NJP

Platform Privacy & Security Academy: Zero Trust Access Session Validation Context

Import · May 29, 2024 · video

All right, we are at 8:03 right now, let's get it started. Again, thank you all for joining; it's been a while since we had the last session. Welcome to our Platform Security Academy session. Today we're going to be talking about Zero Trust Access, especially around one of the core features that we introduced in the Washington release: how we're going to have the session validation context based on Zero Trust Access, which is something that Randhir, who is the product owner, is going to go into in a little more detail in the next couple of slides.

My name is Fim, I'm one of the product managers, an outbound product manager here in the platform security team. I've been with ServiceNow for almost five years. I've worked on a few different platform products around conversational interfaces as well as platform security. I enjoy talking to customers like you to understand your use cases and concerns so that I can provide some strategies to meet your business needs while staying aligned with your security needs. I'm also joined by my colleague Randhir as a guest speaker to go over some of our major enhancements to Zero Trust Access as part of the Washington release. Randhir, why don't you introduce yourself?

Thanks a lot. Hello everyone, good morning, good afternoon, good evening. My name is Randhir, I'm a product manager here at ServiceNow. I have been working with ServiceNow for almost six years now. My primary focus areas are user authentication, API authentication and integrations, Zero Trust Access and adaptive authentication, and I'm super excited to show the details about our new Washington deliverable and talk more about the use cases where it can help you meet your security needs. Looking forward to the meeting and your questions.

All right, so with that introduction, one safe harbor statement before we go any further, as this is the company's policy. I just want to let you know that we might talk about some things which are on our roadmap, maybe in other upcoming releases, so if you're looking to make any kind of decision to purchase our product, please take a look at the product which is available in the Store and make your purchasing decision based on that. With that, I'll hand back to Randhir to go over some of the key enhancements we introduced as part of the Washington release.

Sure. So our agenda is pretty straightforward today. I'll be talking about Zero Trust Access and how it improves your security, then we will do a live demo of the new feature: how you can configure it as a security admin and how it will impact the end users. And then we will take your questions.

So with that I will come directly to zero trust and why it is important. It's currently a buzzword and everyone is excited about the zero trust security architecture. If we specifically talk about application-level security and how customers can enable zero trust on ServiceNow instances or any other application-layer software, there are three important concepts. The first one is least privilege access, which basically says that you should only give the end users the access that is required to perform a specific duty. The second one is verify explicitly, meaning you should not trust that once a user has provided their authentication they are good for the whole session; you should continuously put your security controls in place in such a way that the user is again and again validating their identity and ensuring that they still have the same assurance in the session. And the third one is assume breach, which basically says that you configure and define your security controls in such a way that you assume an attacker has stolen, let's say, cookies, or in some other way has impersonated your account or taken over your account, and your security controls can still protect you from the damage.

So keeping these three important concepts in mind, we are building our Zero Trust Access capability. In the Vancouver release we launched the session-based access feature, which basically allows you to define policies based on IP addresses, location and identity provider attributes to define the level of privileges users will get in a session. The typical example would be: you have some high-privilege users, and you do not want to give them the sensitive roles when they are outside the trusted network or if they're not using a company-provided device; you can use that feature. Now in this release, the Washington release, we have delivered another capability, which is session validation context, and I'll go deep into it. This is basically another control that will allow you to define policies that run throughout the session. Again, you can use different criteria like role, group or IP to define a policy, and then this policy will be evaluated throughout the session.

This slide talks about the different controls that are available on the platform today and how you can use them to define a defense-in-depth strategy, meaning you can apply controls at the time of login, after the login and during the login, and in future releases we are also working on a capability which will allow you to verify the user identity continuously. As you already know, we have the adaptive authentication feature, which has been available with the platform from the Rome release onwards. With that feature there are two important concepts: one is the pre-authentication policy and another is the post-authentication policy. The pre-authentication policy is very similar to IP address access control: you can define your IP ranges and then you can say the users are allowed to access the instance if they are coming from that range. In addition, you can also use a location filter: you can say that users are not allowed from certain countries. And you also have a trusted mobile app feature which allows you to selectively allow your mobile app users once they have registered their devices as trusted. So that was the pre-authentication context feature.

Then the post-authentication context feature was useful in scenarios where you want to allow certain users only from trusted networks or trusted locations, while for other users you are okay to have them log in from anywhere. Typically, if you have vendor risk management use cases or any other external user persona, let's say CSM users, and let's say in your instance you are hosting ITSM, ITOM and CSM, then many customers ask: I want my internal users to access the instance only from the trusted network, while they also want to ensure that their external users can access it from anywhere. In those scenarios the post-authentication policy comes into the picture, and you can define a policy that says allow the access if it is an external user, and a second condition, allow the access if it is an internal user and the login is from the trusted network. So that control has been available since the Rome release.

Now in the Washington DC release we have gone one step further, and we allow you to define another policy that you can evaluate during the session. Once a user has an authenticated session, whenever their session attributes are changing, specifically the IP address, at that point you can run that policy and decide whether that session should continue or it should be terminated. And as I mentioned, in the future we are also planning to deliver a capability called continuous authentication, and the idea there is that based on the type of data the user is accessing and the risk associated with their activity, you can ask the user to re-verify with a re-authentication. That capability is planned for future releases.

So in this demo I will be focusing mostly on the session validation context. This is a high-level flow: for integration users, regular users or mobile app users you can define various controls. One is denying the access; another is you can define a policy that allows the access after MFA; then you have a capability that allows full access with a post-authentication policy; and then Zero Trust Access is something where you can control how many privileges users will get in a session. With session validation context, the additional capability that you are getting is that these policies get evaluated within the logged-in session. This is the biggest difference. The post-authentication context policy was only getting evaluated once, and that was at the time of login: once we have identified the user, either if they have done SSO or if they are doing local login, once we have identified that this is the user and these are their current roles and groups, we could check these additional security policies to say this user is not allowed because they are outside the trusted network. So this is the biggest difference: your session validation context policy does almost the same thing, but it gets evaluated multiple times during the logged-in session, and the logic is that every time your IP changes, at that point we will trigger this policy and see if the session should continue or we should terminate the session. This policy gets evaluated for all authentication methods, whether it's SSO, LDAP authentication or local authentication, so it basically works with all authentication mechanisms. One important caveat is that for mobile app users the behavior is slightly different, and we can talk about that in the later half.

So with that I will be showing you the demo. I will be talking first about logging in as admin, then I will talk about how an admin can define these policies, and then, once they have defined these policies, how the experience would be from the end user's perspective. Now, an important point to note here is that this policy basically provides you an additional control to protect your user sessions and integration sessions against attacks involving stolen cookies, basically attacks involving session hijacking, and we will talk at the end about how you can use this policy for protection against those kinds of attacks.

So now I'll switch to my instance. This is a demo instance and I will be logging in as an admin, and we will be using our familiar adaptive authentication policy framework to define a policy, and then later we will associate that policy to the session validation context. We'll also talk about the different properties that need to be enabled for this feature, and then finally we'll talk about how you can verify the enforcement and whether there are any audit results that you can check.

In this instance I will log in as an admin and I will go directly to Adaptive Authentication. This plugin comes automatically installed from Washington onwards, but in case it is not there you can install the Adaptive Authentication plugin. If you go to Adaptive Authentication, you get filter criteria, policy contexts, and then policies and properties. If you're not familiar, the way adaptive authentication works is that first you define a few inputs using which you want to craft your policies; once your inputs are associated with policies, then you define your conditions, and then you associate your policies to a context. A context is nothing but an enforcement point, and when one of the conditions associated with the policy matches, then the security control gets applied.

Our current use case for the demo today is very simple: the admin wants to create a policy that says that admin users, being high-privilege users, are only allowed to log into the instance if they are on the trusted network, and for all other users it is okay to have a session from anywhere. For that, the first thing we have to do as an admin is define the trusted network. I'll go to Adaptive Authentication and the IP filter criteria, and under this I can define one or multiple ranges. For the demo I have defined this trusted network. I have just taken the current ranges, and my current session is actually part of this IP range. After defining the IP range, the second thing we have to do is also define some role criteria so that we can define proper conditions. For that I will go to role filter criteria, and I have also defined a role filter criteria. Again, this is very simple, "has admin role", and what it simply says is that this filter criteria will evaluate to true if the user has the admin role.

After defining these two filter criteria, the next step I have to do is define a policy. Again, for the demo I have defined a policy, and the policy is: allow admin sessions from trusted networks, and non-admin sessions can be allowed from anywhere. The first thing I have to do is click on edit and then select the criteria that I want to use; as you can see, I have already selected the "has admin role" criteria and the trusted network criteria, so I'll just cancel it. Once I have associated the criteria to the policy, the next thing we have to do is define the conditions. I have two conditions. The first condition says allow admin sessions from the trusted network, so this condition will evaluate to true if the user has the admin role and if they are on the trusted network. Again, I'll just repeat: this condition will evaluate to true if the user is on the trusted network and if they have the admin role. The second condition is non-admin sessions; this condition doesn't use the IP criteria, it simply says that this condition will evaluate to true if the user does not have the admin role. Pretty basic conditions, and after doing this we will activate the policy. You can see that I have already activated this policy.

Now for this demo I will assign this particular policy to two adaptive authentication security contexts. The first one is your post-authentication policy. For the post-authentication policy I have defined the default policy as allow, so what it will do is allow the access to the instance only if one of the conditions associated with this policy evaluates to true. Again, this is an allow policy: it will allow the session if one of the conditions evaluates to true; if none of the conditions evaluates to true, then users will see a failed login. If they're using SSO, they will be redirected to the failed login page; similarly, if they're using local login, they will see a message saying that due to a policy your session is not allowed. So this is an existing thing; I've not talked about anything related to the new capability yet.

What I'm going to do now is this: this is the new context that is available from the Washington release onwards, which is called session validation context, and I'm again using the same control. I'm defining a policy with an allow outcome, and I'm using the same policy so that within a logged-in session, admins are allowed only from the trusted network while non-admins can have the session from everywhere. After defining the policy, I just need to enable two properties. The first is the enable authentication property; this is required for the post-authentication policy to work. And then there's this new property for the session validation feature. Once you enable this property you're all set to go. In addition, I have also defined this message. This is a custom message to showcase that when the post-authentication policy denies access to the instance, the user will get this custom message; by default they get the same "username and password invalid" message.

With this we are all set, and then I can do two things: I can log in and show a live demo, but for that I have to change my network and then I may get disconnected. So I have a recorded video of one minute and I'll quickly show it.

While you're searching for that, thanks, I appreciate it. That's really insightful knowledge around Zero Trust Access. If you have any questions regarding the content that we just presented, please feel free to type them in the Zoom chat and we're happy to address your concerns and questions as well.

Yes, so I'm ready with this demo; it will take just one minute. It's the same instance and you can see that I have just recorded it 15 minutes ago. I will log in as an admin, and because I'm connected on my VPN, which is part of the trusted network, I will be able to successfully pass the post-authentication policy and the user is able to have the session. Now for the demo I'll simply disconnect, so at this point I am going out of the trusted network. Ideally the post-authentication policy, sorry, the session validation context policy should kick in and it should throw out this user. So that was the demo from the end user perspective, and you can see that the moment the network changes, the platform automatically detects the change and then applies the security policy: should this session still be allowed, or should I kick out the user and then invalidate it?

Now, in what scenarios will it be important? If you have any scenario where you have defined a post-authentication policy, I will strongly recommend that you should also use that policy with the session validation context. What it will do is provide you protection throughout your session, not only at the time of login but also throughout the session. The second scenario, which is very important, is protection against session hijacking attacks. Let's assume a scenario where an attacker has got hold of session cookies. If they import those cookies to a different machine or a different network, they can have the session. Now, if you have session validation context enabled on your instance, what will happen is that with the stolen cookies they will be able to launch the UI, but the moment the platform realizes that, although the cookie is valid, it is not associated with the same IP address which was there at the time of login, it will re-evaluate the policy, and because the admin will be outside of the trusted network, they will immediately be logged out and the cookie will be invalidated. In that way you are basically binding your IP address to the session, and anyone who doesn't have access to the trusted network will not be able to use those cookies.

Now, I'm always giving the example of the trusted network, but that's actually not necessary. If you want that for every IP change you ask your users to log in again, then you can do that as well. What you have to do is, in your session validation context, you can simply say that I don't want to use any network condition, so in that way, whenever the IP changes, it will re-evaluate the policy. I will give an example. Let's say you are defining a policy which is evaluating to true for all user sessions; basically I can define two conditions, one is if the user has the admin role, and the second condition is if the user doesn't have the admin role, so basically it will always evaluate to true. Now, in this case what I can do is choose a policy in such a way that it will evaluate to false when the user's IP address is changing. What will happen in that case is, every time the platform detects a change in the IP address it will evaluate the policy and then it will log out the user if the IP address is not the same.

The reason I have given the trusted network example is that we want to ensure that, while we want to protect the instance and apply the right security, we also do not want to hamper the user experience in a very bad way. For that reason I would recommend that you define your trusted network, and then if the IP address is changing from one IP to another IP within your trusted network, the user should still continue to have the session, but if it is going outside your defined range then you can log them out. But it's your choice: if you are comfortable with a different security posture and you are okay with your end users having a little bit poorer user experience, then you can basically log them out every time the IP address changes. That's the choice you have to make.

So with that I am done with the demo. One final thing: if you want to see the different enforcements, the Adaptive Authentication Events table is there for you, and you can see the different logs. Whenever the session validation context policy evaluates to false, you will be able to see a log here, and you will be able to see what the policy was. In that way you can track how many times the session validation context policy resulted in terminating sessions. That's pretty much it for the demo. I'll go back to my slides, or we can take any questions.

Thank you. So there are two questions. One is from Will; he is asking how does a customer get entitled for this. That's related to some sort of purchasing question, but I can answer. If you're looking to purchase Zero Trust Access, there are two ways to purchase it. One is you can purchase it through our Vault offering. As you might be aware, we ran a lot of Academy sessions around Vault; Vault is our bundled security product that gives an additional layer of protection and security to the ServiceNow platform, and Zero Trust Access is one of the premium offerings that we bundle together within Vault, so you can get that entitlement. Or, if you're only looking for Zero Trust Access, based on what Randhir just demoed and explained around these different capabilities, you can purchase Zero Trust Access through our à la carte SKU as well.

Yeah, just to add one important point: we know that session validation context provides security against session hijacking attacks, so we have made this feature available within adaptive authentication. If you have installed adaptive authentication, you will automatically get it without any additional SKU purchase.

Cool. So there's another question; I'm not sure if you're reading that, from Philipa. Philipa is asking: I don't know if this is related to the topic, but more likely it's related to authentication; the customer asked us if in the future changes to groups or roles will be applied immediately to reduce the attack surface. That's something you might be aware of; it's related to auth.

Yeah, this is related to authorization. Basically what Philipa is saying is that today the changes to role membership or group membership get applied only if the current user logs out and then logs in again. Ideally this should be doable. I will take this as a feedback item and share it with the authorization PM, but currently, based on my knowledge, it is not possible. However, I would like you to look at the time-limited roles feature: if you want to allow certain roles to be given to the user for a very small duration for a specific purpose, you can use the time-limited roles feature as well. But I'll take this as feedback. Thank you so much for sharing.

I'll go back to that screen one more time. I'm just going to go over a few of the "what's available" portions there and then we'll get some questions hopefully. If you have any other questions regarding Zero Trust Access, please feel free to ask. Also, Randhir and I hosted one session in the past, which is available on YouTube as well, which is really an overview of the Zero Trust Access capability, for any features which came before Washington. So if you really want to understand end to end how we're going to reduce privileged access based on the IP address, network and devices that you're on, I'd highly recommend you to watch that presentation that we had, which is on YouTube as well.

This is one of the Platform Privacy and Security Academy sessions, so if you're really interested in other product offerings, such as Access Analyzer or Platform Encryption and access control or beyond, feel free to register. I'm happy to bring the experts who are extremely knowledgeable in this area to cover some of the key components, features and enhancements around these products as well. In June 2024 we're going to be having another session around Access Analyzer as well.

Next slide. There are a few documentation resources available for you to view and learn about the platform, especially from the platform security perspective. One thing that I highly recommend is to scan the QR code on the left to tune in to and understand all the recorded sessions that we had in the past through our Academy sessions, whether it's the Vault bundle, encryption, data privacy, Zero Trust Access and some of the other feature enhancements that we had in the past as well. For the documentation, we have product documentation that gives you extensive knowledge around all the product offerings, how you get entitled to them, the features, and the plugin, configuration and installation guides as well. We have the Now Community, so feel free to join us, become a member, and feel free to ask a lot of questions and give us feedback so that we can take your input to make a better product in the future. And last but not least, we have the servicenow.com website, so if you're interested in purchasing any of our products feel free to reach out to us through sales; we're happy to take your questions or anything related to our security products before you make any purchasing decision.

So I'm going to pause here for two more minutes to see if the team has any other questions before we wrap up. Randhir, do you have any other comments that you want to highlight?

Yeah, so as I mentioned, if you have any other question related to Zero Trust Access or the whole authentication area, please feel free to drop that in the Q&A tab; I'm happy to take those questions as well. This was pretty straightforward, but in case you have any other question, let's say API access policy or integrations, let me know, I can help with those questions as well.

Yeah, with that we're going to wrap up today's session. Remember, feel free to subscribe to our YouTube channel under Platform Privacy and Security, where we have hosted roughly 13 or 14 different sessions; you can feel free to learn about all the different product offerings and make your purchasing decision. Thank you so much, Randhir, for joining this call, I appreciate it, and thank you all for joining this call. Till next time, stay tuned. Bye-bye. Thanks a lot. Bye.
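The policy model walked through in the demo, as an added Python simulation that is not part of the session transcript and is not ServiceNow's code: IP-range and role filter criteria, a condition that ANDs its criteria, an allow policy that passes when any one condition is true, the policy evaluated once in the post-authentication context and re-evaluated on every IP change in the session validation context, and a denial recorded the way the Adaptive Authentication Events table would record it. The trusted network (10.0.0.0/8), the user names, roles, cookies and IP addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    cookie: str          # stands in for the session token the browser holds
    user: str
    roles: Set[str]
    ip: str              # IP observed at login, updated as requests arrive
    valid: bool = True

# Filter criteria: one fact about a session, true or false.
Criteria = Callable[[Session], bool]

def ip_range_criteria(cidrs: List[str]) -> Criteria:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda s: any(ipaddress.ip_address(s.ip) in n for n in nets)

def role_criteria(role: str, negate: bool = False) -> Criteria:
    # negate=True gives "user does NOT have the role"
    return lambda s: (role in s.roles) != negate

def condition(*criteria: Criteria) -> Criteria:
    # A condition is true only when every attached criterion is true.
    return lambda s: all(c(s) for c in criteria)

@dataclass
class AllowPolicy:
    name: str
    conditions: List[Criteria]

    def allows(self, s: Session) -> bool:
        # Allow outcome: the session is allowed if any one condition is true.
        return any(c(s) for c in self.conditions)

@dataclass
class Instance:
    """Two enforcement points (contexts) that may share one policy object."""
    post_auth: AllowPolicy
    session_validation: AllowPolicy
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # (context, user, ip)

    def login(self, cookie: str, user: str, roles, ip: str) -> Optional[Session]:
        s = Session(cookie, user, set(roles), ip)
        if not self.post_auth.allows(s):  # evaluated once, at login time
            self.events.append(("post_authentication", user, ip))
            return None
        return s

    def request(self, s: Session, ip: str) -> bool:
        """Serve one request; the policy is re-evaluated only when the IP changes."""
        if not s.valid:
            return False  # the cookie was already invalidated
        if ip != s.ip:
            s.ip = ip
            if not self.session_validation.allows(s):
                s.valid = False  # terminate the session; the cookie is now dead
                self.events.append(("session_validation", s.user, ip))
                return False
        return True

def build_instance() -> Instance:
    trusted = ip_range_criteria(["10.0.0.0/8"])          # constructed trusted network
    policy = AllowPolicy("Allow admin from trusted network, non-admin from anywhere", [
        condition(role_criteria("admin"), trusted),      # admin AND on trusted network
        condition(role_criteria("admin", negate=True)),  # not admin: any IP is fine
    ])
    return Instance(post_auth=policy, session_validation=policy)

def scenario() -> Dict[str, object]:
    """Constructed walkthrough: admin roams inside then outside the trusted network."""
    inst = build_instance()
    admin = inst.login("c1", "admin.user", ["admin", "itil"], "10.0.0.5")
    r = {"admin_login_ok": admin is not None}
    r["admin_moves_within_trusted"] = inst.request(admin, "10.0.0.6")   # stays logged in
    r["admin_leaves_trusted"] = inst.request(admin, "203.0.113.7")      # session terminated
    r["cookie_reused_from_trusted"] = inst.request(admin, "10.0.0.5")   # dead cookie stays dead
    r["admin_login_outside"] = inst.login("c2", "admin.user", ["admin"], "203.0.113.7") is not None
    ext = inst.login("c3", "vendor.user", ["vendor"], "198.51.100.9")
    r["external_user_roams"] = ext is not None and inst.request(ext, "192.0.2.40")
    r["events"] = list(inst.events)
    return r
```

Passing the same policy object to both contexts mirrors the demo, where the post-authentication policy was reused for session validation; a policy without any network condition, as the speaker describes, would simply make every IP change a re-evaluation that either always passes or always fails.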

View original source

https://www.youtube.com/watch?v=xXq9Sj87T78