{“lastseen”:”2025-12-09T11:35:46″,”description”:”\\n\\nZero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don’t share signals reliably. 88% of organizations admit they’ve suffered significant challenges in trying to implement such approaches, according to Accenture**.** When products can’t communicate, real-time access decisions break down.\\n\\nThe Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events. Yet adoption is uneven. For example, Kolide Device Trust doesn’t currently support SSF. \\n\\nScott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams an easy and intuitive way to operationalize SSF across their environment.\\n\\nIn this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.\\n\\n## The problem \u2013 IAM tools don’t support SSF\\n\\nA core requirement of Zero Trust is continuous, reliable signals about user and device posture. But many tools don’t support SSF for Continuous Access Evaluation Protocol (CAEP), making it hard to share or act on these signals.\\n\\nTeams often face three challenges:\\n\\n * Tools lack native SSF support\\n * Signals require enrichment or correlation\\n * Managing SSF endpoints and token handling adds overhead\\n\\n\\n\\nWithout this interoperability, organizations struggle to apply consistent policies \u2014 and in cases like Kolide Device Trust, critical device events never reach systems like Okta.\\n\\n## The solution \u2013 a SSF transmitter that turns Kolide issues into CAEP events\\n\\nBecause SSF is built on HTTPS requests, the OpenID standard works with Tines’ HTTP Action.\\n\\nScott developed a new workflow integrating Kolide Device Trust with Tines, enabling it to send SSF signals to Okta. If a device is non-compliant, Kolide sends a message to the workflow via webhook. Tines enriches the signal, makes sure it can be linked to a user, builds a Security Event Token (SET), and then sends it to Okta.\\n\\nIn this way, Tines acts as the connective tissue that makes SSF work across the distributed IT environment, even if individual tools don’t natively support the standard. \\n\\nTines can:\\n\\n * **Receive signals from Kolide (and tools like it)** via webhook when a device becomes non-compliant\\n * **Enrich and correlate those signals** (e.g., map device to user)\\n * **Generate and sign SETs** that meet the SSF specification\\n * **Deliver them to Okta (and other identity providers)** to enforce Zero Trust\\n * **Host required SSF metadata endpoints** using API path prefixes, giving consuming systems a standards-compliant place to fetch keys and decrypt tokens\\n\\n\\n\\nAll of which makes Zero Trust enforcement faster, more reliable, and much easier to operationalize. IT teams are empowered with continuous, real-time risk assessment of devices, faster response to threats, and more flexible policy orchestration. And end users get the benefit of automated remediation, which helps to optimize productivity and minimize IT intervention.\\n\\nIf you want to go deeper into identity modernization, the Tines IAM guide explores how teams are unifying device trust, access decisions, and least-privilege enforcement with automation. Scott’s workflow is one of several real-world patterns inside.\\n\\n## Workflow overview\\n\\n### **Required tools:**\\n\\n * **Tines** \u2013 workflow orchestration and AI platform \\n * **Kolide** \u2013 device trust and posture monitoring\\n * **Okta** \u2013 identity platform receiving CAEP events\\n\\n\\n\\n### **Required credentials:**\\n\\n * Tines API Key – `Team` Scoped with the `Editor` role\\n * Kolide API Key – Read Only\\n * Kolide Webhook Signing Secret\\n\\n\\n\\n### **Required resources:**\\n\\nOkta domain, such as example.okta.com, example.oktapreview.com, or a branded domain.\\n\\n**How it works:**\\n\\nThe workflow creates a proof-of-concept SSF transmitter that can be registered with Okta and sends device compliance change CAEP events (sent as SETs), based on issues generated in Kolide. There are three elements:\\n\\n**1\\\\. Generate and store SET signing keys** (SETs are signed JSON Web Tokens):\\n\\n * Creates an RSA key pair and converts it to JWK format.\\n * Publishes the public key for SSF receivers to validate SET signatures.\\n * Stores the private JWK keyset as a Tines secret.\\n\\n\\n\\n**2\\\\. Expose SSF transmitter API**\\n\\nSSF receivers (like Okta) need:\\n\\n * a .well-known\/sse-configuration endpoint describing the transmitter\\n * a JWK endpoint exposing the public key used to verify SET signatures\\n * a webhook trigger acts as the SSF API surface\\n * logic returns the .well-known config\\n * logic returns the JWKs\\n\\n\\n\\nOnce this is live, teams can register a new SSF receiver in Okta under:\\n\\n * Security \u2192 Device Integrations \u2192 Receive shared signals\\n\\n\\n\\nAnd create a new stream using the API’s URL and the new `.well-known` endpoint\\n\\n**3\\\\. Create, sign and send of SETs from Kolide events**\\n\\n * Receives Kolide **issue** events via webhook and validates them using the signing secret.\\n * Fetches device and user metadata from Kolide.\\n * Builds a SET for a **Device Compliance Change** CAEP event.\\n * Signs the SET with the stored private key using the JWT_SIGN formula.\\n * Sends the signed token to Okta’s security-events endpoint.\\n\\n\\n\\nThis delivers real-time device-compliance updates to Okta so access policies can respond immediately.\\n\\n## Configuring the workflow \u2014 a step-by-step guide \\n\\nYou can build and run this entire workflow using Tines Community Edition.\\n\\n\\n\\n**1\\\\. Log into Tines or create a new account.**\\n\\n**2\\\\. Navigate to thepre-built workflow in the library.** Select import. This should take you straight to your new pre-built workflow.\\n\\n\\n\\n**3\\\\. Gather the required credentials**\\n\\n * Tines API Key (team-scoped with Editor role)\\n * Kolide API Key (read-only)\\n * Kolide Webhook Signing Secret\\n\\n\\n\\nThese ensure authenticated calls to Kolide and secure webhook validation.\\n\\n**4\\\\. Collect your required resources**\\n\\nYou’ll need an Okta tenant domain, such as:\\n\\n * example.oktapreview.com\\n * example.okta.com\\n * or your custom Okta brand domain\\n\\n\\n\\nThis domain is used when sending signed SETs to Okta’s security-events endpoint.\\n\\n**Note:** In the example provided, Scott set up as a `push` rather than a `poll` provider as tokens are sent based off of inbound webhooks, so there’s no need to store state**.**\\n\\n**5\\\\. Generate your SET signing keys**\\n\\n * Use the Generate JWK keyset action to create RSA keys\\n * Convert both public and private keys to JWK format (two event transforms)\\n * Store the resulting keyset using a Tines secret\\n\\n\\n\\nThis is required before Okta will accept and verify your SETs.\\n\\n**6\\\\. Publish the SSF transmitter API**\\n\\nThe SSF API webhook contains two branches:\\n\\n * .well-known endpoint \\n * Trigger: well-known\\n * Event transform: returns the SSF configuration declaring the transmitter’s capabilities\\n * JWKS endpoint \\n * Trigger: JWKs\\n * Event transform: returns the public JWKs so Okta can verify signatures\\n\\n\\n\\nOnce live, Okta can register this transmitter as a shared signals sender.\\n\\n**7\\\\. Connect Kolide and process device issues**\\n\\nThe Kolide integration flow follows these steps:\\n\\n * Webhook: Kolide webhook \u2013 receives issue opened\/resolved events\\n * Get device details \u2013 fetches metadata for the device involved\\n * Device has a user \u2013 branching logic to confirm a user is associated\\n * Get user details \u2013 look up user metadata for the CAEP payload\\n\\n\\n\\nDepending on whether the issue is new or resolved:\\n\\n * Build SET \u2013 construct the CAEP device_compliance_change event\\n * Sign SET \u2013 use the RSA private key stored earlier to produce an SSF-compliant SET\\n * Send SET \u2013 send the final signed token to Okta’s security-events endpoint\\n\\n\\n\\nAs soon as Okta receives and verifies the SET, the associated user risk level updates.\\n\\n## Bringing it all together \\n\\nSSF exists to help security tools speak the same language, delivering continuous insight into risk and device posture. But when key tools don’t support the standard, gaps open up, and access policies lag behind real-world changes.\\n\\nTines bridges these gaps by enabling new intelligent workflows. They ensure that even tools that don’t support SSF can send information in the same standardized way. By using Tines to generate, sign, and deliver compliance signals in real time, you get the benefits of SSF even when the source tool wasn’t built for it.\\n\\nIf you’d like to try this workflow yourself, you can spin it up in minutes with a free Tines account. And if you want to see how device posture fits into a broader identity strategy, this guide to modern IAM workflows offers practical patterns and real-world workflows like Scott’s you can start building on today.\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-12-09T11:30:00″,”modified”:”2025-12-09T11:30:00″,”type”:”thn”,”title”:”How to Streamline Zero Trust Using the Shared Signals Framework”,”source”:””,”references”:””,”id”:”THN:01E7C3152CF77F73E0768DC861ABECDC”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/12\/how-to-streamline-zero-trust-using.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-09T11:35:46″,”description”:”\\n\\nZero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don’t…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-29587","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n