Continuous Monitoring
Zero Trust Architecture (ZTA) is not a standard but a security model, or paradigm, best described in NIST SP 800-207. It represents a shift in cybersecurity strategy toward the principle of "never trust, always verify": a set of guiding principles and practices that enhance security by continuously validating every access request, regardless of whether it originates inside or outside the network perimeter.
NIST SP 800-207 serves as a comprehensive framework that outlines these principles and gives guidance on implementing Zero Trust in a range of environments. From it follows the concept of ‘continuous monitoring’, which NIST applies to users, applications, and devices.
Applied to the user, the suggestion and intent is that the authenticated session deserves as much security attention as the authentication ceremony that brings it into existence. This gives rise to the concept of ‘continuous authentication monitoring’: verifying throughout the authenticated session that the authenticated user is still present and actively engaged in it. Should that not be the case, remedial action should be taken to protect the resources the session grants access to.
ZTA continues to evolve. As of January 2025, most government agencies and many large enterprises have implemented, or are implementing, measures based on its principles; government agencies are required to adopt it under OMB directives. Fintech, healthcare, and critical infrastructure can also be expected to be affected sooner rather than later. In recognition of this reality, AffirmedID is one of the first authentication service solutions to adopt continuous authentication monitoring as a standard part of its service.
AffirmedID and Continuous Authentication Monitoring
AffirmedID believes continuous monitoring of the authenticated session must begin with the authentication ceremony and continue until the logout event. In other words, it should be a seamless experience in which the authenticator device and app, which the user retains throughout the session, participate.
NIST SP 800-207 recommends that user monitoring prioritize location, proximity, and behaviors over direct interaction. Interestingly, each of these also contributes to AffirmedID's user recognition and identity verification processes. As a result, its monitoring services originate in the app and extend to the reporting activity of the identity service in the cloud. Throughout the session, the app continuously uploads to the identity service its current findings on device location and proximity and on user presence, derived from the user's device use and behaviors. The update interval is configurable, and updates occur at least every 15 minutes.
The cloud-based reporting services assemble events from the app's inputs in the Common Event Format (CEF) and upload them over syslog to the SIEM monitoring service selected by the service provider. The use of syslog and CEF assures AffirmedID compatibility with many popular SIEM services, including Juniper, Akamai, Splunk (Cisco), and IBM. AffirmedID SIEM reporting is also compatible with the Wazuh project and will become more so in Q2 of 2025, when direct integration becomes available.
The AffirmedID app uses unique methods for reporting device location, proximity, and user behaviors, and does so within the boundaries of privacy rights.
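The CEF-over-syslog path described above, as an added example that is not AffirmedID's own code: it encodes a session-presence event as a CEF:0 line with the escaping the format requires, frames it as an RFC 5424 syslog message, and parses it back the way a SIEM ingest stage would, so a defender can confirm that pipes, equals signs and backslashes in field values survive the round trip and that a "user absent" report is recognised as a trigger for remedial action. The vendor and product names, the signature ids (USER_ABSENT, HB) and the extension keys (suser, sessionId, userPresent, proximityM, note) are constructed placeholders, not AffirmedID's real event schema; the hostname and syslog facility are likewise assumptions.

```python
"""Encode, frame and parse CEF events for continuous-session monitoring.

Added example, not AffirmedID's code. Vendor/product names, signature ids
and extension keys below are constructed placeholders, not the real schema.
"""
import re
from datetime import datetime, timezone

CEF_HEADER_FIELDS = 7  # "CEF:ver", vendor, product, version, signatureId, name, severity
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # an unescaped key= in the extension


def _escape_header(value) -> str:
    # Header fields may not contain a bare '|' or '\'.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value) -> str:
    # Extension values must escape '\', '=' and line breaks; spaces and '|' are allowed.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, extension: dict) -> str:
    """Return one CEF:0 line: seven '|'-separated header fields, then key=value pairs."""
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_frame(cef_line, hostname="affirmedid-cloud", app="cef",
                 facility=16, severity=6, ts=None) -> str:
    """Wrap a CEF line in an RFC 5424 syslog message (PRI = facility*8 + severity).
    hostname/app/facility are assumed values for this example (local0, info)."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {stamp} {hostname} {app} - - - {cef_line}"


def _split_unescaped(text, sep, maxsplit):
    """Split on sep, ignoring any sep preceded by a backslash; stop after maxsplit."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2]); i += 2          # keep escape pair intact
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf)); buf = []; i += 1
            continue
        buf.append(ch); i += 1
    parts.append("".join(buf))
    return parts


def _unescape(text):
    # '\x' -> x for the CEF escapes, with \n and \r restored to line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def _parse_extension(ext):
    out, keys = {}, list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def parse_cef(line):
    """Parse a CEF line (optionally syslog-framed) into a dict, as a SIEM ingest stage would."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    fields = _split_unescaped(line[idx:], "|", CEF_HEADER_FIELDS)
    if len(fields) != CEF_HEADER_FIELDS + 1:
        raise ValueError("malformed CEF header")
    ver, vendor, product, version, sig, name, sev, ext = fields
    return {"cef_version": ver.split(":", 1)[1], "vendor": _unescape(vendor),
            "product": _unescape(product), "version": _unescape(version),
            "signature_id": _unescape(sig), "name": _unescape(name),
            "severity": int(sev), "extension": _parse_extension(ext)}


def needs_remediation(event) -> bool:
    """True when the session report says the authenticated user is no longer present.
    'userPresent' is a constructed key for this example."""
    return event["extension"].get("userPresent", "true").lower() != "true"


def example_roundtrip():
    """Build a constructed 'user absent' report, frame it, and parse it back."""
    line = build_cef("ExampleVendor", "SessionMonitor", "1.0", "USER_ABSENT",
                     "user not present|absent", 7,
                     {"suser": "alice", "sessionId": "s-42", "userPresent": "false",
                      "proximityM": "12.5", "note": "lat=51.5 lon=-0.1"})
    framed = syslog_frame(line, ts=datetime(2025, 1, 15, 10, 0, 0, tzinfo=timezone.utc))
    return framed, parse_cef(framed)


if __name__ == "__main__":
    framed, event = example_roundtrip()
    print(framed)
    print("remediate:", needs_remediation(event))
```

The parser stops splitting on `|` after the seventh header field because CEF permits unescaped pipes inside extension values, while `=` and `\` must be escaped there; a SIEM rule that matches on `name` or `note` without honouring those escapes will silently misparse events, which is why the round trip above is worth asserting on before trusting a new feed.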