VMware announced in March that Risk Analytics, a feature of Workspace ONE Intelligence, is now generally available. It will first integrate with Workspace ONE Access to provide enhanced risk-based conditional access.
Let’s take a look at what Risk Analytics is and what it adds to Workspace ONE Access.
First announced at VMworld 2019, Risk Analytics provides continuous monitoring of all Workspace ONE managed devices and users within an organization. Each device gets a calculated Risk Score, and for users with multiple devices, the user gets a Risk Score that’s an aggregate of their scored devices.
Each device and user will get one of three scores: low, medium, or high. An organization needs to have at least 100 same-platform devices for Risk Analytics to provide a Risk Score, because it needs to review a sufficient number of devices to determine which security settings are normally enabled and so identify outlier devices. The Risk Score is calculated once a day.
The Risk Analytics workflow consists of ingesting device data from Workspace ONE, identifying risky behaviors, calculating the Risk Score, and conducting an automated response.
Workspace ONE ingests data from multiple sources: endpoint analytics from Workspace ONE UEM, CVEs through MITRE, identity analytics from Workspace ONE Access, app analytics from the Workspace ONE Intelligence SDK, and threat analytics from Trust Network.
When it comes to identifying risky behaviors, there are currently three areas Risk Analytics reviews: out-of-date operating systems, risky settings, and application risk. For each, VMware compares against similar devices in your organization to properly determine whether something is a risky behavior. For risky settings, the focus is on the deliberate disabling of security features, like the firewall, AV, and passcodes.
As for application risk, Risk Analytics looks at four areas when determining a score: 1. did a user download too many apps within a 14-day period; 2. did the user download unusual apps; 3. are they keeping a large number of apps on a device; and 4. are they keeping a large number of unusual apps on a device? For the first two areas only, there is a 30-day grace period following Workspace ONE enrollment.
With the Risk Score calculated, admins can create automated responses using the Automation Custom Connector that trigger upon discovery of an issue. An example action could be that if devices are discovered to have out-of-date OSes, an update is pushed to the device or the user is notified that they need to update the OS, and the user’s access is then removed until they have done so.
Workspace ONE Access integration
VMware revealed that the first integration of Risk Analytics is with Workspace ONE Access (formerly VMware Identity Manager). This is the only integration they’re talking about now, but I could easily see this getting applied elsewhere down the road. To use Risk Analytics with Access, companies will need to have cloud-hosted Access and then set up the connector between the two services through the Workspace ONE Intelligence dashboard.
Risk Analytics will complement Workspace ONE Access’s already existing risk-based conditional access for employees logging into business apps through Workspace ONE. Previously, Access’s conditional access provided a static white/blacklisting of applications, fixed compliance checks, and an OS check. Now, Intelligence will push Risk Scores to Access to provide more dynamic signals before allowing users to access their business apps.
With Risk Analytics in place, the new risk-based conditional access workflow will authenticate by first checking device compliance (is it managed, jailbroken, etc.), then checking the user’s identity through both authentication strength and authentication provider (looking at things like session time, etc.), and finally applying the Risk Score.
Admins use the Workspace ONE Access dashboard to set how it handles automated remediation. For now, there are just three settings (low, medium, and high) and three remediation steps: allow access, require a step-up authentication factor, or deny access.
One thing to note: since the Risk Score is calculated just once every 24 hours, users who remediate issues will remain locked out of their apps until the new score is calculated. VMware confirmed this to be true.
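The check order and the once-a-day lockout window described above can be modeled in a few lines. This is an added example, not VMware code or a Workspace ONE API: the `Device` fields, the score-to-action mapping, the deny-on-failed-check behavior and the timestamps are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed admin mapping of the three scores to the three remediation steps.
POLICY = {"low": "allow", "medium": "step_up", "high": "deny"}
SCORE_INTERVAL = timedelta(hours=24)  # the score is calculated once a day


@dataclass
class Device:
    compliant: bool       # managed, not jailbroken, etc.
    risk_score: str       # result of the last daily calculation
    scored_at: datetime   # when that calculation ran (constructed value)
    current_risk: str     # what a fresh calculation would return right now


def refresh_score(dev: Device, now: datetime) -> None:
    """Pick up the device's current risk only when a daily run has happened."""
    runs = (now - dev.scored_at) // SCORE_INTERVAL
    if runs >= 1:
        dev.risk_score = dev.current_risk
        dev.scored_at += runs * SCORE_INTERVAL


def decide(dev: Device, identity_ok: bool, now: datetime) -> str:
    """Apply the checks in the article's order: compliance, identity, score."""
    refresh_score(dev, now)
    if not dev.compliant or not identity_ok:
        return "deny"  # assumption: a failed earlier check denies outright
    return POLICY[dev.risk_score]


def lockout_remaining(dev: Device, now: datetime) -> timedelta:
    """Time until the next daily run can replace a stale score."""
    refresh_score(dev, now)
    return dev.scored_at + SCORE_INTERVAL - now


if __name__ == "__main__":
    scored = datetime(2020, 4, 1, 2, 0)           # constructed timestamps
    dev = Device(True, "high", scored, "high")
    dev.current_risk = "low"                       # user remediates at 09:00
    t = datetime(2020, 4, 1, 9, 5)
    print(decide(dev, True, t), lockout_remaining(dev, t))
    print(decide(dev, True, datetime(2020, 4, 2, 2, 0)))
```

In this model a user who fixes the issue seven hours after the daily run stays denied for almost 17 more hours, which is the support-desk case to plan for when mapping the high score to deny.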
Risk Analytics continues VMware’s focus on zero trust through what they’ve decided to call “intrinsic security.” I’m sure we’ll continue to hear more around their intrinsic security vision in the months to come, as the messaging around the VMware Carbon Black integration for the cloud was a focus at RSA 2020.