SDP, Microsegmentation, and SASE Phase Demonstration Results

Note

This page is supplementary material for the NIST SP 1800-35 publication.

This section lists the full demonstration results for each of the builds implemented as part of the SDP, Microsegmentation, and SASE phase.

Enterprise 1 Build 3 (E1B3) - SDP - Zscaler ZPA CA as PE Detailed Demonstration Results

Table 1 lists the full demonstration results for SDP demonstrations run in Enterprise 1 Build 3 (E1B3). The technology deployed in E1B3 was able to determine endpoint compliance for Windows, Linux, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 1 - Detailed Demonstration Results for E1B3

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-m

N/A

N/A

Demonstration cannot be completed: there is no network-level enforcement in this build. Zscaler uses the Client Connector to let a user on a device reach only the specific resources, on-prem or remote, that policy permits; a user who lacks permission to a resource cannot readily reach it over the enterprise network. Resources themselves are not authenticated or checked for compliance in this phase.

A-1.2.a-m, A-1.3.a-f, A-1.4.a-g

N/A

N/A

Same as in A-1. Demonstration cannot be completed. There is no network-level enforcement present in this build.

A-2.1.a-l, A-2.2.a-l, A-2.3.a-f, A-2.4.a-f

N/A

N/A

Same as in A-1. Demonstration cannot be completed. There is no network-level enforcement present in this build.

A-3.1.a, A-3.3.a, A-3.5.a

User request and action is recorded

User login to an application is logged

Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged onto an application and whether the authentication was successful or not. Zscaler Private Access (ZPA) records relevant information about the connection between the endpoint and resource.

A-3.1.b, A-3.3.b

API call is recorded

Logs contain relevant API information

Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged onto an application and whether the authentication was successful or not. Zscaler ZPA records relevant information about the connection between the endpoint and resource.

A-3.2.a, A-3.4.a, A-3.6.a

User request and action is recorded

User login to an application is logged

Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged onto an application and whether the authentication was successful or not. Zscaler ZPA records relevant information about the connection between the endpoint and resource.

A-3.2.b, A-3.4.b, A-3.6.b

API call is recorded

Logs contain relevant API information

Success: Okta records the authentication logs. Administrators can log in to Okta and view logs of when a user logged onto an application and whether the authentication was successful or not. Zscaler ZPA records relevant information about the connection between the endpoint and resource.

B-1.1.a, B-1.2.a, B-1.3.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a

Access Successful

Access Successful

Partial success: User is authenticated via Okta when accessing the resource. User logs into Zscaler client connector as part of login process to the endpoint and policies are applied to the user/endpoint (including laptops, workstations, and mobile devices). User successfully connects to RSS1. However, we cannot validate compliance of RSS1.

B-1.1.b, B-1.2.b, B-1.3.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b

Access Successful

Access Successful

Partial success: User is authenticated via Okta when accessing the resource. User logs into Zscaler client connector as part of login process to the endpoint and policies are applied to the user/endpoint (including laptops, workstations, and mobile devices). User successfully connects to RSS1. However, we cannot validate compliance of RSS1.

B-1.1.c, B-1.2.c, B-1.3.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource.

B-1.1.d, B-1.2.d, B-1.3.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d

Access Not Successful

Access Not Successful

Partial success: Under the Enterprise 1 configuration, E2 is not authorized to access RSS1 by enterprise governance policy, so ZPA denies access to the resource.

RSS compliance cannot be demonstrated in this phase. In this case, the user is not granted access to RSS1.

B-1.1.e, B-1.2.e, B-1.3.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e

Access Successful

Access Successful

Partial success: User is authenticated via Okta when accessing the resource. User logs into Zscaler client connector as part of login process to the endpoint and policies are applied to the user/endpoint (including laptops, workstations, and mobile devices). User successfully connects to RSS2. However, we cannot validate compliance of RSS2.

B-1.1.f, B-1.2.f, B-1.3.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f

Access Not Successful

Access Not Successful

Success: Without user authentication for the resource the access attempt did not succeed.

B-1.1.g, B-1.2.g, B-1.3.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g

Access Not Successful

Access Not Successful

Success: Without user authentication for the resource, the access attempt did not succeed.

B-1.1.h, B-1.2.h, B-1.3.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h

Access Successful

Access Successful

Success: GitLab session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated.

B-1.1.i, B-1.2.i, B-1.3.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i

Access Not Successful

Access Not Successful

Success: After session timeout, user tried to log in with incorrect password and was denied.

B-1.1.j, B-1.2.j, B-1.3.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j

Access Not Successful

Access Not Successful

Success: Device posture failure detected by ZPA, so access was denied.

B-1.1.k, B-1.2.k, B-1.3.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k

Access Limited

N/A

Partial success: Access to RSS2 is blocked. Limited access cannot currently be enforced.

B-1.1.l-m, B-1.2.l-m, B-1.3.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m

Access Denied

Access Denied

Success: User was denied access because the endpoint was noncompliant. Device posture failure detected by ZPA.

B-1.1.n-p, B-1.2.n-p, B-1.3.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p

N/A

N/A

Demonstration cannot be run. Unable to perform compliance checks on RSS.

B-1.2.a-p

The results are the same as B-1.1 since network policies allow access from branch to Ent1. See results from B-1.1.

B-1.3.a-p

The results are the same as B-1.1, given that ZPA policies allow the user/device to access the enterprise remotely the same way that user/device would access a resource within the enterprise. See results from B-1.1.

B-1.4.a-p, B-1.5.a-p, B-1.6.a-p, B-4.4.a-p, B-4.5.a-q, and B-4.6.a-p

Results of access to cloud-based resources (RSS1 and RSS2) are the same as on-prem. See results from B-1.1.

B-2.1.a-d, B-2.2.a-d, B-2.3.a-d

Access Successful

Access Successful

Success: Employee is granted access to URL1 and URL2 regardless of the time of day, because Zscaler policy gives employees full access to both URLs at all times.

B-2.1.e, B-2.2.e, B-2.3.e

Access Not Successful

Access Not Successful

Success: The only way the user fails authentication is by entering an incorrect password or lacking the second factor during Zscaler Client Connector (ZCC) login. With an incorrect first or second factor, ZCC fails to connect to ZIA and the user cannot access the internet.

B-2.1.f, B-2.2.f, B-2.3.f

Access Not Successful

Access Not Successful

Success: Contractor is blocked from URL1 as expected per Zscaler policy.

B-2.1.g, B-2.2.g, B-2.3.g

Access Successful

Access Successful

Success: Contractor is granted access to URL2 as expected per Zscaler policy.

B-2.1.h-i, B-2.2.h-i, B-2.3.h-i

Access Not Successful

Access Not Successful

Success: Contractor is blocked from accessing URL1 due to failed authentication.

B-2.1.j, B-2.2.j, B-2.3.j

Access Not Successful

Access Successful

Not as expected: The only way the user fails authentication is by entering an incorrect password or lacking the second factor during ZCC login. Access succeeded because ZIA enforcement depends on an authenticated ZCC session: an endpoint that is not authenticated to ZIA is not subject to ZIA policy at all, and its internet access is unrestricted unless the company firewall blocks direct egress. This configuration therefore fails open; a compensating egress control at the perimeter is needed to make a failed ZCC login fail closed.

B-2.1.k, B-2.2.k, B-2.3.k

Access Successful

Access Successful

Success: Employee is granted access after successful reauthentication per Zscaler policy as expected.

B-2.1.l, B-2.2.l, B-2.3.l

Access Not Successful

Access Not Successful

Success: Employee cannot access URL1 or URL2 after reauthentication to Zscaler fails as expected.

B-2.1.m-p, B-2.2.m-p, B-2.3.m-p

N/A

N/A

Demonstration cannot be completed. ZIA does not perform device posture/compliance checks on endpoints without integration of a third-party EPP product, which we currently don’t have in the build.

B-3.1.a, B-3.4.a, B-3.5.a

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.b, B-3.4.b, B-3.5.b

Real Req Fail

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.4.c, B-3.5.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.d, B-3.4.d, B-3.5.d

Real Request Keep Access, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.e, B-3.4.e, B-3.5.e

Hostile Request Successful

Hostile Request Successful

Success: Hostile Request successfully authenticated.

B-3.1.f, B-3.4.f, B-3.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.g, B-3.4.g, B-3.5.g

Real Request Fail, Hostile Request Access Limited

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.h, B-3.4.h, B-3.5.h

Real Request Fail, Hostile Request remains authenticated

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.i, B-3.4.i, B-3.5.i

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.j, B-3.4.j, B-3.5.j

Real Request remains authenticated, Hostile Request Fail

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.k, B-3.4.k, B-3.5.k

Hostile Request Fail

Hostile Request Fail

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.l, B-3.4.l, B-3.5.l

Real Request Access Successful

Real Request Access Successful

Success: Real Request successfully reauthenticated.

B-3.1.m, B-3.4.m, B-3.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Hostile Request reauthentication failed.

B-3.1.n, B-3.4.n, B-3.5.n

N/A

N/A

Demonstration could not be completed due to build not supporting session termination at this level.

B-3.1.o, B-3.4.o, B-3.5.o

N/A

N/A

Demonstration could not be completed due to build not supporting session termination at this level.

B-4

As documented in the rows above, the results of all B-4 use case demonstrations are the same as the results of the B-1 use cases because the device is both authenticated and compliant. In this case, a BYOD device will have to install the ZCC client. See results from B-1.1 for B-4.1, B-4.2, and B-4.3.

B-5

As documented in the rows above, the results of all B-5 use case demonstrations are the same as the results of the B-2 use cases because the device is both authenticated and compliant. In this case, a BYOD device will have to install the ZCC client. See results from B-2.1, B-2.2, and B-2.3 for B-5.1, B-5.2, and B-5.3.

B-6

As documented in the rows above, the results of all B-6 use case demonstrations are the same as the results of the B-3 use cases because the device functions the same way. In this case, a BYOD device will have to install the ZCC client. See results from B-3.

B-7

Success

Partial Success

Partial Success: Just-in-time privileges can be granted manually to allow a user to access a resource. Automated just-in-time access was not tested; it requires integration with other zero trust tools that can manage user access.

B-8

N/A

N/A

Step-up authentication is available through an enhancement request to upgrade ZPA. However, this enhancement was not available during the time of this build. Tests cannot be completed.

All C Use Cases

N/A

N/A

Federation will be performed during the next phase by Okta. Once Okta can verify users from Enterprise 2, for example, this will be tested. Users from Enterprise 2 will perform the exact same process of installing ZCC to get access to on-prem resources via ZPA or leverage ZIA to access the internet.

All D Use Cases

As documented in the rows above, the results of all D use case demonstrations are the same as the results of the B use cases. Note that the user is a contractor and will have access to resources based on need. The ZCC client will have to be installed on the contractor’s device, whether it’s provided by the enterprise or BYOD.

E-1.1.a, E-1.2.a

Success

Success

Success: User/device is recognized by Zscaler Internet Access (ZIA) as unmanaged and given access to the internet. Per ZIA enterprise policies, resources on the internet that are deemed safe for access are reachable by the user with No-ID, which includes a public resource from Enterprise 1.

E-1.1.b, E-1.2.b

Success

Success

Success: User/device is recognized by ZIA as unmanaged and given access to the internet. Per ZIA enterprise policies, resources on the internet that are deemed safe for access are reachable by the user with No-ID.

F-1.1.a, F-1.2.a, F-1.3.a, F-1.4.a, F-1.5.a, F-1.6.a

Success

Success

Success: Zscaler timeout set to 10 minutes for testing purposes. Once timed out, user has to reauthenticate to Zscaler again before being able to access any resources. For these test cases, successful authentication allows the user to get access to the resource again.

F-1.1.b, F-1.2.b, F-1.3.b, F-1.4.b, F-1.5.b, F-1.6.b

Success

Success

Success: Zscaler timeout set to 10 minutes for testing purposes. Once timed out, the user has to reauthenticate to Zscaler before being able to access any resources. For these test cases, unsuccessful authentication means that the user does not regain access to the resource. In these use cases, access to GitLab is denied and the web browser shows that the connection failed.

F-2

N/A

N/A

Authentication and authorization to a resource by Zscaler is based on the policies applied to the user and to the device the user logged onto via ZCC. ZPA does not authenticate the device itself. This use case cannot be tested.

F-3

N/A

N/A

For this build, Zscaler considers resource authentication out of scope for their products.

F-4

N/A

N/A

Authentication and authorization to a resource by Zscaler is based on the policies applied to the user and to the device the user logged onto via ZCC. Device posture is checked when the user tries to access the resource. A timeout period is configured after which the user must reauthenticate, and device posture is checked again at that point. Given how ZPA functions, this use case cannot be tested.

F-5.1-6

Success

Success

Success: In this build, device posture is checked when a user attempts to access a resource. If posture check fails, user is denied access. User remediates the issue and tries to access the resource again. Posture check is successful, and user is allowed access to resource.

F-6

N/A

N/A

Cloud Browser Isolation (CBI) can provide this capability. However, this product was not available during the time of this build. Tests cannot be completed.

F-7

N/A

N/A

CBI can provide this capability. However, this product was not available during the time of this build. Tests cannot be completed.

F-8

N/A

N/A

While connected to a resource, the Enterprise-ID tries to connect to a known bad URL. Zscaler denies the connection and displays the denied message on the browser. No other action is taken. There is no mechanism to disconnect the active connection to the resource. ZPA controls access to enterprise resources and ZIA controls access to the internet.

F-9

N/A

N/A

While connected to a resource, the Enterprise-ID tries to connect to a known bad URL. Zscaler denies the connection and displays the denied message on the browser. No other action is taken. There is no mechanism to disconnect the active connection to the resource. ZPA controls access to enterprise resources and ZIA controls access to the internet. Test cannot be completed.

F-10

N/A

N/A

Zscaler does not revoke access based on attempts. Policies allow or deny the Enterprise-ID access; revoking access would be done by changing the policy. Test cannot be completed.

F-11

N/A

N/A

While connected to a resource, the Enterprise-ID tries to connect to a known bad URL. Zscaler denies the HTTP connection. No other action is taken. There is no mechanism to disconnect the active connection to the resource. ZPA controls access to enterprise resources and ZIA controls access to the internet. Test cannot be completed.

F-12

N/A

N/A

While connected to a resource, the Enterprise-ID tries to connect to a known bad URL. Zscaler denies the HTTP connection. No other action is taken. There is no mechanism to disconnect the active connection to the resource. ZPA controls access to enterprise resources and ZIA controls access to the internet. Test cannot be completed.

F-13

N/A

N/A

While connected to a resource, the Enterprise-ID tries to connect to a known bad URL. Zscaler denies the HTTP connection. No other action is taken. There is no mechanism to disconnect the active connection to the resource. ZPA controls access to enterprise resources and ZIA controls access to the internet. Test cannot be completed.

F-14, F-15, F-16, F-17

N/A

N/A

Zscaler “Deception” is a tool that can provide capabilities to successfully test this. However, this product was not available during the time of this build. Tests cannot be completed.

G-1, G-2, G-3, G-4, G-5

N/A

N/A

Zscaler for Workloads is a tool that can provide capabilities to successfully test this. However, this product was not available during the time of this build. Tests cannot be completed.
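The A-3 rows of Table 1 record that Okta logs each application authentication and ZPA logs each endpoint-to-resource connection, but neither system alone shows whether every resource connection was preceded by a successful authentication. The following is an added example (not from NIST SP 1800-35, Okta, or Zscaler) of the join a SOC would run over the two exports. The record layouts, the user and application names, and the 15-minute window (chosen to exceed the 10-minute Zscaler timeout used in F-1) are assumptions; the real Okta System Log and ZPA log schemas differ and need their own field mapping.

```python
"""Added example, not product code: flag resource connections that have no
matching successful authentication within a window.  Records are constructed
and simplified; real Okta/ZPA schemas differ."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not real Okta or ZPA output).
AUTH_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-01-10T09:00:00", "user": "alice", "app": "gitlab", "result": "SUCCESS"},
    {"ts": "2024-01-10T09:05:00", "user": "bob",   "app": "gitlab", "result": "FAILURE"},
    {"ts": "2024-01-10T10:58:00", "user": "alice", "app": "gitlab", "result": "SUCCESS"},
]
CONN_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-01-10T09:00:30", "user": "alice", "app": "gitlab", "device": "lt-01"},
    {"ts": "2024-01-10T09:06:00", "user": "bob",   "app": "gitlab", "device": "lt-02"},
    {"ts": "2024-01-10T11:00:00", "user": "alice", "app": "gitlab", "device": "lt-01"},
    {"ts": "2024-01-10T13:30:00", "user": "alice", "app": "gitlab", "device": "lt-01"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def unmatched_connections(auth: List[Dict[str, str]], conns: List[Dict[str, str]],
                          window: timedelta = timedelta(minutes=15)) -> List[Dict[str, str]]:
    """Return the connection records that are not preceded, within `window`,
    by a successful authentication of the same user to the same application.
    A failed authentication does not count as cover (bob below), and neither
    does a success that is older than the window (alice at 13:30)."""
    successes = [(_ts(a["ts"]), a["user"], a["app"])
                 for a in auth if a["result"] == "SUCCESS"]
    flagged = []
    for conn in conns:
        t = _ts(conn["ts"])
        covered = any(
            user == conn["user"] and app == conn["app"]
            and timedelta(0) <= t - auth_time <= window
            for auth_time, user, app in successes)
        if not covered:
            flagged.append(conn)
    return flagged


if __name__ == "__main__":
    for conn in unmatched_connections(AUTH_EVENTS, CONN_EVENTS):
        print(f"{conn['ts']} {conn['user']}@{conn['device']} -> {conn['app']}: no matching auth")
```

Two records come back: bob's connection (his only authentication failed) and alice's 13:30 connection (her last success was at 10:58, outside the window). In this build the second case is what a connection that outlived the GitLab and Zscaler session timeouts without a recorded reauthentication would look like.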

Enterprise 2 Build 3 (E2B3) - Microsegmentation - Cisco ISE, Cisco Secure Workload, and Ping Identity PingFederate as PEs Detailed Demonstration Results

Table 2 lists the full demonstration results for Microsegmentation (network) demonstrations run in Enterprise 2 Build 3 (E2B3). The technology deployed in E2B3 was able to determine endpoint compliance for Windows, Linux, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 2 - Detailed Demonstration Results for E2B3

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a

Success

Partial Success

Partial Success: Using Cisco Secure Workload, an agent is installed on the resource. Policies are applied to the resource to allow or deny traffic to and from this resource. CSW does not verify resource compliance.

A-1.1.b

N/A

N/A

CSW does not perform compliance verifications.

A-1.1.c

N/A

N/A

Once onboarded, CSW manages the resource through its agent. The onboarding process can be considered the authentication mechanism; no additional authentication is needed.

A-1.1.d

Success

Success

Success: Without onboarding, resource will not receive an IP address. Therefore, it will not have access to the network.

A-1.1.e, i, A-1.3.a, d

Success

Success

Success: EP has access to network and all resources once onboarded, authenticated, and in compliance.

A-1.1.f, j, A-1.3.b, e

Success

Success

Success: EP has access to a specific network so that it has the ability to remediate issues in order to become compliant.

A-1.1.g, k, A-1.3.c, f

Success

Success

Success: Cisco ISE validates credentials prior to allowing the device onto the network. If authentication fails, the endpoint will not have access to the network.

A-1.1.h, l

Success

Success

Success: If not onboarded, the endpoint will have access to a network that allows it to have internet access.

A-1.1.i

Success

Success

Success: EP has access to network and all resources once onboarded, authenticated, and in compliance.

A-1.1.m

Success

Success

Success: All guests will have access to internet only.

A-1.2

N/A

N/A

Enterprise 2 does not have a branch office. However, if resources and endpoints are deployed at a branch office, configuration would be similar to that of the on-prem setup.

A-1.4

N/A

N/A

Currently, Enterprise 2 does not have a cloud component. These use cases cannot be performed.

A-2

Success

Success

Success: All A-2 scenario results are the same as A-1 scenario results. Per policy, Cisco ISE will perform re-authentication periodically.

A-3.1.a, A-3.5.a

User request and action is recorded

User login to an application is logged

Success: Cisco ISE logs user login information. This information is also sent to a SIEM.

A-3.1.b

API call is recorded

Logs contain relevant API information

Success: CSW logs all communications from resources.

A-3.3

N/A

N/A

Enterprise 2 does not have a branch location. However, logs would be recorded, since the same zero trust components would manage the user and resource at a branch office.

A-3.2, A-3.4, A-3.6

N/A

N/A

Enterprise 2 currently does not have cloud components. These use cases are out of scope.

B-1.1.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.3.a

Access Successful

Access Successful

Partial Success: User and endpoint are authenticated and compliant. Access to RSS1 was successful.

Note: RSS1 authentication and compliance are independent of the endpoint. In our current build, CSW does not relay this information to ISE.

B-1.1.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-4.1.b, D-4.3.b

Access Successful

Access Successful

Partial Success: User and endpoint are authenticated and compliant. Access to RSS1 was successful.

Note: RSS1 authentication and compliance are independent of the endpoint. In our current build, CSW does not relay this information to ISE.

B-1.1.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.3.c

Access Not Successful

Access Not Successful

Success: The user logs on to the device with incorrect credentials, the device login fails, and network access is denied.

B-1.1.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.3.d

Access Not Successful

Access Not Successful

Success: User 2 does not have access to RSS1 based on policy. Therefore, access is denied.

B-1.1.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.3.e

Access Successful

Access Successful

Partial Success: User and endpoint are authenticated and compliant. Access to RSS2 was successful.

Note: RSS2 authentication and compliance are independent of the endpoint. In our current build, CSW does not relay this information to ISE.

B-1.1.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.3.f

Access Not Successful

Access Not Successful

Success: The user logs on to the device with incorrect credentials, the device login fails, and network access is denied.

B-1.1.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.3.g

Access Not Successful

Access Not Successful

Success: The user logs on to the device with incorrect credentials, the device login fails, and network access is denied.

B-1.1.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.3.h

Access Successful

Access Successful

Success: Initial authentication allows user access. ISE reauthenticates every 1800 seconds and checks that the device has not changed state; no user interaction is needed. Authentication fails if the device becomes noncompliant or if AD or ISE is unavailable.

B-1.1.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.3.i

Access Not Successful

Access Not Successful

Success: Authentication will fail if device becomes noncompliant or if AD or ISE is unavailable.

B-1.1.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.3.j

Access Not Successful

Access Not Successful

Success: Device posture failure detected, so access was denied.

B-1.1.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.3.k

Access Limited

Access Not Successful

Partial success: Access to RSS2 is blocked. Limited access cannot currently be enforced.

B-1.1.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.3.l-m

Access Denied

Access Denied

Success: User was denied access because the endpoint was noncompliant. Device posture failure detected.

B-1.1.n-p, B-1.2.n-p, B-1.3.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-4.1.n-p,

N/A

N/A

CSW policies allow or deny traffic based on the resource's posture. If the resource is not compliant, the firewall on the resource denies traffic to and from it. CSW does not provide input to ISE at this time; this will be demonstrated during the next phase.

B-1.2.a-p, B-4.2, D-1.2.a-p, D-4.2

N/A

N/A

Enterprise 2 does not have a branch office. Therefore, these use cases were not performed. However, the results would be the same as B-1.1 since network policies allow access from branch to Ent2. See results from B-1.1.

B-1.3.a-p, B-4.3a-p, D-1.3.a-p, D-4.3a-p

N/A

N/A

These use cases will be performed in the future.

B-1.4.a-p, B-1.5.a-p, B-1.6.a-p, B-4.4.a-p, B-4.5.a-q, and B-4.6.a-p

N/A

N/A

Currently, we do not have a cloud component for Enterprise 2 Build 3. Tests were not completed.

B-2, B-5, D-2, D-5

Access Successful

N/A

While each individual URL can be entered into ISE to manage a user's access, Cisco does not recommend this approach. A solution built specifically for web filtering is recommended instead.

B-3.1, B-6.1, D-3.1, D-6.1

Real Req Success

N/A

The current Cisco solution authenticates both the user and the device for access to the resource, and Ping Identity authorizes the user to log in to the resource. Credentials must be reported stolen before ISE or Ping Identity can act on them. Note: ISE has a feature that automates revoking user access for a credential reported stolen. Once reported, new credentials are issued and the real user must log in again.

B-3.2, B-3.3, B-3.4, B-3.5, B-6.2, B-6.3, B-6.4, B-6.5, D-3.2, D-3.3, D-3.4, D-3.5, D-6.2, D-6.3, D-6.4, D-6.5

Real Req Fail

N/A

Enterprise 2 does not have a branch office. However, if a branch office is available, the outcome would be the same as B-3.1. For remote/on-prem or on-prem/remote use cases, the results would be the same as B-3.1.

B-7.1.a, y

Access not successful

Access not successful

Success: Since user was not provisioned to have access to this resource, access was not successful.

B-7.1.b, z

Access successful

Access successful

Success: Once a policy was provisioned for the user, access was successful.

B-7.1.c-x, aa-aj

N/A

N/A

Enterprise 2 currently does not have a branch office or cloud resources. Use cases involving these locations were not performed.

B-8.1.a-c, m-o

Access successful

N/A

Partial success: Cisco ISE does not itself authenticate the user to the resource. However, a policy must be updated to allow the user and endpoint to reach the resource over the specific protocol the resource uses, so ISE updated a policy and reauthenticated the endpoint to allow access.

B-8.1.d-f, p-r

Access not successful

N/A

While each individual URL can be entered into ISE to manage a user's access, Cisco does not recommend this approach. A solution built specifically for web filtering is recommended instead.

B-8.1.g-l, B-8.2, B-8.3, B-8.4, B-8.5

N/A

N/A

Enterprise 2 currently does not have a branch office or cloud resources. Use cases involving these locations were not performed.

All C Use Cases

N/A

N/A

Federation will be performed in the future.

E

Success

Success

Success: Access to the internet is allowed through the guest network.

F-1.1.a, F-1.3.a

Success

Success

Success: Session will stay alive after a successful reauthentication.

F-1.1.b, F-1.3.b

Success

Success

Success: Session will be terminated upon unsuccessful reauthentication. ISE will revoke all access to resources upon unsuccessful authentication.

F-1.2, F-2.2, F-4.2, F-5.2

N/A

N/A

Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises.

F-1.4, F-1.5, F-1.6, F-2.4, F-2.5, F-2.6, F-4.4, F-4.5, F-4.6, F-5.4, F-5.5, F-5.6

N/A

N/A

Enterprise 2 does not currently have a cloud component. These use cases cannot be performed.

F-2.1.a, F-2.3.a

Success

Success

Success: Session will stay alive after a successful reauthentication.

F-2.1.b, F-2.3.b

Success

Success

Success: Session will be terminated upon unsuccessful reauthentication. ISE will revoke all access to resources upon unsuccessful authentication.

F-3

N/A

N/A

CSW does not provide information to Cisco ISE at this time. This use case cannot be performed.

F-4.1.a, F-4.3.a

Success

Success

Success: When Cisco ISE detects that the compliance check succeeds, ISE does not revoke access.

F-4.1.b, F-4.3.b

Access Stopped

Access Stopped

Success: When Cisco ISE detects that compliance fails, access is revoked.

F-5.1.a, F-5.3.a

Access Denied

Access Denied

If compliance is not met, user will continue to not have access to resources.

F-5.1.b, F-5.3.b

Access Successful

Access Successful

Once compliance is met and reauthentication succeeds, ISE will allow user to access resources again.
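The B-1.1.h-i, F-1, F-4 and F-5 rows above describe one mechanism from several angles: ISE re-runs its decision on a fixed timer, treats a noncompliant endpoint or an unreachable AD/ISE as a failed reauthentication, revokes access on any failure, and restores it only after a later successful check. The block below is an added illustration of that decision loop, not Cisco ISE or Zscaler code. The 1800-second interval is the ISE setting reported in B-1.1.h; the user, device and resource names, the ordering of checks, and the timeline are assumptions chosen for the example, and the "Access Limited" outcome models the remediation network of A-1.1.f rather than the full denial the builds actually observed for B-1.1.k.

```python
"""Added example (not Cisco ISE code): a fail-closed policy decision that is
re-evaluated on a reauthentication timer, following Table 2's B-1.1, F-1,
F-4 and F-5 rows.  Names, timeline and check order are assumptions."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import FrozenSet, List, Tuple

REAUTH_INTERVAL_S = 1800  # ISE reauthentication timer reported in B-1.1.h


class Decision(Enum):
    ALLOW = "Access Successful"
    DENY = "Access Not Successful"
    LIMITED = "Access Limited"  # remediation network only, no resource access


@dataclass(frozen=True)
class Subject:
    user: str
    authenticated: bool
    authorized_for: FrozenSet[str]


@dataclass(frozen=True)
class Endpoint:
    device_id: str
    onboarded: bool
    compliant: bool


@dataclass(frozen=True)
class Infra:
    ad_available: bool = True   # identity store
    ise_available: bool = True  # policy server


def decide(subject: Subject, endpoint: Endpoint, resource: str, infra: Infra) -> Decision:
    """Check order is an assumption: infrastructure health first so an outage
    fails closed, then authentication, onboarding, posture, authorization."""
    if not (infra.ad_available and infra.ise_available):
        return Decision.DENY       # B-1.1.i: AD or ISE unreachable
    if not subject.authenticated:
        return Decision.DENY       # B-1.1.c/f/g
    if not endpoint.onboarded:
        return Decision.DENY       # A-1.1.d: not onboarded, no network
    if not endpoint.compliant:
        return Decision.LIMITED    # A-1.1.f: remediation network only
    if resource not in subject.authorized_for:
        return Decision.DENY       # B-1.1.d: authenticated but not authorized
    return Decision.ALLOW


@dataclass
class Session:
    subject: Subject
    endpoint: Endpoint
    resource: str
    last_eval: int
    decision: Decision


def open_session(subject: Subject, endpoint: Endpoint, resource: str,
                 infra: Infra, now: int) -> Session:
    return Session(subject, endpoint, resource, now, decide(subject, endpoint, resource, infra))


def reevaluate(session: Session, now: int, infra: Infra) -> Decision:
    """Re-run the decision once the timer has elapsed, with no user interaction
    (B-1.1.h).  Anything but ALLOW ends resource access (F-1.1.b, F-4.1.b);
    a later ALLOW restores it (F-5.1.b)."""
    if now - session.last_eval >= REAUTH_INTERVAL_S:
        session.last_eval = now
        session.decision = decide(session.subject, session.endpoint, session.resource, infra)
    return session.decision


def scenario() -> List[Tuple[str, Decision]]:
    """Walk the Table 2 rows on a constructed timeline (seconds)."""
    alice = Subject("alice", True, frozenset({"RSS1", "RSS2"}))
    bob = Subject("bob", True, frozenset({"RSS2"}))        # not entitled to RSS1
    laptop = Endpoint("lt-01", onboarded=True, compliant=True)
    healthy = Infra()
    out: List[Tuple[str, Decision]] = []

    s = open_session(alice, laptop, "RSS1", healthy, now=0)
    out.append(("B-1.1.a", s.decision))
    out.append(("B-1.1.c", decide(replace(alice, authenticated=False), laptop, "RSS1", healthy)))
    out.append(("B-1.1.d", decide(bob, laptop, "RSS1", healthy)))
    out.append(("B-1.1.h", reevaluate(s, 1800, healthy)))                     # state unchanged
    out.append(("B-1.1.i", reevaluate(s, 3600, Infra(ad_available=False))))   # AD down

    s2 = open_session(alice, laptop, "RSS2", healthy, now=0)
    s2.endpoint = replace(laptop, compliant=False)   # posture changes mid-session
    out.append(("F-4.1.b", reevaluate(s2, 1800, healthy)))  # stopped at next check
    out.append(("F-5.1.a", reevaluate(s2, 3600, healthy)))  # still noncompliant
    s2.endpoint = laptop                                    # user remediates
    out.append(("F-5.1.b", reevaluate(s2, 5400, healthy)))  # restored
    return out


if __name__ == "__main__":
    for demo_id, d in scenario():
        print(f"{demo_id}: {d.value}")
```

The design point worth keeping from the B-1.1.i row is that an unreachable identity store or policy server is treated as a denial at the next timer expiry, rather than letting the last decision stand; a PEP that instead caches the previous ALLOW through an outage has turned the 1800-second window into an availability-dependent bypass.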

F-6.1.a, F-6.1.c, F-6.2.a, F-6.2.c, F-7.1.a, F-7.1.c, F-7.2.a, F-7.2.c

Access Stopped

Access Stopped

Success: Leveraging Cisco SNA to identify the violation of data use, SNA informs ISE of the violation. ISE then removes the user’s access.

F-6.1.b, F-6.2.b, F-7.1.b, F-7.2.b

N/A

N/A

Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises.

F-6.1.d-k, F-6.2.d-k, F-7.1.d-k, F-7.2.d-k

N/A

N/A

Enterprise 2 does not currently have a cloud component. These use cases cannot be performed.

F-8, F-9

N/A

N/A

The current solutions deployed in Enterprise 2 cannot perform this based on URLs. However, SNA can act on specific events such as command and control, bot-infected hosts, brute-force logins, and connections to Tor or bogon addresses, among other malicious connections. Once SNA detects these interactions, it informs Cisco ISE. Cisco Secure Endpoint also detects threats and informs ISE. ISE then denies the user access based on policy.

F-10.1.a, F-10.1.i, F-10.2.a, F-10.2.i, F-10.3.a, F-10.3.i, F-12.1.a, F-12.1.i, F-12.2.a, F-12.2.i, F-12.3.a, F-12.3.i

Access not successful

Access not successful

Success: Leveraging policies deployed in SNA and ISE, a user attempting to access a resource that they are not authorized to access will be denied.

F-10.1.b, c, d, f, g, h, j-av, F-10.2.b, c, d, f, g, h, j-av, F-10.3.b, c, d, f, g, h, j-av, F-12.1.b, c, d, f, g, h, j-av, F-12.2.b, c, d, f, g, h, j-av, F-12.3.b, c, d, f, g, h, j-av

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

F-10.1.e, F-10.2.e, F-10.3.e, F-12.1.e, F-12.2.e, F-12.3.e

N/A

N/A

Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises.

F-11, F-13

N/A

N/A

The solutions currently deployed in Enterprise 2 cannot perform this based on URLs. However, SNA can act on specific events such as command-and-control traffic, bot-infected hosts, brute-force logins, and connections to Tor or bogon addresses, among other malicious connections. ISE can change a session based on information from another tool that manages URL access.

F-14.1.a, F-14.1.c, F-15.1.a, F-15.1.c, F-16.1.a, F-16.1.c, F-17.1.a, F-17.1.c

Access not successful

Access not successful

Success: SNA can detect suspicious user activity based on various types of policies, some of which map to compliance conditions; in that case, ISE quarantines the device until it is remediated. Once SNA sees these malicious interactions, it informs Cisco ISE. Cisco Secure Endpoint also detects threats and passes them to ISE. ISE then denies the user access based on policy.

F-14.1.d-l, F-15.1.d-l, F-16.1.d-l, F-17.1.d-l

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-1.1.a

Access successful

Access successful

Success: CSW policy allows subject to communicate with the resource. Note: CSW continuously monitors the communications in and out of a subject and develops policies based on that information. The policies are then deployed and enforced on the subject.

G-1.1.b

Access not successful

Access not successful

Success: Based on CSW policy, subject was denied from communicating with the resource by the resource’s local firewall.

G-1.1.c-d

N/A

N/A

Enterprise 2 does not have a branch location. Tests are not performed. However, CSW would deploy policies the same way as on-prem resources to protect resources at a branch location.

G-1.1.e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-1.1.f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-1.1.g

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-1.1.h

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-1.1.i

Access successful

Access Successful

Success: CSW allows the communication between a SaaS and on-prem resource based on policies that are created to allow legitimate communications between them.

G-1.1.j

N/A

N/A

Unable to perform this demonstration, as we are unable to modify a SaaS subject.

G-1.2.a-i

N/A

N/A

Enterprise 2 does not have a branch location. Tests are not performed. However, CSW would deploy policies the same way as on-prem resources to protect resources at a branch location. An agent would be installed on these resources.

G-2.1.a

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.1.b

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.1.c-d

N/A

N/A

Enterprise 2 does not have a branch location. Tests are not performed. However, CSW would deploy policies the same way as on-prem resources to protect resources at a branch location.

G-2.1.e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.1.f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.2.a

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.2.b

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.2.c-d

N/A

N/A

Enterprise 2 does not have a branch location. Tests are not performed. However, CSW would deploy policies the same way as on-prem resources to protect resources at a branch location. An agent would be installed on these resources.

G-2.2.e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.2.f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.3.a

Success

Success

Success: CSW allows the communication between an on-prem resource and SaaS based on policies that are created to allow legitimate communications between them from the on-prem resource.

G-2.3.b

Access not successful

Access not successful

Success: CSW only allows the communication between an on-prem resource and SaaS based on policies that are created to allow legitimate communications between them from the on-prem resource. If there is no policy to allow the communication, there is an implicit deny for this use case.

G-2.3.c-d

N/A

N/A

Enterprise 2 does not have a branch location. Tests are not performed. However, CSW would deploy policies the same way as on-prem resources to protect resources at a branch location.

G-2.3.e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-2.3.f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-3.1.a, c, e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-3.1.b, d, f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-3.2.a, c, e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-3.2.b, d, f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-3.3.a, c, e

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-3.3.b, d, f

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-4

N/A

N/A

Enterprise does not currently have a cloud component. Use cases cannot be performed.

G-5.1

Access Successful

Access Successful

Policies are applied to the resource for both inbound and outbound communication. In this case, secure communications are between the application and the endpoint. CSW can allow or deny communication with the endpoint by enforcing policies on the resource itself. CSW does not push policies or perform administrative actions to the endpoint.
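The E2B3 rows above describe three behaviors in prose: CSW learns allow rules from the communications it observes on a workload and enforces them on that workload (G-1.1.a), anything without an explicit allow rule is implicitly denied (G-2.3.b), and SNA-style detections such as brute-force logins or connections to Tor or bogon addresses are handed to ISE, which quarantines the endpoint (F-8, F-9, F-14 through F-17). The following is an added example written for this page to make those decisions concrete; it is not CSW, SNA or ISE product code, and every address, flow record, threshold and the Tor exit list in it is constructed for the example.

```python
"""Toy microsegmentation policy engine: learn an allow-list from baseline
flows, enforce it on the workload with implicit deny, and quarantine hosts
whose traffic matches brute-force / Tor / bogon detections.

Added illustration only: this is not CSW, SNA or ISE code, and every address,
flow record and the Tor exit list below is constructed for the example.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    auth_failed: bool = False  # constructed: the flow carried a rejected login


# Assumed enterprise address space; anything outside it that is not globally
# routable (RFC 1918, documentation, reserved, ...) is treated as a bogon.
ENTERPRISE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Placeholder Tor exit list (a real one comes from a threat feed).
TOR_EXITS = {"198.51.100.7"}

# Constructed baseline: the flows CSW would observe on the workloads while
# learning policy (app -> web on 443, web -> db on 5432).
BASELINE = [
    Flow("10.20.2.20", "10.20.1.10", 443, "tcp"),
    Flow("10.20.1.10", "10.20.3.30", 5432, "tcp"),
]

# Constructed monitoring window seen by the flow collector after policy is live.
WINDOW = [
    Flow("10.20.2.20", "10.20.1.10", 443, "tcp"),
    *[Flow("10.20.9.99", "10.20.1.10", 443, "tcp", auth_failed=True) for _ in range(6)],
    Flow("10.20.2.20", "198.51.100.7", 9001, "tcp"),
    Flow("10.20.2.20", "192.168.77.5", 80, "tcp"),
]


def is_bogon(addr: str) -> bool:
    """True for a destination outside the enterprise that is not globally routable."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ENTERPRISE_NETS):
        return False
    return not ip.is_global


def learn_allowlist(baseline):
    """Policy discovery: each (src, dport, proto) seen toward a workload becomes
    an explicit allow rule on that workload (the G-1.1.a note)."""
    rules = defaultdict(set)
    for f in baseline:
        rules[f.dst].add((f.src, f.dport, f.proto))
    return dict(rules)


def enforce(rules, flow: Flow) -> bool:
    """Host-firewall decision on the destination workload: allow only on an
    explicit match, otherwise implicit deny (the G-2.3.b note)."""
    return (flow.src, flow.dport, flow.proto) in rules.get(flow.dst, set())


def detect(flows, brute_threshold: int = 5):
    """SNA-style detections over a window; returns {host: [reasons]} for hosts
    the policy decision point (ISE in E2B3) should quarantine."""
    verdicts = defaultdict(list)
    failures = Counter(f.src for f in flows if f.auth_failed)
    for src, n in failures.items():
        if n >= brute_threshold:
            verdicts[src].append(f"brute-force login: {n} failures")
    for f in flows:
        if f.dst in TOR_EXITS:
            verdicts[f.src].append(f"connection to Tor exit {f.dst}")
        elif is_bogon(f.dst):
            verdicts[f.src].append(f"connection to bogon address {f.dst}")
    return dict(verdicts)


def run_demo():
    rules = learn_allowlist(BASELINE)
    candidates = [
        Flow("10.20.2.20", "10.20.1.10", 443, "tcp"),   # learned: allow
        Flow("10.20.9.99", "10.20.3.30", 5432, "tcp"),  # unknown source: deny
        Flow("10.20.1.10", "10.20.3.30", 22, "tcp"),    # known peer, wrong port: deny
    ]
    decisions = {f"{f.src}->{f.dst}:{f.dport}": enforce(rules, f) for f in candidates}
    quarantine = sorted(detect(WINDOW))
    return {"decisions": decisions, "quarantine": quarantine}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The allow-list is keyed by destination workload because, as the G-5.1 row notes, CSW enforces on the resource rather than on the requesting endpoint; the detection step is kept separate from enforcement because in the build the quarantine decision is made by ISE on SNA's report, not by the host firewall.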

Enterprise 3 Build 3 (E3B3) — SDP and Microsegmentation - Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Microsoft Sentinel, Forescout eyeControl, and Forescout eyeExtend as PEs Detailed Demonstration Results#

Table 3 lists the full demonstration results for all SDP and Microsegmentation demonstrations run in Enterprise 3 Build 3 (E3B3). The technology deployed in E3B3 was able to determine endpoint compliance for Windows, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 3 - Detailed Demonstration Results for E3B3

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-d

Access to Network

Access to Network

Success: Resource has access to network in accordance with Forescout policy.

A-1.1.b, A-1.1.c, A-1.1.g

No Access to Network

No Access to Network

Partial success: In the current configuration, the endpoint has access limited to the local subnet in accordance with Forescout policy.

A-1.1.d

No Access to Network

N/A

Demonstration cannot be completed. By Scenario A-1 definition, a resource has already undergone onboarding.

A-1.1.e

Access to Network

Access to Network

Success: Endpoint has access to network in accordance with Forescout policy.

A-1.1.f

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint has access limited in accordance with Forescout policy.

A-1.1.h

Access to Public Network

N/A

Demonstration cannot be completed. By Scenario A-1 definition, an endpoint has already undergone onboarding.

A-1.1.i

Access to Network

Access to Network

Success: BYOD has access to network in accordance with Forescout policy.

A-1.1.j

Limited Access to Network

Limited Access to Network

Success: Endpoint has access limited to the local subnet in accordance with Forescout policy.

A-1.1.k

No Access to Network

No Access to Network

Partial success: In the current configuration, the endpoint has access limited to the local subnet in accordance with Forescout policy.

A-1.1.l

Access to Public Network

N/A

Demonstration cannot be completed. By Scenario A-1 definition, the BYOD has already undergone onboarding.

A-1.1.m

Access to Public Network

Access to Public Network

Success: BYOD has access to network in accordance with Forescout policy.

A-1.2.a-m

Access to Network

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

A-1.3.a

Access to Network

Access to Network

Success: Endpoint has access to network in accordance with Forescout policy.

A-1.3.b

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint has access limited in accordance with Forescout policy.

A-1.3.c

No Access to Network

No Access to Network

Success: Endpoint is denied access to the network after failing to authenticate to the GlobalProtect VPN.

A-1.3.d

Access to Network

Access to Network

Success: BYOD has access to network in accordance with Forescout policy.

A-1.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint has access limited in accordance with Forescout policy.

A-1.3.f

No Access to Network

No Access to Network

Success: BYOD is denied access to the network after failing to authenticate to the GlobalProtect VPN.

A-1.4.a-g

N/A

N/A

Partial Success: Using Azure roles, a user could be allowed, denied, or provided with limited access to cloud resources. With Azure AD Conditional Access and Microsoft Intune, a device can be given access to a cloud application.

A-2.1.a

Keep Access to Network

Keep Access to Network

Success: Resource has access to network in accordance with Forescout policy.

A-2.1.b

Terminate Access to Network

Limit Access to Network

Partial Success: Resource has access limited to the local subnet in accordance with Forescout policy.

A-2.1.c

Terminate Access to Network

Limit Access to Network

Partial Success: Resource has access limited to the local subnet in accordance with Forescout policy.

A-2.1.d

Keep Access to Network

Keep Access to Network

Success: Endpoint has access to network in accordance with Forescout policy.

A-2.1.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint has access limited in accordance with Forescout policy.

A-2.1.f

Terminate Access to Network

Limit Access to Network

Partial Success: Resource has access limited to the local subnet in accordance with Forescout policy.

A-2.1.g

Keep Access to Network

Keep Access to Network

Success: BYOD has access to network in accordance with Forescout policy.

A-2.1.h

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint has access limited in accordance with Forescout policy.

A-2.1.i

Terminate Access to Network

Limit Access to Network

Partial success: BYOD has access limited to the local subnet in accordance with Forescout policy.

A-2.2.a-i

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

A-2.3.a

Keep Access to Network

Keep Access to Network

Success: Endpoint has access to network in accordance with Forescout policy.

A-2.3.b

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint has access limited in accordance with Forescout policy.

A-2.3.c

Terminate Access to Network

Terminate Access to Network

Success: Endpoint has access terminated after failing to reauthenticate to the GlobalProtect VPN.

A-2.3.d

Keep Access to Network

Keep Access to Network

Success: BYOD has access to network in accordance with Forescout policy.

A-2.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: BYOD has access limited in accordance with Forescout policy.

A-2.3.f

Terminate Access to Network

Terminate Access to Network

Success: BYOD has access terminated after failing to reauthenticate to the GlobalProtect VPN.

A-2.4.a,d

Keep Access to Network

Keep Access to Network

Success: Azure is able to allow access to cloud endpoints and resources.

A-2.4.b,c,f

Terminate Access to Network

Terminate Access to Network

Success: Azure is able to limit access to cloud endpoints and resources.

A-2.4.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Azure is able to limit access to cloud endpoints and resources.

A-3.1.a

User request and action is recorded

User request is recorded

Partial Success: User activity and transaction flow is logged using Forescout. Individual user actions are not visible within this build.

A-3.2.a

User request and action is recorded

User request is recorded

Partial Success: User activity and transaction flow is logged using Forescout and Azure AD. Individual user actions are not visible within this build.

A-3.3.a, A-3.4.a

User request and action is recorded

N/A

Branch testing is not available for this build.

A-3.5.a, A-3.6.a

User request and action is recorded

User request is recorded

Partial Success: User activity and transaction flow is logged. Individual user actions are not visible.

A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b

API call is recorded

Activity and transaction flow is recorded

Partial Success: Service activity and transaction flow is logged by Forescout. Individual API calls are not visible.

B-1.1.a

Access Successful

Access Successful

Success: Users access RSS1 based on the EP and RSS compliance with Forescout and Azure AD policy.

B-1.1.b

Access Successful

Access Successful

Success: Users access RSS2 based on the EP and RSS compliance with Forescout and Azure AD policy.

B-1.1.c

Access Not Successful

Access Not Successful

Success: User authentication failure to Azure AD prevents access.

B-1.1.d

Access Not Successful

Access Not Successful

Success: E2 is not authorized to access RSS1 in accordance with Azure AD policy.

B-1.1.e

Access Successful

Access Successful

Success: Users access RSS2 based on the EP and RSS compliance with Forescout and Azure AD policy.

B-1.1.f, B-1.1.g

Access Not Successful

Access Not Successful

Success: User authentication failure to Azure AD prevents access.

B-1.1.h

Access Successful

Access Successful

Success: Session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated to Azure AD.

B-1.1.i

Access Not Successful

Access Not Successful

Success: Users were prevented from accessing resources after reauthentication failure to Azure AD.

B-1.1.j

Access Not Successful

Access Not Successful

Success: Initial user authentication to Azure AD was successful and user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to re-authenticate to Azure AD.

B-1.1.k

Access Limited

Access Not Successful

Partial success: Initial user authentication to Azure AD was successful and user was granted access to RSS2. In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD.

B-1.1.l

Access Not Successful

Access Not Successful

Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD.

B-1.1.m

Access Limited

Access Not Successful

Partial success: In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD.

B-1.1.n-p

Access Not Successful

Access Not Successful

Success: After the RSS became noncompliant, user access to the RSS was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD.

B-1.2.a-p

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-1.3.a-p

The results are the same as B-1.1, given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1.

B-1.4.a

Access Successful

Access Successful

Success: Users access RSS1 based on the EP compliance with Forescout and Azure AD policy.

B-1.4.b

Access Successful

Access Successful

Success: Users access RSS2 based on the EP compliance with Forescout and Azure AD policy.

B-1.4.c

Access Not Successful

Access Not Successful

Success: User authentication failure to Azure AD prevents access.

B-1.4.d

Access Not Successful

Access Not Successful

Success: E2 is not authorized to access RSS1 in accordance with Azure AD policy.

B-1.4.e

Access Successful

Access Successful

Success: Users access RSS2 based on the EP and RSS compliance with Forescout and Azure AD policy.

B-1.4.f, B-1.4.g

Access Not Successful

Access Not Successful

Success: User authentication failure to Azure AD prevents access.

B-1.4.h

Access Successful

Access Successful

Success: Session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated to Azure AD.

B-1.4.i

Access Not Successful

Access Not Successful

Success: Users were prevented from accessing resources after reauthentication failure to Azure AD.

B-1.4.j

Access Not Successful

Access Not Successful

Success: Initial user authentication to Azure AD was successful and user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD.

B-1.4.k

Access Limited

Access Not Successful

Partial success: Initial user authentication to Azure AD was successful and user was granted access to RSS2. In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to reauthenticate to Azure AD.

B-1.4.l

Access Not Successful

Access Not Successful

Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD.

B-1.4.m

Access Limited

Access Not Successful

Partial success: In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with Forescout policy, and the user was unable to authenticate to Azure AD.

B-1.4.n-p

N/A

N/A

Demonstration cannot be performed as verification of cloud resource compliance is not available at this time.

B-1.5.a-p

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

B-1.6.a-p

In the current implementation, remote users are connected to a VPN that routes network traffic through the on-prem environment. All test results are similar to B-1.4.a-p.

B-2.1.a-d,g,n

Access Successful

Access Successful

Success: Access allowed in accordance with Forescout policy.

B-2.1.e, f, l, m, o, p

Access Not Successful

Access Not Successful

Success: Access denied in accordance with Forescout policy.

B-2.2

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

B-2.3

In the current implementation, remote users are connected to a VPN that routes network traffic through the on-prem environment. All test results are similar to B-2.1.a-p.

B-3.1.a, B-3.4.a, B-3.5.a

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.b, B-3.4.b, B-3.5.b

Real Req Fail

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.4.c, B-3.5.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.d, B-3.4.d, B-3.5.d

Real Request Keep Access, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.e, B-3.4.e, B-3.5.e

Hostile Request Successful

Hostile Request Successful

Success: Hostile Request successfully authenticated.

B-3.1.f, B-3.4.f, B-3.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.g, B-3.4.g, B-3.5.g

Real Request Fail, Hostile Request Access Limited

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.h, B-3.4.h, B-3.5.h

Real Request Fail, Hostile Request remains authenticated

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.i, B-3.4.i, B-3.5.i

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.j, B-3.4.j, B-3.5.j

Real Request remains authenticated, Hostile Request Fail

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.k, B-3.4.k, B-3.5.k

Hostile Request Fail

Hostile Request Fail

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.l, B-3.4.l, B-3.5.l

Real Request Access Successful

Real Request Access Successful

Success: Real Request successfully reauthenticated.

B-3.1.m, B-3.4.m, B-3.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Hostile Request reauthentication fails.

B-3.1.n, B-3.4.n, B-3.5.n

Hostile Request Session Terminated

Hostile Request Session Terminated

Success: Azure AD sessions terminated.

B-3.1.o, B-3.4.o, B-3.5.o

Real Request Session Terminated

Real Request Session Terminated

Success: Azure AD sessions terminated.

B-3.2, B-3.3

N/A

N/A

Branch office is not included in Build 3.

B-4

All demonstrations here are the same as B-1 since the device is both authenticated and compliant.

B-5

All demonstrations here are the same as B-2 since the device is both authenticated and compliant.

B-6

All demonstrations here are the same as B-3 since the device is both authenticated and compliant.

B-7

Success

Partial Success

Partial Success: Just-in-time privileges were demonstrated. The enterprise was configured to allow a subset of users to gain privileges necessary to perform specific tasks within the Azure cloud environment. This build does not have the capabilities that allow just-in-time access to extend beyond the cloud to the on-premises environment.

B-7.1.h, j, l, af, ah, aj

Access Successful

Access Successful

Success: Demonstration successful to IaaS, PaaS, and SaaS services.

B-7.1.g, i, k, ae, ag, ai

Access Not Successful

Access Not Successful

Success: Demonstration successful to IaaS, PaaS, and SaaS services.

B-7.1.a-b, B-7.1.e-f, B-7.1.y-z, B-7.1.ac-ad

N/A

N/A

Unable to complete demonstration. Current build does not have the capability to extend just-in-time privileges beyond cloud environment.

B-7.1.c, d, m, n, o, p, q, r, s, t, u, v, w, x, aa, ab

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.1.a-r

N/A

N/A

Unable to complete demonstration. Current build could not extend step-up authentication capability to third-party on-prem applications or services.

B-8.2.a-r

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.3.a-r

N/A

N/A

Unable to complete demonstration. Current build could not extend step-up authentication capability to third-party IaaS services.

B-8.4.a-c

Session Continues

Session Continues

Success: Demonstration successful for connections to PaaS service.

B-8.4.d-f

Session Terminates

Session Terminates

Success: Demonstration successful for connections to PaaS service.

B-8.4.g-l

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.4.m-o

Session Continues

Session Continues

Success: Demonstration successful for connections to PaaS service.

B-8.4.p-r

Session Terminated

Session Terminated

Success: Demonstration successful for connections to PaaS service.

B-8.5.a-c

Session Continues

Session Continues

Success: Demonstration successful for connections to SaaS service.

B-8.5.d-f

Session Terminated

Session Terminated

Success: Demonstration successful for connections to SaaS service.

B-8.5.g-l

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.5.m-o

Session Continues

Session Continues

Success: Demonstration successful for connections to SaaS service.

B-8.5.p-r

Session Terminated

Session Terminated

Success: Demonstration successful for connections to SaaS service.

C-1.1.a, C-1.2.a, C-1.3.a, C-1.4.a, C-1.5.a, C-1.6.a

Access Successful

Access Successful

Success: Access to resource is granted.

C-1.1.b, C-1.2.b, C-1.3.b, C-1.4.b, C-1.5.b, C-1.6.b, C-6.1.b, C-6.2.b, C-6.3.b, C-6.4.b, C-6.5.b, C-6.6.b

Access Not Successful

Access Not Successful

Success: Endpoint was non-compliant and was denied access to the resource.

C-1.1.c, C-1.4.c, C-2.1.c, C-2.4.c, C-6.1.c, C-6.4.c

N/A

N/A

Use cases were not performed. RSS compliance not available in Ent1.

C-1.1.d, C-1.4.d, C-2.1.d, C-2.4.d, C-6.1.d, C-6.4.d

Access Not Successful

Partial Success

Partial Success: Policy is enforced and denied a non-compliant endpoint. However, RSS compliance not available in Ent1.

C-2.1.a, C-2.2.a, C-2.3.a, C-2.4.a, C-2.5.a, C-2.6.a, C-6.1.a, C-6.2.a, C-6.3.a, C-6.4.a, C-6.5.a, C-6.6.a

Limited Access Successful

Limited Access Successful

Success: Federated-ID user has access to certain resources only based on policy.

C-2.1.b, C-2.2.b, C-2.3.b, C-2.4.b, C-2.5.b, C-2.6.b

Access Not Successful

Access Not Successful

Access Denied: Policy is enforced and denied a non-compliant endpoint.

C-3.1.a, C-3.2.a, C-3.3.a, C-5.1.a, C-5.2.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access to this website.

C-3.1.b, C-3.2.b, C-3.3.b, C-5.1.b, C-5.2.b

Access Not Successful

Access Not Successful

Success: Non-compliant endpoint is denied access.

C-3.1.c, C-3.2.c, C-3.3.c, C-5.1.c, C-5.2.c

Access Not Successful

Access Not Successful

Success: Compliant endpoint is denied access due to policy.

C-3.1.d, C-3.2.d, C-3.3.d, C-5.1.d, C-5.2.d

Access Not Successful

Access Not Successful

Success: Endpoint is non-compliant, and policy does not allow access to this website.

C-4

Access Not Successful

Access Not Successful

Success: Access to internet resources is denied due to policy.

C-5.3.a, C-5.3.b, C-5.3.c, C-5.3.d

N/A

N/A

When user is remote, results match Ent3 results, as a BYOD device in a remote location does not have Ent1 policies applied.

C-7.1.a, C-7.2.a, C-7.3.a, C-7.4.a, C-7.5.a, C-7.6.a, C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-7.1.b, C-7.2.b, C-7.3.b, C-7.4.b, C-7.5.b, C-7.6.b

Access Not Successful

Access Not Successful

Success: An endpoint that is flagged as stolen is denied access by policy.

C-7.1.c, C-7.2.c, C-7.3.c, C-7.4.c, C-7.5.c, C-7.6.c, C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: User credential that is flagged as stolen is denied access by policy.

C-7.1.d, C-7.2.d, C-7.3.d, C-7.4.d, C-7.5.d, C-7.6.d

Access Not Successful

Access Not Successful

Success: User credential and endpoint that are flagged as stolen are denied access by policy.

C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: User credential that is flagged as stolen is denied access by policy.

All D Use Cases

All demonstrations here are the same as B since the device is both authenticated and compliant. Note that the user is a contractor.

E-1.1.a,b

Access Successful

Access Successful

Success: Guests can access public resources and internet in accordance with policy using Forescout.

E-1.2.a,b

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

F-1.1.a, F-1.3.a

Session stays active

Session stays active

Success: If a user successfully reauthenticates when prompted, session remains active. If reauthentication fails, user will lose access to resources. Note: Default reauthentication period is 1 hour and is configurable to a shorter duration. However, Microsoft does not endorse short reauthentication periods. An alternative is to prompt for reauthentication to specific resources that are of higher sensitivity.

F-1.1.b, F-1.3.b

Session Terminated

Session Terminated

Success: If a user fails reauthentication, the user will lose access to resources.

F-1.2, F-1.5

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

F-1.4.a, F-1.6.a

Session stays active

Session stays active

Success: If a user successfully reauthenticates when prompted, session remains active. If reauthentication fails, user will lose access to resources. Note: Default reauthentication period is 1 hour and is configurable to a shorter duration. However, Microsoft does not endorse short reauthentication periods. An alternative is to prompt for reauthentication to specific resources that are of higher sensitivity.

F-1.4.b, F-1.6.b

Session Terminated

Session Terminated

Success: If a user fails reauthentication, the user will lose access to resources.

F-2.1.a, F-2.3.a, F-2.4.a, F-2.6.a

Session stays active

Session stays active

Success: Session stayed active with device reauthentication.

F-2.1.b, F-2.3.b, F-2.4.b, F-2.6.b

Session Terminated

Session Terminated

Success: Once device reauthentication fails, access to resources from the endpoint is lost.

F-2.2, F-2.5

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-3

N/A

N/A

For this build, resource authentication was not tested; if time permits we can test in the future.

F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a

Session stays active

Session stays active

Success: Requestor can continue with already established sessions with devices that remain compliant.

F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b

Session Terminated

N/A

Partial Success: While the session is not terminated immediately, continued access to the resource was blocked once the periodic compliance check determined the endpoint to be noncompliant.

F-4.2.a-b, F-4.5.a-b

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a

Access Not Successful

Access Not Successful

Success: Access was denied for the requestor’s noncompliant endpoints.

F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b

Access Successful

Access Successful

Success: Requestors were allowed access to resource with positive compliance determination.

F-5.2, F-5.5

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-6

N/A

N/A

For this build, this use case was not tested; if time permits we can test in the future.

F-7

N/A

N/A

For this build, this use case was not tested; if time permits we can test in the future.

F-8.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-8.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-8.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-8.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-8.3.a-l

Access Stopped

N/A

Unable to stop resource access on an unmanaged endpoint since the endpoint is guest and doesn’t have any management software.

F-9.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-9.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-9.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-9.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-9.3

N/A

N/A

Unable to stop resource access on an unmanaged endpoint since the endpoint is guest and doesn’t have any management software.

F-10.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. Enterprise user’s access disabled.

F-10.1.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-10.2.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. Enterprise user’s access disabled.

F-10.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-10.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. Enterprise user’s access disabled.

F-10.3.e-h, q-t, ac-af, ao-ar

N/A

N/A

Success: Demonstration successful. Enterprise user’s access disabled.

F-11.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. Enterprise user’s active session terminated.

F-11.1.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-11.2.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. Enterprise user’s active session terminated.

F-11.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-11.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. Enterprise user’s active session terminated.

F-11.3.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-12.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access not Successful

Access not Successful

Success: Demonstration successful. User’s access disabled.

F-12.1.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-12.2.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access not successful

Access not successful

Success: Demonstration successful. User’s access disabled.

F-12.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-12.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access not successful

Access not successful

Success: Demonstration successful. User’s access disabled.

F-12.3.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-13.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. User’s active session terminated.

F-13.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-13.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. User’s active session terminated.

F-14.1.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-14.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-14.2.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-14.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-14.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

F-15.1.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-15.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-15.2.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-15.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-15.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

F-16.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-16.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-16.2.a, c, d, f, g, i, j

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-16.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-16.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

F-17.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-17.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-17.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-17.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-17.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

G-1.1

N/A

N/A

Demonstration could not be completed. Chosen on-premises application in the lab does not provide authenticated API access to client applications using access tokens issued by an external authorization server.

G-1.2

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-2.1.a, e

Access successful

Access successful

Success: API calls using the appropriate Azure roles were successfully made to Azure IaaS.

G-2.1.b, f

Access not successful

Access not successful

Success: API calls from client apps without the right Azure roles were denied.

G-2.1.c, d

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-2.2.a, e

Access successful

Access successful

Success: API calls from client apps leveraging Azure AD as authorization server were successfully made to read Azure AD user profiles.

G-2.2.b, f

Access not successful

Access not successful

Success: API calls to update Azure AD user profiles from client apps without the right permissions were denied.

G-2.2.c, d

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-2.3.a, e

Access successful

Access successful

Success: API calls from client apps leveraging Azure AD as authorization server were successfully made to Outlook Online.

G-2.3.b, f

Access not successful

Access not successful

Success: API calls to Outlook Online from client apps without the correct permissions were denied.

G-2.3.c, d

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-3.1.a, c

Access successful

Access successful

Success: API calls from client apps leveraging Azure AD as authorization server and hosted on Azure VMs or Azure Functions were successfully made to manage Azure AD users and VMs.

G-3.1.b, d

Access not successful

Access not successful

Success: API calls from client apps hosted on Azure VMs or Azure Functions attempting to manage Azure AD users or Azure VMs without authorization were denied access.

G-3.1.e, f

N/A

N/A

For this build, this use case was not tested; if time permits we can test in the future.

G-3.2.a, c

Access successful

Access successful

Success: API calls from client apps leveraging Azure AD as authorization server and hosted on Azure VMs or Azure Functions were successfully made to manage Azure AD users and VMs.

G-3.2.b, d

Access not successful

Access not successful

Success: API calls from client apps hosted on Azure VMs or Azure Functions attempting to manage Azure AD users or Azure VMs without authorization were denied access.

G-3.2.e

Access successful

Access successful

Success: Microsoft Sentinel playbooks were used to make successful API calls to Azure AD.

G-3.2.f

N/A

N/A

For this build, this use case was not tested; if time permits we can test in the future.

G-3.3.a, c

Access successful

Access successful

Success: API calls from client apps leveraging Azure AD as authorization server and hosted on Azure VMs or Azure Functions were successfully made to manage Outlook online mail.

G-3.3.b, d

Access not successful

Access not successful

Success: API calls from client apps hosted on Azure VMs or Azure Functions attempting to manage mailboxes in Outlook Online without authorization were denied access.

G-3.3.e

Access Successful

Access Successful

Success: Microsoft 365 Defender Portal forwards alerts and incidents to Microsoft Sentinel.

G-3.3.f

N/A

N/A

For this build, this use case was not tested; if time permits we can test in the future.

G-5.1.a, c, d, f, m, o, p, r

Access Successful

Access Successful

Success: Microsoft Intune initiates various actions to endpoints.

G-5.1.b, e, n, q

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-5.1.g-l

N/A

N/A

In this build, services used to communicate with endpoints are SaaS and not PaaS.

H-1.1.a, H-1.2.c

Access Successful

N/A

Demonstration could not be completed as relevant access controls implemented were applicable only for SaaS apps and cloud resources.

H-1.1.b, H-1.2.d

Access Not Successful

N/A

Demonstration could not be completed as relevant access controls implemented were applicable only for SaaS apps and cloud resources.

H-1.3, H-1.4, H-1.7, H-1.8

N/A

N/A

Demonstration could not be completed as the build does not have a branch office.

H-1.5, H-1.6.a, H-1.9, H-1.10.a

Access Successful

Access Successful

Success: Access controls that allowed or blocked users were placed on data resources in the cloud. Access decisions were made based on level of data classification as well as the groups the users belonged to.

H-1.6.b, H-1.10.b

Access Not Successful

Access Not Successful

Success: Access controls were placed on data resources in the cloud that allowed or blocked users from accessing resources based on level of data classification as well as the groups the users belonged to.

H-2.1.a

N/A

N/A

Demonstration could not be completed. Required access controls applied to cloud resources only.

H-2.1.b

N/A

N/A

Demonstration could not be completed. Required access controls applied to cloud resources only.

H-2.2.a, H-2.3.a, H-2.4.a

Access Successful

Access Successful

Success: Access controls were applied to data in the cloud that allowed or blocked user access based on endpoint compliance. The data was differentiated by using separate directories to store data with differing classifications. Using an out-of-compliance endpoint would prevent access to data of high classification but not to data with low classification.

H-2.2.b, H-2.3.b, H-2.4.b

Access Restricted

Access Restricted

Success: Access controls were applied to data in the cloud that allowed or blocked user access based on endpoint compliance. The data was differentiated by using separate directories to store data with differing classifications. Using an out-of-compliance endpoint would prevent access to data of high classification but not to data with low classification.

H-3.1-3, H-3.7-9

N/A

N/A

Access controls could only be applied to data resources residing in the cloud and not to data resources on-premises.

H-3.4.g, H-3.6.k, H-3.10.s, H-3.12.w

Internet Access Not Successful

Internet Access Not Successful

Success: The trusted locations feature in Azure AD Conditional Access was used to define from which locations a user could access data based on its classification. Data was differentiated based on which folder object it resided in.

H-3.4.h, H-3.6.l, H-3.10.t, H-3.12.x

Internet Access Successful

Internet Access Successful

Success: The trusted locations feature in Azure AD Conditional Access was used to define from which locations a user could access data based on its classification. Data was differentiated based on which folder object it resided in.

H-3.5, H-3.8, H-3.11

N/A

N/A

Demonstration could not be completed as there is no branch office in this build.

H-4.1-3

N/A

N/A

Access controls could only be applied to data resources residing in the cloud and not to data resources on-premises.

H-4.4.g, H-4.6.k, H-4.10.s, H-4.12.w

Access Not Successful

Access Not Successful

Success: The authentication context feature along with Azure AD Conditional Access was implemented to classify data residing in the cloud and trigger MFA for a user seeking to access a folder object designated as sensitive.

H-4.4.h, H-4.6.l, H-4.10.t

Access Successful

Access Successful

Success: The authentication context feature along with Azure AD Conditional Access was implemented to classify data residing in the cloud and trigger MFA for a user seeking to access a folder object designated as sensitive.

H-4.5, H-4.8, H-4.11, H-4.12.x

N/A

N/A

Branch offices were not implemented in this build.

H-5.1

N/A

N/A

Build uses Microsoft Azure AD Privileged Management feature, which only applies to cloud resources.

H-5.2, H-5.3, H-5.4

Access Successful

Access Successful

Success: Microsoft Azure AD Privileged Access Management was used to define which users could request and be temporarily elevated to a privileged role or group allowing them to have JIT access to sensitive data and resources.

H-6.1.a, H-6.4.g, H-6.6.k

Operation Successful

Operation Successful

Success: Access controls were applied in SharePoint that gave the ability to view and download data based on user’s group membership.

H-6.1.b, H-6.4.h, H-6.6.l

Operation Denied

Operation Denied

Success: Access controls were applied in SharePoint that prevented modification and downloading of files based on the user’s group membership.

H-6.2, H-6.5

N/A

N/A

Demonstration could not be completed as there is no branch office in the build.

H-7.1-4

Download Successful

Download Successful

Success: Encryption was applied to data that was downloaded. The data required a password for decryption.

Enterprise 1 Build 4 (E1B4) - SDP - Appgate SDP Controller as PE Detailed Demonstration Results#

Table 4 lists the full demonstration results for SDP demonstrations run in Enterprise 1 Build 4 (E1B4). The technology deployed in E1B4 was able to determine endpoint compliance for Windows, Linux, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 4 - Detailed Demonstration Results for E1B4

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a, A-1.4.a

Access to Network

Access to specific resources

Success: Once a headless client is installed on a resource and policies are applied to it, Appgate can control communications to and from that resource. “Ring fencing,” which denies access to the resource via the resource’s firewall, can be configured.

Note: headless clients are leveraged to control outbound traffic, although inbound control is possible via “ring fencing.” Also note that headless clients are revalidated every five minutes for compliance.

A-1.1.b-d, A-1.4.b-d

No Access to Network

No Access to Network

Success: If onboarding is not completed, authentication fails, or compliance fails, the resource will not have access. Note: while policies can be applied to the resource to deny access to the network or other resources, Appgate recommends using server management technology to assess server health and security. That technology can then feed information about the resource to Appgate, which uses it to make policy decisions about user and endpoint access to that resource.

A-1.1.e, i, A-1.2.e, i, A-1.3.a, d, A-1.4.e

Access to Network

Access to Network

Success: EP logs on to Appgate agent. User is given access to specific resources that it is allowed to access, not the entire corporate network. Note: EP and BYOD are onboarded the same way by installing and logging onto an Appgate client.

A-1.1.f, j, A-1.2.f, j, A-1.3.b, e, A-1.4.f

Max. Limited Access to Network

Max. Limited Access to Network

Success: If compliance is not met, user will have access to limited resources. Once compliance is met, user will have access to all resources that are assigned based on policy. Note: EP and BYOD are onboarded the same way by installing and logging onto an Appgate client.

A-1.1.g, k, A-1.2.g, k, A-1.3.c, f, A-1.4.g

No Access to Network

No Access to Network

Success: If user does not successfully authenticate to Appgate, there is no access to network resources. Note: EP and BYOD are onboarded the same way by installing and logging onto an Appgate client.

A-1.1.h, l, m, A-1.2.h, l, m

Access to Public Network

Access to Public Network

Success: User who is not onboarded will have access to the guest Wi-Fi, which allows public network access. All devices that are not onboarded are treated as guests. These devices will have access to the public network.

A-1.2.a-d

N/A

N/A

Currently, there are no resources in the branch office. However, configuration would be identical to resources that are on-prem.

A-2.1.a-c, A-2.2.a-c, A-2.4.a-c

N/A

N/A

Note: Once a headless client is authenticated, it reauthenticates automatically using PKI or stored credentials. Headless clients are re-evaluated every five minutes for compliance.

A-2.1.d, g, A-2.2.d, g, A-2.3.a, d, A-2.4.d

Access to Network

Access to Network

Success: EP logs on to Appgate agent again after it expires. User is given access to resources that it is allowed once reauthentication is successful.

A-2.1.e, h, A-2.2.f, j, A-2.3.b, e, A-2.4.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: After reauthentication, if compliance is not met, user will have access to limited resources only. Once compliance is met, user will have access to all resources that are assigned based on policy. Note: compliance validation is performed when user reauthenticates and it is set to five minutes. If compliance fails, EP will have limited access.

A-2.1.f, i, A-2.2.f, i, A-2.3.c, f, A-2.4.f

Terminate Access to Network

No Access to Network

Success: If user does not successfully reauthenticate to Appgate, there is no access to network resources.

A-2.1.h, A-2.2.h

Access to Public Network

Access to Public Network

Success: User who is not onboarded will have access to the guest Wi-Fi, which allows public network access.

All of A-3

API call is recorded

Logs contain relevant API information

Success: Appgate sends all logs to IBM QRadar.

B-1.1-6.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a

Access Successful

Access Successful

Success: For both laptop and mobile endpoints, user access to resource RSS1 was successful, with user and endpoint passing authN/authZ and compliance. RSS1 is compliant. A policy is set to check RSS1’s compliance prior to allowing access for E1. If RSS1 is not compliant, E1 is denied access to RSS1.

Note: For all B-1 use cases, it does not matter where the user’s device resides; Appgate policies dictate what resources a user can access. In our use cases, user devices will function the same way on-prem, at a branch office, or a remote site.

B-1.1-6.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b

Access Successful

Access Successful

Success: For both laptop and mobile endpoints, user access to resource RSS1 was successful, with user and endpoint passing authN/authZ and compliance. RSS2 is compliant. A policy is set to check RSS2’s compliance prior to allowing access for E1. If RSS2 is not compliant, E1 is denied access to RSS2. For E1 access to RSS1, there is no route to RSS1 from E1. A user would not have access out of its device to RSS2.

B-1.1-6.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to Appgate due to a failed authentication.

B-1.1-6.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d

Access Not Successful

Access Not Successful

Success: For both laptop and mobile endpoints, user access for E2 to resource RSS1 was not successful. Since there is no policy for E2 to access resource RSS1, there is no route out of E2. If E2 tries to reach RSS1, the browser will show “This site cannot be reached” because browser traffic was not able to leave E2.

B-1.1-6.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e

Access Successful

Access Successful

Success: For both laptop and mobile endpoints, user access to resource RSS1 was successful, with user and endpoint passing authN/authZ and compliance. Policies applied to RSS2 allow access from the user.

B-1.1-6.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource with a failed authentication.

B-1.1-6.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource with a failed authentication.

B-1.1-6.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h

Access Successful

Access Successful

Success: Resource session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated.

B-1.1-6.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i

Access Not Successful

Access Not Successful

Success: After session timeout, user tried to log in with an incorrect password and was denied.

B-1.1-6.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j

Access Not Successful

Access Not Successful

Success: Device posture failure detected, so access was denied.

B-1.1-6.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k

Access Limited

Access Not Successful

Partial success: Access to RSS2 is blocked. Currently cannot perform limited access.

B-1.1-6.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m

Access Denied

Access Denied

Success: User was denied access because the endpoint was noncompliant. Device posture failure detected. Currently cannot perform limited access.

B-1.1-6.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p

N/A

N/A

When accessing a resource, resource compliance is checked. If resource is not compliant, Appgate client will deny endpoint access to resource. However, if user does not have a policy to access the resource, the endpoint will be denied access regardless of the resource’s compliance state.

B-2

N/A

N/A

For this build, Appgate does not manage access to internet sites. Appgate does not provide SWG/CASB functionality, but can control access to public internet sites at the network level.

Enterprises that require this capability normally use Appgate Always-On to control/route all egress traffic through Appgate and onsite proxies/inspection tools.

B-3.1.a, B-3.4.a, B-3.5.a

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.b, B-3.4.b, B-3.5.b

Real Req Fail

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.4.c, B-3.5.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

Note: Appgate can limit the number of concurrent logins from a single user, limit the number of allowed devices per user, and limit connections using IP-based geolocation. GeoIP accuracy may be reduced on WiFi and mobile networks.

B-3.1.d, B-3.4.d, B-3.5.d

Real Request Keep Access, Deny Access to Hostile Request

Real Request Keep Access, Deny Access to Hostile Request

Success: Existing access is maintained. The hostile user failed authentication; there is no access.

B-3.1.e, B-3.4.e, B-3.5.e

Hostile Request Successful

Hostile Request Successful

Success: Hostile Request successfully authenticated.

B-3.1.f, B-3.4.f, B-3.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.g, B-3.4.g, B-3.5.g

Real Request Fail, Hostile Request Access Limited

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. Please see B-3.1.c for capabilities.

B-3.1.h, B-3.4.h, B-3.5.h

Real Request Fail, Hostile Request remains authenticated

Real Request Fail, Hostile Request remains authenticated

Success: Existing access is maintained, unsuccessful authentication is blocked. Please see B-3.1.c for capabilities.

B-3.1.i, B-3.4.i, B-3.5.i

Real Req Success

Real Req Success

Success: Real Request successfully authenticated. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.j, B-3.4.j, B-3.5.j

Real Request remains authenticated, Hostile Request Fail

Real Request remains authenticated, Hostile Request Fail

Success: In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users. Please see B-3.1.c for capabilities.

B-3.1.k, B-3.4.k, B-3.5.k

Hostile Request Fail

Hostile Request Fail

Success: Incorrect credentials were entered, and the Hostile Request failed as expected. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.l, B-3.4.l, B-3.5.l

Real Request Access Successful

Real Request Access Successful

Success: Real Request successfully reauthenticated. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.m, B-3.4.m, B-3.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Incorrect credentials were entered for reauthentication, and the Hostile Request failed as expected. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.n, B-3.4.n, B-3.5.n

N/A

N/A

In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.o, B-3.4.o, B-3.5.o

N/A

N/A

In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users. Real user should receive new credentials.

B-4

All results for B-4 are the same as B-1.

B-5

N/A

N/A

Appgate does not manage access to internet sites. Other tools are needed to manage access to the internet.

B-6

All results for B-6 are the same as B-3.

B-7

Success

Partial Success

Partial Success: Just-in-time privileges can be manually completed in Appgate to allow a user to access a resource. However, just-in-time access privileges with automation are not tested and require integration with other zero trust tools which have the capabilities to manage user attributes and notify the Appgate system.

| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| B-8 | N/A | N/A | Appgate does not have the ability to control a resource's privileges. If a resource is considered sensitive, Appgate can create a policy to prompt the user to provide an extra authentication method prior to accessing the resource. |
| All C Use Cases | N/A | N/A | No Federated-ID setup yet; will be part of a future phase. |
| All D Use Cases | | | All D use cases are the same as the B use cases. |
| All E Use Cases | N/A | N/A | Appgate SDP considers this out of scope for their products. Other technologies should be used to perform this. |
| F-1.1.a, F-1.2.a, F-1.3.a, F-1.4.a, F-1.5.a, F-1.6.a | Success | Success | Success: When Appgate prompts for reauthentication and the user authenticates successfully, the session remains active. If authentication fails, the user loses access to resources. Note: The default reauthentication period is 24 hours and is configurable to a shorter duration. However, Appgate does not endorse short reauthentication periods because of the impact on user experience. An alternative is to prompt for reauthentication only for specific resources of higher criticality. |
| F-1.1.b, F-1.2.b, F-1.3.b, F-1.4.b, F-1.5.b, F-1.6.b | Success | Success | Success: When Appgate prompts for reauthentication and authentication fails, the user loses access to resources. The Appgate client shows the failed authentication, and no resources appear in the client. |
| F-2 | Success | Success | Success: Results are the same as F-1. Appgate authenticates the user and validates the device when the user logs onto the Appgate agent, and periodically revalidates the device and the user authentication and/or MFA based on configuration. |
| F-3 | Success | Partial Success | Partial Success: Once a headless client is authenticated, it reauthenticates automatically using PKI or stored credentials. However, compliance checks are performed periodically. If compliance fails, the user loses access within five minutes. |
| F-4 | Success | Success | Success: Device compliance is checked periodically (set to every five minutes). If compliance fails, Appgate policies deny access to resources. |
| F-5 | Success | Success | Success: Device compliance is checked periodically. If compliance fails, Appgate policies deny access to resources. Once the endpoint is compliant again, Appgate allows access. Note: Compliance is checked every five minutes, so restoring access may take up to five minutes after the device becomes compliant again. |
| F-6, F-7, F-8, F-9 | N/A | N/A | Appgate does not have this capability. |
| F-10, F-12 | N/A | N/A | Appgate policies dictate whether a user has access to a resource. If there is no policy allowing a user to access a resource and the user attempts to reach it, the attempt either cannot leave the end device or is denied by the Appgate Gateway. If there is no route to the resource, the request never leaves the endpoint; for example, if a user types the URL of such a resource into a browser, the browser returns "This site cannot be reached" because the traffic could not leave the device. If a policy allows access to a resource via HTTPS only and the user tries to SSH to that resource, the gateway denies the SSH connection. |
| F-11, F-13 | N/A | N/A | Appgate does not manage access to internet sites. Other tools are needed to manage access to the internet. |
| F-14, F-15, F-16, F-17 | N/A | N/A | Appgate does not allow any traffic past the Appgate Gateway if there is no policy allowing that specific access for the user. Logs of these attempts are provided to the SIEM. Note: The SIEM can trigger a security event, which Appgate can consume to further restrict that user's access by deeming them more risky. |
| G-1.1.a, e | Access Successful | Access Successful | Success: For all service-to-service use cases, headless clients are installed on resources to check compliance and risk score and to control communication in and out of that resource. The headless client uniquely identifies both the credentials and the workload. Policy at the subject location allows the subject to reach the resource, and policies on the resource allow access by the subject. |
| G-1.1.b, f | Access Not Successful | Access Not Successful | Success: Based on policy, the subject was denied from communicating with the resource. |
| G-1.1.c-d | N/A | N/A | There are no resources currently deployed at a branch location, so these tests were not performed. However, the results of a subject at a branch location attempting to reach an on-prem resource would be the same as use case G-1.1.a because installation and policies are applied the same way. |
| G-1.1.g | Access Successful | Access Successful | Success: A PaaS solution was deployed and policies applied. Access was successful. |
| G-1.1.h | Access Not Successful | Access Not Successful | Success: A PaaS solution was deployed and policies applied. Access to the resource was denied based on policy. |
| G-1.1.i-j | N/A | N/A | SaaS solutions that allow for Conditional Access can be restricted to Appgate-enabled clients. SaaS that has no option for IP whitelisting cannot be protected by Appgate. Enterprise 1 does not have such a SaaS solution. Optionally, "ring fencing" can be applied to the on-prem resource to allow or deny communications from the SaaS solution. |
| G-1.2.a-j | N/A | N/A | There are no resources at a branch location, so these tests were not performed. However, Appgate would deploy policies the same way as for on-prem resources to protect resources at a branch location, and an Appgate client would be installed on these resources. |
| G-2.1.a | Access Successful | Access Successful | Success: Policy at the subject location allows the subject to reach the resource in IaaS. |
| G-2.1.b | Access Not Successful | Access Not Successful | Success: Based on policy, the subject was denied from communicating with the resource. |
| G-2.1.c-f, G-2.2.c-f, G-2.3.c-f | N/A | N/A | There are no resources currently deployed at a branch or remote location, so these tests were not performed. However, the results of a subject at a branch or remote location attempting to reach a cloud resource would be the same as use case G-1.1.a because installation and policies are applied the same way. |
| G-2.2 | N/A | N/A | A PaaS resource was created within AWS to show communication from PaaS to an on-prem protected resource. Connections to the PaaS workload from outside the cluster can be protected by the PEP located in AWS. Therefore, G-2.2 results would be the same as G-2.1. |
| G-2.3 | N/A | N/A | These use cases depend on the SaaS provider's ability to enforce IP-based conditional access. If this option is used, SaaS-bound traffic flows through an Appgate PEP for policy enforcement. This build does not currently have a SaaS application to demonstrate. |
| G-3 | Access Successful | Partial Success | Partial Success: Successful for IaaS and PaaS. These use cases depend on the cloud provider's ability to enforce IP-based conditional access. If this option is used, cloud-bound traffic flows through an Appgate PEP for policy enforcement. This build does not currently have a SaaS application to demonstrate. |
| G-4.1.a, b, e, f | N/A | N/A | Although this can be done, Appgate does not recommend deploying this solution, as it can add significant latency to intra-cluster communication. |
| G-4.1.c | Access Successful | Access Successful | Success: A Kubernetes cluster was deployed, and an Appgate sidecar enforced the policies applied to the cluster. Access was successful. |
| G-4.1.d | Access Not Successful | Access Not Successful | Success: A Kubernetes cluster was deployed, and an Appgate sidecar enforced the policies applied to the cluster. Access was denied due to policy. |
| G-5.1.a-f | Access Successful | Access Successful | Success: Access was successful by applying policy to allow access from the service to the endpoint. |
| G-5.1.g | Access Successful | Access Successful | Success: Access was successful by applying policy to allow access from the service to the endpoint. |
| G-5.1.h-l | Access Successful | Access Successful | Success: The results are the same as G-5.1.g since the policy is applied to the resource only. |
| G-5.1.m-r | N/A | N/A | These use cases cannot be performed. Appgate does not have the capability to protect SaaS-initiated connections to resources. |

Enterprise 2 Build 4 (E2B4) - SDP and SASE - Symantec Cloud Secure Web Gateway, Symantec ZTNA, and Symantec Cloud Access Security Broker as PEs Detailed Demonstration Results

Table 5 lists the full results for SDP and SASE demonstrations run in Enterprise 2 Build 4 (E2B4). The technology deployed in E2B4 was able to determine endpoint compliance for Windows, Linux, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 5 - Detailed Demonstration Results for E2B4

| Demo ID | Expected Outcome | Observed Outcome | Comments |
|---|---|---|---|
| A-1.1.a-d, A-1.4.a-d, A-2.1.a-c, A-2.4.a-c, A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b | N/A | N/A | RSS management and compliance capabilities were not included in this build. |
| A-1.1.e, A-1.1.i, A-1.4.e | Access to Network | Access to Network | Success: Endpoint successfully authenticated and was granted access to the network. |
| A-1.1.f, A-1.1.j, A-1.4.f | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint successfully authenticated but was noncompliant. Endpoint was granted limited access to the network. |
| A-1.1.g, A-1.1.k, A-1.4.g | No Access to Network | No Access to Network | Success: Endpoint failed to authenticate and was blocked from accessing the network. |
| A-1.1.h, A-1.1.l, A-1.1.m | N/A | N/A | Unmanaged/guest device management capabilities are not included in this build. To control network access for unmanaged/guest devices, network traffic can be forwarded to the Symantec Cloud Secure Web Gateway for policy enforcement. |
| A-1.2, A-2.2 | N/A | N/A | Branch office is not available for Enterprise 2. |
| A-1.3.a, A-1.3.d | Access to Network | Access to Network | Success: Remote endpoint successfully authenticated and was granted access to the network. |
| A-1.3.b, A-1.3.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: Remote endpoint successfully authenticated and was granted limited access to the network. |
| A-1.3.c, A-1.3.f | No Access to Network | No Access to Network | Success: Endpoint failed to authenticate and was blocked from accessing the network. |
| A-2.1.d, A-2.1.g, A-2.3.a, A-2.3.d, A-2.4.d | Keep Access to Network | Keep Access to Network | Success: Endpoint successfully reauthenticated and retained access to the network. |
| A-2.1.e, A-2.1.h, A-2.3.b, A-2.3.e, A-2.4.e | Max. Limited Access to Network | Max. Limited Access to Network | Success: Endpoint successfully reauthenticated but was noncompliant. Endpoint received limited access to the network. |
| A-2.1.f, A-2.1.i, A-2.3.c, A-2.3.f, A-2.4.f | Terminate Access to Network | Terminate Access to Network | Success: Endpoint failed authentication and was blocked from accessing the network. |
| A-3.1.a, A-3.2.a, A-3.5.a, A-3.6.a | User request and action is recorded | User request and action is recorded | Success: Symantec ZTNA logged each individual action that the user performed. |
| A-3.3, A-3.4 | N/A | N/A | Branch office was not available in Enterprise 2. |
| B-1.1.a, B-1.3.a, B-1.4.a, B-1.6.a, B-4.1.a, B-4.3.a, B-4.4.a, B-4.6.a, D-1.1.a, D-1.3.a, D-1.4.a, D-1.6.a, D-4.1.a, D-4.3.a, D-4.4.a, D-4.6.a | Access Successful | Access Successful | Success: User successfully authenticated and was granted access to RSS1. |
| B-1.1.b, B-1.3.b, B-1.4.b, B-1.6.b, B-4.1.b, B-4.3.b, B-4.4.b, B-4.6.b, D-1.1.b, D-1.3.b, D-1.4.b, D-1.6.b, D-4.1.b, D-4.3.b, D-4.4.b, D-4.6.b | Access Successful | Access Successful | Success: User successfully authenticated and was granted access to RSS2. |
| B-1.1.c, B-1.3.c, B-1.4.c, B-1.6.c, B-4.1.c, B-4.3.c, B-4.4.c, B-4.6.c, D-1.1.c, D-1.3.c, D-1.4.c, D-1.6.c, D-4.1.c, D-4.3.c, D-4.4.c, D-4.6.c | Access Not Successful | Access Not Successful | Success: User failed authentication and was denied access. |
| B-1.1.d, B-1.3.d, B-1.4.d, B-1.6.d, B-4.1.d, B-4.3.d, B-4.4.d, B-4.6.d, D-1.1.d, D-1.3.d, D-1.4.d, D-1.6.d, D-4.1.d, D-4.3.d, D-4.4.d, D-4.6.d | Access Not Successful | Access Not Successful | Success: User successfully authenticated but was denied access to RSS1 due to policy. |
| B-1.1.e, B-1.3.e, B-1.4.e, B-1.6.e, B-4.1.e, B-4.3.e, B-4.4.e, B-4.6.e, D-1.1.e, D-1.3.e, D-1.4.e, D-1.6.e, D-4.1.e, D-4.3.e, D-4.4.e, D-4.6.e | Access Successful | Access Successful | Success: User successfully authenticated and was granted access to RSS2. |
| B-1.1.f, B-1.3.f, B-1.4.f, B-1.6.f, B-4.1.f, B-4.3.f, B-4.4.f, B-4.6.f, D-1.1.f, D-1.3.f, D-1.4.f, D-1.6.f, D-4.1.f, D-4.3.f, D-4.4.f, D-4.6.f | Access Not Successful | Access Not Successful | Success: User failed authentication and was denied access. |
| B-1.1.g, B-1.3.g, B-1.4.g, B-1.6.g, B-4.1.g, B-4.3.g, B-4.4.g, B-4.6.g, D-1.1.g, D-1.3.g, D-1.4.g, D-1.6.g, D-4.1.g, D-4.3.g, D-4.4.g, D-4.6.g | Access Not Successful | Access Not Successful | Success: User failed authentication and was denied access. |
| B-1.1.h, B-1.3.h, B-1.4.h, B-1.6.h, B-4.1.h, B-4.3.h, B-4.4.h, B-4.6.h, D-1.1.h, D-1.3.h, D-1.4.h, D-1.6.h, D-4.1.h, D-4.3.h, D-4.4.h, D-4.6.h | Access Successful | Access Successful | Success: User successfully reauthenticated and was granted access to RSS1. |
| B-1.1.i, B-1.3.i, B-1.4.i, B-1.6.i, B-4.1.i, B-4.3.i, B-4.4.i, B-4.6.i, D-1.1.i, D-1.3.i, D-1.4.i, D-1.6.i, D-4.1.i, D-4.3.i, D-4.4.i, D-4.6.i | Access Not Successful | Access Not Successful | Success: User failed reauthentication and was denied access. |
| B-1.1.j, B-1.3.j, B-1.4.j, B-1.6.j, B-4.1.j, B-4.3.j, B-4.4.j, B-4.6.j, D-1.1.j, D-1.3.j, D-1.4.j, D-1.6.j, D-4.1.j, D-4.3.j, D-4.4.j, D-4.6.j | Access Not Successful | Access Not Successful | Success: User successfully reauthenticated, but the endpoint was noncompliant. User was denied access to RSS1. |
| B-1.1.k, B-1.3.k, B-1.4.k, B-1.6.k, B-4.1.k, B-4.3.k, B-4.4.k, B-4.6.k, D-1.1.k, D-1.3.k, D-1.4.k, D-1.6.k, D-4.1.k, D-4.3.k, D-4.4.k, D-4.6.k | Access Limited | Access Not Successful | Partial Success: User successfully reauthenticated, but the endpoint was noncompliant. User was denied access to RSS2. Limited access would require a level of integration with RSS2 that is not available in this build. |
| B-1.1.l-m, B-1.3.l-m, B-1.4.l-m, B-1.6.l-m, B-4.1.l-m, B-4.3.l-m, B-4.4.l-m, B-4.6.l-m, D-1.1.l-m, D-1.3.l-m, D-1.4.l-m, D-1.6.l-m, D-4.1.l-m, D-4.3.l-m, D-4.4.l-m, D-4.6.l-m | Access Not Successful | Access Not Successful | Success: User successfully reauthenticated, but the endpoint was noncompliant. User was denied access to the resource. |
| B-1.1.n-p, B-1.3.n-p, B-1.4.n-p, B-1.6.n-p, B-4.1.n-p, B-4.3.n-p, B-4.4.n-p, B-4.6.n-p, D-1.1.n-p, D-1.3.n-p, D-1.4.n-p, D-1.6.n-p, D-4.1.n-p, D-4.3.n-p, D-4.4.n-p, D-4.6.n-p | N/A | N/A | RSS management and compliance capabilities are not included in this build. |
| B-1.2, B-1.5, B-2.2, B-3.2, B-3.3, B-4.2, B-4.5, B-5.2, B-6.2, B-6.3, D-1.2, D-1.5, D-2.2, D-3.2, D-3.3, D-4.2, D-4.5, D-5.2, D-6.2, D-6.3 | N/A | N/A | Branch office was not available in Enterprise 2. |
| B-2.1.a-d, B-2.1.g, B-2.1.k, B-2.1.n, B-2.3.a-d, B-2.3.g, B-2.3.k, B-2.3.n, B-5.1.a-d, B-5.1.g, B-5.1.k, B-5.1.n, B-5.3.a-d, B-5.3.g, B-5.3.k, B-5.3.n, D-2.1.a-d, D-2.1.g, D-2.1.k, D-2.1.n, D-2.3.a-d, D-2.3.g, D-2.3.k, D-2.3.n, D-5.1.a-d, D-5.1.g, D-5.1.k, D-5.1.n, D-5.3.a-d, D-5.3.g, D-5.3.k, D-5.3.n | Access Successful | Access Successful | Success: User successfully authenticated/reauthenticated and was allowed access to the URL based on policy. |
| B-2.1.e, B-2.1.j, B-2.1.l, B-2.3.e, B-2.3.j, B-2.3.l, B-5.1.e, B-5.1.j, B-5.1.l, B-5.3.e, B-5.3.j, B-5.3.l, D-2.1.e, D-2.1.j, D-2.1.l, D-2.3.e, D-2.3.j, D-2.3.l, D-5.1.e, D-5.1.j, D-5.1.l, D-5.3.e, D-5.3.j, D-5.3.l | Access Not Successful | Access Not Successful | Success: User failed authentication/reauthentication and was denied access to the URL. |
| B-2.1.f, B-2.3.f, B-5.1.f, B-5.3.f, D-2.1.f, D-2.3.f, D-5.1.f, D-5.3.f | Access Not Successful | Access Not Successful | Success: User successfully authenticated but was denied access to the URL due to policy. |
| B-2.1.h-i, B-2.3.h-i, B-5.1.h-i, B-5.3.h-i, D-2.1.h-i, D-2.3.h-i, D-5.1.h-i, D-5.3.h-i | Access Not Successful | Access Not Successful | Success: User successfully authenticated but was denied access to the URL because the request was outside of access hours. |
| B-2.1.m, B-2.1.o-p, B-2.3.m, B-2.3.o-p, B-5.1.m, B-5.1.o-p, B-5.3.m, B-5.3.o-p, D-2.1.m, D-2.1.o-p, D-2.3.m, D-2.3.o-p, D-5.1.m, D-5.1.o-p, D-5.3.m, D-5.3.o-p | Access Not Successful | Access Not Successful | Success: User successfully authenticated but was denied access to the URL due to endpoint noncompliance. |
| B-3.1.a, B-3.1.i, B-3.1.l, B-3.4.a, B-3.4.i, B-3.4.l, B-3.5.a, B-3.5.i, B-3.5.l, B-6.1.a, B-6.1.i, B-6.1.l, B-6.4.a, B-6.4.i, B-6.4.l, B-6.5.a, B-6.5.i, B-6.5.l, D-3.1.a, D-3.1.i, D-3.1.l, D-3.4.a, D-3.4.i, D-3.4.l, D-3.5.a, D-3.5.i, D-3.5.l, D-6.1.a, D-6.1.i, D-6.1.l, D-6.4.a, D-6.4.i, D-6.4.l, D-6.5.a, D-6.5.i, D-6.5.l | Real Req Success | Real Req Success | Success: Real User successfully authenticated/reauthenticated and was granted access to the resource. |
| B-3.1.b, B-3.4.b, B-3.5.b, B-6.1.b, B-6.4.b, B-6.5.b, D-3.1.b, D-3.4.b, D-3.5.b, D-6.1.b, D-6.4.b, D-6.5.b | Real Req Not Successful | Real Req Not Successful | Success: Real User failed authentication and was not granted access to the resource. |
| B-3.1.c, B-3.1.g, B-3.4.c, B-3.4.g, B-3.5.c, B-3.5.g, B-6.1.c, B-6.1.g, B-6.4.c, B-6.4.g, B-6.5.c, B-6.5.g, D-3.1.c, D-3.1.g, D-3.4.c, D-3.4.g, D-3.5.c, D-3.5.g, D-6.1.c, D-6.1.g, D-6.4.c, D-6.4.g, D-6.5.c, D-6.5.g | N/A | N/A | Unable to complete demonstration. The current build does not have the capability to differentiate between the Real Request and the Hostile Request in this context. Changing access level mid-session and blocking new sessions is not in scope for this build. |
| B-3.1.d, B-3.4.d, B-3.5.d, B-6.1.d, B-6.4.d, B-6.5.d, D-3.1.d, D-3.4.d, D-3.5.d, D-6.1.d, D-6.4.d, D-6.5.d | Real Req Keep Access, Hostile Req Not Successful | Real Req Keep Access, Hostile Req Not Successful | Success: Real User retained access; Hostile User failed authentication, and access was denied. |
| B-3.1.e, B-3.4.e, B-3.5.e, B-6.1.e, B-6.4.e, B-6.5.e, D-3.1.e, D-3.4.e, D-3.5.e, D-6.1.e, D-6.4.e, D-6.5.e | Hostile Req Access Successful | Hostile Req Access Successful | Success: Hostile User successfully authenticated and was granted access to the resource. |
| B-3.1.f, B-3.4.f, B-3.5.f, B-6.1.f, B-6.4.f, B-6.5.f, D-3.1.f, D-3.4.f, D-3.5.f, D-6.1.f, D-6.4.f, D-6.5.f | Hostile Req Not Successful | Hostile Req Not Successful | Success: Hostile User failed authentication, and access was denied. |
| B-3.1.h, B-3.4.h, B-3.5.h, B-6.1.h, B-6.4.h, B-6.5.h, D-3.1.h, D-3.4.h, D-3.5.h, D-6.1.h, D-6.4.h, D-6.5.h | Real Req Not Successful, Hostile Req Keep Access | Real Req Not Successful, Hostile Req Keep Access | Success: Real User failed authentication and was denied access to the resource. Hostile User retained access. |
| B-3.1.j, B-3.4.j, B-3.5.j, B-6.1.j, B-6.4.j, B-6.5.j, D-3.1.j, D-3.4.j, D-3.5.j, D-6.1.j, D-6.4.j, D-6.5.j | Real Req Keep Access, Hostile Req Not Successful | Real Req Keep Access, Hostile Req Not Successful | Success: User credentials were reported stolen, and new credentials were issued to the Real User. Real User retained access; Hostile User failed authentication, and access was denied. |
| B-3.1.k, B-3.1.m, B-3.4.k, B-3.4.m, B-3.5.k, B-3.5.m, B-6.1.k, B-6.1.m, B-6.4.k, B-6.4.m, B-6.5.k, B-6.5.m, D-3.1.k, D-3.1.m, D-3.4.k, D-3.4.m, D-3.5.k, D-3.5.m, D-6.1.k, D-6.1.m, D-6.4.k, D-6.4.m, D-6.5.k, D-6.5.m | Hostile Req Not Successful | Hostile Req Not Successful | Success: User credentials were reported stolen. Hostile User failed authentication/reauthentication, and access was denied. |
| B-3.1.n-o, B-3.4.n-o, B-3.5.n-o, B-6.1.n-o, B-6.4.n-o, B-6.5.n-o, D-3.1.n-o, D-3.4.n-o, D-3.5.n-o, D-6.1.n-o, D-6.4.n-o, D-6.5.n-o | All Sessions Terminated | All Sessions Terminated | Success: User credentials were reported stolen. All existing access sessions were terminated. |
| B-7, D-7 | Success | Partial Success | Partial Success: Just-in-time privileges can be manually completed to allow a user to access a resource. Symantec ZTNA provides an API to allow automated just-in-time provisioning, which can be integrated with other zero trust tools. |
| B-8, D-8 | N/A | N/A | Step-up authentication is not available for this build. However, Symantec CloudSOC can provide step-up authentication when users access SaaS applications. |
| All C Use Cases | N/A | N/A | Federation will be performed in future builds. |
| All E Use Cases | N/A | N/A | Unmanaged/guest device internet traffic capabilities are not included in this build. To control network access for unmanaged/guest devices, network traffic can be forwarded to the Symantec Cloud Secure Web Gateway for policy enforcement. |
| F-1.1.a, F-1.3.a, F-1.4.a, F-1.6.a | Session stays active | Session stays active | Success: User successfully reauthenticated, and access was retained. |
| F-1.1.b, F-1.3.b, F-1.4.b, F-1.6.b | Session will be terminated | Session will be terminated | Success: User failed reauthentication, and access to the RSS was denied. |
| F-2 | Success | Success | In this build, user and endpoint authentication are linked. Therefore, results are the same as F-1. |
| F-3 | N/A | N/A | RSS management and compliance capabilities are not included in this build. |
| F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a | Session stays active | Session stays active | Success: Endpoint remained in compliance, and the session stayed active. |
| F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b | Session will be terminated | Session will be terminated | Success: Endpoint became noncompliant, and the access session was terminated. |
| F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a | Access Not Successful | Access Not Successful | Success: Endpoint remained noncompliant, and access was not successful. |
| F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b | Access Successful | Access Successful | Success: Endpoint became compliant, and access was successful. |
| F-1.2, F-2.2, F-4.2, F-5.2 | N/A | N/A | Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises, or to resources based in the cloud. |
| F-6, F-7, F-8, F-9, F-10, F-11, F-12, F-13, F-14, F-15, F-16, F-17 | N/A | N/A | The capabilities to demonstrate these scenarios are not included in this build. The individual actions described can be detected and blocked, but an additional SOAR capability would need to be integrated to complete the scenarios. |
| All G Use Cases | N/A | N/A | Service-to-service communication capabilities are not included in this build. |
| H-1.1.a-b, H-1.2.c, H-1.5.i-j, H-1.6.k, H-1.9.q-r, H-1.10.s | Access Successful | Access Successful | Success: User was granted access to data based on policy. |
| H-1.2.d, H-1.6.l, H-1.10.t | Access Not Successful | Access Not Successful | Success: User was denied access to data based on policy. |
| H-1.3, H-1.4, H-1.7, H-1.8 | N/A | N/A | Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises, or to resources based in the cloud. |
| H-2.1.a, H-2.2.c | Access Successful | Access Successful | Success: User was successfully granted access to data based on policy. |
| H-2.1.b, H-2.2.d | Access Restricted | Access Restricted | Success: User access to data was successfully restricted based on policy. |
| H-2.3, H-2.4 | N/A | N/A | PaaS and SaaS services were not available for testing with Enterprise 2. |
| H-3.1.a, H-3.3.e, H-3.4.g, H-3.6.k, H-3.7.m, H-3.9.q, H-3.10.s, H-3.12.w | Internet Access Not Successful | File Upload/Data Transfer Blocked | Partial Success: While internet access was not restricted, Symantec DLP successfully blocked data with a high level of classification from being uploaded or transferred to the internet. |
| H-3.1.b, H-3.3.f, H-3.4.h, H-3.6.l, H-3.7.n, H-3.9.r, H-3.10.t, H-3.12.x | Internet Access Successful | Internet Access Successful | Success: Internet access was successful when accessing/transferring data with a low level of classification. |
| H-3.2, H-3.5, H-3.8, H-3.11 | N/A | N/A | Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises, or to resources based in the cloud. |
| H-6.1.a-b, H-6.3.e, H-6.4.g, H-6.6.k | Operation Successful | Operation Successful | Success: User successfully performed the data operation. |
| H-6.3.f, H-6.5.j, H-6.6.l | Operation Denied | Operation Denied | Success: Data operation was denied based on endpoint type or subject location. |
| H-6.2, H-6.5 | N/A | N/A | Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-premises, or to resources based in the cloud. |
| H-4, H-5, H-7 | N/A | N/A | Capabilities to demonstrate this scenario are not included in this build. |

Enterprise 3 Build 4 (E3B4) - SDP - F5 BIG-IP, F5 NGINX Plus, Forescout eyeControl, and Forescout eyeExtend as PEs Detailed Demonstration Results

Table 6 lists the full demonstration results for SDP demonstrations run in Enterprise 3 Build 4 (E3B4). The technology deployed in E3B4 was able to determine endpoint compliance for Windows, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 6 - Detailed Demonstration Results for E3B4

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-d

Access to Network

Access to Network

Success: Resource had access to network in accordance with Forescout policy.

A-1.1.b, A-1.1.c, A-1.1.g

No Access to Network

No Access to Network

Partial success: In the current configuration, the endpoint had access limited to the local subnet in accordance with Forescout policy.

A-1.1.d

No Access to Network

N/A

Demonstration could not be completed. By Scenario A-1 definition, a resource has already undergone onboarding.

A-1.1.e

Access to Network

Access to Network

Success: Endpoint had access to network in accordance with Forescout policy.

A-1.1.f

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with Forescout policy.

A-1.1.h

Access to Public Network

N/A

Demonstration could not be completed. By Scenario A-1 definition, an endpoint has already undergone onboarding.

A-1.1.i

Access to Network

Access to Network

Success: BYOD had access to network in accordance with Forescout policy.

A-1.1.j

Limited Access to Network

Limited Access to Network

Success: Endpoint had access limited to the local subnet in accordance with Forescout policy.

A-1.1.k

No Access to Network

No Access to Network

Partial success: In the current configuration, the endpoint had access limited to the local subnet in accordance with Forescout policy.

A-1.1.l

Access to Public Network

N/A

Demonstration cannot be completed. By Scenario A-1 definition, the BYOD had already undergone onboarding.

A-1.1.m

Access to Public Network

Access to Public Network

Success: BYOD had access to network in accordance with Forescout policy.

A-1.2.a-m

Access to Network

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

A-1.3.a

Access to Network

Access to Network

Success: Endpoint had access to network in accordance with Forescout policy.

A-1.3.b

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with Forescout policy.

A-1.3.c

No Access to Network

No Access to Network

Success: Endpoint was denied access to the network after failing to authenticate to the GlobalProtect VPN.

A-1.3.d

Access to Network

Access to Network

Success: BYOD had access to network in accordance with Forescout policy.

A-1.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with Forescout policy.

A-1.3.f

No Access to Network

No Access to Network

Success: BYOD was denied access to the network after failing to authenticate to the GlobalProtect VPN.

A-1.4.a-g

N/A

N/A

Partial Success: Not able to determine or make decisions based on resource compliance. Using policy engine rules, a user or endpoint could be allowed, denied, or provided with broad or limited access to a set of IaaS applications.

A-2.1.a

Keep Access to Network

Keep Access to Network

Success: Resource had access to network in accordance with Forescout policy.

A-2.1.b

Terminate Access to Network

Limit Access to Network

Partial Success: Resource had access limited to the local subnet in accordance with Forescout policy.

A-2.1.c

Terminate Access to Network

Limit Access to Network

Partial Success: Resource had access limited to the local subnet in accordance with Forescout policy.

A-2.1.d

Keep Access to Network

Keep Access to Network

Success: Endpoint had access to network in accordance with Forescout policy.

A-2.1.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with Forescout policy.

A-2.1.f

Terminate Access to Network

Limit Access to Network

Partial Success: Resource had access limited to the local subnet in accordance with Forescout policy.

A-2.1.g

Keep Access to Network

Keep Access to Network

Success: BYOD had access to network in accordance with Forescout policy.

A-2.1.h

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with Forescout policy.

A-2.1.i

Terminate Access to Network

Limit Access to Network

Partial success: BYOD had access limited to the local subnet in accordance with Forescout policy.

A-2.2.a-i

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

A-2.3.a

Keep Access to Network

Keep Access to Network

Success: Endpoint had access to network in accordance with Forescout policy.

A-2.3.b

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with Forescout policy.

A-2.3.c

Terminate Access to Network

Terminate Access to Network

Success: Endpoint had access terminated after failing to reauthenticate to the GlobalProtect VPN.

A-2.3.d

Keep Access to Network

Keep Access to Network

Success: BYOD had access to network in accordance with Forescout policy.

A-2.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: BYOD had access limited in accordance with Forescout policy.

A-2.3.f

Terminate Access to Network

Terminate Access to Network

Success: BYOD had access terminated after failing to reauthenticate to the GlobalProtect VPN.

A-2.4.a-c

N/A

N/A

Demonstration could not be completed. Build was not able to determine resource compliance

A-2.4.d

Keep Access to Network

Keep Access to Network

Success: BIG-IP was able to allow and keep access to IaaS applications.

A-2.4.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: BIG-IP was able to limit access to IaaS applications.

A-2.4.f

Terminate Access to Network

Terminate Access to Network

Success: Azure was able to terminate access to IaaS applications.

A-3.1.a

User request and action is recorded

User request is recorded

Partial Success: User activity and transaction flow was logged using Forescout. Individual user actions were not visible within this build.

A-3.2.a

User request and action is recorded

User request is recorded

Partial Success: User activity and transaction flow was logged using Forescout and Azure AD. Individual user actions were not visible within this build.

A-3.3.a, A-3.4.a

User request and action is recorded

N/A

Branch office testing was not available for this build.

A-3.5.a, A-3.6.a

User request and action is recorded

User request is recorded

Partial Success: User activity and transaction flow was logged. Individual user actions are not visible.

A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b

API call is recorded

Activity and transaction flow is recorded

Partial Success: Service activity and transaction flow was logged by Forescout. Individual API calls were not visible.

B-1.1.a

Access Successful

Access Successful

Success: Users accessed RSS1 based on the EP and RSS compliance with Forescout and BIG-IP policy.

B-1.1.b

Access Successful

Access Successful

Success: Users accessed RSS2 based on the EP and RSS compliance with Forescout and BIG-IP policy.

B-1.1.c

Access Not Successful

Access Not Successful

Success: User authentication failure to BIG-IP prevented access.

B-1.1.d

Access Not Successful

Access Not Successful

Success: E2 was not authorized to access RSS1 in accordance with BIG-IP policy.

B-1.1.e

Access Successful

Access Successful

Success: Users accessed RSS2 based on the EP and RSS compliance with Forescout and BIG-IP policy.

B-1.1.f, B-1.1.g

Access Not Successful

Access Not Successful

Success: User authentication failure to BIG-IP prevented access.

B-1.1.h

Access Successful

Access Successful

Success: Users with successful reauthentication were able to access backend applications.

B-1.1.i

Access Not Successful

Access Not Successful

Partial Success: Users that failed reauthentication were able to open new sessions to resources but had continued access to resources with existing sessions.

B-1.1.j

Access Not Successful

Access Not Successful

Success: Initial user authentication to BIG-IP was successful and user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with BIG-IP policy, and the user was unable to reauthenticate.

B-1.1.k

Access Limited

Access Not Successful

Partial success: Initial user authentication to BIG-IP was successful and user was granted access to RSS2. After E1 became noncompliant, user access to RSS2 was blocked in accordance with BIG-IP policy.

B-1.1.l

Access Not Successful

Access Not Successful

Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with BIG-IP policy.

B-1.1.m

Access Limited

Access Not Successful

Partial success: Initial user authentication to BIG-IP was successful and user was granted access to RSS2. After E1 became noncompliant, user access to RSS2 was blocked in accordance with BIG-IP policy.

B-1.1.n-p

Access Not Successful

N/A

Unable to determine RSS noncompliance in this build.

B-1.2.a-p

N/A

N/A

Could not test because there was no branch office in Ent. 3.

B-1.3.a-p

The results were the same as B-1.1, given that network policies allowed the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1.

B-1.4.a

Access Successful

Access Successful

Success: Users accessed RSS1 based on the EP compliance with BIG-IP policy.

B-1.4.b

Access Successful

Access Successful

Success: Users accessed RSS2 based on the EP compliance with BIG-IP policy.

B-1.4.c

Access Not Successful

Access Not Successful

Success: User authentication failure to BIG-IP prevented access.

B-1.4.d

Access Not Successful

Access Not Successful

Success: E2 was not authorized to access RSS1 in accordance with BIG-IP policy.

B-1.4.e

Access Successful

Access Successful

Partial Success: Users accessed RSS2 based on the EP compliance with BIG-IP Policy. Build was unable to determine RSS compliance.

B-1.4.f, B-1.4.g

Access Not Successful

Access Not Successful

Success: User authentication failure to BIG-IP prevented access.

B-1.4.h

Access Successful

Access Successful

Success: Users with successful reauthentication were able to access backend applications.

B-1.4.i

Access Not Successful

Access Not Successful

Partial Success: Users that failed reauthentication were unable to open new sessions to resources but retained access to resources with existing sessions.

B-1.4.j

Access Not Successful

Access Not Successful

Success: Initial user authentication to BIG-IP was successful and user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with BIG-IP policy.

B-1.4.k

Access Limited

Access Not Successful

Partial success: Initial user authentication to BIG-IP was successful and user was granted access to RSS2. After E1 became noncompliant, user access to RSS2 was blocked in accordance with BIG-IP policy.

B-1.4.l

Access Not Successful

Access Not Successful

Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with BIG-IP policy, and the user was unable to authenticate.

B-1.4.m

Access Limited

Access Not Successful

Partial success: After E1 became noncompliant, user access to RSS2 was blocked in accordance with BIG-IP policy, and the user was unable to authenticate.

B-1.4.n-p

N/A

N/A

Demonstration could not be performed as verification of cloud resource compliance was not available at the time.

B-1.5.a-p

N/A

N/A

Demonstration could not be performed as branch office was not available at the time.

B-1.6.a-p

In the demonstrated implementation, remote users were connected to a VPN that routed network traffic through the on-prem environment. All demonstration results were similar to B-1.4.a-p.

B-2.1.a-d, g, n

Access Successful

Access Successful

Success: Access was allowed in accordance with Forescout policy.

B-2.1.e, f, l, m, o, p

Access Not Successful

Access Not Successful

Success: Access was denied in accordance with Forescout policy.

B-2.2

N/A

N/A

Demonstration could not be performed because the branch office was not available at the time.

B-2.3

In the demonstrated implementation, remote users were connected to a VPN that routed network traffic through the on-prem environment. All test results were similar to B-2.1.a-p.

B-3.1.a, B-3.4.a, B-3.5.a

Real Req Success

Real Req Success

Success: Real Request was successfully authenticated.

B-3.1.b, B-3.4.b, B-3.5.b

Real Req Fail

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.4.c, B-3.5.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Build did not have the capability to differentiate between the Real Request and the Hostile Request in this context.

B-3.1.d, B-3.4.d, B-3.5.d

Real Request Keep Access, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build did not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.e, B-3.4.e, B-3.5.e

Hostile Request Successful

Hostile Request Successful

Success: Hostile Request was successfully authenticated.

B-3.1.f, B-3.4.f, B-3.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.g, B-3.4.g, B-3.5.g

Real Request Fail, Hostile Request Access Limited

N/A

Unable to complete demonstration. Build did not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.h, B-3.4.h, B-3.5.h

Real Request Fail, Hostile Request remains authenticated

N/A

Unable to complete demonstration. Current build did not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.i, B-3.4.i, B-3.5.i

Real Req Success

Real Req Success

Success: Real Request was successfully authenticated.

B-3.1.j, B-3.4.j, B-3.5.j

Real Request remains authenticated, Hostile Request Fail

N/A

Unable to complete demonstration. Current build did not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.k, B-3.4.k, B-3.5.k

Hostile Request Fail

Hostile Request Fail

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.l, B-3.4.l, B-3.5.l

Real Request Access Successful

Real Request Access Successful

Success: Real Request was successfully reauthenticated.

B-3.1.m, B-3.4.m, B-3.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Hostile Request reauthentication failed because incorrect credentials were entered.

B-3.1.n, B-3.4.n, B-3.5.n

Hostile Request Session Terminated

Hostile Request Session Terminated

Success: BIG-IP sessions were terminated.

B-3.1.o, B-3.4.o, B-3.5.o

Real Request Session Terminated

Real Request Session Terminated

Success: BIG-IP sessions were terminated.

B-3.2, B-3.3

N/A

N/A

Branch office was not included in Build 3.

B-4

All demonstrations here are the same as B-1 since the device is both authenticated and compliant.

B-5

All demonstrations here are the same as B-2 since the device is both authenticated and compliant.

B-6

All demonstrations here are the same as B-3 since the device is both authenticated and compliant.

B-7

N/A

N/A

Demonstration could not be completed. Build did not have the capabilities to demonstrate Just-In-Time access.

B-8

N/A

N/A

Demonstration could not be completed. This capability was not implemented in this build.

All C Use Cases

N/A

N/A

No Federated-ID was set up in this build yet; will be part of a future phase.

All D Use Cases

All demonstrations here are the same as B since the device is both authenticated and compliant. Note that the user is a contractor.

E-1.1.a, b

Access Successful

Access Successful

Success: Guests could access public resources and the internet in accordance with Forescout policy.

E-1.2.a, b

N/A

N/A

Demonstration could not be performed because the branch office was not available at the time.

F-1.1.a, F-1.3.a

Session Stays Active

Session Stays Active

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was only re-established if user reauthentication was successful.

F-1.1.b, F-1.3.b

Session Terminated

Session Terminated

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was not re-established if user reauthentication was unsuccessful.

F-1.2, F-1.5

N/A

N/A

Demonstration could not be performed because the branch office was not available at the time.

F-1.4.a, F-1.6.a

Session Stays Active

Session Stays Active

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was only re-established if user reauthentication was successful.

F-1.4.b, F-1.6.b

Session Terminated

Session Terminated

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was not re-established if user reauthentication was unsuccessful.

F-2.1.a, F-2.3.a, F-2.4.a, F-2.6.a

N/A

N/A

Demonstration could not be completed. Device reauthentication was not implemented in this build.

F-2.2, F-2.5

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-2.1.b, F-2.3.b, F-2.4.b, F-2.6.b

N/A

N/A

Demonstration could not be completed. Device reauthentication was not implemented in this build.

F-3

N/A

N/A

For this build, resource authentication was not tested.

F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a

Session Stays Active

Session Stays Active

Success: Requestor was able to continue with already established sessions with devices that remain compliant.

F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b

Session Terminated

Session Terminated

Success: While session was not immediately terminated due to compliance checks being done at intervals, continued access to resource was blocked and session was terminated once negative compliance determination was made.

F-4.2.a-b, F-4.5.a-b

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a

Access Not Successful

Access Not Successful

Success: Access was denied with requestor’s noncompliant endpoints.

F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b

Access Successful

Access Successful

Success: Requestors with compliant endpoints were allowed access to resources.

F-5.2, F-5.5

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-6, F-7

N/A

N/A

For this build, this use case was not tested.

F-8, F-9, F-10, F-12, F-14, F-15, F-16, F-17

N/A

N/A

Demonstration could not be completed. Current build did not implement this capability.

F-11

N/A

N/A

User was only able to view or see resources for which they had authorization via a portal. There was no opportunity to access anything other than those resources.

F-13

N/A

N/A

User was only able to view or see resources for which they had authorization via an access portal. There was no opportunity to access anything other than those resources.

G-1-3; G-5

N/A

N/A

Demonstration could not be completed. Build only had the setup to demonstrate G-4, service-to-service container use cases.

G-4.1.a

Access Successful

Access Successful

Success: Service on bare runtime platform made successful API call to another service.

G-4.1.b

Access Not Successful

Access Not Successful

Success: Service on a bare runtime platform was blocked from making successful API calls to another service.

G-4.1.c

Access Successful

Access Successful

Success: Service from a pod made a successful API call to another service in a separate pod within the same orchestration platform.

G-4.1.d

Access Not Successful

Access Not Successful

Success: Service from a pod was blocked from making successful API calls to another service in a separate pod within the same orchestration platform.

G-4.1.e-f

N/A

N/A

Demonstration could not be completed. Build did not have the capability to demonstrate security controls between services running in the same pod.

H-1-7

N/A

N/A

Demonstration could not be completed. Build did not have capability to demonstrate data level security use cases.
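The B-1.1.i and F-4.1.b rows in the table above record two session-handling behaviours worth seeing side by side: a failed reauthentication that blocked new sessions but left existing ones open, and a compliance check that runs at intervals, so a session outlives the endpoint's loss of compliance until the next check. The following Python model is an added example, not code from SP 1800-35 or from the Forescout or F5 products in this build; the user, endpoint and resource names, the 60-second check interval and the timings are assumptions. The revoke_existing switch shows what closing the existing sessions on reauthentication failure, rather than only refusing new ones, would look like.

```python
"""Added example (not from SP 1800-35, Forescout, or F5): a minimal policy
enforcer modelling the B-1.1.i and F-4.1.b behaviours.  User, endpoint and
resource names, the 60-second sweep interval and the timings are constructed."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    compliant: bool = True


@dataclass
class Session:
    user: str
    endpoint: Endpoint
    resource: str
    active: bool = True
    reason: str = ""


@dataclass
class PolicyEnforcer:
    """Opens sessions, re-evaluates them on reauthentication, and runs a
    periodic compliance sweep over the endpoints that hold sessions."""
    check_interval: int                       # seconds between sweeps (assumed)
    sessions: list = field(default_factory=list)
    last_check: int = 0

    def open_session(self, user, endpoint, resource, authenticated):
        # A new session needs a passing authentication and a compliant endpoint.
        if not authenticated or not endpoint.compliant:
            return None
        session = Session(user, endpoint, resource)
        self.sessions.append(session)
        return session

    def reauthenticate(self, user, success, revoke_existing):
        """B-1.1.i: when reauthentication failed, the build blocked new sessions
        but left existing ones open.  revoke_existing=True closes those too,
        which is what a continuous-evaluation policy should do."""
        if success:
            return
        for s in self.sessions:
            if s.user == user and s.active and revoke_existing:
                s.active = False
                s.reason = "reauthentication failed"

    def sweep(self, now):
        """F-4.1.b: compliance is checked at intervals, so a session on an
        endpoint that has fallen out of compliance survives until the next
        sweep and is terminated then.  Returns the number of sessions closed."""
        if now - self.last_check < self.check_interval:
            return 0
        self.last_check = now
        closed = 0
        for s in self.sessions:
            if s.active and not s.endpoint.compliant:
                s.active = False
                s.reason = "endpoint noncompliant"
                closed += 1
        return closed

    def active_sessions(self, user):
        return [s for s in self.sessions if s.user == user and s.active]


def demo_reauth_gap(revoke_existing):
    """Returns (new session opened?, pre-existing sessions still active) after a
    failed reauthentication."""
    pe = PolicyEnforcer(check_interval=60)
    laptop = Endpoint("E1")
    pe.open_session("alice", laptop, "RSS1", authenticated=True)
    pe.reauthenticate("alice", success=False, revoke_existing=revoke_existing)
    new = pe.open_session("alice", laptop, "RSS2", authenticated=False)
    return new is not None, len(pe.active_sessions("alice"))


def demo_compliance_latency():
    """Returns how many seconds a session outlived its endpoint's compliance."""
    pe = PolicyEnforcer(check_interval=60)
    laptop = Endpoint("E1")
    pe.open_session("alice", laptop, "RSS1", authenticated=True)
    went_noncompliant = 15
    for now in range(0, 300, 5):
        if now == went_noncompliant:
            laptop.compliant = False
        if pe.sweep(now):
            return now - went_noncompliant
    return None


if __name__ == "__main__":
    print("failed reauth, existing sessions kept:", demo_reauth_gap(False))
    print("failed reauth, existing sessions revoked:", demo_reauth_gap(True))
    print("seconds a noncompliant endpoint kept its session:", demo_compliance_latency())
```

With the assumed 60-second interval, an endpoint that drops out of compliance 15 seconds after the last sweep keeps its session for 45 more seconds; shortening the interval or triggering a sweep on endpoint change events narrows that window, which is the gap the F-4.1.b comment describes.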

Enterprise 4 Build 4 (E4B4) - SDP, Microsegmentation, and EIG - VMware Workspace ONE Access, VMware Unified Access Gateway, and VMware NSX-T as PEs Detailed Demonstration Results#

Table 7 lists the full demonstration results for SDP and microsegmentation demonstrations run in Enterprise 4 Build 4 (E4B4). The technology deployed in E4B4 was able to determine endpoint compliance for Windows, macOS, Linux, and mobile devices and prevent noncompliant endpoints from accessing private resources. Note that after this build was completed, VMware was acquired by Broadcom.

Table 7 - Detailed Demonstration Results for E4B4

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-d, A-1.1.f, A-1.1.j

N/A

N/A

VMware considers granting the endpoint limited access to the network out of scope for their products. Other technologies should be used to perform this function.

A-1.1.e, A-1.1.i

Access to Network

Access to Network

Success: Device authenticated with UEM and was granted access to corporate resources on the corporate network.

A-1.1.g, A-1.1.k

No Access to Network

No Access to Network

Success: Device was not authenticated with UEM and could not access the Enterprise 4 network.

A-1.1.h, A-1.1.l, A-1.1.m

Access to Public Network

Access to Public Network

Success: Device was not registered and can connect to the public internet.

A-1.2.a-m

N/A

N/A

Not demonstrated in this build due to no branch in Ent 4.

A-1.3.a, A-1.3.d

Access to Network

Access to Network

Success: Device authenticated with UEM and was granted access to corporate resources on the corporate network.

A-1.3.c, A-1.3.f

No Access to Network

No Access to Network

Success: Device was not authenticated with UEM and could not access the Enterprise 4 network.

A-1.3.b, A-1.3.e

N/A

N/A

VMware considers granting the endpoint limited access to the network out of scope for their products. Other technologies should be used to perform this function.

A-1.4.a-g

N/A

N/A

Not demonstrated in this build, as the demonstration capabilities were considered to be outside the scope of technologies utilized for this build.

A-2

A-2 results match results from A-1.

A-3.1.a, A-3.3.a, A-3.5.a

User request and action is recorded

User login to an application is logged

Success: VMware UEM and Workspace One Access recorded user application requests.

A-3.2.a, A-3.4.a, A-3.6.a

User request and action is recorded

User login to an application is logged

Success: VMware UEM and Workspace One Access recorded user login requests.

A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b, A-3.5.b, A-3.6.b

N/A

N/A

VMware considers API call visibility out of scope for their products. Other technologies should be used to perform this function.

B-1.1.a, B-1.3.a, B-1.4.a, B-1.6.a, B-4.1.a, B-4.3.a, B-4.4.a, B-4.6.a, D-1.1.a, D-1.3.a, D-1.4.a, D-1.6.a, D-4.1.a, D-4.3.a, D-4.4.a, D-4.6.a

Access Successful

Access Successful

Partial Success: User was successfully authenticated and granted access to the resource. However, RSS compliance was not obtained.

B-1.1.b, B-1.3.b, B-1.4.b, B-1.6.b, B-4.1.b, B-4.3.b, B-4.4.b, B-4.6.b, D-1.1.b, D-1.3.b, D-1.4.b, D-1.6.b, D-4.1.b, D-4.3.b, D-4.4.b, D-4.6.b

Access Successful

Access Successful

Partial Success: User was successfully authenticated and granted access to the resource. However, RSS compliance was not obtained.

B-1.1.c, B-1.3.c, B-1.4.c, B-1.6.c, B-4.1.c, B-4.3.c, B-4.4.c, B-4.6.c, D-1.1.c, D-1.3.c, D-1.4.c, D-1.6.c, D-4.1.c, D-4.3.c, D-4.4.c, D-4.6.c

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource.

B-1.1.d, B-1.3.d, B-1.4.d, B-1.6.d, B-4.1.d, B-4.3.d, B-4.4.d, B-4.6.d, D-1.1.d, D-1.3.d, D-1.4.d, D-1.6.d, D-4.1.d, D-4.3.d, D-4.4.d, D-4.6.d

Access Not Successful

Access Not Successful

Success: User was denied access due to policy constraints.

B-1.1.e, B-1.3.e, B-1.4.e, B-1.6.e, B-4.1.e, B-4.3.e, B-4.4.e, B-4.6.e, D-1.1.e, D-1.3.e, D-1.4.e, D-1.6.e, D-4.1.e, D-4.3.e, D-4.4.e, D-4.6.e

Access Successful

Access Successful

Partial Success: User was successfully authenticated and granted access to the resource. However, RSS compliance was not obtained.

B-1.1.f, B-1.3.f, B-1.4.f, B-1.6.f, B-4.1.f, B-4.3.f, B-4.4.f, B-4.6.f, D-1.1.f, D-1.3.f, D-1.4.f, D-1.6.f, D-4.1.f, D-4.3.f, D-4.4.f, D-4.6.f

Access Not Successful

Access Not Successful

Success: Without user authentication for the resource, the access attempt did not succeed.

B-1.1.g, B-1.3.g, B-1.4.g, B-1.6.g, B-4.1.g, B-4.3.g, B-4.4.g, B-4.6.g, D-1.1.g, D-1.3.g, D-1.4.g, D-1.6.g, D-4.1.g, D-4.3.g, D-4.4.g, D-4.6.g

Access Not Successful

Access Not Successful

Success: Without user authentication for the resource, the access attempt did not succeed.

B-1.1.h, B-1.3.h, B-1.4.h, B-1.6.h, B-4.1.h, B-4.3.h, B-4.4.h, B-4.6.h, D-1.1.h, D-1.3.h, D-1.4.h, D-1.6.h, D-4.1.h, D-4.3.h, D-4.4.h, D-4.6.h

Access Successful

Access Successful

Partial Success: GitLab session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated. However, RSS compliance was not obtained.

B-1.1.i, B-1.3.i, B-1.4.i, B-1.6.i, B-4.1.i, B-4.3.i, B-4.4.i, B-4.6.i, D-1.1.i, D-1.3.i, D-1.4.i, D-1.6.i, D-4.1.i, D-4.3.i, D-4.4.i, D-4.6.i

Access Not Successful

Access Not Successful

Success: After session timeout, user tried to login with incorrect credentials and access was denied.

B-1.1.j, B-1.3.j, B-1.4.j, B-1.6.j, B-4.1.j, B-4.3.j, B-4.4.j, B-4.6.j, D-1.1.j, D-1.3.j, D-1.4.j, D-1.6.j, D-4.1.j, D-4.3.j, D-4.4.j, D-4.6.j

Access Not Successful

Access Not Successful

Success: User was denied access due to endpoint noncompliance.

B-1.1.k, B-1.3.k, B-1.4.k, B-1.6.k, B-4.1.k, B-4.3.k, B-4.4.k, B-4.6.k, D-1.1.k, D-1.3.k, D-1.4.k, D-1.6.k, D-4.1.k, D-4.3.k, D-4.4.k, D-4.6.k

Access Limited

Access Limited

Partial Success: User access was downgraded due to having a noncompliant endpoint. However, RSS compliance was not obtained.

B-1.1.l, B-1.3.l, B-1.4.l, B-1.6.l, B-4.1.l, B-4.3.l, B-4.4.l, B-4.6.l, D-1.1.l, D-1.3.l, D-1.4.l, D-1.6.l, D-4.1.l, D-4.3.l, D-4.4.l, D-4.6.l

Access Denied

Access Denied

Success: User was denied access due to endpoint noncompliance.

B-1.1.m, B-1.3.m, B-1.4.m, B-1.6.m, B-4.1.m, B-4.3.m, B-4.4.m, B-4.6.m, D-1.1.m, D-1.3.m, D-1.4.m, D-1.6.m, D-4.1.m, D-4.3.m, D-4.4.m, D-4.6.m

Access Limited

Access Limited

Partial Success: User access was downgraded to one resource due to having a noncompliant endpoint. However, RSS compliance was not obtained, and limited access within a given resource was not possible.

B-1.1.n-p, B-1.3.n-p, B-1.4.n-p, B-1.6.n-p, B-4.1.n-p, B-4.3.n-p, B-4.4.n-p, B-4.6.n-p, D-1.1.n-p, D-1.3.n-p, D-1.4.n-p, D-1.6.n-p, D-4.1.n-p, D-4.3.n-p, D-4.4.n-p, D-4.6.n-p

N/A

N/A

Not demonstrated in this build due to lack of resource compliance verification.

B-1.2.a-p, B-1.5.a-p B-4.2.a-p, B-4.5.a-p, D-1.2.a-p, D-4.2.a-p

N/A

N/A

Not demonstrated in this build due to no branch in Ent 4.

B-2.1.a-d, B-2.3.a-d, B-5.1.a-d, B-5.3.a-d

Access Successful

Access Successful

Success: When using the MTD denylist, user was able to access approved URLs.

B-2.1.e, B-2.3.e, B-5.1.e, B-5.3.e

Access Not Successful

Access Not Successful

Success: When using the MTD denylist, URL blocking was done on the endpoint, not via user authentication status.

B-2.1.f, B-2.3.f, B-5.1.f, B-5.3.f

Access Not Successful

Access Not Successful

Success: When using the MTD denylist, user was not able to access unapproved URLs.

B-2.1.g, B-2.3.g, B-5.1.g, B-5.3.g

Access Successful

Access Successful

Partial Success: When using the MTD denylist, users were able to access approved URLs, but there was no time control for the policy.

B-2.1.h-i, B-2.3.h-i B-5.1.h-i, B-5.3.h-i

Access Not Successful

Access Not Successful

Partial Success: When using the MTD denylist, user could not access unapproved URLs, but there was no time control for the policy.

B-2.1.j, B-2.3.j, B-5.1.j, B-5.3.j

N/A

N/A

Not tested in this build because if a user was not authenticated, MTD had no control over the device.

B-2.1.k, B-2.3.k, B-5.1.k, B-5.3.k

Access Successful

Access Successful

Success: When using the MTD denylist, user was able to access approved URLs.

B-2.1.l, B-2.3.l, B-5.1.l, B-5.3.l

N/A

N/A

Not tested in this build because if a user was not authenticated, MTD had no control over the device.

B-2.1.m-p, B-2.3.m-p, B-5.1.m-p, B-5.3.m-p

N/A

N/A

Not tested in this build because MTD did not offer a compliance test for denylist URLs.

B-3.1.a, B-3.4.a, B-3.5.a, B-6.1.a, B-6.4.a, B-6.5.a

Real Req Success

Real Req Success

Success: User was able to successfully authenticate and access the RSS.

B-3.1.b, B-3.4.b, B-3.5.b, B-6.1.b, B-6.4.b, B-6.5.b

Real Req Fail

Real Req Fail

Success: User was unable to successfully authenticate and access the RSS.

B-3.1.c, B-3.4.c, B-3.5.c, B-6.1.c, B-6.4.c, B-6.5.c

N/A

N/A

Due to security of VMware’s certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password was insufficient to successfully authenticate.

B-3.1.d, B-3.4.d, B-3.5.d, B-6.1.d, B-6.4.d, B-6.5.d

N/A

N/A

Due to security of VMware’s certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password was insufficient to successfully authenticate.

B-3.1.e, B-3.4.e, B-3.5.e, B-6.1.e, B-6.4.e, B-6.5.e

N/A

N/A

Due to security of VMware’s certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password was insufficient to successfully authenticate.

B-3.1.f, B-3.4.f, B-3.5.f, B-6.1.f, B-6.4.f, B-6.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Hostile user failed to properly authenticate and was unable to access the RSS.

B-3.1.g, B-3.4.g, B-3.5.g, B-6.1.g, B-6.4.g, B-6.5.g

N/A

N/A

Due to security of VMware’s certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password was insufficient to successfully authenticate.

B-3.1.h, B-3.4.h, B-3.5.h, B-6.1.h, B-6.4.h, B-6.5.h

N/A

N/A

Due to security of VMware’s certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password was insufficient to successfully authenticate.

B-3.1.i, B-3.4.i, B-3.5.i, B-6.1.i, B-6.4.i, B-6.5.i

Real Req Success

Real Req Success

Success: User was able to successfully authenticate after new credentials were provisioned.

B-3.1.j, B-3.4.j, B-3.5.j, B-6.1.j, B-6.4.j, B-6.5.j

N/A

N/A

Due to security of VMware’s certificate storage, we were unable to copy the credentials and produce a Hostile authentication. A stolen username/password was insufficient to successfully authenticate.

B-3.1.k, B-3.4.k, B-3.5.k, B-6.1.k, B-6.4.k, B-6.5.k

Hostile Request Fail

Hostile Request Fail

Success: The stolen credentials were wiped by administrative action from the device that was using them.

B-3.1.l, B-3.4.l, B-3.5.l, B-6.1.l, B-6.4.l, B-6.5.l

Real Request Access Successful

Real Request Access Successful

Success: User was able to successfully reauthenticate after new credentials were provisioned.

B-3.1.m, B-3.4.m, B-3.5.m, B-6.1.m, B-6.4.m, B-6.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Hostile User was unable to successfully reauthenticate after stolen credentials were wiped and new credentials were provisioned to the user.

B-3.1.n, B-3.4.n, B-3.5.n, B-6.1.n, B-6.4.n, B-6.5.n

All Sessions Terminated

All Sessions Terminated

Success: All user sessions for GitLab RSS were terminated.

B-3.1.o, B-3.4.o, B-3.5.o, B-6.1.o, B-6.4.o, B-6.5.o

All Sessions Terminated

All Sessions Terminated

Success: All user sessions for GitLab RSS were terminated.

B-7

N/A

N/A

Just in Time privileges were not offered in this build.

B-8

N/A

N/A

Not demonstrated in this build, as the ability to prompt for reauthentication in the middle of an active session was not included in Ent 4.

All C Use Cases

N/A

N/A

Use Case C was out of scope for this phase.

E-1.1.a-b

Access Successful

Access Successful

Success: NSX provided access to public resources while preventing access to resources that required authentication.

E-2.1.a-b

N/A

N/A

Not demonstrated in this build due to no branch in Ent 4.

F-1.1.a, F-1.3.a, F-1.4.a, F-1.6.a

Access Remains

Access Remains

Success: Certificate reauthentication kept user’s session to GitLab open via UAG tunnel.

F-1.1.b, F-1.3.b, F-1.4.b, F-1.6.b

Access Denied

Access Denied

Success: After the authentication certificate was removed from the device, reauthentication failed and user’s session to GitLab was terminated via UAG tunnel.

F-1.2.a-b, F-1.5.a-b

N/A

N/A

No branch to test.

F-2.1.a-b, F-2.3.a-b

Access Terminated

Access Terminated

Success: After the authentication certificate was removed from the device, reauthentication failed and user’s session to GitLab was terminated via UAG tunnel.

F-2.2, F-2.5

N/A

N/A

No branch to test.

F-2.4, F-2.6

N/A

N/A

No branch to test.

F-3

N/A

N/A

VMware considered resource authentication out of scope in this build for their participating product. Other technologies or products should be used for this use case.

F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a

Endpoint compliant, access to resource remains

Endpoint compliant, access to resource remains

Success: Access to the RSS remained as long as the endpoint maintained compliance.

F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b

Endpoint drops out of compliance, access revoked

Endpoint drops out of compliance, access revoked

Success: When the endpoint dropped out of compliance, access to the RSS was revoked via the UAG tunnel. Future access was prevented by Workspace One Access.

F-4.2.a-b, F-4.5.a-b

N/A

N/A

No branch to test.

F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a

Endpoint not compliant, No access to resource

Endpoint not compliant, No access to resource

Success: Access to the GitLab resource failed if the device was not in compliance.

F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b

Endpoint compliant, Access granted to resource

Endpoint compliant, Access granted to resource

Success: Once the endpoint was brought back into compliance, access to the GitLab RSS was granted.

F-5.2.a-b, F-5.5.a-b

N/A

N/A

No branch to test.

F-6.1, F-6.2

N/A

N/A

Data use policy capabilities were not part of this build.

F-7.1, F-7.2

N/A

N/A

Data use policy capabilities were not part of this build.

F-8.1, F-8.2, F-8.3

N/A

N/A

This build did not have the capability to suspend a user’s session based on URL monitoring.

F-9.1, F-9.2, F-9.3

N/A

N/A

This build did not have the capability to suspend a user’s session based on URL monitoring.

F-10.1, F-10.2, F-10.3

N/A

N/A

This build did not have the capability to suspend a user’s session based on URL monitoring.

F-11.1, F-11.2, F-11.3

N/A

N/A

This build did not have the capability to suspend a user’s session based on URL monitoring.

F-12.1, F-12.2, F-12.3

N/A

N/A

This build did not have the capability to suspend a user’s session based on URL monitoring.

F-13.1, F-13.2, F-13.3

N/A

N/A

This build did not have the capability to suspend a user’s session based on URL monitoring.

F-14.1.a, F-14.1.c, F-14.1.d, F-14.1.f, F-14.2.a, F-14.2.c, F-14.2.d, F-14.2.f

Access Denied

Access Partially Denied

Partial Success: MTD was able to monitor the device and block domain-specific traffic based on suspect behavior, which blocked access to the resource. However, the deny action was placed on the device, not the Enterprise ID itself.

F-14.1.b, F-14.1.e, F-14.2.b, F-14.2.e

N/A

N/A

No branch to test.

F-14.1.d-l, F-14.2.d-l

N/A

N/A

No PaaS or SaaS services available for this build.

F-14.3

N/A

N/A

Guest devices had no management software to implement policy enforcement.

F-15

Same results as F-14 but with “Other-ID”.

F-16.1.a, F-16.1.c, F-16.1.d, F-16.1.f, F-16.2.a, F-16.2.c, F-16.2.d, F-16.2.f

Access Terminated

Access Partially Terminated

Partial Success: MTD was able to monitor the device and block domain-specific traffic based on suspect behavior, which terminated an active session once detected. However, the deny action was placed on the device, not the Enterprise ID itself.

F-16.1.b, F-16.2.b

N/A

N/A

No branch to test.

F-16.1.d-l, F-16.2.d-l

N/A

N/A

No PaaS or SaaS services available for this build.

F-17

F-17 results match results from F-16.

G-1.1.a

Access Successful

Access Successful

Success: Communication was allowed between the subject and the resource.

G-1.1.b

Access Not Successful

Access Not Successful

Success: Communication was blocked between the subject and the resource.

G-1.1.c-f, G-1.2, G-2, G-3

N/A

N/A

Branch and cloud services were not available for testing in this build.

G-4

N/A

N/A

The capability to demonstrate this scenario was not included in this build. However, VMware Tanzu can provide the capability to control service calls between containers.

G-5.1.a, G-5.1.c, G-5.1.d, G-5.1.f

Access Successful

Access Successful

Success: Service communication to endpoint was allowed.

G-5.1.b, G-5.1.e, G-5.1.g-r

N/A

N/A

Branch and cloud services were not available for testing in this build.

All H Use Cases

N/A

N/A

N/A
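The B-3 rows in Table 7 (a stolen username and password were insufficient because the certificate could not be copied out of protected storage; the stolen credential was then wiped and a new one provisioned) and the F-1 rows (certificate reauthentication keeps or ends the session) describe a credential that is bound to the device. The following Python model is an added example, not code from SP 1800-35 or from VMware; a per-device HMAC challenge-response stands in for the certificate private key and its proof of possession, and the user, password, device names and keys are constructed.

```python
"""Added example (not from SP 1800-35 or VMware): a challenge-response model of the
device-bound credential behaviour in the B-3 and F-1 rows.  A per-device HMAC key
stands in for the certificate private key the build kept in protected storage;
users, passwords, device names and keys are constructed."""
import hashlib
import hmac
import os


class Device:
    """Endpoint holding a device-bound key that is never exported; it only answers challenges."""
    def __init__(self, name, key=None):
        self.name = name
        self._key = key

    def prove(self, challenge):
        if self._key is None:          # credential removed or wiped
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def wipe(self):                    # administrative wipe via UEM (modelled, not a real API)
        self._key = None


class Authenticator:
    """Requires the password AND proof of possession of an enrolled device key."""
    def __init__(self):
        self.users = {}        # user -> (salt, PBKDF2-SHA256 hash)
        self.device_keys = {}  # (user, device name) -> verification key
        self.sessions = set()  # (user, device name)

    def enroll_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def enroll_device(self, user, name):
        key = os.urandom(32)           # provisioned into the device once
        self.device_keys[(user, name)] = key
        return Device(name, key)

    def revoke_device(self, user, name):
        self.device_keys.pop((user, name), None)
        self.sessions.discard((user, name))

    def _password_ok(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _device_ok(self, user, device):
        key = self.device_keys.get((user, device.name))
        if key is None:
            return False
        challenge = os.urandom(32)     # fresh per attempt, so a captured proof cannot be replayed
        proof = device.prove(challenge)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return proof is not None and hmac.compare_digest(proof, expected)

    def login(self, user, password, device):
        if self._password_ok(user, password) and self._device_ok(user, device):
            self.sessions.add((user, device.name))
            return True
        return False

    def reauthenticate(self, user, device):
        # F-1 rows: periodic certificate reauthentication; a device that can no
        # longer prove possession loses its session.
        if (user, device.name) in self.sessions and self._device_ok(user, device):
            return True
        self.sessions.discard((user, device.name))
        return False


def demo_stolen_password():
    # B-3.c/e: the enrolled device logs in; a hostile device presenting the stolen
    # password and even the same device name, but no key, does not.
    auth = Authenticator()
    auth.enroll_user("alice", "correct horse battery")
    laptop = auth.enroll_device("alice", "E1")
    return (auth.login("alice", "correct horse battery", laptop),
            auth.login("alice", "correct horse battery", Device("E1")))


def demo_wipe_and_reprovision():
    # F-1.1.a/b and B-3.k/l/m: the session survives reauthentication until the key
    # is wiped; the device is then revoked and alice gets a replacement credential.
    auth = Authenticator()
    auth.enroll_user("alice", "correct horse battery")
    stolen = auth.enroll_device("alice", "E1")
    auth.login("alice", "correct horse battery", stolen)
    kept = auth.reauthenticate("alice", stolen)
    stolen.wipe()
    lost = auth.reauthenticate("alice", stolen)
    auth.revoke_device("alice", "E1")
    replacement = auth.enroll_device("alice", "E1-replacement")
    return (kept, lost, auth.login("alice", "correct horse battery", stolen),
            auth.login("alice", "correct horse battery", replacement))
```

The property being modelled is that the password alone never completes a login: every attempt also has to answer a fresh challenge with a key that exists only on the enrolled device, so copying the username and password to another machine (the Hostile Request) fails, and wiping the key ends both the current session and any future reauthentication until a new credential is issued.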

Enterprise 1 Build 5 (E1B5) - SASE and Microsegmentation - PAN NGFW and PAN Prisma Access as PEs Detailed Demonstration Results#

Table 8 lists the full results for microsegmentation and SASE demonstrations run in Enterprise 1 Build 5 (E1B5). The technology deployed in E1B5 was able to determine endpoint compliance for Windows, macOS, Linux, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 8 - Detailed Demonstration Results for E1B5

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-d, A-1.2.a-d, A-1.4.a-d

Access to Network

N/A

Out of scope for this build. The Palo Alto Networks (PAN) product leveraged to perform this function was not installed.

A-1.1.e, i, A-1.2.e, i, A-1.3.a, d, A-1.4.e

Access to Network

Access to Network

Success: User successfully logged on to the GlobalProtect (GP) agent and the endpoint was validated for compliance. User was given access to specific resources and network locations based on policies created in the PE. Note: EP and BYOD were onboarded the same way by installing and logging onto the GP client. Note: All of Use Case A was demonstrated with Windows, Linux, and iOS devices.

A-1.1.f, j, A-1.2.f, j, A-1.3.b, e, A-1.4.f

Max. Limited Access to Network

Max. Limited Access to Network

Success: If compliance was not met, user had access to limited resources. Once compliance was met, user was granted access to all resources that were assigned based on policy. Note: EP and BYOD were onboarded the same way by installing and logging onto a GP client.

A-1.1.g, k, A-1.2.g, k, A-1.3.c, f, A-1.4.g

No Access to Network

No Access to Network

Success: If user did not successfully authenticate to PAN GP, there was no access to network resources. Note: EP and BYOD were onboarded the same way by installing and logging onto a GP client.

A-1.1.h, l, m, A-1.2.h, l, m

Access to Public Network

Access to Public Network

Success: User who was not onboarded had access to the guest Wi-Fi, which allowed public network access. All devices that were not onboarded were treated as guests. These devices had access to the public network.

A-1.2.a-d

N/A

N/A

There were no resources in the branch office. However, the configuration would be identical to that for on-prem resources.

A-1.4.e-g, A-2.4.d-f

N/A

N/A

No endpoints were deployed in the cloud for this build.

A-2.1.a-c, A-2.2.a-c, A-2.4.a-c

N/A

N/A

Out of scope for this build. Cortex XDR, which would be leveraged to perform this function, was not available for this build.

A-2.1.d, g, A-2.2.d, g, A-2.3.a, d, A-2.4.d

Access to Network

Access to Network

Success: EP logged on to the GP client again after its session expired. Once reauthentication was successful, the user was given access to the networks and resources allowed by policy.

A-2.1.e, h, A-2.2.f, j, A-2.3.b, e, A-2.4.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: After reauthentication, if compliance was not met, user had access to limited resources only. Once compliance was met, user had access to all resources that were assigned based on policy. Note: compliance validation was performed when user reauthenticated and was set to check periodically and when there was a change to the endpoint’s configuration. If compliance failed, EP had limited access.

A-2.1.f, i, A-2.2.f, i, A-2.3.c, f, A-2.4.f

Terminate Access to Network

Terminate Access to Network

Success: If user did not successfully reauthenticate to GP, there was no access to network resources.

A-2.1.h, A-2.2.h

Access to Public Network

Access to Public Network

Success: Users who were not onboarded had access to the guest Wi-Fi, which allowed public network access.

A-3

API call is recorded

API Call is recorded

Success: PAN NGFW and Prisma Access sent all logs to IBM QRadar.

B-1.1-6.a, B-4.1.a, B-4.2.a, B-4.3.a, D-1.1.a, D-1.2.a, D-1.3.a, D-4.1.a, D-4.2.a, D-4.3.a

Access Successful

Access Partially Successful

Partial Success: For both laptop and mobile endpoints, user access to resource RSS1 was successful, with user and endpoint passing authN/authZ and compliance. Compliance of the RSS was not performed due to time constraints. PAN was able to put a client (Cortex XDR) on the RSS to track compliance and feed that information into a policy for user access.

Note: For all B-1 use cases, logging into PAN GP validated both user and device. PAN NGFW and Prisma Access policies dictated what resources a user was able to access. In our use cases, user devices functioned the same way on-prem, at a branch office, or at a remote site. The PEP that was closest to the endpoint applied compliance checks and granular policies for access.

B-1.1-6.b, B-4.1.b, B-4.2.b, B-4.3.b, D-1.1.b, D-1.2.b, D-1.3.b, D-4.1.b, D-4.2.b, D-4.3.b

Access Successful

Access Partially Successful

Partial Success: For both laptop and mobile endpoints, user access to resource RSS1 was successful, with user and endpoint passing authN/authZ and compliance. Compliance of the RSS was not performed due to time constraints.

B-1.1-6.c, B-4.1.c, B-4.2.c, B-4.3.c, D-1.1.c, D-1.2.c, D-1.3.c, D-4.1.c, D-4.2.c, D-4.3.c

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to PAN GP due to a failed authentication.

B-1.1-6.d, B-4.1.d, B-4.2.d, B-4.3.d, D-1.1.d, D-1.2.d, D-1.3.d, D-4.1.d, D-4.2.d, D-4.3.d

Access Not Successful

Access Not Successful

Success: For both laptop and mobile endpoints, user access for E2 to resource RSS1 was not successful. Since there was no policy for E2 to access resource RSS1, the PAN NGFW denied traffic from this user.

B-1.1-6.e, B-4.1.e, B-4.2.e, B-4.3.e, D-1.1.e, D-1.2.e, D-1.3.e, D-4.1.e, D-4.2.e, D-4.3.e

Access Successful

Access Partially Successful

Partial Success: For both laptop and mobile endpoints, user access to resource RSS2 was successful, with user and endpoint passing authN/authZ and compliance. Compliance of RSS was not performed due to time constraint.

B-1.1-6.f, B-4.1.f, B-4.2.f, B-4.3.f, D-1.1.f, D-1.2.f, D-1.3.f, D-4.1.f, D-4.2.f, D-4.3.f

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource with a failed authentication. Note: Endpoint compliance was validated along with user login.

B-1.1-6.g, B-4.1.g, B-4.2.g, B-4.3.g, D-1.1.g, D-1.2.g, D-1.3.g, D-4.1.g, D-4.2.g, D-4.3.g

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to resource with a failed authentication. Note: Endpoint compliance was validated along with user login.

B-1.1-6.h, B-4.1.h, B-4.2.h, B-4.3.h, D-1.1.h, D-1.2.h, D-1.3.h, D-4.1.h, D-4.2.h, D-4.3.h

Access Successful

Access Successful

Success: User and endpoint authentication timed out, and the user reauthenticated successfully. The session to the resource also timed out, and the user reauthenticated to it. Note: User authentication to the PE and user authentication to the resource were separate processes; if the user failed reauthentication to the PE, access to the resource was lost.

B-1.1-6.i, B-4.1.i, B-4.2.i, B-4.3.i, D-1.1.i, D-1.2.i, D-1.3.i, D-4.1.i, D-4.2.i, D-4.3.i

Access Not Successful

Access Not Successful

Success: After session timeout, the user tried to log in with an incorrect password and was denied.

B-1.1-6.j, B-4.1.j, B-4.2.j, B-4.3.j, D-1.1.j, D-1.2.j, D-1.3.j, D-4.1.j, D-4.2.j, D-4.3.j

Access Not Successful

Access Not Successful

Success: Device posture failure detected, so access was denied.

B-1.1-6.k, B-4.1.k, B-4.2.k, B-4.3.k, D-1.1.k, D-1.2.k, D-1.3.k, D-4.1.k, D-4.2.k, D-4.3.k

Access Limited

Access Not Successful

Partial Success: Access to RSS2 was blocked outright; the build could not grant limited access in place of a full denial.

B-1.1-6.l-m, B-4.1.l-m, B-4.2.l-m, B-4.3.l-m, D-1.1.l-m, D-1.2.l-m, D-1.3.l-m, D-4.1.l-m, D-4.2.l-m, D-4.3.l-m

Access Denied

Access Denied

Success: User was denied access because the endpoint was noncompliant. Device posture failure detected. Could not perform limited access.

B-1.1-6.n-p, B-4.1.n-p, B-4.2.n-p, B-4.3.n-p, D-1.1.n-p, D-1.2.n-p, D-1.3.n-p, D-4.1.n-p, D-4.2.n-p, D-4.3.n-p

N/A

N/A

Compliance checks for resources were out of scope based on time constraints.

B-2.1.a-d, B-2.2.a-d, B-2.3.a-d

Access Successful

Access Successful

Success: User E4 had access to the URL based on URL filtering policies at all times. PAN PEPs were able to limit access based on time-of-day. For these use cases, User E4 was able to access these URLs after hours.

B-2.1.e, B-2.2.e, B-2.3.e

Access Not Successful

Access Not Successful

Success: User E4 did not authenticate due to incorrect password. Access was not successful.

B-2.1.f, B-2.2.f, B-2.3.f

Access Not Successful

Access Not Successful

Success: Based on URL filtering policies, User E5 did not have access to the URL. Therefore, user was denied access.

B-2.1.g, B-2.2.g, B-2.3.g

Access Successful

Access Successful

Success: User E5 had access to the URL based on URL filtering policies.

B-2.1.h-i, B-2.2.h-i, B-2.3.h-i

Access Not Successful

Access Not Successful

Success: Based on URL filtering policies, User E5 did not have access to the URLs outside of working hours.

B-2.1.j, B-2.2.j, B-2.3.j

Access Not Successful

Access Not Successful

Success: User E5 did not authenticate due to incorrect password. Access was not successful.

B-2.1.k, B-2.2.k, B-2.3.k

Access Successful

Access Successful

Success: User E4 was able to access the URL after reauthentication.

B-2.1.l, B-2.2.l, B-2.3.l

Access Not Successful

Access Not Successful

Success: User E5 did not reauthenticate due to incorrect password. Access was not successful.

B-2.1.m, B-2.2.m, B-2.3.m

Access Not Successful

Access Not Successful

Success: Access was not successful due to failed compliance check.

B-2.1.n, B-2.2.n, B-2.3.n

Access Successful

Access Successful

Success: Compliance check was not needed when accessing this URL by User E4.

B-2.1.o-p, B-2.2.o-p, B-2.3.o-p

Access Not Successful

Access Not Successful

Success: Access was not successful due to failed compliance check of User E5’s device.

B-3.1.a, B-3.4.a

Real Req Success

Real Req Success

Success: Real Request was successfully authenticated. Note: B-3.2, B-3.3, and B-3.5 were not tested due to time constraints. However, the outcomes for these use cases would be the same, as this build leverages credentials and host profile information for verification at the PEP.

B-3.1.b, B-3.4.b

Real Req Fail

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.4.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

With the recommended configuration, if the hostile user possessed both the device and the credentials, the PAN PEPs did not block access, and PAN did not have the ability to limit (rather than deny) access to a resource. In this case, the user with the stolen credentials also needed the PAN GP information to log in to the GP client. If a hostile user had both first- and second-factor authentication credentials, access was successful.

B-3.1.d, B-3.4.d

Real Request Keep Access, Deny Access to Hostile Request

Real Request Keep Access, Deny Access to Hostile Request

Success: Since real request was properly authenticated, this user kept access. There was no access for hostile user due to failed authentication.

B-3.1.e, B-3.4.e

Hostile Request Successful

Hostile Request Successful

Success: Hostile Request was successfully authenticated.

B-3.1.f, B-3.4.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.g, B-3.4.g

Real Request Fail, Hostile Request Access Limited

N/A

As configured, PAN did not stop a user from gaining access if all credentials were correct. See B-3.1.c for capabilities.

B-3.1.h, B-3.4.h

Real Request Fail, Hostile Request remains authenticated

Real Request Fail, Hostile Request remains authenticated

Success: Incorrect credentials were entered, and the Real Request failed as expected. Hostile Request successfully authenticated and access was granted.

B-3.1.i, B-3.4.i

Real Req Success

Real Req Success

Success: Real Request was successfully authenticated. In cases where stolen credentials were reported, updates to configuration to change user credentials denied hostile users.

B-3.1.j, B-3.4.j

Real Request remains authenticated, Hostile Request Fail

Real Request remains authenticated, Hostile Request Fail

Success: Since real request had already been authenticated, request was retained. Hostile request failed authentication and access was not successful.

B-3.1.k, B-3.4.k

Hostile Request Fail

Hostile Request Fail

Success: Incorrect credentials were entered, and the Hostile Request failed as expected. In cases where stolen credentials were reported, updates to configuration to change user credentials denied hostile users.

B-3.1.l, B-3.4.l

Real Request Access Successful

Real Request Access Successful

Success: Real Request was successfully reauthenticated. In cases where stolen credentials were reported, updates to configuration to change user credentials denied hostile users.

B-3.1.m, B-3.4.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Incorrect credentials were entered for reauthentication, and the Hostile Request failed as expected. In cases where stolen credentials were reported, updates to configuration to change user credentials denied hostile users.

B-3.1.n, B-3.4.n

All Sessions Terminated

All Sessions Terminated

Success: In cases where stolen credentials were reported, updates to configuration to deny that connection and change user credentials denied hostile users.

B-3.1.o, B-3.4.o

All Sessions Terminated

All Sessions Terminated

Success: In cases where stolen credentials were reported, updates to configuration to deny that connection and change user credentials denied all users. The real user had to reauthenticate using new credentials.

B-4

All results for B-4 were the same as B-1.

B-5

All results for B-5 were the same as B-2.

B-6

The B-6.1 use case was performed and the results were the same as B-3.1. Other use cases were not performed due to time constraints. The results would be the same as B-6.1 since the build uses user information and host information profiles for verification.

B-7.1.a, b, g, h, m, n, s, t, y, z, ae, af

Success

Partial Success

Partial Success: Just-in-time privileges were granted manually in PAN NGFW and Prisma Access to allow a user to access a resource. Automated just-in-time access was not tested; it would have required integration with other zero trust tools that have the capability to manage user attributes and notify the PAN policy engines.

B-7.c-f, i-l, o-r, aa-ad, ag-aj

Success

N/A

There were no resources deployed in the branch office or at a remote location, and Enterprise 1 did not have a PaaS or SaaS solution. These use cases were not tested, although the results would be expected to match those above because the same policies apply.

B-8

N/A

N/A

PAN solutions did not have the ability to control a resource’s privileges.

C-1.1.a, C-1.2.a, C-1.3.a, C-1.4.a, C-1.5.a, C-1.6.a

Access Successful

Access Successful

Success: Access to resource is granted.

C-1.1.b, C-1.2.b, C-1.3.b, C-1.4.b, C-1.5.b, C-1.6.b, C-6.1.b, C-6.2.b, C-6.3.b, C-6.4.b, C-6.5.b, C-6.6.b

Access Not Successful

Access Not Successful

Success: Endpoint was non-compliant and was denied access to the resource.

C-1.1.c, C-1.4.c, C-2.1.c, C-2.4.c, C-6.1.c, C-6.4.c

N/A

N/A

Use cases were not performed; RSS compliance was not available in Ent1.

C-1.1.d, C-1.4.d, C-2.1.d, C-2.4.d, C-6.1.d, C-6.4.d

Access Not Successful

Partial Success

Partial Success: Policy is enforced and denied a non-compliant endpoint. However, RSS compliance was not available in Ent1.

C-2.1.a, C-2.2.a, C-2.3.a, C-2.4.a, C-2.5.a, C-2.6.a, C-6.1.a, C-6.2.a, C-6.3.a, C-6.4.a, C-6.5.a, C-6.6.a

Limited Access Successful

Limited Access Successful

Success: Federated-ID user has access to certain resources only based on policy.

C-2.1.b, C-2.2.b, C-2.3.b, C-2.4.b, C-2.5.b, C-2.6.b

Access Not Successful

Access Not Successful

Success: Policy is enforced and denied a non-compliant endpoint.

C-3.1.a, C-3.2.a, C-3.3.a, C-5.1.a, C-5.2.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access to this website.

C-3.1.b, C-3.2.b, C-3.3.b, C-5.1.b, C-5.2.b

Access Not Successful

Access Not Successful

Success: Non-compliant endpoint is denied access.

C-3.1.c, C-3.2.c, C-3.3.c, C-5.1.c, C-5.2.c

Access Not Successful

Access Not Successful

Success: Compliant endpoint is denied access due to policy.

C-3.1.d, C-3.2.d, C-3.3.d, C-5.1.d, C-5.2.d

Access Not Successful

Access Not Successful

Success: Endpoint is non-compliant and policy does not allow access to this website.

C-4

Access Not Successful

Access Not Successful

Success: Access to internet resources is denied due to policy.

C-5.3.a, C-5.3.b, C-5.3.c, C-5.3.d

N/A

N/A

When user is remote, results match Ent3 results, as a BYOD device in a remote location does not have Ent1 policies applied.

C-7.1.a, C-7.2.a, C-7.3.a, C-7.4.a, C-7.5.a, C-7.6.a, C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-7.1.b, C-7.2.b, C-7.3.b, C-7.4.b, C-7.5.b, C-7.6.b

Access Not Successful

Access Not Successful

Success: An endpoint that is flagged as stolen is denied access by policy.

C-7.1.c, C-7.2.c, C-7.3.c, C-7.4.c, C-7.5.c, C-7.6.c, C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: A user credential that is flagged as stolen is denied access by policy.

C-7.1.d, C-7.2.d, C-7.3.d, C-7.4.d, C-7.5.d, C-7.6.d

Access Not Successful

Access Not Successful

Success: User credential and endpoint that are flagged as stolen are denied access by policy.

C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: User credential that is flagged as stolen is denied access by policy.

All D Use Cases

All D use cases were the same as B use cases.

E-1.1.a, E-1.2.a

Success

Success

Success: Guest Wi-Fi was provided to the guest user for access to the public resource.

E-1.1.b, E-1.2.b

Success

Success

Success: Guest Wi-Fi was provided to the guest user for access to the public internet.

F-1.1.a, F-1.2.a, F-1.3.a, F-1.4.a, F-1.5.a, F-1.6.a

Success

Success

Success: When PAN GP prompted for reauthentication, if user successfully authenticated, session remained active.

F-1.1.b, F-1.2.b, F-1.3.b, F-1.4.b, F-1.5.b, F-1.6.b

Success

Success

Success: When PAN GP prompted for reauthentication, if authentication failed, user lost access to resources. The PEP denied user access to resources.

F-2

Success

Success

Success: Results were the same as F-1. PAN GP authenticated user and validated device when user logged onto GP client, and it periodically revalidated device and re-authenticated the user based on configuration.

F-3

Success

N/A

Due to time constraints, resource authentication was not implemented.

F-4

Success

Success

Success: Device compliance was checked periodically. If compliance failed, PAN policies denied access to resources.

F-5

Success

Success

Success: Device compliance was checked periodically. If compliance failed, PAN policies denied user access to resources. Once the endpoint was compliant and validated by PAN PE, the PAN PEP allowed access. Note: compliance was checked every five minutes, so access could take up to five minutes after the device became compliant again.
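The following model is an added illustration for the F-4/F-5 rows (five-minute compliance checks) and for the A-2 note that compliance is also re-evaluated when the endpoint's configuration changes. It is not Palo Alto Networks code and calls no PAN-OS API; the interval, the event timeline and the event-driven flag are constructed for the example. It quantifies the readmission delay the F-5 note describes and, as an inference from the same polling cadence, the matching window in which an endpoint that has just fallen out of compliance keeps its access until the next check.

```python
"""Model of periodic device-posture re-evaluation at a PEP.

Added illustration for the F-4/F-5 rows and the A-2 note of this results
table. It is not Palo Alto Networks code; the check interval, the event
timeline and the event-driven recheck flag are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHECK_INTERVAL = 300  # seconds between periodic posture checks (F-5 note)


@dataclass
class PostureEvent:
    at: int                      # seconds after the GP login
    compliant: bool              # endpoint state from this moment on
    config_change: bool = False  # True if the agent reports it as a HIP change


class PostureModel:
    def __init__(self, events: List[PostureEvent], event_driven: bool = False):
        self.events = sorted(events, key=lambda e: e.at)
        self.event_driven = event_driven  # recheck immediately on config_change

    def actual_state(self, t: int) -> bool:
        """True compliance state at t; the endpoint is compliant at login."""
        state = True
        for ev in self.events:
            if ev.at <= t:
                state = ev.compliant
        return state

    def last_check(self, t: int) -> int:
        """Time of the most recent posture check at or before t."""
        last = (t // CHECK_INTERVAL) * CHECK_INTERVAL
        if self.event_driven:
            for ev in self.events:
                if ev.config_change and last < ev.at <= t:
                    last = ev.at
        return last

    def access_allowed(self, t: int) -> bool:
        """What the PEP enforces at t: the state as of the last check."""
        return self.actual_state(self.last_check(t))

    def stale_windows(self, horizon: int) -> List[Tuple[int, int]]:
        """[start, end) intervals where enforcement lags the true state."""
        windows: List[Tuple[int, int]] = []
        start: Optional[int] = None
        for t in range(horizon + 1):
            mismatch = self.access_allowed(t) != self.actual_state(t)
            if mismatch and start is None:
                start = t
            elif not mismatch and start is not None:
                windows.append((start, t))
                start = None
        if start is not None:
            windows.append((start, horizon + 1))
        return windows


def readmission_lag(model: PostureModel, remediated_at: int) -> int:
    """Seconds from remediation until the PEP allows access again (F-5)."""
    t = remediated_at
    while not model.access_allowed(t):
        t += 1
    return t - remediated_at


# Constructed timeline: a HIP failure (e.g. disk encryption reported off)
# 61 s after login, remediated at 400 s.
SAMPLE_EVENTS = [
    PostureEvent(at=61, compliant=False, config_change=True),
    PostureEvent(at=400, compliant=True, config_change=True),
]

if __name__ == "__main__":
    for label, model in (("polling only", PostureModel(SAMPLE_EVENTS)),
                         ("event-driven", PostureModel(SAMPLE_EVENTS, True))):
        print(label, "lag:", readmission_lag(model, 400),
              "stale windows:", model.stale_windows(900))
```

With polling only, the 300-second interval bounds the readmission delay, but it equally bounds how long the endpoint that failed at 61 s keeps access (until the 300 s check). Enabling the configuration-change trigger closes both windows, which is why that A-2 behaviour matters more than the polling cadence.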

F-6, F-7

Success

Success

Success: PAN applied a threshold to file upload or download. If the user exceeded that threshold, that session was terminated. PAN leveraged specific file attributes to flag data usage violations. If a user attempted to download information that was considered in violation of policy, the user lost access to that resource. These policies were applied to both enterprise-owned and BYOD devices accessing data that was on-prem or in the cloud.

F-8, F-9

Success

Success

Success: Dynamic user groups were created and applied to policies to deny the user any access if that user was attempting to access a URL that was in violation of policy. User lost access to the internet once PAN detected a violation.

F-10, F-12

Access Not Successful

Access Not Successful

Success: PAN policies leveraged dynamic user groups to identify a user who was trying to access a resource that was prohibited. Once that action was detected, the user was quarantined. Access to a resource that was previously allowed was then denied.

F-11, F-13

Access Not Successful

Access Not Successful

Success: PAN policies leveraged dynamic user groups to identify a user who was trying to access a resource that was prohibited. Once that action was detected, the user was quarantined. Access to an active session to the resource was denied.
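The detection-to-enforcement loop described in the F-8 to F-13 rows, as an added example that is not Palo Alto Networks code: a policy violation is read from log records, the offending user is tagged into a quarantine dynamic user group, and a policy model then denies that user's new requests (F-10/F-12) and tears down active sessions (F-11/F-13). The log lines are constructed and deliberately simplified (real PAN-OS URL filtering logs carry many more fields); the prohibited categories and the "quarantine" tag name are assumptions; the User-ID registration XML follows the uid-message register-user format as the author understands it and should be confirmed against your PAN-OS version before use.

```python
"""Log-driven quarantine through a dynamic user group (DUG).

Added illustration for the F-8 to F-13 rows; not Palo Alto Networks code.
Log layout, category set, tag name and the policy model are assumptions.
"""
import csv
import io
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

PROHIBITED: Set[str] = {"malware", "command-and-control", "hacking"}  # assumed
QUARANTINE_TAG = "quarantine"  # assumed DUG match tag

# Constructed, simplified URL filtering log (not the real PAN-OS CSV layout).
SAMPLE_LOG = """\
receive_time,src_user,src_ip,url,category,action
2024-05-01 09:12:01,corp\\e4,10.10.1.21,news.example.com/,news,allow
2024-05-01 09:13:45,corp\\e5,10.10.1.33,evil.example.net/c2,command-and-control,block-url
2024-05-01 09:14:02,corp\\e5,10.10.1.33,intranet.example.com/wiki,business,allow
2024-05-01 09:15:10,corp\\e4,10.10.1.21,files.example.com/share,business,allow
"""


def offending_users(log_text: str) -> Dict[str, List[str]]:
    """Users who attempted a prohibited category, with the URLs they hit."""
    hits: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["category"] in PROHIBITED:
            hits.setdefault(row["src_user"], []).append(row["url"])
    return hits


def register_user_payload(users: List[str], tag: str = QUARANTINE_TAG) -> str:
    """Build the User-ID XML that tags users into the DUG (assumed format)."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register-user")
    for user in sorted(users):
        entry = ET.SubElement(reg, "entry", user=user)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")


class PolicyEngine:
    """Minimal model of rules keyed on DUG membership; not a PAN-OS emulator."""

    def __init__(self) -> None:
        self.quarantined: Set[str] = set()
        self.sessions: Dict[str, Set[str]] = {}  # user -> open session ids

    def apply_registration(self, xml_payload: str) -> None:
        """Consume the same XML the firewall would receive."""
        root = ET.fromstring(xml_payload)
        for entry in root.iter("entry"):
            tags = {m.text for m in entry.iter("member")}
            if QUARANTINE_TAG in tags:
                self.quarantined.add(entry.get("user"))

    def open_session(self, user: str, session_id: str) -> bool:
        """F-10/F-12: a new request from a quarantined user is denied."""
        if user in self.quarantined:
            return False
        self.sessions.setdefault(user, set()).add(session_id)
        return True

    def enforce(self) -> Dict[str, Set[str]]:
        """F-11/F-13: tear down the active sessions of quarantined users."""
        torn_down = {u: s for u, s in self.sessions.items() if u in self.quarantined}
        for user in torn_down:
            del self.sessions[user]
        return torn_down


def run(log_text: str = SAMPLE_LOG) -> PolicyEngine:
    """Sessions exist before the violation; the log then drives quarantine."""
    engine = PolicyEngine()
    engine.open_session("corp\\e4", "s1")
    engine.open_session("corp\\e5", "s2")
    hits = offending_users(log_text)
    engine.apply_registration(register_user_payload(list(hits)))
    engine.enforce()
    return engine


if __name__ == "__main__":
    print(register_user_payload(list(offending_users(SAMPLE_LOG))))
    print("quarantined:", run().quarantined)
```

The point worth keeping from the table is that membership in the group, not the individual rule hit, is what the policy keys on: once the tag is registered, every rule referencing the DUG changes its answer for that user, including for sessions established before the violation.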

F-14, F-15, F-16, F-17

N/A

N/A

Due to time constraints, PAN Cortex XDR was not deployed on the endpoints. Although not demonstrated, the PAN PE can receive threat information from Cortex XDR and deploy policies that deny the affected endpoints access to resources.

G-1.1.a

Access Successful

Access Partially Successful

Partial Success: For all service-to-service use cases, policies were created in the PE to allow access by the subject. PAN Cortex XDR was not available to provide endpoint protection and compliance for the server; Cortex XDR can integrate with the PE to provide additional capabilities for access and compliance.

G-1.1.b

Access Not Successful

Access Not Successful

Partial Success: Based on policy, the subject was denied communication with the resource. However, compliance capabilities were not available because Cortex XDR was not deployed to provide them.

G-1.1.c-j

N/A

N/A

Due to time constraints, these use cases were not performed.

G-1.2

N/A

N/A

There were no resources in the branch office. Therefore, these use cases were not performed.

G-2, G-3, G-4

N/A

N/A

Due to time constraints, these use cases were not completed. However, the PAN NGFW within the cloud can enforce policies for the resources.

G-5.1.a-f

Access Successful

Access Successful

Success: Access was successful by applying policy to allow access from service to the endpoint.

G-5.1.g-r

N/A

N/A

Due to time constraints, these use cases were not performed.

H-1.1.a, b, H-1.2.c, H-1.3.e, f, H-1.4.g, H-1.5.i, j, H-1.6.k, H-1.7.m, n, H-1.8.o, H-1.9.q, r, H-1.10.s

Access Successful

Partial Success

Partial Success: For this scenario, PAN PEPs allowed UserA to have full access and UserB access to view certain data. While the PEPs were not able to actively show a redacted version of a file or database result based on user privileges, they were able to inspect a file for a predetermined sensitive data level and block or allow users from accessing the file.

Note: While PAN PE/PEP was able to allow or deny access to specific data or applications within a resource, data classification was out of scope of this project. In order for this use case to be properly demonstrated, data had to be classified. After classification, PAN PE/PEPs were able to develop policies to allow or deny user access to these data classes. This applies to all H use cases. For this reason, all use cases were able to be partially tested with data that represented different classifications.

H-1.2.d, H-1.4.h, H-1.6.l, H-1.8.p, H-1.10.t

Access Not Successful

Partial Success

Partial Success: For this scenario, PAN PEPs were able to deny UserB access. While the PEPs were not able to actively show a redacted version of a file or database result based on user privileges, they were able to inspect a file for a predetermined sensitive data level and block or allow users from accessing the file.

H-2.1.a, H-2.2.c, H-2.3.e, H-2.4.g

Access Successful

Access Successful

Partial Success: PAN PEPs were able to allow or deny users based on the result of HIP checks on the identified endpoints. Users were able to be prevented from accessing specific data within the enterprise based on the results derived from HIP checks.

H-2.1.b, H-2.2.d, H-2.3.f, H-2.4.f

Access Restricted

Access Successful

Partial Success: PAN PEPs were able to restrict users based on the result of HIP checks on the identified endpoints. Users were able to be prevented from accessing specific data within the enterprise based on the results derived from HIP checks.

H-3.1.a, H-3.2.c, H-3.3.e, H-3.4.g, H-3.5.i, H-3.6.k, H-3.7.m, H-3.8.o, H-3.9.q, H-3.10.s, H-3.11.u, H-3.12.w

Internet Access Not Successful

Internet Access Not Successful

Partial Success: A user was able to be placed in a dynamic user group and be denied access to specific Internet sites. If the user attempted to reach a specific internet site, the user was quarantined and denied access to the resource.

H-3.1.b, H-3.2.d, H-3.3.f, H-3.4.h, H-3.5.k, H-3.6.l, H-3.7.n, H-3.8.p, H-3.9.r, H-3.10.t, H-3.11.w, H-3.12.x

Internet Access Successful

Internet Access Successful

Partial Success: A user was able to be placed in a dynamic user group and be denied access to specific Internet sites. If the user attempted to reach a specific internet site, the user was quarantined and denied access to the resource.

H-4.1.a, H-4.2.c, H-4.3.e, H-4.4.g, H-4.5.i, H-4.6.k, H-4.7.m, H-4.8.o, H-4.9.q, H-4.10.s, H-4.11.u, H-4.12.w

Access Not Successful

Access Not Successful

Partial Success: An authentication profile was set up to request MFA when user attempted to access specific data within a resource. If authentication failed, user did not have access to the data.

H-4.1.b, H-4.2.d, H-4.3.f, H-4.4.h, H-4.5.k, H-4.6.l, H-4.7.n, H-4.8.p, H-4.9.r, H-4.10.t, H-4.11.w, H-4.12.x

Access Successful

Access Successful

Partial Success: An authentication profile was set up to request MFA when user attempted to access specific data within a resource. If authentication was successful, user had access to the data.

H-5

Access Successful

Access Successful

Partial Success: Temporary access was granted to user by updating policies with PE and pushed to PEP.

H-6

Operation Successful/Denied

N/A

PAN PEPs were able to allow or deny access to data within a resource. However, they could not control operations on that data, such as allowing or denying write access within a resource.

H-7

Download Successful

N/A

PAN Cortex XDR had the ability to perform this function. Due to time constraints, Cortex XDR was not configured.

Enterprise 2 Build 5 (E2B5) - SDP and SASE - Lookout SSE and Okta Identity Cloud as PEs Detailed Demonstration Results#

Table 9 lists the full results for SDP and SASE demonstrations run in Enterprise 2 Build 5 (E2B5). The technology deployed in E2B5 was able to determine endpoint compliance for Windows, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 9 - Detailed Demonstration Results for E2B5

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1, A-2

N/A

N/A

Components to handle network-level onboarding and authentication were not included in this build.

A-3.1, A-3.2, A-3.5, A-3.6

User request and action is recorded

User request and action is recorded

Success: User request and action are clearly recorded within Lookout SSE.

A-3.3, A-3.4

N/A

N/A

Branch office was not available in Enterprise 2.

B-1.1.a, B-1.3.a, B-1.4.a, B-1.6.a, B-4.1.a, B-4.3.a, B-4.4.a, B-4.6.a, D-1.1.a, D-1.3.a, D-1.4.a, D-1.6.a, D-4.1.a, D-4.3.a, D-4.4.a, D-4.6.a

Access Successful

Access Successful

Success: User successfully authenticated and was granted access to RSS1.

B-1.1.b, B-1.3.b, B-1.4.b, B-1.6.b, B-4.1.b, B-4.3.b, B-4.4.b, B-4.6.b, D-1.1.b, D-1.3.b, D-1.4.b, D-1.6.b, D-4.1.b, D-4.3.b, D-4.4.b, D-4.6.b

Access Successful

Access Successful

Success: User successfully authenticated and was granted access to RSS2.

B-1.1.c, B-1.3.c, B-1.4.c, B-1.6.c, B-4.1.c, B-4.3.c, B-4.4.c, B-4.6.c, D-1.1.c, D-1.3.c, D-1.4.c, D-1.6.c, D-4.1.c, D-4.3.c, D-4.4.c, D-4.6.c

Access Not Successful

Access Not Successful

Success: User failed authentication and was denied access.

B-1.1.d, B-1.3.d, B-1.4.d, B-1.6.d, B-4.1.d, B-4.3.d, B-4.4.d, B-4.6.d, D-1.1.d, D-1.3.d, D-1.4.d, D-1.6.d, D-4.1.d, D-4.3.d, D-4.4.d, D-4.6.d

Access Not Successful

Access Not Successful

Success: User successfully authenticated but was denied access to RSS1 due to policy.

B-1.1.e, B-1.3.e, B-1.4.e, B-1.6.e, B-4.1.e, B-4.3.e, B-4.4.e, B-4.6.e, D-1.1.e, D-1.3.e, D-1.4.e, D-1.6.e, D-4.1.e, D-4.3.e, D-4.4.e, D-4.6.e

Access Successful

Access Successful

Success: User successfully authenticated and was granted access to RSS2.

B-1.1.f, B-1.3.f, B-1.4.f, B-1.6.f, B-4.1.f, B-4.3.f, B-4.4.f, B-4.6.f, D-1.1.f, D-1.3.f, D-1.4.f, D-1.6.f, D-4.1.f, D-4.3.f, D-4.4.f, D-4.6.f

Access Not Successful

Access Not Successful

Success: User failed authentication and was denied access.

B-1.1.g, B-1.3.g, B-1.4.g, B-1.6.g, B-4.1.g, B-4.3.g, B-4.4.g, B-4.6.g, D-1.1.g, D-1.3.g, D-1.4.g, D-1.6.g, D-4.1.g, D-4.3.g, D-4.4.g, D-4.6.g

Access Not Successful

Access Not Successful

Success: User failed authentication and was denied access.

B-1.1.h, B-1.3.h, B-1.4.h, B-1.6.h, B-4.1.h, B-4.3.h, B-4.4.h, B-4.6.h, D-1.1.h, D-1.3.h, D-1.4.h, D-1.6.h, D-4.1.h, D-4.3.h, D-4.4.h, D-4.6.h

Access Successful

Access Successful

Success: User successfully reauthenticated and was granted access to RSS1.

B-1.1.i, B-1.3.i, B-1.4.i, B-1.6.i, B-4.1.i, B-4.3.i, B-4.4.i, B-4.6.i, D-1.1.i, D-1.3.i, D-1.4.i, D-1.6.i, D-4.1.i, D-4.3.i, D-4.4.i, D-4.6.i

Access Not Successful

Access Not Successful

Success: User failed reauthentication and was denied access.

B-1.1.j, B-1.3.j, B-1.4.j, B-1.6.j, B-4.1.j, B-4.3.j, B-4.4.j, B-4.6.j, D-1.1.j, D-1.3.j, D-1.4.j, D-1.6.j, D-4.1.j, D-4.3.j, D-4.4.j, D-4.6.j

Access Not Successful

Access Not Successful

Success: User successfully reauthenticated, but endpoint was noncompliant. User was denied access to RSS1.

B-1.1.k, B-1.3.k, B-1.4.k, B-1.6.k, B-4.1.k, B-4.3.k, B-4.4.k, B-4.6.k, D-1.1.k, D-1.3.k, D-1.4.k, D-1.6.k, D-4.1.k, D-4.3.k, D-4.4.k, D-4.6.k

Access Limited

Access Limited

Success: User successfully reauthenticated, but endpoint was noncompliant. User access was limited, preventing the user from uploading files to or downloading files from RSS2.

B-1.1.l-m, B-1.3.l-m, B-1.4.l-m, B-1.6.l-m, B-4.1.l-m, B-4.3.l-m, B-4.4.l-m, B-4.6.l-m, D-1.1.l-m, D-1.3.l-m, D-1.4.l-m, D-1.6.l-m, D-4.1.l-m, D-4.3.l-m, D-4.4.l-m, D-4.6.l-m

Access Not Successful

Access Not Successful

Success: User successfully reauthenticated, but endpoint was noncompliant. User was denied access to resource.

B-1.1.n-p, B-1.3.n-p, B-1.4.n-p, B-1.6.n-p, B-4.1.n-p, B-4.3.n-p, B-4.4.n-p, B-4.6.n-p, D-1.1.n-p, D-1.3.n-p, D-1.4.n-p, D-1.6.n-p, D-4.1.n-p, D-4.3.n-p, D-4.4.n-p, D-4.6.n-p

N/A

N/A

RSS management and compliance capabilities are not included in this build.

B-1.2, B-1.5, B-2.2, B-3.2, B-3.3, B-4.2, B-4.5, B-5.2, B-6.2, B-6.3, D-1.2, D-1.5, D-2.2, D-3.2, D-3.3, D-4.2, D-4.5, D-5.2, D-6.2, D-6.3

N/A

N/A

Branch office was not available in Enterprise 2.

B-2.1.a-d, B-2.1.g, B-2.1.k, B-2.1.n, B-2.3.a-d, B-2.3.g, B-2.3.k, B-2.3.n, B-5.1.a-d, B-5.1.g, B-5.1.k, B-5.1.n, B-5.3.a-d, B-5.3.g, B-5.3.k, B-5.3.n, D-2.1.a-d, D-2.1.g, D-2.1.k, D-2.1.n, D-2.3.a-d, D-2.3.g, D-2.3.k, D-2.3.n, D-5.1.a-d, D-5.1.g, D-5.1.k, D-5.1.n, D-5.3.a-d, D-5.3.g, D-5.3.k, D-5.3.n

Access Successful

Access Successful

Success: User successfully authenticated/reauthenticated and was allowed access to URL based on policy.

B-2.1.e, B-2.1.j, B-2.1.l, B-2.3.e, B-2.3.j, B-2.3.l, B-5.1.e, B-5.1.j, B-5.1.l, B-5.3.e, B-5.3.j, B-5.3.l, D-2.1.e, D-2.1.j, D-2.1.l, D-2.3.e, D-2.3.j, D-2.3.l, D-5.1.e, D-5.1.j, D-5.1.l, D-5.3.e, D-5.3.j, D-5.3.l

N/A

N/A

Out of scope; the capability to control a user’s internet access while not connected and authenticated to Lookout SSE was not included in this build.

B-2.1.f, B-2.3.f, B-5.1.f, B-5.3.f, D-2.1.f, D-2.3.f, D-5.1.f, D-5.3.f

Access Not Successful

Access Not Successful

Success: User successfully authenticated, but was denied access to URL due to policy.

B-2.1.h-i, B-2.3.h-i, B-5.1.h-i, B-5.3.h-i, D-2.1.h-i, D-2.3.h-i, D-5.1.h-i, D-5.3.h-i

Access Not Successful

Access Not Successful

Success: User successfully authenticated, but was denied access to URL due to being outside of access hours.

B-2.1.m, B-2.1.o-p, B-2.3.m, B-2.3.o-p, B-5.1.m, B-5.1.o-p, B-5.3.m, B-5.3.o-p, D-2.1.m, D-2.1.o-p, D-2.3.m, D-2.3.o-p, D-5.1.m, D-5.1.o-p, D-5.3.m, D-5.3.o-p

Access Not Successful

Access Not Successful

Success: User successfully authenticated, but was denied access to URL due to endpoint noncompliance.

B-3.1.a, B-3.1.i, B-3.1.l, B-3.4.a, B-3.4.i, B-3.4.l, B-3.5.a, B-3.5.i, B-3.5.l, B-6.1.a, B-6.1.i, B-6.1.l, B-6.4.a, B-6.4.i, B-6.4.l, B-6.5.a, B-6.5.i, B-6.5.l, D-3.1.a, D-3.1.i, D-3.1.l, D-3.4.a, D-3.4.i, D-3.4.l, D-3.5.a, D-3.5.i, D-3.5.l, D-6.1.a, D-6.1.i, D-6.1.l, D-6.4.a, D-6.4.i, D-6.4.l, D-6.5.a, D-6.5.i, D-6.5.l

Real Req Success

Real Req Success

Success: Real User successfully authenticated/reauthenticated and was granted access to the resource.

B-3.1.b, B-3.4.b, B-3.5.b, B-6.1.b, B-6.4.b, B-6.5.b, D-3.1.b, D-3.4.b, D-3.5.b, D-6.1.b, D-6.4.b, D-6.5.b

Real Req Not Successful

Real Req Not Successful

Success: Real User failed authentication and was not granted access to the resource.

B-3.1.c, B-3.1.g, B-3.4.c, B-3.4.g, B-3.5.c, B-3.5.g, B-6.1.c, B-6.1.g, B-6.4.c, B-6.4.g, B-6.5.c, B-6.5.g, D-3.1.c, D-3.1.g, D-3.4.c, D-3.4.g, D-3.5.c, D-3.5.g, D-6.1.c, D-6.1.g, D-6.4.c, D-6.4.g, D-6.5.c, D-6.5.g

Change to Access Limited for Real Req, Access Not Successful for Hostile Req

Change to Access Limited for Real Req, Change to Access Limited for Hostile Req

Partial Success: While the capability to differentiate between a Real Request and Hostile Request using the exact same credentials is not present in this build, the presence of multiple concurrent sessions can be used to raise the user’s risk score, triggering policies that can limit or block the user’s access to enterprise resources.
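The risk-score mechanism described in the comment above, as an added example that is not Lookout or Okta code. The session records, the scoring weights and the policy bands are constructed for the example. It models exactly the limitation the row reports: the score is computed per identity, so when a hostile session presents the same credentials as the real one, both sessions receive the same degraded access level; only a credential reset (the B-3 n/o rows) clears the condition.

```python
"""Risk scoring from concurrent sessions on one identity.

Added illustration for the B-3/D-3 partial-success rows; not Lookout or
Okta code. Records, weights and thresholds are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    src_ip: str
    country: str
    start: int           # epoch seconds (constructed)
    end: Optional[int]   # None while the session is still open

    def active_at(self, t: int) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


# Constructed records: the real user logs in, then a second login with the
# same credentials arrives from another country ten minutes later.
SESSIONS = [
    Session("real-1", "alice", "203.0.113.10", "US", 1000, None),
    Session("hostile-1", "alice", "198.51.100.7", "RO", 1600, None),
    Session("bob-1", "bob", "203.0.113.11", "US", 900, None),
]


def concurrent(user: str, t: int, sessions: List[Session]) -> List[Session]:
    return [s for s in sessions if s.user == user and s.active_at(t)]


def risk_score(user: str, t: int, sessions: List[Session]) -> int:
    """Assumed scoring: +30 per extra concurrent session, +20 if more than
    one source country, +10 if more than one source address; capped at 100."""
    active = concurrent(user, t, sessions)
    if len(active) <= 1:
        return 0
    score = 30 * (len(active) - 1)
    if len({s.country for s in active}) > 1:
        score += 20
    if len({s.src_ip for s in active}) > 1:
        score += 10
    return min(score, 100)


def decision(score: int) -> str:
    """Assumed policy bands: below 30 full, 30 to 79 limited, 80 and up block."""
    if score >= 80:
        return "block"
    if score >= 30:
        return "limited"
    return "full"


def evaluate(session_id: str, t: int, sessions: List[Session]) -> str:
    """Access level applied to one session. Every session of the same identity
    gets the same answer because the score is per identity, not per session."""
    s = next(x for x in sessions if x.session_id == session_id)
    return decision(risk_score(s.user, t, sessions))


def revoke_all(user: str, t: int, sessions: List[Session]) -> List[Session]:
    """B-3 n/o rows: credentials reported stolen, every session is terminated."""
    return [replace(s, end=t) if s.user == user and s.active_at(t) else s
            for s in sessions]


if __name__ == "__main__":
    for sid in ("real-1", "hostile-1", "bob-1"):
        print(sid, evaluate(sid, 1700, SESSIONS))
    print("after reset:", concurrent("alice", 2001, revoke_all("alice", 2000, SESSIONS)))
```

A third concurrent login pushes the score into the block band, which is the escalation path a PE can take without ever knowing which session is the hostile one.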

B-3.1.d, B-3.4.d, B-3.5.d, B-6.1.d, B-6.4.d, B-6.5.d, D-3.1.d, D-3.4.d, D-3.5.d, D-6.1.d, D-6.4.d, D-6.5.d

Real Req Keep Access, Hostile Req Not Successful

Real Req Keep Access, Hostile Req Not Successful

Success: Real User retained access, Hostile User failed authentication, and access was denied.

B-3.1.e, B-3.4.e, B-3.5.e, B-6.1.e, B-6.4.e, B-6.5.e, D-3.1.e, D-3.4.e, D-3.5.e, D-6.1.e, D-6.4.e, D-6.5.e

Hostile Req Access Successful

Hostile Req Access Successful

Success: Hostile User successfully authenticated and was granted access to the resource.

B-3.1.f, B-3.4.f, B-3.5.f, B-6.1.f, B-6.4.f, B-6.5.f, D-3.1.f, D-3.4.f, D-3.5.f, D-6.1.f, D-6.4.f, D-6.5.f

Hostile Req Not Successful

Hostile Req Not Successful

Success: Hostile User failed authentication and access was denied.

B-3.1.h, B-3.4.h, B-3.5.h, B-6.1.h, B-6.4.h, B-6.5.h, D-3.1.h, D-3.4.h, D-3.5.h, D-6.1.h, D-6.4.h, D-6.5.h

Real Req Not Successful, Hostile Req Keep Access

Real Req Not Successful, Hostile Req Keep Access

Success: Real User failed authentication and was denied access to the resource. Hostile User retained access.

B-3.1.j, B-3.4.j, B-3.5.j, B-6.1.j, B-6.4.j, B-6.5.j, D-3.1.j, D-3.4.j, D-3.5.j, D-6.1.j, D-6.4.j, D-6.5.j

Real Req Keep Access, Hostile Req Not Successful

Real Req Keep Access, Hostile Req Not Successful

Success: User credentials were reported stolen and new credentials were issued to Real User. Real User retained access, Hostile User failed authentication, and access was denied.

B-3.1.k, B-3.1.m, B-3.4.k, B-3.4.m, B-3.5.k, B-3.5.m, B-6.1.k, B-6.1.m, B-6.4.k, B-6.4.m, B-6.5.k, B-6.5.m, D-3.1.k, D-3.1.m, D-3.4.k, D-3.4.m, D-3.5.k, D-3.5.m, D-6.1.k, D-6.1.m, D-6.4.k, D-6.4.m, D-6.5.k, D-6.5.m

Hostile Req Not Successful

Hostile Req Not Successful

Success: User credentials were reported stolen. Hostile User failed authentication/reauthentication, and access was denied.

B-3.1.n-o, B-3.4.n-o, B-3.5.n-o, B-6.1.n-o, B-6.4.n-o, B-6.5.n-o, D-3.1.n-o, D-3.4.n-o, D-3.5.n-o, D-6.1.n-o, D-6.4.n-o, D-6.5.n-o

All Sessions Terminated

All Sessions Terminated

Success: User credentials were reported stolen. All existing access sessions were terminated.

B-7, D-7

Success

Partial Success

Partial Success: Just-in-time privileges can be granted manually to allow a user to access a resource.

B-8.5.a, B-8.5.b, B-8.5.m, B-8.5.n, D-8.5.a, D-8.5.b, D-8.5.m, D-8.5.n

Session Continues

Session Continues

Success: User was prompted for step-up authentication, and the session continued upon successful authentication.

B-8.5.d, B-8.5.e, B-8.5.p, B-8.5.q, D-8.5.d, D-8.5.e, D-8.5.p, D-8.5.q

Session Terminated

Session Terminated

Success: User was prompted for step-up authentication, and the session was terminated upon failed authentication.

Remaining B-8, D-8 Use Cases

N/A

N/A

Branch Office and PaaS resources were not present in Enterprise 2. Capabilities to perform step-up authentication with on-prem and IaaS resources were not present in this build. Guest scenarios (No-ID) were not able to perform step-up authentication due to lack of user identity/credentials.

All C Use Cases

N/A

N/A

Out of scope for this build. Federation with other Enterprises was not performed.

All E Use Cases

N/A

N/A

Unmanaged/guest device internet traffic capabilities are not included in this build. To control network access for unmanaged/guest devices, network traffic can be forwarded to Lookout SSE for policy enforcement.

F-1.1.a, F-1.3.a, F-1.4.a, F-1.6.a

Session stays active

Session stays active

Success: User successfully reauthenticated, and access was retained.

F-1.1.b, F-1.3.b, F-1.4.b, F-1.6.b

Session will be terminated

Session will be terminated

Success: User failed reauthentication, and access to RSS was denied.

F-2

Success

Success

In this build, user and endpoint authentication are linked. Therefore, results are the same as F-1.

F-3

N/A

N/A

RSS management and compliance capabilities are not included in this build.

F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a

Session stays active

Session stays active

Success: Endpoint remained in compliance, and session stayed active.

F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b

Session will be terminated

Session will be terminated

Success: Endpoint became noncompliant, and access session was terminated.

F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a

Access Not Successful

Access Not Successful

Success: Endpoint remained noncompliant, and access was not successful.

F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b

Access Successful

Access Successful

Success: Endpoint became compliant, and access was successful.

F-1.2, F-2.2, F-4.2, F-5.2

N/A

N/A

Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-prem, or to resources based in the cloud.

F-6, F-7, F-10, F-11, F-12, F-13, F-14, F-15, F-16, F-17

N/A

N/A

The capabilities to demonstrate these scenarios are not included in this build. The individual actions described can be detected and blocked, but an additional SOAR capability would need to be integrated to complete the scenarios.

F-8.1.a, F-8.1.c, F-8.1.d, F-8.1.f, F-8.1.j, F-8.1.l, F-8.2.a, F-8.2.c, F-8.2.d, F-8.2.f, F-8.2.j, F-8.2.l

Access stopped

Access stopped

Success: Lookout SSE’s Adaptive Threshold policy can raise a user’s risk level after a specified number of policy violations. After this occurs, access to the resource is stopped.
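Two results in this table describe the same mechanism from different angles: the B-3/D-3 "c" and "g" cases raise a user's risk score when the same credentials are in use from several concurrent sessions, and the F-8 result above relies on Lookout SSE's Adaptive Threshold policy to raise the risk level after a set number of policy violations, after which access is limited or stopped. The following is an added illustration written for this page, not Okta or Lookout configuration or code. The thresholds, the sliding window, the three risk levels, the event format and the event stream are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy parameters (not from the build): three policy violations
# inside a 10-minute window raise risk to "high"; a second concurrent session
# on a different endpoint with the same credentials raises it to "medium".
VIOLATION_THRESHOLD = 3
VIOLATION_WINDOW_S = 600
CONCURRENT_ENDPOINT_LIMIT = 1

RISK_ORDER = ["low", "medium", "high"]
# Access decision a policy enforcement point would apply per risk level.
RISK_TO_ACCESS = {"low": "allow", "medium": "limited", "high": "block"}


@dataclass
class UserState:
    violations: list = field(default_factory=list)  # timestamps in window
    endpoints: set = field(default_factory=set)     # endpoints with a live session
    risk: str = "low"


class RiskEngine:
    """Tracks per-user risk from session and violation events; risk only
    moves upward here, so an administrator would reset it after review."""

    def __init__(self):
        self.users = defaultdict(UserState)

    def _raise(self, state, level):
        if RISK_ORDER.index(level) > RISK_ORDER.index(state.risk):
            state.risk = level

    def handle(self, event):
        state = self.users[event["user"]]
        now = event["ts"]
        kind = event["type"]
        if kind == "session_start":
            state.endpoints.add(event["endpoint"])
            if len(state.endpoints) > CONCURRENT_ENDPOINT_LIMIT:
                # Same credentials active from more than one endpoint.
                self._raise(state, "medium")
        elif kind == "session_end":
            state.endpoints.discard(event["endpoint"])
        elif kind == "policy_violation":
            # Keep only violations still inside the sliding window.
            state.violations = [t for t in state.violations
                                if now - t < VIOLATION_WINDOW_S]
            state.violations.append(now)
            if len(state.violations) >= VIOLATION_THRESHOLD:
                self._raise(state, "high")
        return self.decision(event["user"])

    def decision(self, user):
        return RISK_TO_ACCESS[self.users[user].risk]


# Constructed event stream: alice's credentials appear on a second endpoint;
# bob trips a DLP rule twice early on, then three times inside one window.
SAMPLE_EVENTS = [
    {"ts": 0,    "user": "alice", "type": "session_start", "endpoint": "laptop-1"},
    {"ts": 30,   "user": "alice", "type": "session_start", "endpoint": "unknown-7"},
    {"ts": 60,   "user": "bob",   "type": "session_start", "endpoint": "laptop-2"},
    {"ts": 100,  "user": "bob",   "type": "policy_violation", "rule": "dlp-ssn"},
    {"ts": 400,  "user": "bob",   "type": "policy_violation", "rule": "dlp-ssn"},
    {"ts": 2000, "user": "bob",   "type": "policy_violation", "rule": "dlp-ssn"},
    {"ts": 2100, "user": "bob",   "type": "policy_violation", "rule": "dlp-ssn"},
    {"ts": 2200, "user": "bob",   "type": "policy_violation", "rule": "dlp-ssn"},
]


def run(events):
    """Feed events in order; return (ts, user, access decision) per event."""
    engine = RiskEngine()
    return [(e["ts"], e["user"], engine.handle(e)) for e in events]


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

The sliding window matters: bob's first two violations age out before the later burst, so only the three violations within one window trigger the block. Risk is deliberately sticky (it never decays on its own), which mirrors the "Partial Success" comment above: the engine cannot tell the real user's session from the hostile one, so the policy constrains the identity as a whole until an administrator intervenes.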

F-8.1.b, F-8.1.e, F-8.1.g, F-8.1.h, F-8.1.i, F-8.1.k, F-8.2.b, F-8.2.e, F-8.2.g, F-8.2.h, F-8.2.i, F-8.2.k

N/A

N/A

Branch office and PaaS resources were not available in Enterprise 2.

F-8.3

N/A

N/A

Since Lookout’s Adaptive Threshold policy is applied to individual user identities, it is not applicable to Guest (No-ID) entities.

F-9

Success

Success

Scenario F-9 results were the same as F-8.

All G Use Cases

N/A

N/A

Service-Service communication capabilities are not included in this build.

H-1.1.a-b, H-1.2.c, H-1.5.i-j, H-1.6.k, H-1.9.q-r, H-1.10.s

Access Successful

Access Successful

Success: User was granted access to data based on policy.

H-1.2.d, H-1.6.l, H-1.10.t

Access Not Successful

Access Not Successful

Success: User was denied access to data based on policy.

H-1.3, H-1.4, H-1.7, H-1.8

N/A

N/A

Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-prem, or to resources based in the cloud.

H-2.1.a, H-2.2.c, H-2.4.g

Access Successful

Access Successful

Success: User was successfully granted access to data based on policy.

H-2.1.b, H-2.2.d, H-2.4.h

Access Restricted

Access Restricted

Success: User access to data was successfully restricted based on policy.

H-2.3

N/A

N/A

PaaS services were not available for testing with Enterprise 2.

H-3

N/A

N/A

Capabilities to demonstrate this scenario are not included in this build.

H-4.4.g, H-4.6.k, H-4.10.s, H-4.12.w

Access Not Successful

Access Not Successful

Success: When user requested high classified data, reauthentication was requested. After reauthentication failed, user access was denied.

H-4.4.h, H-4.6.l, H-4.10.t, H-4.12.x

Access Successful

Access Successful

Success: When user requested high classified data, reauthentication was requested. After reauthentication succeeded, user access was allowed.

H-4.1, H-4.3, H-4.7, H-4.9

N/A

N/A

Capabilities to apply this scenario to on-prem resources were not included in this build.

H-4.2, H-4.5, H-4.8, H-4.11

N/A

N/A

Branch Office was not available for testing with Enterprise 2.

H-5.1.a, H-5.1.b, H-5.2.c, H-5.2.d, H-5.4.g, H-5.4.h

Access Successful

Access Successful

Success: Lookout SSE policy was provisioned to allow the user to temporarily access high-level data via a time-based policy.

H-5.3

N/A

N/A

PaaS services were not available for testing with Enterprise 2.

H-6.1.a-b, H-6.3.e, H-6.4.g, H-6.6.k

Operation Successful

Operation Successful

Success: User successfully performed data operation.

H-6.3.f, H-6.5.j, H-6.6.l

Operation Denied

Operation Denied

Success: Data operation was denied based on endpoint type or subject location.

H-6.2, H-6.5

N/A

N/A

Enterprise 2 does not have a branch location. However, policies can be applied the same way to users if they are on-prem, or to resources based in the cloud.

H-7.1.a-b, H-7.2.c-d, H-7.4.g-h

Download Successful

Download Successful

Success: Upon download, Lookout SSE encrypts high-classified data with a key that is tied to the individual user identity.

H-7.3

N/A

N/A

PaaS services were not available for testing with Enterprise 2.

Enterprise 3 Build 5 (E3B5) - SDP and SASE - Microsoft Entra Conditional Access (formerly called Azure AD Conditional Access) and Microsoft Security Service Edge as PEs Detailed Demonstration Results#

Table 10 lists the full results for SDP and SASE demonstrations run in Enterprise 3 Build 5 (E3B5). The technology deployed in E3B5 was able to determine endpoint compliance for Windows, Linux, macOS, and mobile devices and prevent noncompliant endpoints from accessing private resources.

Table 10 - Detailed Demonstration Results for E3B5

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-d

N/A

N/A

The capability to demonstrate resource access to network was not included in this build.

A-1.1.e

Access to Network

Access to Network

Success: Endpoint had access to network in accordance with SSE policy.

A-1.1.f

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with SSE policy.

A-1.1.g

No Access to Network

No Access to Network

Success: SSE can restrict, deny, or allow access to the network

A-1.1.h

Access to Public Network

N/A

Demonstration could not be completed. By Scenario A-1 definition, an endpoint has already undergone onboarding.

A-1.1.i

Access to Network

Access to Network

Success: BYOD had access to network in accordance with SSE policy.

A-1.1.j

Limited Access to Network

Limited Access to Network

Success: Endpoint had access limited to the local subnet in accordance with SSE policy.

A-1.1.k

No Access to Network

No Access to Network

Success: In the current configuration, the endpoint had access limited to the local subnet in accordance with SSE policy.

A-1.1.l

Access to Public Network

N/A

Demonstration cannot be completed. By Scenario A-1 definition, the BYOD had already undergone onboarding.

A-1.1.m

Access to Public Network

Access to Public Network

Success: The build provides guest devices with access to public network in accordance with local network policy.

A-1.2.a-m

Access to Network

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

A-1.3.a

Access to Network

Access to Network

Success: Endpoint had access to network in accordance with SSE policy.

A-1.3.b

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with SSE policy.

A-1.3.c

No Access to Network

No Access to Network

Success: Endpoint was denied access to the network after failing to authenticate to the SSE. Endpoint access blocked by local network policy.

A-1.3.d

Access to Network

Access to Network

Success: BYOD had access to network in accordance with SSE policy.

A-1.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with SSE policy.

A-1.3.f

No Access to Network

No Access to Network

Success: BYOD was denied access to the network after failing to authenticate to the SSE.

A-1.4.a-g

N/A

N/A

Partial Success: Not able to determine or make decisions based on resource compliance. Using policy engine rules, a user or endpoint could be allowed, denied, or provided with broad or limited access to a set of cloud and on-prem applications.

A-2.1.a

Keep Access to Network

Keep Access to Network

Success: Resource had access to network in accordance with SSE policy.

A-2.1.b

N/A

N/A

The capability to demonstrate resource access to network was not included in this build.

A-2.1.c

N/A

N/A

The capability to demonstrate resource access to network was not included in this build.

A-2.1.d

Keep Access to Network

Keep Access to Network

Success: Endpoint had access to network in accordance with SSE policy.

A-2.1.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with SSE policy.

A-2.1.f

N/A

N/A

The capability to demonstrate resource access to network was not included in this build.

A-2.1.g

Keep Access to Network

Keep Access to Network

Success: BYOD had access to network in accordance with SSE policy.

A-2.1.h

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with SSE policy.

A-2.1.i

Terminate Access to Network

Limit Access to Network

Success: BYOD had access limited to the local subnet in accordance with SSE policy.

A-2.2.a-i

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

A-2.3.a

Keep Access to Network

Keep Access to Network

Success: Endpoint had access to network in accordance with SSE policy.

A-2.3.b

Max. Limited Access to Network

Max. Limited Access to Network

Success: Endpoint had access limited in accordance with SSE policy.

A-2.3.c

Terminate Access to Network

Terminate Access to Network

Success: Endpoint had access terminated after failing to reauthenticate to the SSE.

A-2.3.d

Keep Access to Network

Keep Access to Network

Success: BYOD had access to network in accordance with SSE policy.

A-2.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: BYOD had access limited in accordance with SSE policy.

A-2.3.f

Terminate Access to Network

Terminate Access to Network

Success: BYOD had access terminated after failing to reauthenticate to the SSE.

A-2.4.a-c

N/A

N/A

Demonstration cannot be completed. Build is not able to determine resource compliance.

A-2.4.d

Keep Access to Network

Keep Access to Network

Success: SSE was able to allow and keep access to resources.

A-2.4.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: SSE was able to limit access to IaaS applications.

A-2.4.f

Terminate Access to Network

Terminate Access to Network

Success: SSE and Azure are able to terminate access to IaaS applications.

A-3.1.a

User request and action is recorded

User request is recorded

Success: User activity and transaction flow was logged using Entra ID.

A-3.2.a

User request and action is recorded

User request is recorded

Success: User activity and transaction flow was logged using Entra ID.

A-3.3.a, A-3.4.a

N/A

N/A

Branch office testing is not available for this build.

A-3.5.a, A-3.6.a

User request and action is recorded

User request is recorded

Success: User activity and transaction flow were logged.

A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b

API call is recorded

API call is recorded

Success: Service activity and transaction flow was logged by Entra ID.

B-1.1.a

Access Successful

Access Successful

Success: Users access RSS1 based on EP and RSS compliance with SSE and Entra Conditional Access policy.

B-1.1.b

Access Successful

Access Successful

Success: Users access RSS2 based on the EP and RSS compliance with SSE and Entra Conditional Access policy.

B-1.1.c

Access Not Successful

Access Not Successful

Success: User authentication failure to Entra ID prevents access.

B-1.1.d

Access Not Successful

Access Not Successful

Success: E2 is not authorized to access RSS1 in accordance with SSE and Entra Conditional Access policy.

B-1.1.e

Access Successful

Access Successful

Success: Users access RSS2 based on EP and RSS compliance with SSE and Entra Conditional Access policy.

B-1.1.f, B-1.1.g

Access Not Successful

Access Not Successful

Success: User authentication failure to Entra ID prevents access.

B-1.1.h

Access Successful

Access Successful

Success: Session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated to Entra ID.

B-1.1.i

Access Not Successful

Access Not Successful

Success: Users were prevented from accessing resources after reauthentication failure to Entra ID.

B-1.1.j

Access Not Successful

Access Not Successful

Success: Initial user authentication to Entra ID was successful and user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to re-authenticate to Entra ID.

B-1.1.k

Access Limited

Access Not Successful

Partial Success: Initial user authentication to Entra ID was successful and user was granted access to RSS2. In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to reauthenticate to Entra ID.

B-1.1.l

Access Not Successful

Access Not Successful

Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to authenticate to Entra ID.

B-1.1.m

Access Limited

Access Not Successful

Partial Success: In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to authenticate to Entra ID.

B-1.1.n-p

N/A

N/A

The build did not have the capability to test resource compliance.

B-1.2.a-p

N/A

N/A

Cannot test because there is no branch office in Enterprise 3.

B-1.3.a-p

The results are the same as B-1.1, given that network policies allow the user/device to access the enterprise remotely using a VPN connection. See results from B-1.1.

B-1.4.a

Access Successful

Access Successful

Success: Users access RSS1 based on the EP compliance with SSE and Entra Conditional Access policy.

B-1.4.b

Access Successful

Access Successful

Success: Users access RSS2 based on the EP compliance with SSE and Entra Conditional Access policy.

B-1.4.c

Access Not Successful

Access Not Successful

Success: User authentication failure to Entra ID prevents access.

B-1.4.d

Access Not Successful

Access Not Successful

Success: E2 is not authorized to access RSS1 in accordance with SSE and Entra Conditional Access policy.

B-1.4.e

Access Successful

Access Successful

Success: Users access RSS2 based on the EP and RSS compliance with SSE and Entra Conditional Access policy.

B-1.4.f, B-1.4.g

Access Not Successful

Access Not Successful

Success: User authentication failure to Entra ID prevents access.

B-1.4.h

Access Successful

Access Successful

Success: Session timeout is set to one minute for demonstration purposes. After session timed out, user was reauthenticated to Entra ID.

B-1.4.i

Access Not Successful

Access Not Successful

Success: Users were prevented from accessing resources after reauthentication failure to Entra ID.

B-1.4.j

Access Not Successful

Access Not Successful

Success: Initial user authentication to Entra ID was successful and user was granted access to RSS1. After E1 became noncompliant, user access to RSS1 was blocked in accordance with SSE and Conditional Access policy, and the user was unable to reauthenticate to Entra ID.

B-1.4.k

Access Limited

Access Not Successful

Partial Success: Initial user authentication to Entra ID was successful and user was granted access to RSS2. In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to reauthenticate to Entra ID.

B-1.4.l

Access Not Successful

Access Not Successful

Success: After E1 became noncompliant, user access to RSS1 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to authenticate to Entra ID.

B-1.4.m

Access Limited

Access Not Successful

Partial Success: In this case, changing the user’s access level on RSS2 would require application-level control that is not available at this time. After E1 became noncompliant, user access to RSS2 was blocked in accordance with SSE and Entra Conditional Access policy, and the user was unable to authenticate to Entra ID.

B-1.4.n-p

N/A

N/A

Demonstration cannot be performed as verification of cloud resource compliance is not available at this time.

B-1.5.a-p

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

B-1.6.a-p

In the current implementation, remote users are connected via SSE that routes network traffic to the on-prem environment. All test results are similar to B-1.4.a-p.

B-2.1.a-d, g, n

Access Successful

Access Successful

Success: Access allowed in accordance with Global Secure Access policy.

B-2.1.e, f, l, m, o, p

Access Not Successful

Access Not Successful

Success: Access denied in accordance with Global Secure Access policy.

B-2.2

N/A

N/A

Demonstration cannot be performed as branch office is not available at this time.

B-2.3

In the current implementation, remote users are connected via SSE that routes network traffic to the on-prem environment. All test results are similar to B-2.1.a-p.

B-3.1.a, B-3.4.a, B-3.5.a

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.b, B-3.4.b, B-3.5.b

Real Req Fail

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.4.c, B-3.5.c

Limit Access for Real Request, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.d, B-3.4.d, B-3.5.d

Real Request Keep Access, Deny Access to Hostile Request

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.e, B-3.4.e, B-3.5.e

Hostile Request Successful

Hostile Request Successful

Success: Hostile Request successfully authenticated.

B-3.1.f, B-3.4.f, B-3.5.f

Hostile Request Unsuccessful

Hostile Request Unsuccessful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.g, B-3.4.g, B-3.5.g

Real Request Fail, Hostile Request Access Limited

N/A

Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context.

B-3.1.h, B-3.4.h, B-3.5.h

Real Request Fail, Hostile Request remains authenticated

Real Req Fail, Hostile Req remains authenticated

Success: Real User with incorrect credentials fails authentication while Hostile User with correct credentials successfully authenticates and keeps access to resources.

B-3.1.i, B-3.4.i, B-3.5.i

Real Req Success

Real Req Success

Success: Real Request successfully authenticated.

B-3.1.j, B-3.4.j, B-3.5.j

Real Request remains authenticated, Hostile Request Fail

Real Request remains authenticated, Hostile Request Fail

Success: Entra ID Identity Protection was used to demonstrate limiting and denying access to resources once a user identity risk, such as a compromised password, was detected.

B-3.1.k, B-3.4.k, B-3.5.k

Hostile Request Fail

Hostile Request Fail

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.l, B-3.4.l, B-3.5.l

Real Request Access Successful

Real Request Access Successful

Success: Real Request successfully reauthenticated.

B-3.1.m, B-3.4.m, B-3.5.m

Hostile Request Access Denied

Hostile Request Access Denied

Success: Hostile Request reauthentication fails.

B-3.1.n, B-3.4.n, B-3.5.n

Hostile Request Session Terminated

Hostile Request Session Terminated

Success: Entra ID sessions terminated.

B-3.1.o, B-3.4.o, B-3.5.o

Real Request Session Terminated

Real Request Session Terminated

Success: Entra ID sessions terminated.

B-3.2, B-3.3

N/A

N/A

Branch office is not included in this build; no branch office was configured for Enterprise 3.

B-4

All demonstrations here are the same as B-1 since the device is both authenticated and compliant.

B-5.1.a-d, B-5.3.a-d

Access Successful

Access Successful

Success: Entra SSE has the capability to control access to internet based on user attributes, endpoint compliance, and destination URL.

B-5.1.e, B-5.3.e

Access Not Successful

Access Not Successful

Success: User is blocked from accessing internet URL due to not being properly authenticated.

B-5.1.f, B-5.3.f

Access Not Successful

Access Not Successful

Success: User is blocked from accessing internet URL due to policy.

B-5.1.g, B-5.3.g

Access Successful

Access Successful

Success: Authorized user is allowed access to URL based on policy.

B-5.1.h-i, B-5.3.h-i

N/A

N/A

N/A: Unable to demonstrate scenario because SSE does not currently have the feature to deny based on time of day.

B-5.1.j, B-5.3.j

Access Not Successful

Access Not Successful

Success: User is blocked from accessing internet URL due to not being properly reauthenticated.

B-5.1.k, B-5.3.k

Access Successful

Access Successful

Success: User successfully accesses internet URL after successful reauthentication.

B-5.1.l, B-5.3.l

Access Not Successful

Access Not Successful

Success: User is blocked from accessing internet URL due to failed reauthentication.

B-5.1.m, o, p, B-5.3.m, o, p

Access Not Successful

Access Not Successful

Success: User is blocked based on endpoint compliance.

B-5.1.n, B-5.3.n

Access Successful

Access Successful

Success: User is allowed access to URL2 based on policy.

B-6

All demonstrations here are the same as B-3 since the device is both authenticated and compliant.

B-7.1.a, e, g, i, k, y, ac, ae, ag, ai

Access Not Successful

Access Not Successful

Success: Access privileges are not preset on a resource; the Policy Engine temporarily assigns privileges to an eligible user just before the user is granted access to the resources. Ineligible users are not assigned JIT privileges.

B-7.1.b, f, h, j, l, z, ad, af, ah, aj

Access Successful

Access Successful

Success: Access privileges are not preset on a resource; the Policy Engine temporarily assigns privileges to an eligible user just before the user is granted access to the resources.

B-7.1.c, d, m-x, aa, ab

N/A

N/A

Branch office is not included in this build; no branch office was configured for Enterprise 3.

B-8.1.a-r

N/A

N/A

N/A: Unable to complete demonstration. Current build could not extend step-up authentication capability to third-party on-prem applications or services.

B-8.2.a-r

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.3.a-r

N/A

N/A

N/A: Unable to complete demonstration. Current build could not extend step-up authentication capability to third-party IaaS services.

B-8.4.a-c

Session Continues

Session Continues

Success: Demonstration successful for connections to PaaS service.

B-8.4.d-f

Session Terminates

Session Terminates

Success: Demonstration successful for connections to PaaS service.

B-8.4.g-l

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.4.m-o

Session Continues

Session Continues

Success: Demonstration successful for connections to PaaS service.

B-8.4.p-r

Session Terminated

Session Terminated

Success: Demonstration successful for connections to PaaS service.

B-8.5.a-c

Session Continues

Session Continues

Success: Demonstration successful for connections to SaaS service.

B-8.5.d-f

Session Terminated

Session Terminated

Success: Demonstration successful for connections to SaaS service.

B-8.5.g-l

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

B-8.5.m-o

Session Continues

Session Continues

Success: Demonstration successful for connections to SaaS service.

B-8.5.p-r

Session Terminated

Session Terminated

Success: Demonstration successful for connections to SaaS service.

C-1.1.a, C-1.2.a, C-1.3.a, C-1.4.a, C-1.5.a, C-1.6.a

Access Successful

Access Successful

Success: Access to resource is granted.

C-1.1.b, C-1.2.b, C-1.3.b, C-1.4.b, C-1.5.b, C-1.6.b, C-6.1.b, C-6.2.b, C-6.3.b, C-6.4.b, C-6.5.b, C-6.6.b

Access Not Successful

Access Not Successful

Success: Endpoint was noncompliant and was denied access to the resource.

C-1.1.c, C-1.4.c, C-2.1.c, C-2.4.c, C-6.1.c, C-6.4.c

N/A

N/A

N/A: Use cases were not performed. RSS compliance not available in Ent1.

C-1.1.d, C-1.4.d, C-2.1.d, C-2.4.d, C-6.1.d, C-6.4.d

Access Not Successful

Partial Success

Partial Success: Policy is enforced and denied a noncompliant endpoint. However, RSS compliance not available in Ent1.

C-2.1.a, C-2.2.a, C-2.3.a, C-2.4.a, C-2.5.a, C-2.6.a, C-6.1.a, C-6.2.a, C-6.3.a, C-6.4.a, C-6.5.a, C-6.6.a

Limited Access Successful

Limited Access Successful

Success: Federated-ID user has access to certain resources only based on policy.

C-2.1.b, C-2.2.b, C-2.3.b, C-2.4.b, C-2.5.b, C-2.6.b

Access Not Successful

Access Not Successful

Success: Policy is enforced and denied a non-compliant endpoint.

C-3.1.a, C-3.2.a, C-3.3.a, C-5.1.a, C-5.2.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access to this website.

C-3.1.b, C-3.2.b, C-3.3.b, C-5.1.b, C-5.2.b

Access Not Successful

Access Not Successful

Success: Noncompliant endpoint is denied access.

C-3.1.c, C-3.2.c, C-3.3.c, C-5.1.c, C-5.2.c

Access Not Successful

Access Not Successful

Success: Compliant endpoint is denied access due to policy.

C-3.1.d, C-3.2.d, C-3.3.d, C-5.1.d, C-5.2.d

Access Not Successful

Access Not Successful

Success: Endpoint is noncompliant and policy does not allow access to this website.

C-4

Access Not Successful

Access Not Successful

Success: Access to internet resources is denied due to policy.

C-5.3.a, C-5.3.b, C-5.3.c, C-5.3.d

N/A

N/A

N/A: When user is remote, results match Ent3 results, as a BYOD device in a remote location does not have Ent1 policies applied.

C-7.1.a, C-7.2.a, C-7.3.a, C-7.4.a, C-7.5.a, C-7.6.a, C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-7.1.b, C-7.2.b, C-7.3.b, C-7.4.b, C-7.5.b, C-7.6.b

Access Not Successful

Access Not Successful

Success: An endpoint that is flagged as stolen is denied access by policy.

C-7.1.c, C-7.2.c, C-7.3.c, C-7.4.c, C-7.5.c, C-7.6.c, C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: A user credential that is flagged as stolen is denied access by policy.

C-7.1.d, C-7.2.d, C-7.3.d, C-7.4.d, C-7.5.d, C-7.6.d

Access Not Successful

Access Not Successful

Success: User credential and endpoint that are flagged as stolen are denied access by policy.

C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: User credential that is flagged as stolen is denied access by policy.

All D Use Cases

All demonstrations here are the same as B since the device is both authenticated and compliant. Note that the user is a contractor.

E-1.1.a, b

Access Successful

Access Successful

Success: Guests could access public resources and internet in accordance with local network policy.

E-1.2.a, b

N/A

N/A

Demonstration could not be performed because the branch office was not available at the time.

F-1.1.a, F-1.3.a

Session Stays Active

Session Stays Active

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was only re-established if user reauthentication was successful.

F-1.1.b, F-1.3.b

Session Terminated

Session Terminated

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was not re-established if user reauthentication was unsuccessful.

F-1.2, F-1.5

N/A

N/A

Demonstration could not be performed because the branch office was not available at the time.

F-1.4.a, F-1.6.a

Session Stays Active

Session Stays Active

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was only reestablished if user reauthentication was successful.

F-1.4.b, F-1.6.b

Session Terminated

Session Terminated

Partial Success: A user was logged out after a period of inactivity, triggering a reauthentication prompt for the user. Session was not reestablished if user reauthentication was unsuccessful.

F-2.1.a, F-2.3.a, F-2.4.a, F-2.6.a

N/A

N/A

Demonstration could not be completed. Device reauthentication was not implemented in this build.

F-2.2, F-2.5

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-2.1.b, F-2.3.b, F-2.4.b, F-2.6.b

N/A

N/A

Demonstration could not be completed. Device reauthentication was not implemented in this build.

F-3

N/A

N/A

For this build, resource authentication was not tested.

F-4.1.a, F-4.3.a, F-4.4.a, F-4.6.a

Session Stays Active

Session Stays Active

Success: Requestor was able to continue with already-established sessions with devices that remain compliant.

F-4.1.b, F-4.3.b, F-4.4.b, F-4.6.b

Session Terminated

Session Terminated

Success: While session was not immediately terminated due to compliance checks being done at intervals, continued access to resource was blocked and session was terminated once negative compliance determination was made.

F-4.2.a-b, F-4.5.a-b

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-5.1.a, F-5.3.a, F-5.4.a, F-5.6.a

Access Not Successful

Access Not Successful

Success: Access was denied with requestor’s noncompliant endpoints.

F-5.1.b, F-5.3.b, F-5.4.b, F-5.6.b

Access Successful

Access Successful

Success: Requestors with compliant endpoints were allowed access to resources.

F-5.2, F-5.5

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-6.1.a, c, d, f, g, i, j, l, F-6.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: User session was disconnected once data violation was detected.

F-6.1.b, e, h, k, F-6.2.b, e, h, k

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-7.1.a, c, d, f, g, i, j, l, F-7.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: User session was disconnected once data violation was detected.

F-7.1.b, e, h, k, F-7.2.b, e, h, k

N/A

N/A

Demonstration could not be completed. There was no branch office configured for Enterprise 3.

F-8.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-8.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-8.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-8.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-8.3.a-l

Access Stopped

N/A

Unable to stop resource access on an unmanaged endpoint since the endpoint is guest and doesn’t have any management software.

F-9.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-9.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-9.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Demonstration successful. Resource access blocked.

F-9.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-9.3

N/A

N/A

Unable to stop resource access on an unmanaged endpoint since the endpoint is guest and doesn’t have any management software.

F-10.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. Enterprise user’s access disabled.

F-10.1.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-10.2.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. Enterprise user’s access disabled.

F-10.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-10.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. Enterprise user’s access disabled.

F-10.3.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-11.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. Enterprise user’s active session terminated.

F-11.1.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-11.2.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. Enterprise user’s active session terminated.

F-11.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-11.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. Enterprise user’s active session terminated.

F-11.3.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-12.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. User’s access disabled.

F-12.1.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-12.2.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. User’s access disabled.

F-12.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-12.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Access Not Successful

Access Not Successful

Success: Demonstration successful. User’s access disabled.

F-12.3.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-13.1.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. User’s active session terminated.

F-13.2.e-h, q-t, ac-af, ao-ar

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-13.3.a-d, i-p, u-z, aa, ab, ag-an, as-av

Active Session Terminated

Active Session Terminated

Success: Demonstration successful. User’s active session terminated.

F-14.1.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-14.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-14.2.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-14.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-14.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

F-15.1.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-15.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-15.2.a, c, d, f, g, i, j, l

Access Not Successful

Access Not Successful

Success: Access to resource was denied from endpoints identified as high risk.

F-15.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-15.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

F-16.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-16.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-16.2.a, c, d, f, g, i, j

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-16.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-16.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

F-17.1.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-17.1.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-17.2.a, c, d, f, g, i, j, l

Access Stopped

Access Stopped

Success: Session was terminated from an endpoint with suspicious activity.

F-17.2.b, e, h, k

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

F-17.3

N/A

N/A

Unable to classify an unmanaged endpoint as high risk based on detected suspicious activity, since the endpoint is guest and doesn’t have any management software.

G-1.1

N/A

N/A

Demonstration could not be completed. Chosen on-prem application in the lab does not provide authenticated API access to client applications using access tokens issued by an external authorization server.

G-1.2

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-2.1.a, e

Access Successful

Access Successful

Success: API calls made using the appropriate Azure roles were successfully made to Azure IaaS.

G-2.1.b, f

Access Not Successful

Access Not Successful

Success: API calls from client apps without the right Azure roles were denied.

G-2.1.c, d

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-2.2.a, e

Access Successful

Access Successful

Success: API calls from client apps leveraging Entra ID as authorization server were successfully made to read Entra ID user profiles.

G-2.2.b, f

Access Not Successful

Access Not Successful

Success: API calls to update Entra ID user profiles from client apps without the right permissions were denied.

G-2.2.c, d

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-2.3.a, e

Access Successful

Access Successful

Success: API calls from client apps leveraging Entra ID as authorization server were successfully made to Outlook Online.

G-2.3.b, f

Access Not Successful

Access Not Successful

Success: API calls to Outlook Online from client apps without the correct permissions were denied.

G-2.3.c, d

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-3.1.a, c

Access Successful

Access Successful

Success: API calls from client apps leveraging Entra ID as authorization server and hosted on Azure VMs or Azure Functions were successfully made to manage Entra ID users and VMs.

G-3.1.b, d

Access Not Successful

Access Not Successful

Success: API calls from client apps hosted on Azure VMs or Azure Functions attempting to manage Entra ID users or Azure VMs without authorization were denied access.

G-3.1.e, f

N/A

N/A

For this build, this use case was not tested; if time permits, we can test in the future.

G-3.2.a, c

Access Successful

Access Successful

Success: API calls from client apps leveraging Entra ID as authorization server and hosted on Azure VMs or Azure Functions were successfully made to manage Entra ID users and VMs.

G-3.2.b, d

Access Not Successful

Access Not Successful

Success: API calls from client apps hosted on Azure VMs or Azure Functions attempting to manage Entra ID users or Azure VMs without authorization were denied access.

G-3.2.e

Access Successful

Access Successful

Success: Microsoft Sentinel playbooks were used to make successful API calls to Entra ID.

G-3.2.f

N/A

N/A

For this build, this use case was not tested; if time permits, we can test in the future.

G-3.3.a, c

Access Successful

Access Successful

Success: API calls from client apps leveraging Entra ID as authorization server and hosted on Azure VMs or Azure Functions were successfully made to manage Outlook online mail.

G-3.3.b, d

Access Not Successful

Access Not Successful

Success: API calls from client apps hosted on Azure VMs or Azure Functions attempting to manage mailboxes in Outlook Online without authorization were denied access.

G-3.3.e

Access Successful

Access Successful

Success: Microsoft 365 Defender Portal forwards alerts and incidents to Microsoft Sentinel.

G-3.3.f

Access Not Successful

Access Not Successful

Success: Unauthorized SaaS applications are denied.

G-4

N/A

N/A

N/A: This use case was not tested due to time constraints.

G-5.1.a, c, d, f, m, o, p, r

Access Successful

Access Successful

Success: Microsoft Intune initiates various actions to endpoints.

G-5.1.b, e, n, q

N/A

N/A

Demonstration cannot be completed. There is no branch office configured for Enterprise 3.

G-5.1.g-l

N/A

N/A

In this build, services used to communicate with endpoints are SaaS and not PaaS.

H-1.1.a, H-1.2.c

N/A

N/A

Demonstration could not be completed as relevant access controls implemented were applicable only for SaaS apps and cloud resources.

H-1.1.b, H-1.2.d

N/A

N/A

Demonstration could not be completed as relevant access controls implemented were applicable only for SaaS apps and cloud resources.

H-1.3, H-1.4, H-1.7, H-1.8

N/A

N/A

Demonstration could not be completed as the build does not have a branch office.

H-1.5, H-1.6.a, H-1.9, H-1.10.a

Access Successful

Access Successful

Success: Access controls that allowed or blocked users were placed on data resources in the cloud. Access decisions were made based on level of data classification as well as the groups the users belonged to.

H-1.6.b, H-1.10.b

Access Not Successful

Access Not Successful

Success: Access controls were placed on data resources in the cloud that allowed or blocked users from accessing resources based on level of data classification as well as the groups the users belonged to.

H-2.1.a

N/A

N/A

Demonstration could not be completed. Required access controls applied to cloud resources only.

H-2.1.b

N/A

N/A

Demonstration could not be completed. Required access controls applied to cloud resources only.

H-2.2.a, H-2.3.a, H-2.4.a

Access Successful

Access Successful

Success: Access controls were applied to data in the cloud that allowed or blocked user access based on endpoint compliance. The data was differentiated by using separate directories to store data with differing classifications. Using an out-of-compliance endpoint would prevent access to data of high classification but not data of low classification.

H-2.2.b, H-2.3.b, H-2.4.b

Access Restricted

Access Restricted

Success: Access controls were applied to data in the cloud that allowed or blocked user access based on endpoint compliance. The data was differentiated by using separate directories to store data with differing classifications. Using an out-of-compliance endpoint would prevent access to data of high classification but not data of low classification.

H-3.1-3, H-3.7-9

N/A

N/A

Access controls could only be applied to data resources residing in the cloud and not to data resources on-prem.

H-3.4.g, H-3.6.k, H-3.10.s, H-3.12.w

Internet Access Not Successful

Internet Access Not Successful

Success: The trusted locations feature in Entra Conditional Access was used to define from which locations a user could access data based on its classification. Data was differentiated based on which folder object it resided in.

H-3.4.h, H-3.6.l, H-3.10.t, H-3.12.x

Internet Access Successful

Internet Access Successful

Success: The trusted locations feature in Entra Conditional Access was used to define from which locations a user could access data based on its classification. Data was differentiated based on which folder object it resided in.

H-3.5, H-3.8, H-3.11

N/A

N/A

Demonstration could not be completed as there is no branch office in this build.

H-4.1-3

N/A

N/A

Access controls could only be applied to data resources residing in the cloud and not to data resources on-prem.

H-4.4.g, H-4.6.k, H-4.10.s, H-4.12.w

Access Not Successful

Access Not Successful

Success: The authentication context feature along with Entra Conditional Access was implemented to classify data residing in the cloud and trigger MFA for a user seeking to access a folder object designated as sensitive.

H-4.4.h, H-4.6.l, H-4.10.t, H-4.12.x

Access Successful

Access Successful

Success: The authentication context feature along with Entra Conditional Access was implemented to classify data residing in the cloud and trigger MFA for a user seeking to access a folder object designated as sensitive.

H-4.2, H-4.5, H-4.8, H-4.11

N/A

N/A

Branch offices were not implemented in this build.

H-5.1

N/A

N/A

Build uses Microsoft Entra ID Privileged Identity Management feature, which only applies to cloud resources.

H-5.2, H-5.3, H-5.4

Access Successful

Access Successful

Success: Microsoft Entra ID Privileged Identity Management was used to define which users could request and be temporarily elevated to a privileged role or group allowing them to have JIT access to sensitive data and resources.

H-6.1.a, H-6.4.g, H-6.6.k

Operation Successful

Operation Successful

Success: Access controls were applied in SharePoint that gave the ability to view and download data based on user’s group membership.

H-6.1.b, H-6.4.h, H-6.6.l

Operation Denied

Operation Denied

Success: Access controls were applied in SharePoint that prevented modification and downloading of files based on the user’s group membership.

H-6.2, H-6.5

N/A

N/A

Demonstration could not be completed as there is no branch office in the build.

H-7.1-4

Download Successful

Download Successful

Success: Encryption was applied to data that was downloaded. The data required a password for decryption.
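The G-2.2 and G-2.3 rows above report that Graph API calls succeeded when the client app's Entra ID token carried the right permission and were denied when it did not (reading user profiles allowed, updating them denied; Outlook Online calls denied without the correct permission). The following is an added example, not code from the NIST build or from Microsoft, showing the resource-side check that produces those outcomes: it decodes the token payload, reads app-only permissions from the `roles` claim and delegated permissions from the `scp` claim, and checks audience, expiry, and the permission required for the requested operation. The operation names, the tenant ID, and the sample claims are constructed for this example; the permission names (`User.Read.All`, `User.ReadWrite.All`, `Mail.Read`, `Mail.Send`) are real Microsoft Graph permissions. The token built here is unsigned for offline use only; a real resource server must verify the RS256 signature against the issuer's JWKS before trusting any claim.

```python
import base64
import json
import time

# Audiences Microsoft Graph accepts on an access token (application ID URI and app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Operation -> Microsoft Graph permissions, any one of which is sufficient.
# Operation names are this example's own; permission names are real Graph permissions.
REQUIRED_PERMISSIONS = {
    "read_user_profile": {"User.Read.All", "User.ReadWrite.All", "Directory.Read.All"},
    "update_user_profile": {"User.ReadWrite.All", "Directory.ReadWrite.All"},
    "read_mail": {"Mail.Read", "Mail.ReadWrite"},
    "send_mail": {"Mail.Send"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT checked here; a resource server must verify it against
    the issuer's published JWKS before trusting anything returned by this function.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_permissions(claims: dict) -> set:
    """App-only tokens carry permissions in 'roles' (a list); delegated tokens carry
    them in 'scp' (a space-separated string). Either claim may be absent."""
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def authorize(claims: dict, operation: str, now=None) -> tuple:
    """Decide whether the token may perform `operation`: audience, then expiry,
    then the permission required for the operation. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return False, "token not issued for Microsoft Graph"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    needed = REQUIRED_PERMISSIONS[operation]
    matched = granted_permissions(claims) & needed
    if matched:
        return True, "granted via " + sorted(matched)[0]
    return False, "missing one of " + ", ".join(sorted(needed))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for offline testing only. A real issuer
    never uses alg=none; Entra ID signs access tokens with RS256."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


# Constructed sample: an app-only token holding read-only directory permission.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "exp": 4102444800,  # 2100-01-01, so the sample does not expire during a demo
    "roles": ["User.Read.All"],
}

if __name__ == "__main__":
    claims = decode_claims(make_unsigned_token(SAMPLE_CLAIMS))
    for op in ("read_user_profile", "update_user_profile", "read_mail"):
        print(op, authorize(claims, op))
```

With the sample token, reading a user profile is granted via `User.Read.All`, while updating a profile or reading mail is refused for lack of `User.ReadWrite.All` or `Mail.Read`, which is the behaviour the G-2.2 and G-2.3 rows record. Granting only the narrowest permission that the client's operations need is what makes the denial in the `.b`/`.f` cases possible.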
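The H-1, H-2, H-3, and H-4 rows above describe four signals the build combined to decide access to cloud data: the user's group membership, endpoint compliance, whether the request comes from a Conditional Access trusted location, and whether the authentication context for a sensitive folder has been satisfied by MFA, with classification derived from the folder an object lives in. The following is an added example, not configuration or code from the NIST build or from Microsoft, that encodes those rules as a small policy decision function so the outcomes the table reports can be reproduced offline. Folder names, group names, and the choice to treat medium-classification data like high data for the compliance rule are this example's own assumptions; unknown folders fail closed as high.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Classification derived from the folder an object lives in, as the demonstration did.
# Folder names and levels are this example's own.
FOLDER_CLASSIFICATION = {
    "/data/public": "low",
    "/data/internal": "medium",
    "/data/sensitive": "high",
}

# H-1: which groups may access each classification level (example's own groups).
GROUPS_FOR_LEVEL = {
    "low": {"all-staff", "finance", "security"},
    "medium": {"finance", "security"},
    "high": {"security"},
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_compliant: bool   # H-2: endpoint compliance signal
    location_trusted: bool   # H-3: request originates from a trusted location
    mfa_satisfied: bool      # H-4: authentication context already met by MFA
    path: str


def classify(path: str) -> str:
    """Map an object path to a classification; unknown locations fail closed as 'high'."""
    p = PurePosixPath(path)
    for folder, level in FOLDER_CLASSIFICATION.items():
        f = PurePosixPath(folder)
        if p == f or f in p.parents:
            return level
    return "high"


def evaluate(req: Request) -> tuple:
    """Return ('allow' | 'deny' | 'mfa_required', reason).

    Rules are applied in a fixed order so the reason for a denial is deterministic:
    group authorization, then location, then endpoint compliance, then MFA.
    """
    level = classify(req.path)
    if not (req.groups & GROUPS_FOR_LEVEL[level]):
        return "deny", "no group authorized for " + level + " data"
    if level == "high" and not req.location_trusted:
        return "deny", "high-classification data only from trusted locations"
    if level != "low" and not req.device_compliant:
        return "deny", "noncompliant endpoint may not access " + level + " data"
    if level == "high" and not req.mfa_satisfied:
        return "mfa_required", "authentication context for sensitive folder requires MFA"
    return "allow", level + " data, all conditions met"


# Constructed sample requests mirroring the H-1, H-2, H-3 and H-4 outcomes.
SAMPLES = {
    "H-1 authorized group": Request("alice", frozenset({"security"}), True, True, True,
                                    "/data/sensitive/report.docx"),
    "H-1 wrong group": Request("bob", frozenset({"finance"}), True, True, True,
                               "/data/sensitive/report.docx"),
    "H-2 noncompliant, high": Request("alice", frozenset({"security"}), False, True, True,
                                      "/data/sensitive/report.docx"),
    "H-2 noncompliant, low": Request("carol", frozenset({"all-staff"}), False, True, False,
                                     "/data/public/handbook.pdf"),
    "H-3 untrusted location": Request("alice", frozenset({"security"}), True, False, True,
                                      "/data/sensitive/report.docx"),
    "H-4 no MFA yet": Request("alice", frozenset({"security"}), True, True, False,
                              "/data/sensitive/report.docx"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, "->", evaluate(req))
```

The two H-2 samples show the asymmetry the table describes: a noncompliant endpoint is refused the high-classification folder but still reaches the low-classification one. The H-4 sample returns `mfa_required` rather than a flat deny, matching the authentication-context behaviour in which the user is prompted for MFA instead of being turned away.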

Enterprise 1 Build 6 (E1B6) - SDP and Microsegmentation - Ivanti Neurons for Zero Trust Access as PEs Detailed Demonstration Results#

Table 12 lists the full results for SDP and microsegmentation demonstrations run in Enterprise 1 Build 6 (E1B6). The technology deployed in E1B6 was able to determine endpoint compliance for Windows, Linux, and macOS and prevent noncompliant endpoints from accessing private resources.

Table 12 - Detailed Demonstration Results for E1B6

Demo ID

Expected Outcome

Observed Outcome

Comments

A-1.1.a-d, A-1.4.a-d, A-2.1.a-c, A-2.4.a-c, A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b

N/A

N/A

N/A: This build does not have resource authentication as Ivanti Policy Secure (IPS) was not available due to time constraints. Other solutions can be leveraged to perform this function.

A-1.1.e, A-1.1.i, A-1.4.e

Access to Network

Access to Network

Success: Once a device is onboarded and Ivanti Secure Access client is installed, a user’s login and compliance will be validated. Once compliance is checked, the user will have access to the network based on policy.

A-1.1.f, A-1.1.j, A-1.4.f

Max. Limited Access to Network

Max. Limited Access to Network

Success: If compliance fails, the user will have limited access to the network based on policy.

A-1.1.g, A-1.1.k, A-1.4.g

No Access to Network

No Access to Network

Success: If authentication is unsuccessful, there is no access to resources.

A-1.1.h, A-1.1.l, A-1.1.m

N/A

N/A

N/A: Prior to onboarding, the endpoint is subject to the enterprise’s network setup.

A-1.2, A-2.2

Success

Success

Success: Branch office use cases are the same as on-prem use cases in A-1.1.

A-1.3.a, A-1.3.d

Access to Network

Access to Network

Success: Once a device is onboarded and the Ivanti client is installed, a user’s login and compliance will be validated. Once compliance is checked, the user will have access to the network based on policy.

A-1.3.b, A-1.3.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: If compliance fails, the user will have limited access to the network based on policy.

A-1.3.c, A-1.3.f

No Access to Network

No Access to Network

Success: If authentication is unsuccessful, there is no access to resources.

A-2.1.d, A-2.1.g, A-2.3.a, A-2.3.d, A-2.4.d

Keep Access to Network

Keep Access to Network

Success: Once reauthentication is completed, access to network will be available.

A-2.1.e, A-2.1.h, A-2.3.b, A-2.3.e, A-2.4.e

Max. Limited Access to Network

Max. Limited Access to Network

Success: After reauthentication, user will be denied access to resources that require compliance.

A-2.1.f, A-2.1.i, A-2.3.c, A-2.3.f, A-2.4.f

Terminate Access to Network

Terminate Access to Network

Success: If authentication is unsuccessful, there is no access to resources.

A-3.1.a, A-3.2.a, A-3.3.a, A-3.4.a, A-3.5.a, A-3.6.a

User request and action is recorded

User request and action is recorded

Success: Logs are recorded by Ivanti nZTA.

A-3.1.b, A-3.2.b, A-3.3.b, A-3.4.b, A-3.5.b, A-3.6.b

N/A

N/A

N/A: RSS information is not recorded by Ivanti nZTA.

B-1.1.a, B-1.2.a, B-1.3.a, B-1.4.a, B-1.6.a, B-4.1.a, B-4.3.a, B-4.4.a, B-4.6.a, D-1.1.a, D-1.3.a, D-1.4.a, D-1.6.a, D-4.1.a, D-4.3.a, D-4.4.a, D-4.6.a

Access Successful

Access Successful

Success: For Windows, Linux, and macOS endpoints, user access to resource RSS1 was successful, with user and endpoint passing authN/authZ and compliance. Note: For all B-1 use cases, it does not matter where the user’s device resides; Ivanti nZTA policies dictate what resources a user can access. In our use cases, user devices will function the same way on-prem, at a branch office, or at a remote site.

B-1.1.b, B-1.2.b, B-1.3.b, B-1.4.b, B-1.6.b, B-4.1.b, B-4.3.b, B-4.4.b, B-4.6.b, D-1.1.b, D-1.3.b, D-1.4.b, D-1.6.b, D-4.1.b, D-4.3.b, D-4.4.b, D-4.6.b

Access Successful

Access Successful

Success: For Windows, Linux, and macOS endpoints, user access to resource RSS2 was successful, with user and endpoint passing authN/authZ and compliance. Note: For all B-1 use cases, it does not matter where the user’s device resides; Ivanti nZTA policies dictate what resources a user can access. In our use cases, user devices will function the same way on-prem, at a branch office, or at a remote site.

B-1.1.c, B-1.2.c, B-1.3.c, B-1.4.c, B-1.6.c, B-4.1.c, B-4.3.c, B-4.4.c, B-4.6.c, D-1.1.c, D-1.3.c, D-1.4.c, D-1.6.c, D-4.1.c, D-4.3.c, D-4.4.c, D-4.6.c

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to Ivanti client due to a failed authentication.

B-1.1.d, B-1.2.d, B-1.3.d, B-1.4.d, B-1.6.d, B-4.1.d, B-4.3.d, B-4.4.d, B-4.6.d, D-1.1.d, D-1.3.d, D-1.4.d, D-1.6.d, D-4.1.d, D-4.3.d, D-4.4.d, D-4.6.d

Access Not Successful

Access Not Successful

Success: User does not have permission to access resources based on policy. Therefore, when user tries to access the resource, the connection is denied.

B-1.1.e, B-1.2.e, B-1.3.e, B-1.4.e, B-1.6.e, B-4.1.e, B-4.3.e, B-4.4.e, B-4.6.e, D-1.1.e, D-1.3.e, D-1.4.e, D-1.6.e, D-4.1.e, D-4.3.e, D-4.4.e, D-4.6.e

Access Successful

Access Successful

Success: User is able to access the resource based on policy.

B-1.1.f, B-1.2.f, B-1.3.f, B-1.4.f, B-1.6.f, B-4.1.f, B-4.3.f, B-4.4.f, B-4.6.f, D-1.1.f, D-1.3.f, D-1.4.f, D-1.6.f, D-4.1.f, D-4.3.f, D-4.4.f, D-4.6.f

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to Ivanti client due to a failed authentication. User does not have access to resources.

B-1.1.g, B-1.2.g, B-1.3.g, B-1.4.g, B-1.6.g, B-4.1.g, B-4.3.g, B-4.4.g, B-4.6.g, D-1.1.g, D-1.3.g, D-1.4.g, D-1.6.g, D-4.1.g, D-4.3.g, D-4.4.g, D-4.6.g

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to Ivanti client due to a failed authentication.

B-1.1.h, B-1.2.h, B-1.3.h, B-1.4.h, B-1.6.h, B-4.1.h, B-4.3.h, B-4.4.h, B-4.6.h, D-1.1.h, D-1.3.h, D-1.4.h, D-1.6.h, D-4.1.h, D-4.3.h, D-4.4.h, D-4.6.h

Access Successful

Access Successful

Success: For Windows endpoint, user access to resource RSS1 was successful after reauthentication.

B-1.1.i, B-1.2.i, B-1.3.i, B-1.4.i, B-1.6.i, B-4.1.i, B-4.3.i, B-4.4.i, B-4.6.i, D-1.1.i, D-1.3.i, D-1.4.i, D-1.6.i, D-4.1.i, D-4.3.i, D-4.4.i, D-4.6.i

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to Ivanti client due to a failed authentication. User does not have access to resources.

B-1.1.j, B-1.2.j, B-1.3.j, B-1.4.j, B-1.6.j, B-4.1.j, B-4.3.j, B-4.4.j, B-4.6.j, D-1.1.j, D-1.3.j, D-1.4.j, D-1.6.j, D-4.1.j, D-4.3.j, D-4.4.j, D-4.6.j

Access Not Successful

Access Not Successful

Success: Demonstration completed with user not able to log in to Ivanti client due to a failed authentication. User does not have access to resources.

B-1.1.k, B-1.2.k, B-1.3.k, B-1.4.k, B-1.6.k, B-4.1.k, B-4.3.k, B-4.4.k, B-4.6.k, D-1.1.k, D-1.3.k, D-1.4.k, D-1.6.k, D-4.1.k, D-4.3.k, D-4.4.k, D-4.6.k

Access Limited

Access Denied

Partial Success: Ivanti does not have the ability to provide limited access. The application will need to be configured separately to allow limited access.

B-1.1.l-m, B-1.2.l-m, B-1.3.l-m, B-1.4.l-m, B-1.6.l-m, B-4.1.l-m, B-4.3.l-m, B-4.4.l-m, B-4.6.l-m, D-1.1.l-m, D-1.3.l-m, D-1.4.l-m, D-1.6.l-m, D-4.1.l-m, D-4.3.l-m, D-4.4.l-m, D-4.6.l-m

Access Not Successful

Access Denied

Success: User was denied access because the endpoint was noncompliant. Device posture failure detected. Currently cannot perform limited access.

B-1.1.n-p, B-1.2.n-p, B-1.3.n-p, B-1.4.n-p, B-1.6.n-p, B-4.1.n-p, B-4.3.n-p, B-4.4.n-p, B-4.6.n-p, D-1.1.n-p, D-1.3.n-p, D-1.4.n-p, D-1.6.n-p, D-4.1.n-p, D-4.3.n-p, D-4.4.n-p, D-4.6.n-p

N/A

N/A

N/A: Resource compliance is not available for this build. However, if user does not have a policy to access the resource, the endpoint will be denied access regardless of the resource’s compliance state.

B-1.5, B-2.2, B-3.2, B-3.3, B-4.2, B-4.5, B-5.2, B-6.2, B-6.3, D-1.2, D-1.5, D-2.2, D-3.2, D-3.3, D-4.2, D-4.5, D-5.2, D-6.2, D-6.3

Success

Success

Success: The results of all branch office use cases are the same as on-prem use cases.

B-2, B-5

N/A

N/A

N/A: The Ivanti solution in this build does not support policies applied to users and devices accessing the internet. Ivanti partners with another vendor to manage user access to the internet.

B-3.1.a, B-3.1.i, B-3.1.l, B-3.4.a, B-3.4.i, B-3.4.l, B-3.5.a, B-3.5.i, B-3.5.l, B-6.1.a, B-6.1.i, B-6.1.l, B-6.4.a, B-6.4.i, B-6.4.l, B-6.5.a, B-6.5.i, B-6.5.l, D-3.1.a, D-3.1.i, D-3.1.l, D-3.4.a, D-3.4.i, D-3.4.l, D-3.5.a, D-3.5.i, D-3.5.l, D-6.1.a, D-6.1.i, D-6.1.l, D-6.4.a, D-6.4.i, D-6.4.l, D-6.5.a, D-6.5.i, D-6.5.l

Real Req Success

Access Successful

Success: Real Request successfully authenticated.

B-3.1.b, B-3.4.b, B-3.5.b, B-6.1.b, B-6.4.b, B-6.5.b, D-3.1.b, D-3.4.b, D-3.5.b, D-6.1.b, D-6.4.b, D-6.5.b

Real Req Not Successful

Real Req Fail

Success: Incorrect credentials were entered, and the Real Request failed as expected.

B-3.1.c, B-3.1.g, B-3.4.c, B-3.4.g, B-3.5.c, B-3.5.g, B-6.1.c, B-6.1.g, B-6.4.c, B-6.4.g, B-6.5.c, B-6.5.g, D-3.1.c, D-3.1.g, D-3.4.c, D-3.4.g, D-3.5.c, D-3.5.g, D-6.1.c, D-6.1.g, D-6.4.c, D-6.4.g, D-6.5.c, D-6.5.g

N/A

N/A

N/A: Unable to complete demonstration. Current build does not have the capability to differentiate between the Real Request and Hostile Request in this context. Note: nZTA can limit the number of concurrent logins from a single user, the number of allowed devices per user, and connections using IP-based geolocation. GeoIP accuracy may be reduced on WiFi and mobile networks.

B-3.1.d, B-3.4.d, B-3.5.d, B-6.1.d, B-6.4.d, B-6.5.d, D-3.1.d, D-3.4.d, D-3.5.d, D-6.1.d, D-6.4.d, D-6.5.d

Real Req Keep Access, Hostile Req Not Successful

Real Request Keep Access, Deny Access to Hostile Request

Success: Existing access is maintained. The hostile user failed authentication; there is no access.

B-3.1.e, B-3.4.e, B-3.5.e, B-6.1.e, B-6.4.e, B-6.5.e, D-3.1.e, D-3.4.e, D-3.5.e, D-6.1.e, D-6.4.e, D-6.5.e

Hostile Req Access Successful

Hostile Request Successful

Success: Hostile Request successfully authenticated.

B-3.1.f, B-3.4.f, B-3.5.f, B-6.1.f, B-6.4.f, B-6.5.f, D-3.1.f, D-3.4.f, D-3.5.f, D-6.1.f, D-6.4.f, D-6.5.f

Hostile Req Not Successful

Hostile Req Not Successful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected.

B-3.1.h, B-3.4.h, B-3.5.h, B-6.1.h, B-6.4.h, B-6.5.h, D-3.1.h, D-3.4.h, D-3.5.h, D-6.1.h, D-6.4.h, D-6.5.h

Real Req Not Successful, Hostile Req Keep Access

Real Req Not Successful, Hostile Req Keep Access

Success: Existing access is maintained, and unsuccessful authentication is blocked.

B-3.1.i, B-3.4.i, B-3.5.i

Real Req Success

Real Req Success

Success: Real Request successfully authenticated. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.j, B-3.4.j, B-3.5.j, B-6.1.j, B-6.4.j, B-6.5.j, D-3.1.j, D-3.4.j, D-3.5.j, D-6.1.j, D-6.4.j, D-6.5.j

Real Req Keep Access, Hostile Req Not Successful

Real Req Keep Access, Hostile Req Not Successful

Success: Real Request successfully authenticated. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.k, B-3.1.m, B-3.4.k, B-3.4.m, B-3.5.k, B-3.5.m, B-6.1.k, B-6.1.m, B-6.4.k, B-6.4.m, B-6.5.k, B-6.5.m, D-3.1.k, D-3.1.m, D-3.4.k, D-3.4.m, D-3.5.k, D-3.5.m, D-6.1.k, D-6.1.m, D-6.4.k, D-6.4.m, D-6.5.k, D-6.5.m

Hostile Req Not Successful

Hostile Req Not Successful

Success: Incorrect credentials were entered, and the Hostile Request failed as expected. In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-3.1.n-o, B-3.4.n-o, B-3.5.n-o, B-6.1.n-o, B-6.4.n-o, B-6.5.n-o, D-3.1.n-o, D-3.4.n-o, D-3.5.n-o, D-6.1.n-o, D-6.4.n-o, D-6.5.n-o

All Sessions Terminated

All Sessions Terminated

Success: In cases where stolen credentials are reported, updates to configuration to change user credentials will deny hostile users.

B-7, D-7

Success

Partial Success

Partial Success: JIT privileges can be manually completed in Ivanti nZTA to allow a user to access a resource. However, JIT access privileges with automation are not tested and require integration with other zero trust tools which have the capabilities to manage user attributes and notify the nZTA system.

B-8, D-8

Success

Partial Success

Partial Success: User was prompted for step-up authentication, and access was granted upon successful authentication. Note: resource compliance is not available for this build.

C-1.1.a, C-1.2.a, C-1.3.a, C-1.4.a, C-1.5.a, C-1.6.a

Access Successful

Access Successful

Success: Access to resource is granted.

C-1.1.b, C-1.2.b, C-1.3.b, C-1.4.b, C-1.5.b, C-1.6.b, C-6.1.b, C-6.2.b, C-6.3.b, C-6.4.b, C-6.5.b, C-6.6.b

Access Not Successful

Access Not Successful

Success: Endpoint was noncompliant and was denied access to the resource.

C-1.1.c, C-1.4.c, C-2.1.c, C-2.4.c, C-6.1.c, C-6.4.c

N/A

N/A

N/A: Use cases were not performed. RSS compliance not available in Ent1.

C-1.1.d, C-1.4.d, C-2.1.d, C-2.4.d, C-6.1.d, C-6.4.d

Access Not Successful

Partial Success

Partial Success: Policy is enforced and denied a non-compliant endpoint. However, RSS compliance not available in Ent1.

C-2.1.a, C-2.2.a, C-2.3.a, C-2.4.a, C-2.5.a, C-2.6.a, C-6.1.a, C-6.2.a, C-6.3.a, C-6.4.a, C-6.5.a, C-6.6.a

Limited Access Successful

Limited Access Successful

Success: Federated-ID user has access to certain resources only based on policy.

C-2.1.b, C-2.2.b, C-2.3.b, C-2.4.b, C-2.5.b, C-2.6.b

Access Not Successful

Access Not Successful

Success: Policy is enforced and denies the noncompliant endpoint.

C-3.1.a, C-3.2.a, C-3.3.a, C-5.1.a, C-5.2.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access to this website.

C-3.1.b, C-3.2.b, C-3.3.b, C-5.1.b, C-5.2.b

Access Not Successful

Access Not Successful

Success: The noncompliant endpoint is denied access.

C-3.1.c, C-3.2.c, C-3.3.c, C-5.1.c, C-5.2.c

Access Not Successful

Access Not Successful

Success: The compliant endpoint is denied access due to policy.

C-3.1.d, C-3.2.d, C-3.3.d, C-5.1.d, C-5.2.d

Access Not Successful

Access Not Successful

Success: The endpoint is noncompliant, and policy does not allow access to this website.

C-4

Access Not Successful

Access Not Successful

Success: Access to internet resources is denied due to policy.

C-5.3.a, C-5.3.b, C-5.3.c, C-5.3.d

N/A

N/A

N/A: When the user is remote, results match the Ent3 results, because a BYOD device in a remote location does not have Ent1 policies applied.

C-7.1.a, C-7.2.a, C-7.3.a, C-7.4.a, C-7.5.a, C-7.6.a, C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-7.1.b, C-7.2.b, C-7.3.b, C-7.4.b, C-7.5.b, C-7.6.b

Access Not Successful

Access Not Successful

Success: An endpoint that is flagged as stolen is denied access by policy.

C-7.1.c, C-7.2.c, C-7.3.c, C-7.4.c, C-7.5.c, C-7.6.c, C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: A user credential that is flagged as stolen is denied access by policy.

C-7.1.d, C-7.2.d, C-7.3.d, C-7.4.d, C-7.5.d, C-7.6.d

Access Not Successful

Access Not Successful

Success: A user credential and an endpoint that are flagged as stolen are denied access by policy.

C-8.1.a, C-8.2.a, C-8.3.a, C-8.4.a, C-8.5.a, C-8.6.a

Access Successful

Access Successful

Success: Compliant endpoint and user are allowed access.

C-8.1.b, C-8.2.b, C-8.3.b, C-8.4.b, C-8.5.b, C-8.6.b

Access Not Successful

Access Not Successful

Success: A user credential that is flagged as stolen is denied access by policy.

All E Use Cases

N/A

N/A

N/A: Ivanti considers this out of scope for their products. Other technologies should be used to perform this.

F-1.1.a, F-1.2.a, F-1.3.a, F-1.4.a, F-1.5.a, F-1.6.a

Session stays active

Session stays active

Success: If the user successfully authenticates, the session remains active. If authentication fails, the user loses access to resources.

F-1.1.b, F-1.2.b, F-1.3.b, F-1.4.b, F-1.5.b, F-1.6.b

Session will be terminated

Session is terminated

Success: If authentication fails, the user loses access to resources. The Ivanti client shows the failed authentication, and no resources appear in the client GUI.

F-2.1.a, F-2.2.a, F-2.3.a, F-2.4.a, F-2.5.a, F-2.6.a

Success

Success

Success: With a successful reauthentication, the user retains access to the resource.

F-2.1.b, F-2.2.b, F-2.3.b, F-2.4.b, F-2.5.b, F-2.6.b

Session is terminated

Session is terminated

Success: Reauthentication fails, and the user loses tunnel connectivity to the gateway. The session is terminated.

F-3

N/A

N/A

N/A: This build does not include resource authentication because the product was not available due to time constraints. Other technologies can be used to perform this.

F-4.1.a, F-4.2.a, F-4.3.a, F-4.4.a, F-4.5.a, F-4.6.a

Session stays active

Session stays active

Success: Updates to compliance are made when the endpoint device posture changes.

F-4.1.b, F-4.2.b, F-4.3.b, F-4.4.b, F-4.5.b, F-4.6.b

Session is terminated

Session is terminated

Success: Updates to compliance are made when the endpoint device posture changes. Once the device fails compliance, the nZTA client removes access to resources.

F-5.1.a, F-5.2.a, F-5.3.a, F-5.4.a, F-5.5.a, F-5.6.a

Access Not Successful

Access Not Successful

Success: When compliance fails, the user does not have access to resources.

F-5.1.b, F-5.2.b, F-5.3.b, F-5.4.b, F-5.5.b, F-5.6.b

Access Successful

Access Successful

Success: Updates to compliance are made when the endpoint device posture changes. Once the device is compliant, the nZTA client provides access to resources.

F-6, F-7, F-8, F-9

N/A

N/A

N/A: Data use policy capabilities are not included in this build. Ivanti does not have this capability. Integration with other vendors is necessary.

F-10, F-12

N/A

N/A

N/A: Ivanti nZTA policies dictate whether a user has access to a resource. If there is no policy allowing a user to access a resource and the user attempts to reach it, the attempt either cannot leave the end device or is denied by the nZTA Gateway: if there is no route to the resource, the request never leaves the endpoint. For example, if a policy allows access to a resource via HTTPS only and the user tries to SSH to that resource, the gateway denies the SSH connection.

F-11, F-13

N/A

N/A

N/A: Ivanti does not manage access to internet sites. Other tools are needed to integrate with Ivanti to manage access to the internet.

F-14, F-15, F-16, F-17

N/A

N/A

N/A: Ivanti does not allow any traffic past the nZTA Gateway if there is no policy to allow that specific access from the nZTA client. Logs of these attempts are provided to the SIEM.

All G Use Cases

N/A

N/A

N/A: Service-to-service communication capabilities are not included in this build. Ivanti does not have this capability.

All H Use Cases

N/A

N/A

N/A: Data-level security capabilities are not included in this build. Ivanti does not have this capability. Integration with other vendors is necessary.