Configuring Trust Score Parameters for Zero Trust Approach
The Zero Trust methodology here employs micro-segmentation and behavioural analytics to calculate a trust score for users and resources based on predetermined parameters. To access resources configured with policy-based access control, users must meet multiple conditional parameters defined by administrators or by users with custom access policy roles. This documentation provides a detailed explanation of the trust score parameters and their implementation within the policy-based access approach.

PAM360 uses a total of nineteen conditional and predefined parameters to determine the trust scores of users and resources. These parameters are divided into two categories, one for users and the other for resources, and each parameter is assigned a weightage that is used to calculate the respective user and resource trust score. Based on these parameters and their assigned weightage, PAM360 calculates the trust score for both users and resources.

User Trust Score Parameters
| Conditional Parameters to be Defined by the Administrator |
|---|
| Allowed OS Version |
| Allowed Open Ports |
| Allowed Browser Plugins/Addons |
| Allowed Applications/Packages |
| Allowed Process/Services |
| Resource Belongs to Privileged Group |

| Predefined Parameters Based on Default Application/Device Data |
|---|
| Password Protected Device |
| Active Antivirus Software |
| Firewall Enabled |
| Secure Boot Enabled |
| Driver Integrity Verification Available |
| Session Recording Enabled |
| Privilege Elevation Agent Installed |
Navigate to Admin >> Zero Trust >> Configuration to define the conditional parameters' baseline values for the user (user authentication + user device) and resource trust score calculation.
Note:
Ensure that you set the sign-in hours in the PAM360 server's time, converted from the time zone of the user's device. If the sign-in hours are not converted correctly to the PAM360 server's time, this parameter may be scored 0, which reduces the trust score.
E.g., PAM360 server time - 5:00 (US) | User-machine time - 10:00 (UK).
The work shift of the user in the UK is 10:00 - 17:00. The Sign-In hours set here should therefore be 5:00 - 12:00.
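The conversion in the note above, carried through in code so the configured window can be checked against the server clock. This is an added example, not PAM360's own code; it assumes the "US" server time in the note is America/New_York and the "UK" device time is Europe/London, and it takes a calendar date because the offset between the two zones changes around daylight-saving transitions.

```python
from datetime import date, datetime, time, timedelta
from zoneinfo import ZoneInfo  # Python 3.9+; needs system tzdata or the tzdata package


def shift_in_server_time(shift_start, shift_end, user_tz, server_tz, on_date):
    """Translate a user's local work shift (HH:MM strings) into the server's clock.

    on_date (YYYY-MM-DD) is required because the offset between user_tz and
    server_tz depends on whether either zone is observing daylight-saving time.
    Returns (start, end) as HH:MM strings in server time.
    """
    day = date.fromisoformat(on_date)
    user_zone = ZoneInfo(user_tz)
    start = datetime.combine(day, time.fromisoformat(shift_start), tzinfo=user_zone)
    end = datetime.combine(day, time.fromisoformat(shift_end), tzinfo=user_zone)
    if end <= start:                 # shift runs past the user's local midnight
        end += timedelta(days=1)
    server_zone = ZoneInfo(server_tz)
    return (start.astimezone(server_zone).strftime("%H:%M"),
            end.astimezone(server_zone).strftime("%H:%M"))


def within_sign_in_hours(server_clock, window):
    """True if a server-local HH:MM time falls inside the configured (start, end) window."""
    now = time.fromisoformat(server_clock)
    start, end = (time.fromisoformat(edge) for edge in window)
    if start <= end:
        return start <= now <= end
    # The window wraps past midnight on the server (e.g. a user far east of the server).
    return now >= start or now <= end


if __name__ == "__main__":
    # The page's example: a UK user working 10:00-17:00, server in the US.
    window = shift_in_server_time("10:00", "17:00", "Europe/London",
                                  "America/New_York", "2024-01-15")
    print("Sign-In hours to configure (server time):", window)
    print("08:30 server time inside window:", within_sign_in_hours("08:30", window))
```

The same call with a July date also yields 05:00-12:00, because London and New York shift their clocks by the same amount; for zone pairs that do not (or for shifts that wrap past midnight in server time) the returned window should be re-checked after each DST change, and the wrap-around branch in within_sign_in_hours handles the case where the converted start is later than the converted end.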
Note: If you need to monitor only a limited set of allowed machines, or a machine that falls outside the IP range provided above, you can configure this parameter with the respective IP addresses or device names.
By default, every device/resource in an organization has a set of open ports, browser plugins/add-ons, applications/packages, and processes and services. To collect these details from a device/resource and enter them in the accepted format in the parameters section below, follow these steps:
Note: The values in the output file are the default set of open ports, browser plugins/add-ons, applications/packages, and processes and services present on the device/resource. You can use these values to define the conditional parameters below.
Note: The allowed/blocked browser plugins/add-ons apply only to the Chrome and Firefox web browsers.
Notes:
i. For the parameters that have allowed and blocked lists, provide valid input values. A parameter whose lists are left empty but which has been given a weightage on the Trust Score page is treated as met in the respective trust score calculation.
ii. The values entered in a parameter's allowed list and blocked list are case-sensitive.
The parameters below cannot be configured or defined by the administrator; they come from predefined application/system properties. You can assign a weightage to each of these properties on the Trust Score page so that it contributes to the trust score calculation according to your organization's needs. To exclude a parameter from the calculation, enter 0 in the Trust Score weightage field; otherwise, enter a value from 1 to 10 according to the parameter's importance to your organization.
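A worked illustration of the rules in the notes above (empty list parameters count as met, matching is case-sensitive, weightage 0 excludes a parameter, weightages run from 1 to 10) and of how per-parameter weightages combine into a score. This is an added example, not PAM360's implementation: the page does not state the arithmetic, so the example assumes an allowed list is met when every observed value is in it, a blocked list is met when no observed value is in it, and the score is the percentage of total weightage earned by met parameters. The baseline and device inventories are constructed for the demonstration.

```python
from dataclasses import dataclass


def _check_weight(name, weight):
    # Weightage semantics from the page: 0 excludes the parameter, 1-10 ranks its importance.
    if not 0 <= weight <= 10:
        raise ValueError(f"{name}: weightage must be 0-10, got {weight}")


@dataclass(frozen=True)
class ListParameter:
    """A conditional parameter configured with allowed and/or blocked values."""
    name: str
    weight: int
    allowed: frozenset = frozenset()
    blocked: frozenset = frozenset()

    def __post_init__(self):
        _check_weight(self.name, self.weight)

    def is_met(self, observed):
        observed = frozenset(observed)
        # Page behaviour: a parameter with no allowed or blocked values is treated as met.
        if not self.allowed and not self.blocked:
            return True
        # Exact comparison, so "Chrome" and "chrome" are different values (case-sensitive).
        if self.blocked & observed:
            return False
        if self.allowed and not observed <= self.allowed:   # assumed: every value must be allowed
            return False
        return True


@dataclass(frozen=True)
class FlagParameter:
    """A predefined true/false property, e.g. Firewall Enabled or Secure Boot Enabled."""
    name: str
    weight: int

    def __post_init__(self):
        _check_weight(self.name, self.weight)

    def is_met(self, observed):
        return bool(observed)


def trust_score(parameters, observations):
    """Return (score_percent, unmet_parameter_names) for one device or resource.

    observations maps a parameter name to the observed values (a set for list
    parameters, a bool for flag parameters). Weight-0 parameters are skipped.
    Score = earned weightage / total weightage, as a percentage (assumption).
    """
    scored = [p for p in parameters if p.weight > 0]
    total = sum(p.weight for p in scored)
    if total == 0:
        return 0, []
    earned, unmet = 0, []
    for p in scored:
        if p.is_met(observations.get(p.name, ())):
            earned += p.weight
        else:
            unmet.append(p.name)
    return round(100 * earned / total), unmet


# Constructed baseline (what an administrator might configure) for demonstration only.
BASELINE = [
    ListParameter("Allowed OS Version", 5, allowed=frozenset({"Windows 11"})),
    ListParameter("Allowed Open Ports", 3, allowed=frozenset({"22", "443"})),
    ListParameter("Allowed Browser Plugins/Addons", 2, blocked=frozenset({"Shady Downloader"})),
    ListParameter("Allowed Process/Services", 4),     # empty lists: always met
    FlagParameter("Firewall Enabled", 0),             # weight 0: not checked at all
    FlagParameter("Secure Boot Enabled", 6),
]

# Constructed device inventories.
COMPLIANT_DEVICE = {
    "Allowed OS Version": {"Windows 11"},
    "Allowed Open Ports": {"22", "443"},
    "Allowed Browser Plugins/Addons": {"Example PDF Viewer"},
    "Allowed Process/Services": {"sshd", "nginx"},
    "Firewall Enabled": False,                        # ignored: weight is 0
    "Secure Boot Enabled": True,
}

DRIFTED_DEVICE = {
    "Allowed OS Version": {"Windows 11"},
    "Allowed Open Ports": {"22", "3389"},             # 3389 is not in the allowed list
    "Allowed Browser Plugins/Addons": {"shady downloader"},  # different case: not blocked
    "Allowed Process/Services": set(),
    "Firewall Enabled": True,
    "Secure Boot Enabled": False,
}

if __name__ == "__main__":
    for label, device in (("compliant", COMPLIANT_DEVICE), ("drifted", DRIFTED_DEVICE)):
        print(label, trust_score(BASELINE, device))
```

The drifted device shows the two rules that most often surprise administrators: the lowercase plugin name slips past the blocked list because matching is case-sensitive, and the empty "Allowed Process/Services" parameter still earns its full weightage, so a parameter left empty but weighted inflates the score rather than flagging the device.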
Note: We recommend that you always enable 2FA in PAM360 as an additional layer of identity verification.
Note: If you are unsure of the status of any of the above parameters on a resource or user machine, you can perform the above steps on that user device/resource to check the parameter status.
Note: This parameter is met for the resource trust score calculation only when session recording is enabled in PAM360 for all the accounts in the resource.