# EIG Run Phase Demonstration Results

Note: This page is supplementary material for the NIST SP 1800-35 publication.

This section lists the full demonstration results for each of the builds implemented as part of the EIG run phase: E1B2, E3B2, and E4B3.

## Enterprise 3 Build 2 (E3B2) - EIG Run - Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Forescout eyeControl, and Forescout eyeExtend as PEs Detailed Demonstration Results

Table 2 lists the full demonstration results for all EIG run phase demonstrations run in Enterprise 3 Build 2 (E3B2). The technology deployed in E3B2 was able to determine endpoint compliance for Windows, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 2 - Detailed Demonstration Results for E3B2
| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| A-1.1.a-d | Access to Network | Access to Network | Success: Resource has access to network in accordance with Forescout policy. |
| A-1.1.b, A-1.1.c, A-1.1.g | No Access to Network | No Access to Network | Partial success: In the current configuration, the endpoint has access limited to the local subnet in accordance with Forescout policy. |
| A-1.1.d | No Access to Network | N/A | Demonstration cannot be completed. By Scenario A-1 definition, a resource has already undergone onboarding. |
| A-1.1.e | Access to Network | Access to Network | Success: Endpoint has access to network in accordance with Forescout policy. |
| A-1.1.f | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint has access limited in accordance with Forescout policy. |
| A-1.1.h | Access to Public Network | N/A | Demonstration cannot be completed. By Scenario A-1 definition, an endpoint has already undergone onboarding. |
| A-1.1.i | Access to Network | Access to Network | Success: BYOD has access to network in accordance with Forescout policy. |
| A-1.1.j | Limited Access to Network | Limited Access to Network | Success: Endpoint has access limited to the local subnet in accordance with Forescout policy. |
| A-1.1.k | No Access to Network | No Access to Network | Partial success: In the current configuration, the endpoint has access limited to the local subnet in accordance with Forescout policy. |
| A-1.1.l | Access to Public Network | N/A | Demonstration cannot be completed. By Scenario A-1 definition, the BYOD has already undergone onboarding. |
| A-1.1.m | Access to Public Network | Access to Public Network | Success: BYOD has access to network in accordance with Forescout policy. |
| A-1.2.a-m | Access to Network | N/A | Demonstration cannot be completed. There is no branch office configured for Enterprise 3. |
| A-1.3.a | Access to Network | Access to Network | Success: Endpoint has access to network in accordance with Forescout policy. |
| A-1.3.b | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint has access limited in accordance with Forescout policy. |
| A-1.3.c | No Access to Network | No Access to Network | Success: Endpoint is denied access to the network after failing to authenticate to the GlobalProtect VPN. |
| A-1.3.d | Access to Network | Access to Network | Success: BYOD has access to network in accordance with Forescout policy. |
| A-1.3.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint has access limited in accordance with Forescout policy. |
| A-1.3.f | No Access to Network | No Access to Network | Success: BYOD is denied access to the network after failing to authenticate to the GlobalProtect VPN. |
| A-1.4.a-g | N/A | N/A | Partial Success: Using Azure roles, a user could be allowed, denied, or provided with limited access to cloud resources. With Azure AD Conditional Access and Microsoft Intune, a device can be given access to a cloud application. |
| A-2.1.a | Keep Access to Network | Keep Access to Network | Success: Resource has access to network in accordance with Forescout policy. |
| A-2.1.b | Terminate Access to Network | Limit Access to Network | Partial Success: Resource has access limited to the local subnet in accordance with Forescout policy. |
| A-2.1.c | Terminate Access to Network | Limit Access to Network | Partial Success: Resource has access limited to the local subnet in accordance with Forescout policy. |
| A-2.1.d | Keep Access to Network | Keep Access to Network | Success: Endpoint has access to network in accordance with Forescout policy. |
| A-2.1.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint has access limited in accordance with Forescout policy. |
| A-2.1.f | Terminate Access to Network | Limit Access to Network | Partial Success: Resource has access limited to the local subnet in accordance with Forescout policy. |
| A-2.1.g | Keep Access to Network | Keep Access to Network | Success: BYOD has access to network in accordance with Forescout policy. |
| A-2.1.h | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint has access limited in accordance with Forescout policy. |
| A-2.1.i | Terminate Access to Network | Limit Access to Network | Partial success: BYOD has access limited to the local subnet in accordance with Forescout policy. |
| A-2.2.a-i | N/A | N/A | Demonstration cannot be completed. There is no branch office configured for Enterprise 3. |
| A-2.3.a | Keep Access to Network | Keep Access to Network | Success: Endpoint has access to network in accordance with Forescout policy. |
| A-2.3.b | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint has access limited in accordance with Forescout policy. |
| A-2.3.c | Terminate Access to Network | Terminate Access to Network | Success: Endpoint has access terminated after failing to reauthenticate to the GlobalProtect VPN. |
| A-2.3.d | Keep Access to Network | Keep Access to Network | Success: BYOD has access to network in accordance with Forescout policy. |
| A-2.3.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: BYOD has access limited in accordance with Forescout policy. |
| A-2.3.f | Terminate Access to Network | Terminate Access to Network | Success: BYOD has access terminated after failing to reauthenticate to the GlobalProtect VPN. |
| A-2.4.a, d | Keep Access to Network | Keep Access to Network | Success: Azure is able to allow access to cloud endpoints and resources. |
| A-2.4.b, c, f | Terminate Access to Network | Terminate Access to Network | Success: Azure is able to limit access to cloud endpoints and resources. |
| A-2.4.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: Azure is able to limit access to cloud endpoints and resources. |
| A-3.1.a | User request and action is recorded | User request is recorded | Partial Success: User activity and transaction flow is logged using Forescout. Individual user actions are not visible within this build. |
| A-3.2.a | User request and action is recorded | User request is recorded | Partial Success: User activity and transaction flow is logged using Forescout and Azure AD. Individual user actions are not visible within this build. |
| A-3.3.a, A-3.4.a | User request and action is recorded | N/A | Branch testing is not available for this build. |
| A-3.5.a, A-3.6.a | User request and action is recorded | User request is recorded | Partial Success: User activity and transaction flow is logged. Individual user actions are not visible. |
| A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b | API call is recorded | Activity and transaction flow is recorded | Partial Success: Service activity and transaction flow is logged by Forescout. Individual API calls are not visible. |
| B-1.1.a | Access Successful | Access Successful | Success: Users access RSS1 based on the EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.1.b | Access Successful | Access Successful | Success: Users access RSS2 based on the EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.1.c | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.1.d | Access Not Successful | Access Not Successful | Success: E2 is not authorized to access RSS1 in accordance with Azure AD policy. |
| B-1.1.e | Access Successful | Access Successful | Success: Users access RSS2 based on the EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.1.f, B-1.1.g | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.1.h | Access Successful | Access Successful | Success: Session timeout is set to one minute for demonstration purposes. After the session timed out, the user was reauthenticated to Azure AD. |
| B-1.1.i | Access Not Successful | Access Not Successful | Success: Users were prevented from accessing resources after reauthentication failure to Azure AD. |
| B-1.1.j | Access Not Successful | Access Not Successful | Success: Initial user authentication to Azure AD was successful and the user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.1.k | Access Limited | Access Not Successful | Partial success: Initial user authentication to Azure AD was successful and the user was granted access to RSS2. In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.1.l | Access Not Successful | Access Not Successful | Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.1.m | Access Limited | Access Not Successful | Partial success: In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.1.n-p | Access Not Successful | Access Not Successful | Success: After the RSS became noncompliant, user access to the RSS was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.2.a-p | N/A | N/A | Cannot test because there is no branch office in Ent. 3. |
| B-1.3.a-p | | | The results are the same as B-1.1, given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1. |
| B-1.4.a | Access Successful | Access Successful | Success: Users access RSS1 based on the EP compliance with Forescout and Azure AD policy. |
| B-1.4.b | Access Successful | Access Successful | Success: Users access RSS2 based on the EP compliance with Forescout and Azure AD policy. |
| B-1.4.c | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.4.d | Access Not Successful | Access Not Successful | Success: E2 is not authorized to access RSS1 in accordance with Azure AD policy. |
| B-1.4.e | Access Successful | Access Successful | Success: Users access RSS2 based on the EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.4.f, B-1.4.g | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.4.h | Access Successful | Access Successful | Success: Session timeout is set to one minute for demonstration purposes. After the session timed out, the user was reauthenticated to Azure AD. |
| B-1.4.i | Access Not Successful | Access Not Successful | Success: Users were prevented from accessing resources after reauthentication failure to Azure AD. |
| B-1.4.j | Access Not Successful | Access Not Successful | Success: Initial user authentication to Azure AD was successful and the user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.4.k | Access Limited | Access Not Successful | Partial success: Initial user authentication to Azure AD was successful and the user was granted access to RSS2. In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.4.l | Access Not Successful | Access Not Successful | Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.4.m | Access Limited | Access Not Successful | Partial success: In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.4.n-p | N/A | N/A | Demonstration cannot be performed as verification of cloud resource compliance is not available at this time. |
| B-1.5.a-p | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| B-1.6.a-p | | | In the current implementation, remote users are connected to a VPN that routes network traffic through the on-prem environment. All test results are similar to B-1.4.a-p. |
| B-2.1.a-d, g, n | Access Successful | Access Successful | Success: Access allowed in accordance with Forescout policy. |
| B-2.1.e, f, l, m, o, p | Access Not Successful | Access Not Successful | Success: Access denied in accordance with Forescout policy. |
| B-2.2 | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| B-2.3 | | | In the current implementation, remote users are connected to a VPN that routes network traffic through the on-prem environment. All test results are similar to B-2.1.a-p. |
| B-3.1.a, B-3.4.a, B-3.5.a | Real Req Success | Real Req Success | Success: Real Request successfully authenticated. |
| B-3.1.b, B-3.4.b, B-3.5.b | Real Req Fail | Real Req Fail | Success: Incorrect credentials were entered, and the Real Request failed as expected. |
| B-3.1.c, B-3.4.c, B-3.5.c | Limit Access for Real Request, Deny Access to Hostile Request | N/A | Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. |
| B-3.1.d, B-3.4.d, B-3.5.d | Real Request Keep Access, Deny Access to Hostile Request | N/A | Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. |
| B-3.1.e, B-3.4.e, B-3.5.e | Hostile Request Successful | Hostile Request Successful | Success: Hostile Request successfully authenticated. |
| B-3.1.f, B-3.4.f, B-3.5.f | Hostile Request Unsuccessful | Hostile Request Unsuccessful | Success: Incorrect credentials were entered, and the Hostile Request failed as expected. |
| B-3.1.g, B-3.4.g, B-3.5.g | Real Request Fail, Hostile Request Access Limited | N/A | Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. |
| B-3.1.h, B-3.4.h, B-3.5.h | Real Request Fail, Hostile Request remains authenticated | N/A | Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. |
| B-3.1.i, B-3.4.i, B-3.5.i | Real Req Success | Real Req Success | Success: Real Request successfully authenticated. |
| B-3.1.j, B-3.4.j, B-3.5.j | Real Request remains authenticated, Hostile Request Fail | N/A | Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. |
| B-3.1.k, B-3.4.k, B-3.5.k | Hostile Request Fail | Hostile Request Fail | Success: Incorrect credentials were entered, and the Hostile Request failed as expected. |
| B-3.1.l, B-3.4.l, B-3.5.l | Real Request Access Successful | Real Request Access Successful | Success: Real Request successfully reauthenticated. |
| B-3.1.m, B-3.4.m, B-3.5.m | Hostile Request Access Denied | Hostile Request Access Denied | Success: Hostile Request reauthentication fails. |
| B-3.1.n, B-3.4.n, B-3.5.n | Hostile Request Session Terminated | Hostile Request Session Terminated | Success: Azure AD sessions terminated. |
| B-3.1.o, B-3.4.o, B-3.5.o | Real Request Session Terminated | Real Request Session Terminated | Success: Azure AD sessions terminated. |
| B-3.2, B-3.3 | N/A | N/A | Branch office is not included in Build 3. |
| B-4 | | | All demonstrations here are the same as B-1 since the device is both authenticated and compliant. |
| B-5 | | | All demonstrations here are the same as B-2 since the device is both authenticated and compliant. |
| B-6 | | | All demonstrations here are the same as B-3 since the device is both authenticated and compliant. |
| All C Use Cases | N/A | N/A | Demonstrations cannot be performed. Currently, no federation configuration has been set up between Ent1, Ent2, and Ent3. |
| All D Use Cases | | | All demonstrations here are the same as B since the device is both authenticated and compliant. Note that the user is a contractor. |
| E-1.1.a, b | Access Successful | Access Successful | Success: Guests can access public resources and the internet in accordance with policy using Forescout. |
| E-1.2.a, b | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| All F Use Cases | N/A | N/A | Confidence level use cases are considered out of scope for the EIG run phase. |
## Enterprise 4 Build 3 (E4B3) - EIG Run - IBM Security Verify as PE Detailed Demonstration Results

Table 3 lists the full demonstration results for EIG run phase demonstrations in Enterprise 4 Build 3 (E4B3). The technology deployed in E4B3 was able to determine endpoint compliance for Windows and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 3 - Detailed Demonstration Results for E4B3
| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| A-1.1.a-d, A-1.1.f, A-1.1.j | N/A | N/A | IBM considers RSS management and granting the endpoint limited access to the network out of scope for their products. Other technologies should be used to perform this function. |
| A-1.1.e, A-1.1.i | Access to Network | Access to Network | Success: MaaS360 configuration allowed iOS and Android devices to successfully authenticate to the Enterprise 4 wireless network. |
| A-1.1.g, A-1.1.k | No Access to Network | No Access to Network | Success: iOS and Android devices were denied access after failing network authentication. |
| A-1.1.h, A-1.1.l, A-1.1.m | Access to Public Network | Access to Public Network | Success: The devices are able to access the Public Network. |
| A-1.2.a-m, A-1.3.a-f, A-1.4.a-g | N/A | N/A | Not demonstrated in this build due to no branch in Ent 4. |
| A-1.3.a, A-1.3.d | Access to Network | Access to Network | Success: MaaS360 configuration allowed iOS and Android devices to successfully authenticate to the Enterprise 4 wireless network. |
| A-1.3.c, A-1.3.f | No Access to Network | No Access to Network | Success: iOS and Android devices were denied access after failing network authentication. |
| A-1.3.b, A-1.3.e | N/A | N/A | IBM considers limited network access out of scope for their products. Other technologies should be used to perform this function. |
| A-2 | | | A-2 results match results from A-1. |
| A-3.1.a, A-3.3.a, A-3.5.a | User request and action is recorded | User login to an application is logged | Success: IBM Security Verify and QRadar record user application requests. |
| A-3.2.a, A-3.4.a, A-3.6.a | User request and action is recorded | User login to an application is logged | Success: IBM Security Verify and QRadar record user application logins. |
| A-3.1.b, A-3.3.b, A-3.2.b, A-3.4.b, A-3.6.a | N/A | N/A | IBM considers API call visibility out of scope for their products. Other technologies should be used to perform this function. |
| B-1.1.a, B-1.3.a, B-1.4.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a | Access Successful | Access Successful | Partial Success: User is successfully authenticated and granted access to the resource. However, RSS compliance was not obtained. |
| B-1.1.b, B-1.3.b, B-1.4.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b | Access Successful | Access Successful | Partial Success: User is successfully authenticated and granted access to the resource. However, RSS compliance was not obtained. |
| B-1.1.c, B-1.3.c, B-1.4.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c | Access Not Successful | Access Not Successful | Success: Demonstration completed with user not able to log in to resource. |
| B-1.1.d, B-1.3.d, B-1.4.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d | Access Not Successful | Access Not Successful | Success: User was denied access due to policy constraints. |
| B-1.1.e, B-1.3.e, B-1.4.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e | Access Successful | Access Successful | Partial Success: User is successfully authenticated and granted access to the resource. However, RSS compliance was not obtained. |
| B-1.1.f, B-1.3.f, B-1.4.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f | Access Not Successful | Access Not Successful | Success: Without user authentication for the resource, the access attempt did not succeed. |
| B-1.1.g, B-1.3.g, B-1.4.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g | Access Not Successful | Access Not Successful | Success: Without user authentication for the resource, the access attempt did not succeed. |
| B-1.1.h, B-1.3.h, B-1.4.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h | Access Successful | Access Successful | Partial Success: GitLab session timeout is set to one minute for demonstration purposes. After the session timed out, the user was reauthenticated. However, RSS compliance was not obtained. |
| B-1.1.i, B-1.3.i, B-1.4.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i | Access Not Successful | Access Not Successful | Success: After session timeout, the user tried to log in with incorrect credentials and access was denied. |
| B-1.1.j, B-1.3.j, B-1.4.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j | Access Not Successful | Access Not Successful | Success: User was denied access due to endpoint noncompliance. |
| B-1.1.k, B-1.3.k, B-1.4.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k | Access Limited | Access Limited | Partial Success: User access was downgraded due to having a noncompliant endpoint. However, RSS compliance was not obtained. |
| B-1.1.l-m, B-1.3.l-m, B-1.4.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m | Access Denied | Access Denied | Partial Success: User access was downgraded due to having a noncompliant endpoint. However, RSS compliance was not obtained. |
| B-1.1.n-p, B-1.3.n-p, B-1.4.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p | N/A | N/A | Not demonstrated in this build due to lack of resource compliance verification. |
| B-1.2.a-p | N/A | N/A | Branch not available in Enterprise 4. |
| B-2.1.a-d, B-2.3.a-d | Access Successful | Access Successful | Success: When using the secure browser on iOS and Android, user was allowed access per policy. |
| B-2.1.e, B-2.3.e, B-5.1.e, B-5.3.e | Access Not Successful | Access Not Successful | Success: When using the secure browser on iOS and Android, user was allowed access per policy. |
| B-2.1.f, B-2.3.f, B-5.1.f, B-5.3.f | Access Not Successful | Access Not Successful | Success: When using the secure browser on iOS and Android, user was denied access per policy. |
| B-2.1.g, B-2.3.g, B-5.1.g, B-5.3.g | N/A | N/A | Not demonstrated in this build due to MaaS360 limitation, as all MaaS360 resources like the secure browser are unavailable outside of the policy hours. |
| B-2.1.h-i, B-2.3.h-i, B-5.1.h-i, B-5.3.h-i | Access Not Successful | Access Not Successful | Success: User was denied access due to policy constraints. |
| B-2.1.j-p, B-2.2.j-p, B-2.3.j-p, B-5.1.j-p, B-5.2.j-p, B-5.3.j-p | N/A | N/A | Not demonstrated in this build. Due to security of MaaS360 certificate storage, we were unable to invalidate the credentials and produce an unsuccessful authentication. Resource compliance is not available in Ent4. |
| B-3.1.a, B-3.4.a, B-3.5.a, B-6.1.a, B-6.4.a, B-6.5.a | Real Req Success | Real Req Success | Success: User is able to successfully authenticate and access the RSS. |
| B-3.1.b, B-3.4.b, B-3.5.b, B-6.1.b, B-6.4.b, B-6.5.b | Real Req Fail | Real Req Fail | Success: User is unable to successfully authenticate and access the RSS. |
| B-3.1.c, B-3.4.c, B-3.5.c, B-6.1.c, B-6.4.c, B-6.5.c | Limit Access for Real Request, Deny Access to Hostile Request | N/A | Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password is insufficient to successfully authenticate. |
| B-3.1.d, B-3.4.d, B-3.5.d, B-6.1.d, B-6.4.d, B-6.5.d | Real Request Keep Access, Deny Access to Hostile Request | N/A | Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate. |
| B-3.1.e, B-3.4.e, B-3.5.e, B-6.1.e, B-6.4.e, B-6.5.e | Hostile Request Successful | N/A | Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate. |
| B-3.1.f, B-3.4.f, B-3.5.f, B-6.1.f, B-6.4.f, B-6.5.f | Hostile Request Unsuccessful | Hostile Request Unsuccessful | Success: Hostile user fails to properly authenticate and is unable to access the RSS. |
| B-3.1.g, B-3.4.g, B-3.5.g, B-6.1.g, B-6.4.g, B-6.5.g | Real Request Fail, Hostile Request Access Limited | N/A | Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate. |
| B-3.1.h, B-3.4.h, B-3.5.h, B-6.1.h, B-6.4.h, B-6.5.h | Real Request Fail, Hostile Request remains authenticated | N/A | Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate. |
| B-3.1.i, B-3.4.i, B-3.5.i, B-6.1.i, B-6.4.i, B-6.5.i | Real Req Success | Real Req Success | Success: User is able to successfully authenticate after new credentials are provisioned. |
| B-3.1.j, B-3.4.j, B-3.5.j, B-6.1.j, B-6.4.j, B-6.5.j | Real Request remains authenticated, Hostile Request Fail | N/A | Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password is insufficient to successfully authenticate. |
| B-3.1.k, B-3.4.k, B-3.5.k, B-6.1.k, B-6.4.k, B-6.5.k | Hostile Request Fail | Hostile Request Fail | Success: The stolen credentials are wiped by administrative action from the device that was using them. |
| B-3.1.l, B-3.4.l, B-3.5.l, B-6.1.l, B-6.4.l, B-6.5.l | Real Request Access Successful | Real Request Access Successful | Success: User is able to successfully reauthenticate after new credentials are provisioned. |
| B-3.1.m, B-3.4.m, B-3.5.m, B-6.1.m, B-6.4.m, B-6.5.m | Hostile Request Access Denied | Hostile Request Access Denied | Success: Hostile User is unable to successfully reauthenticate after stolen credentials are wiped and new credentials are provisioned to the user. |
| B-3.1.n, B-3.4.n, B-3.5.n, B-6.1.n, B-6.4.n, B-6.5.n | All sessions terminated | All sessions terminated | Success: All user sessions for GitLab RSS were terminated. |
| B-3.1.o, B-3.4.o, B-3.5.o, B-6.1.o, B-6.4.o, B-6.5.o | All sessions terminated | All sessions terminated | Success: All user sessions for GitLab RSS were terminated. |
| B-7 | Success | Partial Success | Partial Success: Just-in-time privileges can be manually completed to allow a user to access a resource. However, just-in-time access privileges with automation are not tested and require integration with other zero trust tools which have the capabilities to manage access for users. |
| B-8 | N/A | N/A | Not demonstrated in this build, as the ability to prompt for reauthentication in the middle of an active session is not included in Ent 4. |
| All C Use Cases | N/A | N/A | Use Case C is out of scope for this phase. |
| All E Use Cases | N/A | N/A | IBM considers this out of scope for their products. Other technologies should be used to perform this function. |
| F-1.1.a, F-1.3.a, F-1.4.a, F-1.6.a | Access Remains | Access Remains | Success: User successfully reauthenticates a locked RDP session and retains access to RSS. |
| F-1.1.b, F-1.3.b, F-1.4.b, F-1.6.n | Access Denied | Access Denied | Success: User unsuccessfully reauthenticates a locked RDP session and access is denied to RSS. |
| F-1.2.a-b, F-1.5.a-b | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| F-2 | N/A | N/A | Not demonstrated in this build. Due to security of MaaS360 certificate storage, we were unable to invalidate the credentials and produce an unsuccessful endpoint authentication. |
| F-3 | N/A | N/A | IBM considers resource authentication out of scope for their product. Other technologies should be used for this use case. |
| F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a | Endpoint compliant, access to resource remains | Endpoint compliant, access to resource remains | Success: Access to the RSS remains as long as the endpoint maintains compliance. |
| F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b | Endpoint drops out of compliance, access revoked | Endpoint drops out of compliance, access revoked | Success: When the endpoint drops out of compliance, access to the RSS is revoked. Future access is prevented by Verify. |
| F-4.2.a-b, F-4.5.a-b | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a | Endpoint not compliant, No access to resource | Endpoint not compliant, No access to resource | Success: Access to the GitLab resource fails if the device is not in compliance. |
| F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b | Endpoint compliant, Access granted to resource | Endpoint compliant, Access granted to resource | Success: Once the endpoint is brought back into compliance, access to the GitLab RSS is granted. |
| F-5.2.a-b, F-5.5.a-b | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| F-6.1.a, F-6.1.d, F-6.1.f, F-6.2.a, F-6.2.d, F-6.2.f | Access revoked from resource, account disabled | Access revoked from resource, account disabled | Success: Access to SQL database RSS is revoked when sensitive data is accessed and events are logged in QRadar. Offenses are created in QRadar and remediation is completed with CloudPak 4 Security to disable the offending account in Verify. |
| F-6.1.b-c, F-6.1.e, F-6.1.g-l, F-6.2.b-c, F-6.2.e, F-6.2.g-l | N/A | N/A | PaaS and SaaS services were not available for this build. |
| F-7 | Access revoked from resource | Violation logged, Access not revoked | All demonstrations here are the same as F-6. |
| F-8.1.a, F-8.1.c-d, F-8.1.f, F-8.2.a, F-8.2.c-d, F-8.2.f | Access to resource revoked | Access to resource revoked | Success: On accessing a known bad URL with the MaaS360 Secure Browser on a mobile device, access to a GitLab resource is revoked via CloudPak for Security and Verify disabled the user's account. |
| F-8.1.b, F-8.1.e, F-8.1.h, F-8.1.k, F-8.2.b, F-8.2.e, F-8.2.h, F-8.2.k | N/A | N/A | Demonstration cannot be performed as branch office is not available at this time. |
| F-8.1.g, F-8.1.i-j, F-8.1.l, F-8.2.g, F-8.2.i-j, F-8.2.l | N/A | N/A | PaaS and SaaS services were not available for this build. |
| F-8.3.a-l | N/A | N/A | IBM considers guest network access out of scope for their product. Other technologies should be used for this use case. |
| F-9 (all use cases) | | | All demonstrations here are the same as F-8 since the device is both authenticated and compliant. |
| F-10.1.a-b, F-10.1.i-j, F-10.1.m-n, F-10.1.u-v, F-10.2.a-b, F-10.2.i-j, F-10.2.m-n, F-10.2.u-v | Access not successful, access revoked to current resource, access revoked to all future resources | Access not successful, access revoked to current resource, access revoked to all future resources | Success: If the user attempts to access an unauthorized resource, their access to their current GitLab active session is revoked and their account is disabled in Verify. |
| F-10.1.c-h, F-10.1.k-l, F-10.1.o-t, F-10.1.w-av, F-10.2.c-h, F-10.2.k-l, F-10.2.o-t, F-10.2.w-av | N/A | N/A | Branch, PaaS, and SaaS services were not available for this build. |
| F-10.3.a-av | N/A | N/A | IBM considers guest network access out of scope for their product. Other technologies should be used for this use case. |
| F-11.1.a-b, F-11.1.i-j, F-11.1.m-n, F-11.1.u-v, F-11.2.a-b, F-11.2.i-j, F-11.2.m-n, F-11.2.u-v | Bad URL detected, active session revoked, User account disabled in Verify | Bad URL detected, active session revoked, User account disabled in Verify | Success: Once the bad URL was detected, the user session from GitLab was revoked and the user's account was disabled in Verify. NOTE: This scenario was only tested with mobile devices running IBM MaaS360 Secure Browser to detect the bad URL. |
| F-11.1.c-h, F-11.1.k-l, F-11.1.o-t, F-11.1.w-av, F-11.2.c-h, F-11.2.k-l, F-11.2.o-t, F-11.2.w-av | N/A | N/A | Branch, PaaS, and SaaS services were not configured for this build. |
| F-11.3.a-av | N/A | N/A | IBM considers guest network access out of scope for their product. Other technologies should be used for this use case. |
| F-12 (all use cases) | | | All demonstrations here are the same as F-10 since the device is both authenticated and compliant. |
| F-13 (all use cases) | | | All demonstrations here are the same as F-11 since the device is both authenticated and compliant. |
| F-14, F-15, F-16, F-17 | | | IBM considers suspicious activity/network monitoring out of scope for their product. Other technologies should be used for these scenarios. |
| All G Use Cases | N/A | N/A | IBM considers service-to-service use cases out of scope for their product. Other technologies should be used for this use case. |
| H-1.1.a, H-1.1.b, H-1.2.c, H-1.5.i, H-1.5.j, H-1.6.k, H-1.9.q, H-1.9.r, H-1.10.s | Access Successful | Access Successful | Success: Access granted in accordance with applied policy. |
| H-1.2.d, H-1.6.l, H-1.10.t | Access Not Successful | Access Not Successful | Success: Access to sensitive data was blocked in accordance with applied policy. |
| H-1.3, H-1.4, H-1.7, H-1.8 | N/A | N/A | Branch services were not configured for this build. |
| H-2, H-3, H-4, H-5, H-6, H-7 | N/A | N/A | IBM considers these use cases to be out of scope for their product. Other technologies should be used for these use cases. |