09/19/2024 | News release | Distributed by Public on 09/19/2024 00:08
Dynamic User Risk Scoring
Zscaler user risk scoring leverages previous behavior records to assign risk scores to individual users. This allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence. Risk scoring empowers organizations to restrict access to sensitive applications for users with a high risk score until their risk profile improves. Zscaler Internet Access (ZIA) analyzes over 65 indicators and dynamically calculates a user's risk score based on their internet activity.
The risk score has two components:
The indicators of risky behavior consist of the following:
More information on how dynamic user risk scoring works is available in a previous blog, "How Zscaler's Dynamic User Risk Scoring Works".
Dynamic user risk scoring must be enabled under Administration > Advanced Settings: Real Time Risk Score Updates:
ZIA administrators can view the user risk score under Administration > User Management:
The dynamic user risk score generated by ZIA is shared with the associated ZPA tenant, allowing the configuration of the ZPA adaptive security policy.
Device Posture Check
The device posture check is configured in the Client Connector Mobile Portal under Administration > Device Posture: + Add Device Posture.
Note: The following posture checks are evaluated immediately when the posture changes, regardless of what is configured in the Frequency field:
For more information on device posture check configuration, please refer to https://help.zscaler.com/client-connector/configuring-device-posture-profiles
Adaptive Access Policy for Private Apps
ZPA access policy rule configuration supports multiple criteria. The most commonly used criteria are Application Segment or Segment Group and user SCIM or SAML attributes. Configuring User Risk Score and Device Posture checks in the access rule enforces the adaptive access policy.
The User Risk Score and Device Posture check are evaluated periodically. If the user risk score or device posture changes so that the rule is no longer satisfied, access to the application is blocked, and existing active sessions for that specific user on that device are terminated.
The screenshot below shows an example of an adaptive access policy rule. It allows access to the Linux server for the ZPAusers SCIM Group only when all device posture checks are met and the user risk score is Low or Medium. All existing sessions are terminated if the dynamic user risk score changes to High or Critical, or if the device's posture check fails.
It is worth noting that this adaptive access block applies to a single user or single device and is not a bulk action affecting all users. It is also possible to apply the adaptive security policy only to specific Application Segments or Segment Groups. This granular approach significantly reduces the risk of accidental denial of service.
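To make the rule logic explicit, the following is an added Python model (not Zscaler's code or API) of how the rule above is evaluated and periodically re-checked per user and device; the SCIM group and Application Segment names come from the example rule, while device names and posture check names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRule:          # constructed model of one ZPA adaptive access rule
    app_segment: str       # Application Segment the rule governs
    scim_groups: frozenset # user must belong to at least one of these
    allowed_risk: frozenset          # permitted dynamic user risk score levels
    required_postures: frozenset     # posture checks that must all pass

@dataclass
class UserContext:         # latest evaluated state of one user on one device
    scim_groups: set
    risk_score: str        # "Low" | "Medium" | "High" | "Critical"
    posture: dict          # posture check name -> passed?

def rule_allows(rule, ctx):
    """All rule criteria are ANDed, as in the rule shown in the screenshot."""
    return (bool(rule.scim_groups & ctx.scim_groups)
            and ctx.risk_score in rule.allowed_risk
            and all(ctx.posture.get(p, False) for p in rule.required_postures))

def reevaluate(rule, sessions, contexts):
    """Periodic re-check. A session is (user, device, app_segment). Only sessions
    on this rule's segment whose user+device no longer satisfies the rule are
    terminated; sessions of other users, or on other segments, are untouched."""
    kept, terminated = [], []
    for s in sessions:
        user, device, segment = s
        if segment == rule.app_segment and not rule_allows(rule, contexts[(user, device)]):
            terminated.append(s)
        else:
            kept.append(s)
    return kept, terminated

def demo():
    # Posture check names below are constructed placeholders, not Zscaler names.
    rule = AccessRule("Linux server", frozenset({"ZPAusers"}),
                      frozenset({"Low", "Medium"}),
                      frozenset({"disk_encrypted", "firewall_on"}))
    healthy = {"disk_encrypted": True, "firewall_on": True}
    ctx = {("alice", "lap-1"): UserContext({"ZPAusers"}, "Low", dict(healthy)),
           ("bob", "lap-2"): UserContext({"ZPAusers"}, "Medium", dict(healthy))}
    sessions = [("alice", "lap-1", "Linux server"),
                ("bob", "lap-2", "Linux server"),
                ("bob", "lap-2", "Finance app")]   # not governed by this rule
    # ZIA raises alice's dynamic risk score to High: only her session drops.
    ctx[("alice", "lap-1")].risk_score = "High"
    kept, gone1 = reevaluate(rule, sessions, ctx)
    # bob's firewall posture check fails: his Linux session drops, Finance app stays.
    ctx[("bob", "lap-2")].posture["firewall_on"] = False
    kept, gone2 = reevaluate(rule, kept, ctx)
    return gone1, gone2, kept
```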
In the ZPA portal, the User Risk Score can be viewed under Authentication > User Authentication > User Risk Scores:
Furthermore, if needed, ZPA administrators can manually override the dynamic user risk score: