Configuring Trust Score Parameters for Zero Trust Approach

The Zero Trust methodology here employs micro-segmentation and behavioural analytics to calculate a trust score for users and resources based on predetermined parameters. To access resources configured with policy-based access control, users must meet multiple conditional parameters defined by administrators or by users with custom access policy roles. This documentation provides a detailed explanation of the trust score parameters and their implementation within the policy-based access approach.

PAM360 utilizes a total of nineteen conditional and predefined parameters to determine the users' and resources' trust scores. These parameters are divided into two categories, one for users and the other for resources, and have been assigned weightage to calculate the respective user and resource trust score. Based on these parameters and their assigned weightage, PAM360 calculates the trust score for both users and resources.

User Trust Score Parameters

Conditional Parameters to be Defined by the Administrator

  Authentication:
    Invalid Sign-In Attempts
    Non-Office Hours Sign-In
    Access from Allowed IPs
    Access from Allowed Devices
    User Belongs to Privileged Group

  Device:
    Allowed OS Version
    Allowed Open Ports
    Allowed Browser Plugins/Addons
    Allowed Applications/Packages
    Allowed Processes/Services

Predefined Parameters Based on Default Device Data

  Authentication:
    Two-Factor Authentication

  Device:
    Password Protected Device
    Active Antivirus Software
    Firewall Enabled
    Secure Boot Enabled
    Driver Integrity Verification Available


Resource Trust Score Parameters

Conditional Parameters to be Defined by the Administrator

  Resource:
    Allowed OS Version
    Allowed Open Ports
    Allowed Browser Plugins/Addons
    Allowed Applications/Packages
    Allowed Process/Services
    Resource Belongs to Privileged Group

Predefined Parameters Based on Default Application/Device Data

  Resource:
    Password Protected Device
    Active Antivirus Software
    Firewall Enabled
    Secure Boot Enabled
    Driver Integrity Verification Available
    Session Recording Enabled
    Privilege Elevation Agent Installed


1. Conditional Parameters to be Defined by the Administrator

Navigate to Admin >> Zero Trust >> Configuration to define the conditional parameters' baseline values for the user (user authentication + user device) and resource trust score calculation.

a. User Authentication Parameters

  1. Invalid Sign-In Attempts - Here you can define the number of unsuccessful login attempts a user is allowed to make within a defined number of days.
    E.g., Invalid Sign-in attempts allowed: 3 attempts in 7 days.
    If a user has attempted to sign in more than three times with incorrect credentials, they fail to fulfill the specified condition. Consequently, this parameter is assigned a score of 0 in the user trust score calculation, regardless of its assigned weightage.
    The following parameters work similarly for the respective trust score calculation.
  2. Non-Office Hour Sign-In - This parameter checks whether the user logs in to the PAM360 application during the specified working hours. By default, the working hours are 09:00 - 18:00 for all PAM360 users.
    If you want to set different working hours for different users, do the steps that follow:
    1. Click the Add Sign-In button.
    2. In the pop-up that opens, select the user group whose working hours are to be changed.
    3. Enter the Sign-In hours as per the organization's requirement, select Enable and click Save.
    4. If you select Disable, the default Sign-In hours 09:00 - 18:00 will apply to those users.

      Note:
      Set the sign-in hours in the PAM360 server's time, converting from the user's local device time. If the sign-in hours are not converted correctly to the PAM360 server's time, this parameter may score 0 and reduce the user's trust score.
      E.g., PAM360 server time - 5:00 (US) | User-machine time - 10:00 (UK).
      The work shift of the user in the UK is 10:00 - 17:00. Then the Sign-In hours set here should be 5:00 - 12:00.

  3. Accessing from Allowed IPs - Here you can define the range of IP addresses from which users are allowed to access the PAM360 application.
    E.g., Access from Allowed IP: 172.24.2XX.X to 172.24.2YY.Y.
    If a user accesses the PAM360 application from an address within the above IP range, the parametric condition is met, and the parameter score is added to the overall user trust score. Non-compliance with this parameter sets the parameter score to 0, irrespective of the weightage assigned on the Trust Score page.
  4. Accessing from Allowed Devices - Similar to the allowed IP parameter, here you can define the IP addresses or device names of the devices that the organization authorizes to access the PAM360 application. E.g., Allowed Device: pam-server3592.

    Note: If you need to monitor a limited set of allowed machines, or a machine outside the IP range provided above, you can use this parameter with the respective IP addresses or device names.

  5. User Belongs to Privileged Group - In this parameter, you can add the user group containing the users who are part of the privileged group in an organization. The users present in the added user group receive an additional user trust score without any further condition, simply by being considered privileged users.
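The three checks above (invalid sign-in attempts within a window, sign-in hours converted from the user's time zone to the server's, and source IP inside an allowed range) can be expressed as small functions. The code below is an added example, not PAM360's own implementation: the function names, the sample failure timestamps, and the 172.24.200.0 - 172.24.210.255 range (standing in for the page's masked 172.24.2XX.X - 172.24.2YY.Y example) are assumptions constructed for illustration. The sign-in hours conversion is done for a concrete date because the offset between two zones changes with daylight saving time; the page's 5-hour UK/US example holds during BST/EDT.

```python
from datetime import date, datetime, time, timedelta, timezone
import ipaddress


def invalid_attempts_met(failure_times, now, max_attempts=3, window_days=7):
    """True while the user has at most max_attempts failed sign-ins in the trailing window.

    Mirrors the page's example (3 attempts in 7 days): more than three failures
    means the condition is not met and the parameter scores 0.
    """
    cutoff = now - timedelta(days=window_days)
    recent = [t for t in failure_times if cutoff <= t <= now]
    return len(recent) <= max_attempts


def shift_in_server_time(shift_start, shift_end, user_tz, server_tz, on_date):
    """Convert a user's local working hours into the PAM360 server's wall-clock time.

    The conversion is done for a specific date because DST can change the offset
    between the two zones; re-check configured windows when clocks change.
    """
    start = datetime.combine(on_date, shift_start, tzinfo=user_tz).astimezone(server_tz)
    end = datetime.combine(on_date, shift_end, tzinfo=user_tz).astimezone(server_tz)
    return start.time(), end.time()


def office_hours_met(login_at_server, window_start, window_end):
    """True if the login's server-local wall-clock time falls inside the window.

    Also handles a window that crosses midnight (e.g. 22:00 - 06:00).
    """
    t = login_at_server.time()
    if window_start <= window_end:
        return window_start <= t <= window_end
    return t >= window_start or t <= window_end


def ip_in_allowed_range(ip, range_start, range_end):
    """True if ip lies inclusively between range_start and range_end (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(range_start) <= addr <= ipaddress.ip_address(range_end)


# Fixed summer offsets (BST = UTC+1, EDT = UTC-4) used as defaults so the example runs
# without a time zone database; pass ZoneInfo objects for real DST-aware zones.
BST = timezone(timedelta(hours=1))
EDT = timezone(timedelta(hours=-4))


def run_checks(user_tz=BST, server_tz=EDT):
    """Evaluate the three conditions against constructed sample data and return the results."""
    now = datetime(2024, 7, 15, 9, 30)
    # Constructed sample: four failures inside the last 7 days, one older than the window.
    failures = [now - timedelta(days=d) for d in (1, 2, 3, 4, 10)]

    # Page example: UK shift 10:00 - 17:00, server in the US (Eastern).
    start, end = shift_in_server_time(time(10, 0), time(17, 0), user_tz, server_tz, date(2024, 7, 15))
    login = datetime(2024, 7, 15, 4, 45, tzinfo=server_tz)  # 15 minutes before the window opens

    return {
        "invalid_attempts_met": invalid_attempts_met(failures, now),
        "sign_in_window": (start.strftime("%H:%M"), end.strftime("%H:%M")),
        "office_hours_met": office_hours_met(login, start, end),
        "ip_allowed": ip_in_allowed_range("172.24.205.17", "172.24.200.0", "172.24.210.255"),
    }


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # requires the system tz database or the tzdata package

    for name, value in run_checks(ZoneInfo("Europe/London"), ZoneInfo("America/New_York")).items():
        print(f"{name}: {value}")
```

Running the script prints that four recent failures fail the 3-in-7-days condition, that the 10:00 - 17:00 UK shift maps to a 05:00 - 12:00 server-time window (the page's example), that a 04:45 server-time login falls outside that window, and that 172.24.205.17 lies inside the constructed range.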

b. User Device/Resource Parameters

By default, every device/resource in an organization has its own set of open ports, browser plugins/add-ons, applications/packages, and processes and services. To collect these details from a device/resource and enter them in the accepted format in the parameters section below, do the steps that follow:

  1. Download this zip file and extract it on the desired device.
  2. Open the Windows or Linux folder, as appropriate for your Operating System (OS), in the location where you extracted the zip.
  3. Run the 'fetch_configuration_details' script (bash/sh on Linux, bat/ps1 on Windows) with administrator privileges.
  4. Upon execution, an output file named 'query_result.txt' is generated in the same folder.
  5. Open the query_result.txt file to check the default device data or system properties used to define the respective score parameter. Use the search option to find the value of each parameter by the following ids:
    1. Antivirus_status
    2. Application_and_packages
    3. Chrome_extensions
    4. Disk_encryption_status
    5. Firefox_addons
    6. Firewall_status
    7. OS_version
    8. Open_ports
    9. Process_and_services
    10. Secure_boot_status

    Note: The parameters received through the output file are the default set of open ports, browser plugins/add-ons, applications/packages and processes and services configured for the device/resource. You can use these parameters to define the below conditional values.

  1. Allowed OS Version - Here you can define the OS versions that your organization's users are allowed to use. If a logged-in device/resource deviates from the list of predefined OS versions, the respective trust score is affected irrespective of the trust score weightage.
    E.g., 10.0.22621
  2. Allowed Open Ports - Here you can specify the ports that PAM360 users are allowed to have open. You can provide either an allowed list or a blocked list of ports; if a port that is block-listed, or not included in the allowed list, is in use, the trust score is reduced according to the weightage given to this parameter.
    E.g., 8282, 7272, 9292, 6565
  3. Allowed Browser Plugins/Addons - Using this parameter you can define the browser plugins/add-ons permitted for users who are part of the policy-based access control method. Depending on your organization's preference, you can list the plugins and add-ons using either the blocked-list or the allowed-list method.
    E.g., bdgkacbeblomgnaoildjnppjkamgoogc, pictureinpicture@mozilla.org, firefox-compact-light@mozilla.org

    Note: The allowed/blocked browser plugins/add-ons are only applicable to the web browsers Chrome and Firefox.

  4. Allowed Applications/Packages - Here you can define the applications/packages that are allowed to be installed and used on the user devices/resources, by providing either an allowed list or a blocked list. Based on the installed applications and packages, the respective trust score varies according to the weightage given to this parameter.
    E.g., Microsoft Office Standard 2016, Sublime Text, Intel(R) Wireless Manageability Driver, Microsoft .NET Runtime - 6.0.9 (x64)
  5. Allowed Processes/Services - In this parameter, you can specify the processes/services that are permitted to run on the users' devices or resources, by creating either an allowed list or a restricted list. The trust score for the respective user device/resource parameter is adjusted based on the processes/services that are running.
    E.g., services.exe, lsass.exe, NetworkManager
  6. Privileged Resource Group (Resource Parameter) - In this parameter, you can add the resource group containing the resources that are part of the privileged devices in an organization. The resources present in the added resource group receive an additional resource trust score without any further condition, simply by being present in the privileged device group.

    Notes:
    i. For the parameters that take allowed and blocked lists, provide valid input values. A parameter that is left empty but has a weightage on the Trust Score page is treated as met in the respective trust score calculation.
    ii. The entries in the allowed list and the blocked list are case-sensitive.
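The allowed/blocked-list parameters above and the two notes (an empty parameter counts as met; matching is case-sensitive) can be modelled in a few lines. The code below is an added example, not PAM360's own code: the way the score is combined (each met parameter earns its weightage, each unmet one earns 0, and the result is reported as a percentage of the total weightage of the parameters with a non-zero weightage) is an assumption, as are the class and function names, the constructed observed device data, the constructed blocked-list entry, and the weightage values. It also carries the predefined posture parameters from the next section through the same calculation, with a weightage of 0 excluding a parameter as the page describes.

```python
from dataclasses import dataclass, field


@dataclass
class ListParameter:
    """One allowed/blocked-list parameter (OS version, open ports, plugins, packages, processes)."""
    name: str
    allowed: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def is_met(self, observed):
        """Apply the page's notes: an empty parameter counts as met; matching is case-sensitive."""
        observed = set(observed)            # no lower-casing: 'NetworkManager' != 'networkmanager'
        if not self.allowed and not self.blocked:
            return True                     # note i: empty parameter is treated as met
        if self.blocked and observed & self.blocked:
            return False                    # something on the blocked list is present
        if self.allowed and not observed <= self.allowed:
            return False                    # something present is not on the allowed list
        return True


def trust_score(met, weightages):
    """Assumed model: a met parameter earns its weightage, an unmet one earns 0,
    expressed as a percentage of the total weightage of checked (non-zero) parameters."""
    checked = {name: w for name, w in weightages.items() if w > 0}
    total = sum(checked.values())
    if total == 0:
        return 0.0
    earned = sum(w for name, w in checked.items() if met.get(name, False))
    return round(100.0 * earned / total, 1)


def evaluate_device(parameters, observed_by_name, posture, weightages):
    """Evaluate list parameters against observed device data, merge in the predefined
    posture flags, and return (per-parameter results, overall score)."""
    met = {p.name: p.is_met(observed_by_name.get(p.name, ())) for p in parameters}
    met.update(posture)
    return met, trust_score(met, weightages)


# Constructed sample configuration (values are illustrative, not a recommendation).
PARAMETERS = [
    ListParameter("Allowed OS Version", allowed={"10.0.22621"}),
    ListParameter("Allowed Open Ports", allowed={"8282", "7272", "9292", "6565"}),
    ListParameter("Allowed Browser Plugins/Addons"),                      # left empty: counts as met
    ListParameter("Allowed Processes/Services", blocked={"unapproved-agent.exe"}),
]
OBSERVED = {  # constructed device data, in the shape query_result.txt would provide
    "Allowed OS Version": {"10.0.22621"},
    "Allowed Open Ports": {"8282", "7272", "22"},                        # 22 is not on the allowed list
    "Allowed Browser Plugins/Addons": {"pictureinpicture@mozilla.org"},
    "Allowed Processes/Services": {"services.exe", "lsass.exe", "NetworkManager"},
}
POSTURE = {  # predefined parameters as reported by the device
    "Password Protected Device": True,
    "Active Antivirus Software": False,   # e.g. a product outside the supported list
    "Firewall Enabled": True,
    "Secure Boot Enabled": True,
}
WEIGHTAGES = {
    "Allowed OS Version": 8,
    "Allowed Open Ports": 6,
    "Allowed Browser Plugins/Addons": 4,
    "Allowed Processes/Services": 5,
    "Password Protected Device": 7,
    "Active Antivirus Software": 0,       # unsupported product: weightage 0 so it is not checked
    "Firewall Enabled": 6,
    "Secure Boot Enabled": 9,
}


def evaluate_sample():
    return evaluate_device(PARAMETERS, OBSERVED, POSTURE, WEIGHTAGES)


if __name__ == "__main__":
    met, score = evaluate_sample()
    for name, ok in met.items():
        print(f"{'met    ' if ok else 'not met'}  {name}")
    print(f"trust score: {score}")
```

In the sample, only the open-ports parameter fails (port 22 is present but not allowed), and the antivirus parameter is ignored because its weightage is 0, so the device earns 39 of 45 possible points, or 86.7 under the assumed model. Changing the weightage of the antivirus parameter to a non-zero value would immediately pull the score down, which is the effect the page warns about for unsupported products.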

2. Predefined Parameters

The following parameters cannot be configured or defined by the administrator; they come from predefined application/system properties. On the Trust Score page, you can assign a weightage to each of these properties for the trust score calculation as per your organization's needs and requirements. To leave a parameter out of the trust score calculation, enter a weightage of 0; otherwise, provide a value from 1 to 10 according to the importance your organization places on the parameter.

  1. Two-Factor Authentication (Only for User Authentication) - Two-Factor Authentication (2FA) here refers to the 2FA configured in PAM360 as an additional means of identity verification. This parameter adds score points, according to its configured weightage, for users for whom 2FA is mandated for PAM360 login.

    Note: We recommend you always enable the 2FA in PAM360 for an added layer of identity verification for greater security reasons.

  2. Device Protected by Password - This parameter verifies if the user's device or resource has password protection. If password protection is detected, the relevant score will be calculated based on its assigned weightage. If password protection is not detected, the score for this parameter will be zero, regardless of its assigned weightage.
  3. Antivirus SW is Installed and Running - This parameter evaluates whether an antivirus program is installed and active on the user's device or resource. If an antivirus program is present and operational, it contributes towards the score calculation. Conversely, the absence of an antivirus program results in a reduced parameter score, which impacts the overall trust score accordingly.
    At this early stage of the Zero Trust release, PAM360 can evaluate only a specific set of antivirus products deployed on resources/user machines. If your antivirus is not in the list below, it is recommended to enter a weightage value of '0' to avoid an unnecessary score reduction.
    1. Microsoft Defender
    2. Avast
    3. AVG
    4. Bitdefender
    5. Kaspersky
    6. McAfee
    7. Sophos
    8. Symantec
    9. Trend Micro
  4. Firewall Enabled - This parameter examines whether a firewall is active on the user's device or resource. If a firewall is detected, the parameter will be considered for score calculation toward the final trust score value. Conversely, if no firewall is detected on the user's configured device or resource, the parameter will not be considered and will result in a parameter score of zero, regardless of its assigned weightage.
  5. Secure Boot Enabled - The secure boot feature is to block the loading of malicious applications during device or resource startup. This particular parameter assesses the Secure Boot system summary status. If it is turned on, the parameter's score will be considered and added to the final trust score calculation. However, if the Secure Boot system summary status is changed to off on any user device or resource under the policy-based access control, the parameter will fail and receive a parameter score of zero, irrespective of its assigned weightage.
  6. Device Integrity Verification Available - The integrity verification feature in operating systems examines the system files and drivers for malicious or corrupted applications. If the user's device or resource has this feature available, the parameter will be considered as met, and the assigned weightage score will be added to the final trust score calculation.

    Note: If you have any uncertainty over the status of the above parameters in any of the resources or user machines, you can perform the above steps in the respective user device/resources to check for the parameter status.

  7. Session Recording Enabled (Only for Resource Trust Score) - This parameter refers to the session recording feature enabled for resources in PAM360, which allows remote sessions to be played back. Assigning a weightage to this parameter checks the configured resources for the session recording feature. If session recording is enabled for the accounts of the resource, the parameter score is added to the overall resource trust score.

    Note: This parameter is met for the resource trust score calculation only when all the accounts in a resource have session recording enabled in PAM360.

  8. Privilege Elevation Agent Installed - Assigning a weightage to this parameter acts as an added trust score to the specific resources that are installed with the Self-Service Privilege Elevation module along with the Zero Trust module.