endpoint and the resource are in compliance with the enterprise security posture, or are expected to be in compliance after the session is completed.
Demonstration: A subject is granted privileges to access a resource. The subject then establishes a session with an endpoint to perform some administrative task, then closes the connection. Privilege to access that resource is then removed.
Purpose and Outcome: The enterprise can provide JIT access privileges to resources.
Table 7 - Scenario D-7 Demonstrations
Demo ID | | Subject Location | Resource Location | Priv. Provisioned | Desired Outcome |
---|---|---|---|---|---|
D-7.1 | a | On-Prem | On-Prem | No | Access Not Successful |
D-7.1 | b | On-Prem | On-Prem | Yes | Access Successful |
D-7.1 | c | On-Prem | Branch | No | Access Not Successful |
D-7.1 | d | On-Prem | Branch | Yes | Access Successful |
D-7.1 | e | On-Prem | Remote | No | Access Not Successful |
D-7.1 | f | On-Prem | Remote | Yes | Access Successful |
D-7.1 | g | On-Prem | IaaS | No | Access Not Successful |
D-7.1 | h | On-Prem | IaaS | Yes | Access Successful |
D-7.1 | i | On-Prem | PaaS | No | Access Not Successful |
D-7.1 | j | On-Prem | PaaS | Yes | Access Successful |
D-7.1 | k | On-Prem | SaaS | No | Access Not Successful |
D-7.1 | l | On-Prem | SaaS | Yes | Access Successful |
D-7.1 | m | Branch | On-Prem | No | Access Not Successful |
D-7.1 | n | Branch | On-Prem | Yes | Access Successful |
D-7.1 | o | Branch | Branch | No | Access Not Successful |
D-7.1 | p | Branch | Branch | Yes | Access Successful |
D-7.1 | q | Branch | Remote | No | Access Not Successful |
D-7.1 | r | Branch | Remote | Yes | Access Successful |
D-7.1 | s | Branch | IaaS | No | Access Not Successful |
D-7.1 | t | Branch | IaaS | Yes | Access Successful |
D-7.1 | u | Branch | PaaS | No | Access Not Successful |
D-7.1 | v | Branch | PaaS | Yes | Access Successful |
D-7.1 | w | Branch | SaaS | No | Access Not Successful |
D-7.1 | x | Branch | SaaS | Yes | Access Successful |
D-7.1 | y | Remote | On-Prem | No | Access Not Successful |
D-7.1 | z | Remote | On-Prem | Yes | Access Successful |
D-7.1 | aa | Remote | Branch | No | Access Not Successful |
D-7.1 | ab | Remote | Branch | Yes | Access Successful |
D-7.1 | ac | Remote | Remote | No | Access Not Successful |
D-7.1 | ad | Remote | Remote | Yes | Access Successful |
D-7.1 | ae | Remote | IaaS | No | Access Not Successful |
D-7.1 | af | Remote | IaaS | Yes | Access Successful |
D-7.1 | ag | Remote | PaaS | No | Access Not Successful |
D-7.1 | ah | Remote | PaaS | Yes | Access Successful |
D-7.1 | ai | Remote | SaaS | No | Access Not Successful |
D-7.1 | aj | Remote | SaaS | Yes | Access Successful |
Scenario D-8: Other-ID Step-Up Authentication#
In this demonstration, the subject has an open session to the resource but requests to perform an action that requires additional authentication checks. If the additional authentication succeeds, the subject’s session proceeds as normal; if it fails, the session is terminated.
Pre-Condition: The subject has a current session with the resource and has successfully authenticated for the current action. The subject is authorized to perform the higher-security action. Both the subject endpoint and the resource are in compliance with the enterprise security posture.
Demonstration: The subject has an open session to the resource and wants to perform a different action that is considered more sensitive. The system prompts the subject to re-authenticate or to perform a higher level of authentication (e.g., an additional MFA factor or similar).
Purpose and Outcome: The system can request additional authentication mechanisms to match a more sensitive action during an active session.
Table 8 - Scenario D-8 Demonstrations
Demo ID | | Subj Type | Subject Location | Auth Success | RSS Loc | Desired Outcome |
---|---|---|---|---|---|---|
D-8.1 | a | EP | On-Prem | Yes | On-Prem | Session Continues |
D-8.1 | b | BYOD | On-Prem | Yes | On-Prem | Session Continues |
D-8.1 | c | Guest | On-Prem | Yes | On-Prem | Session Continues |
D-8.1 | d | EP | On-Prem | No | On-Prem | Session Terminated |
D-8.1 | e | BYOD | On-Prem | No | On-Prem | Session Terminated |
D-8.1 | f | Guest | On-Prem | No | On-Prem | Session Terminated |
D-8.1 | g | EP | Branch | Yes | On-Prem | Session Continues |
D-8.1 | h | BYOD | Branch | Yes | On-Prem | Session Continues |
D-8.1 | i | Guest | Branch | Yes | On-Prem | Session Continues |
D-8.1 | j | EP | Branch | No | On-Prem | Session Terminated |
D-8.1 | k | BYOD | Branch | No | On-Prem | Session Terminated |
D-8.1 | l | Guest | Branch | No | On-Prem | Session Terminated |
D-8.1 | m | EP | Remote | Yes | On-Prem | Session Continues |
D-8.1 | n | BYOD | Remote | Yes | On-Prem | Session Continues |
D-8.1 | o | Guest | Remote | Yes | On-Prem | Session Continues |
D-8.1 | p | EP | Remote | No | On-Prem | Session Terminated |
D-8.1 | q | BYOD | Remote | No | On-Prem | Session Terminated |
D-8.1 | r | Guest | Remote | No | On-Prem | Session Terminated |
D-8.2 | a | EP | On-Prem | Yes | On-Prem | Session Continues |
D-8.2 | b | BYOD | On-Prem | Yes | On-Prem | Session Continues |
D-8.2 | c | Guest | On-Prem | Yes | On-Prem | Session Continues |
D-8.2 | d | EP | On-Prem | No | On-Prem | Session Terminated |
D-8.2 | e | BYOD | On-Prem | No | On-Prem | Session Terminated |
D-8.2 | f | Guest | On-Prem | No | On-Prem | Session Terminated |
D-8.2 | g | EP | Branch | Yes | On-Prem | Session Continues |
D-8.2 | h | BYOD | Branch | Yes | On-Prem | Session Continues |
D-8.2 | i | Guest | Branch | Yes | On-Prem | Session Continues |
D-8.2 | j | EP | Branch | No | On-Prem | Session Terminated |
D-8.2 | k | BYOD | Branch | No | On-Prem | Session Terminated |
D-8.2 | l | Guest | Branch | No | On-Prem | Session Terminated |
D-8.2 | m | EP | Remote | Yes | On-Prem | Session Continues |
D-8.2 | n | BYOD | Remote | Yes | On-Prem | Session Continues |
D-8.2 | o | Guest | Remote | Yes | On-Prem | Session Continues |
D-8.2 | p | EP | Remote | No | On-Prem | Session Terminated |
D-8.2 | q | BYOD | Remote | No | On-Prem | Session Terminated |
D-8.2 | r | Guest | Remote | No | On-Prem | Session Terminated |
D-8.3 | a | EP | On-Prem | Yes | IaaS | Session Continues |
D-8.3 | b | BYOD | On-Prem | Yes | IaaS | Session Continues |
D-8.3 | c | Guest | On-Prem | Yes | IaaS | Session Continues |
D-8.3 | d | EP | On-Prem | No | IaaS | Session Terminated |
D-8.3 | e | BYOD | On-Prem | No | IaaS | Session Terminated |
D-8.3 | f | Guest | On-Prem | No | IaaS | Session Terminated |
D-8.3 | g | EP | Branch | Yes | IaaS | Session Continues |
D-8.3 | h | BYOD | Branch | Yes | IaaS | Session Continues |
D-8.3 | i | Guest | Branch | Yes | IaaS | Session Continues |
D-8.3 | j | EP | Branch | No | IaaS | Session Terminated |
D-8.3 | k | BYOD | Branch | No | IaaS | Session Terminated |
D-8.3 | l | Guest | Branch | No | IaaS | Session Terminated |
D-8.3 | m | EP | Remote | Yes | IaaS | Session Continues |
D-8.3 | n | BYOD | Remote | Yes | IaaS | Session Continues |
D-8.3 | o | Guest | Remote | Yes | IaaS | Session Continues |
D-8.3 | p | EP | Remote | No | IaaS | Session Terminated |
D-8.3 | q | BYOD | Remote | No | IaaS | Session Terminated |
D-8.3 | r | Guest | Remote | No | IaaS | Session Terminated |
D-8.4 | a | EP | On-Prem | Yes | PaaS | Session Continues |
D-8.4 | b | BYOD | On-Prem | Yes | PaaS | Session Continues |
D-8.4 | c | Guest | On-Prem | Yes | PaaS | Session Continues |
D-8.4 | d | EP | On-Prem | No | PaaS | Session Terminated |
D-8.4 | e | BYOD | On-Prem | No | PaaS | Session Terminated |
D-8.4 | f | Guest | On-Prem | No | PaaS | Session Terminated |
D-8.4 | g | EP | Branch | Yes | PaaS | Session Continues |
D-8.4 | h | BYOD | Branch | Yes | PaaS | Session Continues |
D-8.4 | i | Guest | Branch | Yes | PaaS | Session Continues |
D-8.4 | j | EP | Branch | No | PaaS | Session Terminated |
D-8.4 | k | BYOD | Branch | No | PaaS | Session Terminated |
D-8.4 | l | Guest | Branch | No | PaaS | Session Terminated |
D-8.4 | m | EP | Remote | Yes | PaaS | Session Continues |
D-8.4 | n | BYOD | Remote | Yes | PaaS | Session Continues |
D-8.4 | o | Guest | Remote | Yes | PaaS | Session Continues |
D-8.4 | p | EP | Remote | No | PaaS | Session Terminated |
D-8.4 | q | BYOD | Remote | No | PaaS | Session Terminated |
D-8.4 | r | Guest | Remote | No | PaaS | Session Terminated |
D-8.5 | a | EP | On-Prem | Yes | SaaS | Session Continues |
D-8.5 | b | BYOD | On-Prem | Yes | SaaS | Session Continues |
D-8.5 | c | Guest | On-Prem | Yes | SaaS | Session Continues |
D-8.5 | d | EP | On-Prem | No | SaaS | Session Terminated |
D-8.5 | e | BYOD | On-Prem | No | SaaS | Session Terminated |
D-8.5 | f | Guest | On-Prem | No | SaaS | Session Terminated |
D-8.5 | g | EP | Branch | Yes | SaaS | Session Continues |
D-8.5 | h | BYOD | Branch | Yes | SaaS | Session Continues |
D-8.5 | i | Guest | Branch | Yes | SaaS | Session Continues |
D-8.5 | j | EP | Branch | No | SaaS | Session Terminated |
D-8.5 | k | BYOD | Branch | No | SaaS | Session Terminated |
D-8.5 | l | Guest | Branch | No | SaaS | Session Terminated |
D-8.5 | m | EP | Remote | Yes | SaaS | Session Continues |
D-8.5 | n | BYOD | Remote | Yes | SaaS | Session Continues |
D-8.5 | o | Guest | Remote | Yes | SaaS | Session Continues |
D-8.5 | p | EP | Remote | No | SaaS | Session Terminated |
D-8.5 | q | BYOD | Remote | No | SaaS | Session Terminated |
D-8.5 | r | Guest | Remote | No | SaaS | Session Terminated |