Zscaler Inc.

09/19/2024 | News release | Distributed by Public on 09/19/2024 00:08

Real-Time Risk Mitigation with ZPA Adaptive Access Policy

Dynamic User Risk Scoring

Zscaler user risk scoring uses a user's recorded behavior to assign that user a risk score. Organizations can then define access control policies that respond dynamically to a range of risk factors and incorporate the latest threat intelligence. In practice, risk scoring lets an organization restrict access to sensitive applications for users with a high risk score until their risk profile improves. Zscaler Internet Access (ZIA) analyzes over 65 indicators and continuously recalculates a user's risk score from their internet activity.

The risk score has two components:

  • Static (baseline) risk score: derived from risky behavior observed over the past week and recalculated every 24 hours
  • Real-time risk score: adjusts the baseline every 2 minutes and is updated as soon as the user comes in contact with known or suspected malicious content

The indicators of risky behavior fall into the following categories:

  • Pre-infection behavior: malware blocked by Advanced Threat Protection (ATP), Sandbox detections, malicious URLs, etc.
  • Post-infection behavior: botnet traffic, command-and-control (C2) callbacks, etc.
  • Suspicious behavior: deny-list hits, DLP violations, cross-site scripting (XSS) attempts, etc.

More information on how dynamic user risk scoring works is available in a previous blog, How Zscaler's Dynamic User Risk Scoring Works.

Dynamic user risk scoring must be enabled in the ZIA Admin Portal under Administration > Advanced Settings: Real Time Risk Score Updates.

ZIA administrators can view a user's current risk score under Administration > User Management.

The dynamic user risk score generated by ZIA is shared with the associated ZPA tenant, which is what allows it to be used as a criterion in the ZPA adaptive access policy.

Device Posture Check

Device posture checks are configured in the Client Connector Mobile Portal under Administration > Device Posture > Add Device Posture.

Note: the following posture checks are evaluated immediately whenever the posture changes, regardless of the interval configured in the Frequency field:

  • Process Check
  • Detect Carbon Black
  • Detect CrowdStrike
  • Detect SentinelOne
  • Detect Microsoft Defender

For more information on device posture check configuration, see https://help.zscaler.com/client-connector/configuring-device-posture-profiles

Adaptive Access Policy for Private Apps

A ZPA access policy rule can combine multiple criteria. The most commonly used are the Application Segment or Segment Group and user SCIM or SAML attributes. Adding User Risk Score and Device Posture criteria to the access rule is what turns it into an adaptive access policy.

The User Risk Score and Device Posture criteria are re-evaluated periodically, not only at connection time. If the user's risk score or the device posture changes so that the rule no longer matches, new access to the application is blocked and any active sessions of that user on that device are terminated.

The screenshot below shows an example of an adaptive access policy rule. It allows access to the Linux server for the ZPAusers SCIM group only when all configured device posture checks pass and the user risk score is Low or Medium. If the dynamic user risk score changes to High or Critical, or a device posture check fails, the user's existing sessions are terminated.

Note that this adaptive block is applied per user and per device; it is not a bulk action affecting all users. The adaptive policy can also be scoped to specific Application Segments or Segment Groups. This granularity significantly reduces the risk of an accidental denial of service.

In the ZPA Admin Portal, the User Risk Score can be viewed under Authentication > User Authentication > User Risk Scores.

Furthermore, if needed, ZPA administrators can manually override the dynamic user risk score for a user.
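To make the evaluation semantics of the preceding sections concrete, here is an added example of a small policy engine written for this article. It is not Zscaler code: the AccessRule, UserContext and Session structures, the decide and reevaluate functions, the first-match semantics, the Low < Medium < High < Critical ordering and the sample users are all assumptions. It models the rule described above (ZPAusers SCIM group, every posture check passing, risk Low or Medium), the periodic re-evaluation that terminates only the affected user/device sessions rather than everyone's, and the manual administrator override of the risk score.

```python
"""Toy model of a ZPA-style adaptive access policy (added example, not Zscaler code).

Everything here is an assumption for illustration: the rule, user and session
structures, the first-match semantics and the LOW..CRITICAL ordering are not
taken from Zscaler documentation.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Tuple


class RiskLevel(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class AccessRule:
    name: str
    segment_group: str                   # Application Segment Group the rule covers
    scim_groups: FrozenSet[str]          # user must belong to at least one of these
    required_postures: FrozenSet[str]    # every listed posture check must pass
    allowed_risk: FrozenSet[RiskLevel]   # effective risk score must be one of these


@dataclass(frozen=True)
class UserContext:
    user: str
    device_id: str
    scim_groups: FrozenSet[str]
    risk: RiskLevel                      # dynamic score shared from ZIA
    posture: Dict[str, bool]             # posture check name -> passed (from Client Connector)
    risk_override: Optional[RiskLevel] = None  # manual override set by a ZPA admin


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    segment_group: str


def effective_risk(ctx: UserContext) -> RiskLevel:
    """An admin override, when present, replaces the ZIA-supplied score."""
    return ctx.risk if ctx.risk_override is None else ctx.risk_override


def rule_allows(rule: AccessRule, ctx: UserContext) -> bool:
    """All criteria must hold: SCIM group, every required posture, and risk band."""
    if not (rule.scim_groups & ctx.scim_groups):
        return False
    # A posture check the client never reported counts as failed (fail closed).
    if not all(ctx.posture.get(check, False) for check in rule.required_postures):
        return False
    return effective_risk(ctx) in rule.allowed_risk


def decide(rules: List[AccessRule], ctx: UserContext, segment_group: str) -> str:
    """'allow' if some rule for this segment group is satisfied, else 'block'."""
    for rule in rules:
        if rule.segment_group == segment_group and rule_allows(rule, ctx):
            return "allow"
    return "block"


def reevaluate(rules: List[AccessRule], sessions: List[Session],
               contexts: Dict[Tuple[str, str], UserContext]) -> List[Session]:
    """Periodic re-check of live sessions; returns the ones to terminate.
    Only (user, device) pairs that no longer satisfy policy are hit; every other
    session is left alone, which is what keeps this from becoming a bulk outage."""
    return [s for s in sessions
            if decide(rules, contexts[(s.user, s.device_id)], s.segment_group) != "allow"]


# Constructed sample data mirroring the rule described in the text.
LINUX_RULE = AccessRule(
    name="Linux server access",
    segment_group="Linux Servers",
    scim_groups=frozenset({"ZPAusers"}),
    required_postures=frozenset({"Detect CrowdStrike", "Process Check"}),
    allowed_risk=frozenset({RiskLevel.LOW, RiskLevel.MEDIUM}),
)
HEALTHY = {"Detect CrowdStrike": True, "Process Check": True}


def demo() -> List[Session]:
    """Alice's risk score jumps to HIGH; only her session on her device is terminated."""
    alice = UserContext("alice", "laptop-1", frozenset({"ZPAusers"}), RiskLevel.LOW, HEALTHY)
    bob = UserContext("bob", "laptop-2", frozenset({"ZPAusers"}), RiskLevel.MEDIUM, HEALTHY)
    sessions = [Session("alice", "laptop-1", "Linux Servers"),
                Session("bob", "laptop-2", "Linux Servers")]
    contexts = {("alice", "laptop-1"): alice, ("bob", "laptop-2"): bob}
    assert reevaluate([LINUX_RULE], sessions, contexts) == []   # both still allowed
    # ZIA pushes a new score for alice (the real-time component tripped).
    contexts[("alice", "laptop-1")] = UserContext(
        "alice", "laptop-1", frozenset({"ZPAusers"}), RiskLevel.HIGH, HEALTHY)
    return reevaluate([LINUX_RULE], sessions, contexts)


if __name__ == "__main__":
    for s in demo():
        print(f"terminate {s.user}@{s.device_id} -> {s.segment_group}")
```

Two design points worth noting: an unreported posture check is treated as failed so that a device with a broken or missing Client Connector report cannot slip through, and the override is applied before the risk comparison, so an administrator can restore a user's access without waiting for the 24-hour baseline recalculation.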