Access risk score
The access risk score represents a measure of risk for an incoming access request. The score is computed by STA after the user enters their user name, but before policy decisions are made and the user authenticates.
This feature enables organizations to more easily adapt to the changing nature of risks associated with access to their resources. STA scenarios can include conditions that will check the risk score and implement policy decisions accordingly.
Access Risk Score is a preview feature. Contact Thales Customer Support to request access to this feature.
Range and thresholds
The access risk score can range from 0 to 200 and can, for example, be interpreted as follows:
- High: 150 - 200
- Medium: 120 - 149
- Normal: 0 - 119 (scores below 90 are rare)
These are examples only. Before deciding what thresholds to use in policy decisions, you should collect access risk scores for a variety of user and resource situations in your network.
Risk and confidence factors
STA calculates the access risk score with a summation of weighted risk and confidence factors.
- Risk factors increase the score
- Confidence factors decrease the score
The default access risk score is 100. If no risk and confidence factors are detected, the score for an access request will be 100.
The key factors of risk in the calculation of the access risk score are:
- New device for the user
- New IP address for the user
- New identity (user is seen for the first time)
- Session replay risks
- Device spoofing risks
- Network spoofing risks
- Identity spoofing risks
- Bot detection
- Impossible travel
- Time of day
The key factors of confidence in the calculation of the access risk score are:
- Past authentication success for the user on the device
- Known user-device and IP address combination
- No device cookie change over time
Device identification is implemented through a combination of elaborate device/browser fingerprinting and cookie recognition.
Risk conditions
You can configure the access risk score condition as part of your STA policy scenarios to determine the circumstances in which a policy scenario applies.
The following is an example of an access risk score condition that would trigger on high-risk access attempts.
Collecting risk score data
To gain experience with the access risk score data that STA will be evaluating, create dummy scenarios and conditions to collect a risk score each time an access request is processed by your policies, without affecting the behavior of your system.
To collect access risk scores:
- Open the policy of interest.
- For all existing scenarios, set dummy access risk score conditions.
  - Add a condition that looks for an access risk score value greater than 0 (which will always be True), and keep the rest of the scenario unchanged.
- Create a scenario that captures the default or fallback case and that includes a dummy access risk score condition.
  - Create the default scenario for the policy.
  - Add one condition in this scenario that looks for an access risk score value greater than 0 (which will always be True), and make this the only condition of the scenario.
  - Set the decision for this scenario to be the same as the default decision of the policy itself.
  - Rank this scenario last in your list of scenarios for this policy.
Risk score data in access logs
For access requests that were processed by a policy scenario that includes an access risk score condition, an access risk score is recorded in the STA access logs and can be viewed on the Access Logs tab of the STA console.
The access logs can be ranked by risk score so that high-risk access requests can be identified quickly.
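Once scores have been collected, candidate thresholds can be checked against them before they are used in a policy. The following is an added example, not part of the STA documentation or product: it assumes the collected scores are available as CSV text with hypothetical `user` and `risk_score` columns, and uses constructed sample rows.

```python
import csv
import io

# Constructed sample data. The column names "user" and "risk_score" are
# assumptions for this example, not the STA access log export format.
SAMPLE_CSV = """user,risk_score
alice,100
alice,92
bob,100
bob,131
carol,118
carol,155
dave,104
dave,97
erin,122
erin,176
"""

# Example bands from the page; replace with the thresholds under evaluation.
EXAMPLE_BANDS = [("High", 150, 200), ("Medium", 120, 149), ("Normal", 0, 119)]


def load_scores(text):
    """Parse scores, rejecting values outside the documented 0-200 range."""
    scores = []
    for row in csv.DictReader(io.StringIO(text)):
        score = int(row["risk_score"])
        if not 0 <= score <= 200:
            raise ValueError(f"score out of range: {score}")
        scores.append(score)
    return scores


def band_counts(scores, bands=EXAMPLE_BANDS):
    """Count how many collected requests fall into each band."""
    counts = {name: 0 for name, _, _ in bands}
    for score in scores:
        for name, low, high in bands:
            if low <= score <= high:
                counts[name] += 1
                break
    return counts


def share_at_or_above(scores, threshold):
    """Fraction of requests a 'score >= threshold' condition would match."""
    return sum(s >= threshold for s in scores) / len(scores)
```

Running `share_at_or_above` for each candidate threshold shows what fraction of real access requests a stricter scenario would have applied to during the collection period.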