The following use case shows how to use the Risk Engine to address specific security needs by customizing one or more risk rules. These configurations produce calculated risk levels that AppGate ZTNA uses to assign entitlements and allow or block access to resources according to a security policy.
This scenario has two parts:
The customer wants to secure access to a knowledge base app (KB app) used by employees. The company's security policy requires employees to run a recent OS—the latest version or no more than two versions behind.
The same customer wants to secure access to an expense reporting app (Fin app) used by both employees and contractors. Both groups must run a recent OS under the same conditions, and their devices must not be compromised. Employees use CrowdStrike; contractors use MVISION.
The following table summarizes the requirements:
| Need | End users | Conditions |
|---|---|---|
| Secure access to KB app | Employees | Recent OS (latest or no more than two versions behind) |
| Secure access to Fin app | Employees | Recent OS (latest or no more than two versions behind); low CrowdStrike risk level |
| Secure access to Fin app | Contractors | Recent OS (latest or no more than two versions behind); low MVISION risk level |
Part 1: Access to the KB app (employees)
| Need | End users | Conditions |
|---|---|---|
| Secure access to KB app | Employees | Recent OS (latest or no more than two versions behind) |
In the ZTP Cloud Console, go to Services > Risk Engine. Click + Add New.

Name and describe the new risk rule, then select an adapter. For this example, select OS Checker. Name the rule Minimum OS Level and click Save.

Adjust the risk mapping to match your security policy. Go to the Risk Mapping tab and click Edit Risk Mapping. By default, the OS Checker adapter maps a low risk level to 0–1 versions behind the latest OS. Adjust the low risk level range to 0–2 versions behind to match the security policy. Click Save to apply the new ranges.

In the AppGate ZTNA admin UI for the Collective that will use this risk level, go to Access > Conditions. Click +Add.

Name the condition Meet OS Version and add a description. Scroll down to Access Criteria, select Allowed when all below are true, click +Add, and select ZTP Risk Rule from the dropdown. Under Name, select the Minimum OS Level rule. Set Risk Level to Low. Click Save.

Go to Access > Entitlements.

Select the entitlement for the KB app, or click +Add to create it.
NOTE
For more information about entitlements in AppGate ZTNA, see the AppGate ZTNA Admin Guide.
Scroll down to Access Control, select Condition Based Access, and select the Meet OS Version condition created in step 5. Click Save.
Part 2: Access to the Fin app (employees and contractors)
| Need | End users | Conditions |
|---|---|---|
| Secure access to Fin app | Employees | Recent OS (latest or no more than two versions behind); low CrowdStrike risk level |
| Secure access to Fin app | Contractors | Recent OS (latest or no more than two versions behind); low MVISION risk level |
The Minimum OS Level risk rule created in Part 1 applies here as well. Two additional risk rules are required: one for the CrowdStrike Adapter and one for the MVISION Adapter.
In the ZTP Cloud Console, go to Services > Risk Engine. Click + Add New.
Name and describe the new rule, then select CrowdStrike ZTA as the adapter. Name the rule CrowdStrike risk score.
Repeat steps 1 and 2 to create another risk rule. Select McAfee MVISION as the adapter and name the rule MVISION risk score.
Review the risk mapping for both new rules. Go to the Risk Mapping tab and click Edit Risk Mapping. For this example, the default ZTP mapping for both adapters requires no further configuration. When you return to the Risk Engine Rules view, all three risk rules appear in the list: Minimum OS Level, CrowdStrike risk score, and MVISION risk score.
In the AppGate ZTNA admin UI for the Collective that will use these risk levels, go to Access > Conditions. Click +Add.
Name the condition Minimum Risk Level by Team and add a description summarizing the conditions that employees and contractors must meet to access the Fin app.


Scroll down to Access Criteria and select Allow when custom logic is met.
NOTE
This option creates a boolean expression that combines numbered criteria. For more information about access control in AppGate ZTNA, see the AppGate ZTNA Admin Guide.
Configure five access criteria:
Two criteria identify the end user's population (employee or contractor).
Three criteria correspond to the three risk rules.

How you identify population depends on your environment. If employees and contractors authenticate with different identity providers, use the identity provider as the basis. If all end users share the same provider, use labels or other group membership attributes. To create the risk rule criteria, click Add and select ZTP Risk Rule from the dropdown. Add criteria for Minimum OS Level, CrowdStrike risk score, and MVISION risk score.
Set the Custom Logic field to combine the criteria correctly:
(2 AND 3 AND 5) OR (1 AND 4 AND 5)
In this expression: employees (criterion 2) must meet the CrowdStrike risk score (criterion 3) and the Minimum OS Level (criterion 5); contractors (criterion 1) must meet the MVISION risk score (criterion 4) and the Minimum OS Level (criterion 5). Click Save.
Go to Access > Entitlements.
Select the entitlement for the Fin app, or click Add New to create it.
NOTE
For more information about entitlements in AppGate ZTNA, see the AppGate ZTNA Admin Guide.
Scroll down to Access Control, select Condition Based Access, and select the Minimum Risk Level by Team condition you created. Click Save.
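The Custom Logic expression from Part 2 can be checked offline against sample users before the condition is saved. The following is an added example, not AppGate code: a small Python model that evaluates the page's expression with the criterion numbering described above. The record fields, function names, and the AND-before-OR precedence for unparenthesized input are assumptions of this sketch.

```python
import re

CUSTOM_LOGIC = "(2 AND 3 AND 5) OR (1 AND 4 AND 5)"  # as given on this page
SAMPLE_USERS = {  # constructed records, not real data; field names are hypothetical
    "employee_ok": {"population": "employee", "crowdstrike": "low", "os_behind": 2},
    "employee_old_os": {"population": "employee", "crowdstrike": "low", "os_behind": 3},
    "contractor_ok": {"population": "contractor", "mvision": "low", "os_behind": 0},
    "contractor_cs_only": {"population": "contractor", "crowdstrike": "low", "os_behind": 0},
}

def criteria(u, os_low_max=2):  # True = criterion met; low OS risk = 0-2 versions behind
    return {1: u["population"] == "contractor", 2: u["population"] == "employee",
            3: u.get("crowdstrike") == "low", 4: u.get("mvision") == "low",
            5: 0 <= u["os_behind"] <= os_low_max}

def evaluate(expr, values):
    """Evaluate numbered criteria joined by AND/OR with parentheses, without eval()."""
    tokens = re.findall(r"\d+|AND|OR|[()]", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unexpected token in expression")
    tokens.append("END")  # sentinel so the parser never reads past the end
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok != "(":
            return values[int(tok)]  # int() rejects a misplaced ")" or END
        result = chain("OR")
        if take() != ")":
            raise ValueError("missing closing parenthesis")
        return result
    def chain(op):  # OR binds loosest; each OR operand is a chain of ANDed atoms
        operand = (lambda: chain("AND")) if op == "OR" else atom
        result = operand()
        while tokens[pos] == op:
            take()
            rhs = operand()
            result = (result or rhs) if op == "OR" else (result and rhs)
        return result
    result = chain("OR")
    if tokens[pos] != "END":
        raise ValueError("trailing tokens in expression")
    return result

def decisions(expr=CUSTOM_LOGIC, users=SAMPLE_USERS):
    return {name: evaluate(expr, criteria(u)) for name, u in users.items()}
```

Running `decisions()` with a variant such as `(2 AND 3 AND 5) OR (1 AND 4)` shows a contractor with an outdated OS being allowed, which is the kind of slip this check catches before the condition is saved.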
