EIG Run Phase Demonstration Results

Note: This page is supplementary material for the NIST SP 1800-35 publication.

This section lists the full demonstration results for each of the builds that was implemented as part of the EIG run phase: E1B2, E3B2, and E4B3.

Enterprise 1 Build 2 (E1B2) - EIG Run - Zscaler ZPA Central Authority (CA) as PE Detailed Demonstration Results

Table 1 lists the full demonstration results for all EIG run phase demonstrations run in Enterprise 1 Build 2 (E1B2). The technology deployed in E1B2 was able to determine endpoint compliance for Windows, Linux, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 1 - Detailed Demonstration Results for E1B2

| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| A-1.1.a-m | N/A | N/A | Demonstration cannot be completed. There is no network-level enforcement present in this build. Zscaler uses the client connector to allow a user on a device to access specific resources only, whether on-prem or remote. Users cannot readily access resources in the enterprise (or network) if they do not have permissions to access them. Resources are not authenticated or checked for compliance in this phase. |
| A-1.2.a-m, A-1.3.a-f, A-1.4.a-g | N/A | N/A | Same as in A-1. Demonstration cannot be completed. There is no network-level enforcement present in this build. |
| A-2.1.a-i, A-2.2.a-i, A-2.3.a-f, A-2.4.a-f | N/A | N/A | Same as in A-1. Demonstration cannot be completed. There is no network-level enforcement present in this build. |
| A-3.1.a, A-3.3.a, A-3.5.a | User request and action is recorded | User login to an application is logged | Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged on to an application and whether the authentication was successful. Zscaler Private Access (ZPA) records relevant information about the connection between the endpoint and the resource. |
| A-3.1.b, A-3.3.b | API call is recorded | Logs contain relevant API information | Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged on to an application and whether the authentication was successful. Zscaler ZPA records relevant information about the connection between the endpoint and the resource. |
| A-3.2.a, A-3.4.a, A-3.6.a | User request and action is recorded | User login to an application is logged | Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged on to an application and whether the authentication was successful. Zscaler ZPA records relevant information about the connection between the endpoint and the resource. |
| A-3.2.b, A-3.4.b, A-3.6.a | API call is recorded | Logs contain relevant API information | Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged on to an application and whether the authentication was successful. Zscaler ZPA records relevant information about the connection between the endpoint and the resource. |
| B-1.1.a, B-1.2.a, B-1.3.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a | Access Successful | Access Successful | Partial success: The user is authenticated via Okta when accessing the resource. The user logs in to the Zscaler client connector as part of the endpoint login process, and policies are applied to the user/endpoint (including laptops, workstations, and mobile devices). The user successfully connects to RSS1. However, compliance of RSS1 cannot be validated. |
| B-1.1.b, B-1.2.b, B-1.3.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b | Access Successful | Access Successful | Partial success: The user is authenticated via Okta when accessing the resource. The user logs in to the Zscaler client connector as part of the endpoint login process, and policies are applied to the user/endpoint (including laptops, workstations, and mobile devices). The user successfully connects to RSS1. However, compliance of RSS1 cannot be validated. |
| B-1.1.c, B-1.2.c, B-1.3.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c | Access Not Successful | Access Not Successful | Success: Demonstration completed with the user unable to log in to the resource. |
| B-1.1.d, B-1.2.d, B-1.3.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d | Access Not Successful | Access Not Successful | Partial success: Based on the configuration in Ent1, E2 is not authorized to access RSS1 under enterprise governance policy, so ZPA denies access to the resource. RSS compliance cannot be demonstrated in this phase; in this case, the user is not granted access to RSS1. |
| B-1.1.e, B-1.2.e, B-1.3.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e | Access Successful | Access Successful | Partial success: The user is authenticated via Okta when accessing the resource. The user logs in to the Zscaler client connector as part of the endpoint login process, and policies are applied to the user/endpoint (including laptops, workstations, and mobile devices). The user successfully connects to RSS2. However, compliance of RSS2 cannot be validated. |
| B-1.1.f, B-1.2.f, B-1.3.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f | Access Not Successful | Access Not Successful | Success: Without user authentication for the resource, the access attempt did not succeed. |
| B-1.1.g, B-1.2.g, B-1.3.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g | Access Not Successful | Access Not Successful | Success: Without user authentication for the resource, the access attempt did not succeed. |
| B-1.1.h, B-1.2.h, B-1.3.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h | Access Successful | Access Successful | Success: The GitLab session timeout is set to one minute for demonstration purposes. After the session timed out, the user was reauthenticated. |
| B-1.1.i, B-1.2.i, B-1.3.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i | Access Not Successful | Access Not Successful | Success: After the session timeout, the user tried to log in with an incorrect password and was denied. |
| B-1.1.j, B-1.2.j, B-1.3.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j | Access Not Successful | Access Not Successful | Success: A device posture failure was detected by ZPA, so access was denied. |
| B-1.1.k, B-1.2.k, B-1.3.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k | Access Limited | N/A | Partial success: Access to RSS2 is blocked. Limited access cannot currently be demonstrated. |
| B-1.1.l-m, B-1.2.l-m, B-1.3.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m | Access Denied | Access Denied | Success: The user was denied access because the endpoint was noncompliant. A device posture failure was detected by ZPA. |
| B-1.1.n-p, B-1.2.n-p, B-1.3.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p | N/A | N/A | Demonstration cannot be run. Unable to perform compliance checks on the RSS. |
| B-1.2.a-p | | | The results are the same as B-1.1, since network policies allow access from the branch to Ent1. See results from B-1.1. |
| B-1.3.a-p | | | The results are the same as B-1.1, given that ZPA policies allow the user/device to access the enterprise remotely the same way the user/device would access a resource within the enterprise. See results from B-1.1. |
| B-1.4.a-p, B-1.5.a-p, B-1.6.a-p, B-4.4.a-p, B-4.5.a-q, and B-4.6.a-p | | | Access to cloud-based resources (RSS1 and RSS2) is the same as on-prem. See results from B-1.1. |
| B-2.1.a-d, B-2.2.a-d, B-2.3.a-d, B-5 | Access Successful | Access Successful | Success: The employee is granted access to URL1 and URL2 regardless of the hour of access, because employees have full access to both URLs at all times per Zscaler policy. |
| B-2.1.e, B-2.2.e, B-2.3.e | Access Not Successful | Access Not Successful | Success: The only way the user is not authenticated is if the user enters an incorrect password or does not have a second factor during Zscaler Client Connector (ZCC) login. With an incorrect first or second factor, ZCC will fail to connect to ZIA and will not be able to access the internet. |
| B-2.1.f, B-2.2.f, B-2.3.f | Access Not Successful | Access Not Successful | Success: The contractor is blocked from URL1 as expected per Zscaler policy. |
| B-2.1.g, B-2.2.g, B-2.3.g | Access Successful | Access Successful | Success: The contractor is granted access to URL2 as expected per Zscaler policy. |
| B-2.1.h-i, B-2.2.h-i, B-2.3.h-i | Access Not Successful | Access Not Successful | Success: The contractor is blocked from accessing URL1 due to failed authentication. |
| B-2.1.j, B-2.2.j, B-2.3.j | Access Not Successful | Access Successful | The only way the user is not authenticated is if the user enters an incorrect password or does not have a second factor during ZCC login. Access is successful because internet access is required for ZIA to function: if the user is not authenticated to ZIA, internet access is unrestricted unless blocked by the company firewall. |
| B-2.1.k, B-2.2.k, B-2.3.k | Access Successful | Access Successful | Success: The employee is granted access after successful reauthentication per Zscaler policy, as expected. |
| B-2.1.l, B-2.2.l, B-2.3.l | Access Not Successful | Access Not Successful | Success: The employee cannot access URL1 or URL2 after reauthentication to Zscaler fails, as expected. |
| B-2.1.m-p, B-2.2.m-p, B-2.3.m-p | N/A | N/A | Demonstration cannot be completed. ZIA does not perform device posture/compliance checks on endpoints without integration of a third-party EPP product. |
| B-3.1.a, B-3.4.a, B-3.5.a | Real Req Success | Real Req Success | Success: The Real Request successfully authenticated. |
| B-3.1.b, B-3.4.b, B-3.5.b | Real Req Fail | Real Req Fail | Success: Incorrect credentials were entered, and the Real Request failed as expected. |
| B-3.1.c, B-3.4.c, B-3.5.c | Limit Access for Real Request, Deny Access to Hostile Request | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.d, B-3.4.d, B-3.5.d | Real Request Keep Access, Deny Access to Hostile Request | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.e, B-3.4.e, B-3.5.e | Hostile Request Successful | Hostile Request Successful | Success: The Hostile Request successfully authenticated. |
| B-3.1.f, B-3.4.f, B-3.5.f | Hostile Request Unsuccessful | Hostile Request Unsuccessful | Success: Incorrect credentials were entered, and the Hostile Request failed as expected. |
| B-3.1.g, B-3.4.g, B-3.5.g | Real Request Fail, Hostile Request Access Limited | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.h, B-3.4.h, B-3.5.h | Real Request Fail, Hostile Request remains authenticated | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.i, B-3.4.i, B-3.5.i | Real Req Success | Real Req Success | Success: The Real Request successfully authenticated. |
| B-3.1.j, B-3.4.j, B-3.5.j | Real Request remains authenticated, Hostile Request Fail | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.k, B-3.4.k, B-3.5.k | Hostile Request Fail | Hostile Request Fail | Success: Incorrect credentials were entered, and the Hostile Request failed as expected. |
| B-3.1.l, B-3.4.l, B-3.5.l | Real Request Access Successful | Real Request Access Successful | Success: The Real Request successfully reauthenticated. |
| B-3.1.m, B-3.4.m, B-3.5.m | Hostile Request Access Denied | Hostile Request Access Denied | Success: Hostile Request reauthentication failed. |
| B-3.1.n, B-3.4.n, B-3.5.n | N/A | N/A | Demonstration could not be completed because the build does not support session termination at this level. |
| B-3.1.o, B-3.4.o, B-3.5.o | N/A | N/A | Demonstration could not be completed because the build does not support session termination at this level. |
| B-4 | | | As documented in the rows above, the results of all B-4 use case demonstrations are the same as the results of the B-1 use cases because the device is both authenticated and compliant. In this case, a BYOD device will have to install the ZCC client. See results from B-1.1 for B-4.1, B-4.2, and B-4.3. |
| All C Use Cases | N/A | N/A | Demonstrations cannot be performed. Currently, no federation configuration has been set up between Ent1, Ent2, and Ent3. |
| All D Use Cases | | | As documented in the rows above, the results of all D use case demonstrations are the same as the results of the B use cases. Note that the user is a contractor and will have access to resources based on need. The Ivanti Neurons for UEM agent and the Okta Verify app will have to be installed on the contractor's device, whether it is provided by the enterprise or BYOD. |
| E-1.1.a, E-1.2.a | Success | Success | Success: The user/device is recognized by Zscaler Internet Access (ZIA) as unmanaged and given access to the internet. Per ZIA enterprise policies, resources on the internet that are deemed safe for access are reachable by the user with No-ID, which includes a public resource from Enterprise 1. |
| E-1.1.b, E-1.2.b | Success | Success | Success: The user/device is recognized by ZIA as unmanaged and given access to the internet. Per ZIA enterprise policies, resources on the internet that are deemed safe for access are reachable by the user with No-ID. |
| All F Use Cases | N/A | N/A | Test cannot be completed without third-party integration with an endpoint protection platform (EPP). |

Enterprise 3 Build 2 (E3B2) - EIG Run - Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Forescout eyeControl, and Forescout eyeExtend as PEs Detailed Demonstration Results

Table 2 lists the full demonstration results for all EIG run phase demonstrations run in Enterprise 3 Build 2 (E3B2). The technology deployed in E3B2 was able to determine endpoint compliance for Windows, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 2 - Detailed Demonstration Results for E3B2

| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| A-1.1.a-d | Access to Network | Access to Network | Success: The resource has access to the network in accordance with Forescout policy. |
| A-1.1.b, A-1.1.c, A-1.1.g | No Access to Network | No Access to Network | Partial success: In the current configuration, the endpoint has access limited to the local subnet in accordance with Forescout policy. |
| A-1.1.d | No Access to Network | N/A | Demonstration cannot be completed. By the Scenario A-1 definition, a resource has already undergone onboarding. |
| A-1.1.e | Access to Network | Access to Network | Success: The endpoint has access to the network in accordance with Forescout policy. |
| A-1.1.f | Max. Limited Access to Network | Max. Limited Access to Network | Success: The endpoint has access limited in accordance with Forescout policy. |
| A-1.1.h | Access to Public Network | N/A | Demonstration cannot be completed. By the Scenario A-1 definition, an endpoint has already undergone onboarding. |
| A-1.1.i | Access to Network | Access to Network | Success: The BYOD has access to the network in accordance with Forescout policy. |
| A-1.1.j | Limited Access to Network | Limited Access to Network | Success: The endpoint has access limited to the local subnet in accordance with Forescout policy. |
| A-1.1.k | No Access to Network | No Access to Network | Partial success: In the current configuration, the endpoint has access limited to the local subnet in accordance with Forescout policy. |
| A-1.1.l | Access to Public Network | N/A | Demonstration cannot be completed. By the Scenario A-1 definition, the BYOD has already undergone onboarding. |
| A-1.1.m | Access to Public Network | Access to Public Network | Success: The BYOD has access to the network in accordance with Forescout policy. |
| A-1.2.a-m | Access to Network | N/A | Demonstration cannot be completed. There is no branch office configured for Enterprise 3. |
| A-1.3.a | Access to Network | Access to Network | Success: The endpoint has access to the network in accordance with Forescout policy. |
| A-1.3.b | Max. Limited Access to Network | Max. Limited Access to Network | Success: The endpoint has access limited in accordance with Forescout policy. |
| A-1.3.c | No Access to Network | No Access to Network | Success: The endpoint is denied access to the network after failing to authenticate to the GlobalProtect VPN. |
| A-1.3.d | Access to Network | Access to Network | Success: The BYOD has access to the network in accordance with Forescout policy. |
| A-1.3.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: The endpoint has access limited in accordance with Forescout policy. |
| A-1.3.f | No Access to Network | No Access to Network | Success: The BYOD is denied access to the network after failing to authenticate to the GlobalProtect VPN. |
| A-1.4.a-g | N/A | N/A | Partial success: Using Azure roles, a user could be allowed, denied, or provided with limited access to cloud resources. With Azure AD Conditional Access and Microsoft Intune, a device can be given access to a cloud application. |
| A-2.1.a | Keep Access to Network | Keep Access to Network | Success: The resource has access to the network in accordance with Forescout policy. |
| A-2.1.b | Terminate Access to Network | Limit Access to Network | Partial success: The resource has access limited to the local subnet in accordance with Forescout policy. |
| A-2.1.c | Terminate Access to Network | Limit Access to Network | Partial success: The resource has access limited to the local subnet in accordance with Forescout policy. |
| A-2.1.d | Keep Access to Network | Keep Access to Network | Success: The endpoint has access to the network in accordance with Forescout policy. |
| A-2.1.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: The endpoint has access limited in accordance with Forescout policy. |
| A-2.1.f | Terminate Access to Network | Limit Access to Network | Partial success: The resource has access limited to the local subnet in accordance with Forescout policy. |
| A-2.1.g | Keep Access to Network | Keep Access to Network | Success: The BYOD has access to the network in accordance with Forescout policy. |
| A-2.1.h | Max. Limited Access to Network | Max. Limited Access to Network | Success: The endpoint has access limited in accordance with Forescout policy. |
| A-2.1.i | Terminate Access to Network | Limit Access to Network | Partial success: The BYOD has access limited to the local subnet in accordance with Forescout policy. |
| A-2.2.a-i | N/A | N/A | Demonstration cannot be completed. There is no branch office configured for Enterprise 3. |
| A-2.3.a | Keep Access to Network | Keep Access to Network | Success: The endpoint has access to the network in accordance with Forescout policy. |
| A-2.3.b | Max. Limited Access to Network | Max. Limited Access to Network | Success: The endpoint has access limited in accordance with Forescout policy. |
| A-2.3.c | Terminate Access to Network | Terminate Access to Network | Success: The endpoint has access terminated after failing to reauthenticate to the GlobalProtect VPN. |
| A-2.3.d | Keep Access to Network | Keep Access to Network | Success: The BYOD has access to the network in accordance with Forescout policy. |
| A-2.3.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: The BYOD has access limited in accordance with Forescout policy. |
| A-2.3.f | Terminate Access to Network | Terminate Access to Network | Success: The BYOD has access terminated after failing to reauthenticate to the GlobalProtect VPN. |
| A-2.4.a, d | Keep Access to Network | Keep Access to Network | Success: Azure is able to allow access to cloud endpoints and resources. |
| A-2.4.b, c, f | Terminate Access to Network | Terminate Access to Network | Success: Azure is able to limit access to cloud endpoints and resources. |
| A-2.4.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: Azure is able to limit access to cloud endpoints and resources. |
| A-3.1.a | User request and action is recorded | User request is recorded | Partial success: User activity and transaction flow are logged using Forescout. Individual user actions are not visible within this build. |
| A-3.2.a | User request and action is recorded | User request is recorded | Partial success: User activity and transaction flow are logged using Forescout and Azure AD. Individual user actions are not visible within this build. |
| A-3.3.a, A-3.4.a | User request and action is recorded | N/A | Branch testing is not available for this build. |
| A-3.5.a, A-3.6.a | User request and action is recorded | User request is recorded | Partial success: User activity and transaction flow are logged. Individual user actions are not visible. |
| A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b | API call is recorded | Activity and transaction flow is recorded | Partial success: Service activity and transaction flow are logged by Forescout. Individual API calls are not visible. |
| B-1.1.a | Access Successful | Access Successful | Success: Users access RSS1 based on EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.1.b | Access Successful | Access Successful | Success: Users access RSS2 based on EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.1.c | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.1.d | Access Not Successful | Access Not Successful | Success: E2 is not authorized to access RSS1 in accordance with Azure AD policy. |
| B-1.1.e | Access Successful | Access Successful | Success: Users access RSS2 based on EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.1.f, B-1.1.g | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.1.h | Access Successful | Access Successful | Success: The session timeout is set to one minute for demonstration purposes. After the session timed out, the user was reauthenticated to Azure AD. |
| B-1.1.i | Access Not Successful | Access Not Successful | Success: Users were prevented from accessing resources after reauthentication failure to Azure AD. |
| B-1.1.j | Access Not Successful | Access Not Successful | Success: Initial user authentication to Azure AD was successful and the user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.1.k | Access Limited | Access Not Successful | Partial success: Initial user authentication to Azure AD was successful and the user was granted access to RSS2. In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.1.l | Access Not Successful | Access Not Successful | Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.1.m | Access Limited | Access Not Successful | Partial success: In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.1.n-p | Access Not Successful | Access Not Successful | Success: After the RSS became noncompliant, user access to the RSS was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.2.a-p | N/A | N/A | Cannot test because there is no branch office in Ent3. |
| B-1.3.a-p | | | The results are the same as B-1.1, given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1. |
| B-1.4.a | Access Successful | Access Successful | Success: Users access RSS1 based on EP compliance with Forescout and Azure AD policy. |
| B-1.4.b | Access Successful | Access Successful | Success: Users access RSS2 based on EP compliance with Forescout and Azure AD policy. |
| B-1.4.c | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.4.d | Access Not Successful | Access Not Successful | Success: E2 is not authorized to access RSS1 in accordance with Azure AD policy. |
| B-1.4.e | Access Successful | Access Successful | Success: Users access RSS2 based on EP and RSS compliance with Forescout and Azure AD policy. |
| B-1.4.f, B-1.4.g | Access Not Successful | Access Not Successful | Success: User authentication failure to Azure AD prevents access. |
| B-1.4.h | Access Successful | Access Successful | Success: The session timeout is set to one minute for demonstration purposes. After the session timed out, the user was reauthenticated to Azure AD. |
| B-1.4.i | Access Not Successful | Access Not Successful | Success: Users were prevented from accessing resources after reauthentication failure to Azure AD. |
| B-1.4.j | Access Not Successful | Access Not Successful | Success: Initial user authentication to Azure AD was successful and the user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.4.k | Access Limited | Access Not Successful | Partial success: Initial user authentication to Azure AD was successful and the user was granted access to RSS2. In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD. |
| B-1.4.l | Access Not Successful | Access Not Successful | Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.4.m | Access Limited | Access Not Successful | Partial success: In this case, changing the user's access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD. |
| B-1.4.n-p | N/A | N/A | Demonstration cannot be performed because verification of cloud resource compliance is not available at this time. |
| B-1.5.a-p | N/A | N/A | Demonstration cannot be performed because a branch office is not available at this time. |
| B-1.6.a-p | | | In the current implementation, remote users are connected to a VPN that routes network traffic through the on-prem environment. All test results are similar to B-1.4.a-p. |
| B-2.1.a-d, g, n | Access Successful | Access Successful | Success: Access allowed in accordance with Forescout policy. |
| B-2.1.e, f, l, m, o, p | Access Not Successful | Access Not Successful | Success: Access denied in accordance with Forescout policy. |
| B-2.2 | N/A | N/A | Demonstration cannot be performed because a branch office is not available at this time. |
| B-2.3 | | | In the current implementation, remote users are connected to a VPN that routes network traffic through the on-prem environment. All test results are similar to B-2.1.a-p. |
| B-3.1.a, B-3.4.a, B-3.5.a | Real Req Success | Real Req Success | Success: The Real Request successfully authenticated. |
| B-3.1.b, B-3.4.b, B-3.5.b | Real Req Fail | Real Req Fail | Success: Incorrect credentials were entered, and the Real Request failed as expected. |
| B-3.1.c, B-3.4.c, B-3.5.c | Limit Access for Real Request, Deny Access to Hostile Request | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.d, B-3.4.d, B-3.5.d | Real Request Keep Access, Deny Access to Hostile Request | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.e, B-3.4.e, B-3.5.e | Hostile Request Successful | Hostile Request Successful | Success: The Hostile Request successfully authenticated. |
| B-3.1.f, B-3.4.f, B-3.5.f | Hostile Request Unsuccessful | Hostile Request Unsuccessful | Success: Incorrect credentials were entered, and the Hostile Request failed as expected. |
| B-3.1.g, B-3.4.g, B-3.5.g | Real Request Fail, Hostile Request Access Limited | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.h, B-3.4.h, B-3.5.h | Real Request Fail, Hostile Request remains authenticated | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.i, B-3.4.i, B-3.5.i | Real Req Success | Real Req Success | Success: The Real Request successfully authenticated. |
| B-3.1.j, B-3.4.j, B-3.5.j | Real Request remains authenticated, Hostile Request Fail | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. |
| B-3.1.k, B-3.4.k, B-3.5.k | Hostile Request Fail | Hostile Request Fail | Success: Incorrect credentials were entered, and the Hostile Request failed as expected. |
| B-3.1.l, B-3.4.l, B-3.5.l | Real Request Access Successful | Real Request Access Successful | Success: The Real Request successfully reauthenticated. |
| B-3.1.m, B-3.4.m, B-3.5.m | Hostile Request Access Denied | Hostile Request Access Denied | Success: Hostile Request reauthentication fails. |
| B-3.1.n, B-3.4.n, B-3.5.n | Hostile Request Session Terminated | Hostile Request Session Terminated | Success: Azure AD sessions terminated. |
| B-3.1.o, B-3.4.o, B-3.5.o | Real Request Session Terminated | Real Request Session Terminated | Success: Azure AD sessions terminated. |
| B-3.2, B-3.3 | N/A | N/A | Branch office is not included in Build 3. |
| B-4 | | | All demonstrations here are the same as B-1 since the device is both authenticated and compliant. |
| B-5 | | | All demonstrations here are the same as B-2 since the device is both authenticated and compliant. |
| B-6 | | | All demonstrations here are the same as B-3 since the device is both authenticated and compliant. |
| All C Use Cases | N/A | N/A | Demonstrations cannot be performed. Currently, no federation configuration has been set up between Ent1, Ent2, and Ent3. |
| All D Use Cases | | | All demonstrations here are the same as B since the device is both authenticated and compliant. Note that the user is a contractor. |
| E-1.1.a, b | Access Successful | Access Successful | Success: Guests can access public resources and the internet in accordance with policy using Forescout. |
| E-1.2.a, b | N/A | N/A | Demonstration cannot be performed because a branch office is not available at this time. |
| All F Use Cases | N/A | N/A | Confidence level use cases are considered out of scope for the EIG run phase. |

Enterprise 4 Build 3 (E4B3) - EIG Run - IBM Security Verify as PE Detailed Demonstration Results

Table 3 lists the full demonstration results for EIG run phase demonstrations in Enterprise 4 Build 3 (E4B3). The technology deployed in E4B3 was able to determine endpoint compliance for Windows and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 3 - Detailed Demonstration Results for E4B3

| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| A-1.1.a-d, A-1.1.f, A-1.1.j | N/A | N/A | IBM considers RSS management and granting the endpoint limited access to the network out of scope for their products. Other technologies should be used to perform this function. |
| A-1.1.e, A-1.1.i | Access to Network | Access to Network | Success: The MaaS360 configuration allowed iOS and Android devices to successfully authenticate to the Enterprise 4 wireless network. |
| A-1.1.g, A-1.1.k | No Access to Network | No Access to Network | Success: iOS and Android devices were denied access after failing network authentication. |
| A-1.1.h, A-1.1.l, A-1.1.m | Access to Public Network | Access to Public Network | Success: The devices are able to access the public network. |
| A-1.2.a-m, A-1.3.a-f, A-1.4.a-g | N/A | N/A | Not demonstrated in this build because there is no branch in Ent 4. |
| A-1.3.a, A-1.3.d | Access to Network | Access to Network | Success: The MaaS360 configuration allowed iOS and Android devices to successfully authenticate to the Enterprise 4 wireless network. |
| A-1.3.c, A-1.3.f | No Access to Network | No Access to Network | Success: iOS and Android devices were denied access after failing network authentication. |
| A-1.3.b, A-1.3.e | N/A | N/A | IBM considers limited network access out of scope for their products. Other technologies should be used to perform this function. |
| A-2 | | | A-2 results match the results from A-1. |
| A-3.1.a, A-3.3.a, A-3.5.a | User request and action is recorded | User login to an application is logged | Success: IBM Security Verify and QRadar record user application requests. |
| A-3.2.a, A-3.4.a, A-3.6.a | User request and action is recorded | User login to an application is logged | Success: IBM Security Verify and QRadar record user application logins. |
| A-3.1.b, A-3.3.b, A-3.2.b, A-3.4.b, A-3.6.a | N/A | N/A | IBM considers API call visibility out of scope for their products. Other technologies should be used to perform this function. |
| B-1.1.a, B-1.3.a, B-1.4.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a | Access Successful | Access Successful | Partial success: The user is successfully authenticated and granted access to the resource. However, RSS compliance was not obtained. |
| B-1.1.b, B-1.3.b, B-1.4.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b | Access Successful | Access Successful | Partial success: The user is successfully authenticated and granted access to the resource. However, RSS compliance was not obtained. |

B-1.1.c, B-1.3.c, B-1.4.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource.

B-1.1.d, B-1.3.d, B-1.4.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d

Access Not Successful

Access Not Successful

Success: User was denied access due to policy constraints.

B-1.1.e, B-1.3.e, B-1.4.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e

Access Successful

Access Successful

Partial Success: User is successfully authenticated and granted access to the resource. However, RSS compliance was not obtained.

B-1.1.f, B-1.3.f, B-1.4.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f

Access Not Successful

Access Not Successful

Success: Without user authentication for the resource the access attempt did not succeed.

B-1.1.g, B-1.3.g, B-1.4.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g

Access Not Successful

Access Not Successful

Success: Without user authentication for the resource, the access attempt did not succeed.

B-1.1.h, B-1.3.h, B-1.4.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h

Access Successful

Access Successful

Partial Success: GitLab session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated. However, RSS compliance was not obtained.

B-1.1.i, B-1.3.i, B-1.4.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i

Access Not Successful

Access Not Successful

Success: After session timeout, user tried to login with incorrect credentials and access was denied.

B-1.1.j, B-1.3.j, B-1.4.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j

Access Not Successful

Access Not Successful

Success: User was denied access due to endpoint noncompliance.

B-1.1.k, B-1.3.k, B-1.4.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k

Access Limited

Access Limited

Partial Success: User access was downgraded due to having a noncompliant endpoint. However, RSS compliance was not obtained.

B-1.1.l-m, B-1.3.l-m, B-1.4.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m

Access Denied

Access Denied

Partial Success: User access was downgraded due to having a noncompliant endpoint. However, RSS compliance was not obtained.

B-1.1.n-p, B-1.3.n-p, B-1.4.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p

N/A

N/A

Not demonstrated in this build due to lack of resource compliance verification.

B-1.2.a-p

N/A

N/A

Branch not available in Enterprise 4

B-2.1.a-d, B-2.3.a-d

Access Successful

Access Successful

Success: When using the secure browser on iOS and Android, user was allowed access per policy.

B-2.1.e, B-2.3.e, B-5.1.e, B-5.3.e

Access Not Successful

Access Not Successful

Success: When using the secure browser on iOS and Android, user was allowed access per policy.

B-2.1.f, B-2.3.f, B-5.1.f, B-5.3.f

Access Not Successful

Access Not Successful

Success: When using the secure browser on iOS and Android, user was denied access per policy.

B-2.1.g, B-2.3.g, B-5.1.g, B-5.3.g

N/A

N/A

Not demonstrated in this build due to MaaS360 limitation, as all MaaS360 resources like the secure browser are unavailable outside of the policy hours.

B-2.1.h-i, B-2.3.h-i, B-5.1.h-i, B-5.3.h-i

Access Not Successful

Access Not Successful

Success: User was denied access due to policy constraints.

B-2.1.j-p, B-2.2.j-p, B-2.3.j-p, B-5.1.j-p, B-5.2.j-p, B-5.3.j-p

N/A

N/A

Not demonstrated in this build. Due to security of MaaS360 certificate storage, we were unable to invalidate the credentials and produce a unsuccessful authentication. Resource compliance is not available in Ent4.

B-3.1.a, B-3.4.a, B-3.5.a, B-6.1.a, B-6.4.a, B-6.5.a

Real Req Success

Real Req Success

Success: User is able to successfully authenticate and access the RSS.

B-3.1.b, B-3.4.b, B-3.5.b, B-6.1.b, B-6.4.b, B-6.5.b

Real Req Fail

Real Req Fail

Success: User is unable to successfully authenticate and access the RSS.

B-3.1.c, B-3.4.c, B-3.5.c, B-6.1.c, B-6.4.c, B-6.5.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password is insufficient to successfully authenticate.

B-3.1.d, B-3.4.d, B-3.5.d, B-6.1.d, B-6.4.d, B-6.5.d

Real Request Keep Access, Deny Access to Hostile Request

N/A

Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate.

B-3.1.e, B-3.4.e, B-3.5.e, B-6.1.e, B-6.4.e, B-6.5.e

Hostile Request Successful

N/A

Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate.

B-3.1.f, B-3.4.f, B-3.5.f, B-6.1.f, B-6.4.f, B-6.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Hostile user fails to properly authenticate and is unable to access the RSS.

B-3.1.g, B-3.4.g, B-3.5.g, B-6.1.g, B-6.4.g, B-6.5.g

Real Request Fail, Hostile Request Access Limited

N/A

Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate.

B-3.1.h, B-3.4.h, B-3.5.h, B-6.1.h, B-6.4.h, B-6.5.h

Real Request Fail, Hostile Request remains authenticated

N/A

Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a successful Hostile authentication. A stolen username/password is insufficient to successfully authenticate.

B-3.1.i, B-3.4.i, B-3.5.i, B-6.1.i, B-6.4.i, B-6.5.i

Real Req Success

Real Req Success

Success: User is able to successfully authenticate after new credentials are provisioned.

B-3.1.j, B-3.4.j, B-3.5.j, B-6.1.j, B-6.4.j, B-6.5.j

Real Request remains authenticated, Hostile Request Fail

N/A

Due to security of MaaS360 certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password is insufficient to successfully authenticate.

B-3.1.k, B-3.4.k, B-3.5.k, B-6.1.k, B-6.4.k, B-6.5.k

Hostile Request Fail

Hostile Request Fail

Success: Stolen credentials are wiped from device using stolen credentials due to administrative action.

B-3.1.l, B-3.4.l, B-3.5.l, B-6.1.l, B-6.4.l, B-6.5.l

Real Request Access Successful

Real Requet Access Successful

Success: User is able to successfully reauthenticate after new credentials are provisioned.

B-3.1.m, B-3.4.m, B-3.5.m, B-6.1.m, B-6.4.m, B-6.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Hostile User is unable to successfully reauthenticate after stolen credentials are wiped and new credentials are provisioned to the user.

B-3.1.n, B-3.4.n, B-3.5.n, B-6.1.n, B-6.4.n, B-6.5.n

All sessions terminated

All sessions terminated

Success: All user sessions for GitLab RSS were terminated.

B-3.1.o, B-3.4.o, B-3.5.o, B-6.1.o, B-6.4.o, B-6.5.o

All sessions terminated

All sessions terminated

Success: All user sessions for GitLab RSS were terminated.

B-7

Success

Partial Success

Partial Success: Just-in-time privileges can be manually completed to allow a user to access a resource. However, just-in-time access privileges with automation are not tested and require integration with other zero trust tools which have the capabilities to manage access for users.

B-8

N/A

N/A

Not demonstrated in this build, as the ability to prompt for reauthentication in the middle of an active session is not included in Ent 4.

All C Use Cases

N/A

N/A

Use Case C is out of scope for this phase.

All E Use Cases

N/A

N/A

IBM considers this out of scope for their products. Other technologies should be used to perform this function.

F-1.1.a, F-1.3.a, F-1.4.a, F-1.6.a

Access Remains

Access Remains

Success: User successfully reauthenticates a locked RDP session and retains access to RSS.

F-1.1.b, F-1.3.b, F-1.4.b, F-1.6.n

Access Denied

Access Denied

Success: User unsuccessfully reauthenticates a locked RDP session and access is denied to RSS.

F1.2.a-b, F-1.5.a-b

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

F-2

N/A

N/A

Not demonstrated in this build. Due to security of MaaS360 certificate storage, we were unable to invalidate the credentials and produce an unsuccessful endpoint authentication.

F-3

N/A

N/A

IBM considers resource authentication out of scope for their product. Other technologies should be used for this use case.

F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a

Endpoint compliant, access to resource remains

Endpoint compliant, access to resource remains

Success: Access to the RSS remains as long as the endpoint maintains compliance.

F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b

Endpoint drops out of compliance, access revoked

Endpoint drops out of compliance, access revoked

Success: When the endpoint drops out of compliance, access to the RSS is revoked. Future access is prevented by Verify.

F-4.2.a-b, F-4.5.a-b

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a

Endpoint not compliant, No access to resource

Endpoint not compliant, No access to resource

Success: Access to the GitLab resource fails if the device is not in compliance.

F-5.1b, F-5.3.b, F-5.4.b, F-5.6.b

Endpoint compliant, Access granted to resource

Endpoint compliant, Access granted to resource

Success: Once the endpoint is brought back into compliance, access to the GitLab RSS is granted.

F-5.2a-b, F-5.5.a-b

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

F-6.1.a, F-6.1.d, F-6.1.f, F-6.2.a, F-6.2.d, F-6.2.f

Access revoked from resource, account disabled

Access revoked from resource, account disabled

Success: Access to SQL database RSS is revoked when sensitive data is accessed and events are logged in QRadar. Offenses are created in QRadar and remediation is completed with CloudPak 4 Security to disable the offending account in Verify.

F-6.1.b-c, F-6.1.e, F6.1.g-l, F-6.2.b-c, F-6.2.e, F-6.2.g-l

N/A

N/A

PaaS and SaaS services were not available for this build.

F-7

Access revoked from resource

Violation logged, Access not revoked

All demonstrations here are the same as F-6.

F-8.1.a, F-8.1.c-d, F-8.1.f, F-8.2.a, F-8.2.c-d, F-8.2.f,

Access to resource revoked

Access to resource revoked

Success: On accessing a known bad URL with the MaaS360 Secure Browser on a mobile device, access to a GitLab resource is revoked via CloudPak for Security and Verify disabled the user’s account.

F-8.1.b, F-8.1.e, F-8.1.h, F-8.1.k, F-8.2.b, F-8.2.e, F-8.2.h, F-8.2.k

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

F-8.1.g, F-8.1.i-j, F-8.1.l, F-8.2.g, F-8.2.i-j, F-8.2.l

N/A

N/A

PaaS and SaaS services were not available for this build.

F-8.3.a-l

N/A

N/A

IBM considers guest network access out of scope for their product. Other technologies should be used for this use case.

F-9 (all use cases)

All demonstrations here are the same as F-8 since the device is both authenticated and compliant.

F-10.1.a-b, F-10.1.i-j, F-10.1.m-n, F-10.1.u-v, F-10.2.a-b, F-10.2.i-j, F-10.2.m-n, F-10.2.u-v

Access not successful, access revoked to current resource, access revoked to all future resources

Access not successful, access revoked to current resource, access revoked to all future resources

Success: If the user attempts to access an unauthorized resource, their access to their current GitLab active session is revoked and their account is disabled in Verify.

F-10.1.c-h, F-10.1.k-l, F-10.1.o-t, F-10.1.w-av, F-10.2.c-h, F-10.2.k-l, F-10.2.o-t, F-10.2.w-av

N/A

N/A

Branch, PaaS, and SaaS services were not available for this build

F-10.3.a-av

N/A

N/A

IBM considers guest network access out of scope for their product. Other technologies should be used for this use case.

F-11.1.a-b, F-11.1.i-j, F-11.1.m-n, F-11.1.u-v, F-11.2.a-b, F-11.2.i-j, F-11.2.m-n, F-11.2.u-v

Bad URL detected, active session revoked, User account disabled in Verify

Bad URL detected, active session revoked, User account disabled in Verify

Success: Once the bad URL was detected, the user session from GitLab was revoked and the user’s account was disabled in Verify.

NOTE: This scenario was only tested with mobile devices running IBM MaaS360 Secure Browser to detect the bad URL.

F-11.1.c-h, F-11.1.k-l, F-11.1-t, F-11.1.w-av, F-11.2.c-h, F-11.2.k-l, F-11.2.o-t, F-11.2.w-av

N/A

N/A

Branch, PaaS, and SaaS services were not configured for this build

F-11.3.a-av

N/A

N/A

IBM considers guest network access out of scope for their product. Other technologies should be used for this use case.

F-12 (all use cases)

All demonstrations here are the same as F-10 since the device is both authenticated and compliant.

F-13 (all use cases)

All demonstrations here are the same as F-11 since the device is both authenticated and compliant.

F-14, F-15, F-16, F-17

IBM considers suspicious activity/network monitoring out of scope for their product. Other technologies should be used for these scenarios.

All G Use Cases

N/A

N/A

IBM considers service-to-service use cases out of scope for their product. Other technologies should be used for this use case.

H-1.1.a, H.1.1.b, H-1.2.c, H-1.5.i, H-1.5.j, H-1.6.k, H-1.9.q, H-1.9.r, H-1.10.s

Access Successful

Access Successful

Success: Access granted in accordance with applied policy.

H-1.2.d, H-1.6.l, H-1.10.t

Access Not Successful

Access Not Successful

Success: Access to sensitive data was blocked in accordance with applied policy.

H-1.3, H-1.4, H-1.7, H-1.8

N/A

N/A

Branch services were not configured for this build.

H-2, H-3, H-4, H-5, H-6, H-7

N/A

N/A

IBM considers these use cases to be out of scope for their product. Other technologies should be used for these use cases.