Table 5-1 Risk-based Authentication Terms
Term |
Description |
---|---|
Rule |
A rule indicates a condition that you want to evaluate during a login attempt. For evaluation, a rule is linked to a risk policy. A rule can be assigned to multiple risk policy. For example, to assess the IP address of a user and the location from which the user logs in, you need two separate rules: One for IP address and another rule for location. |
Risk Policy |
You can combine one or more rules with a risk policy. A rule cannot be processed without being included in a risk policy. You can combine multiple rules in a risk policy. |
Risk Score |
The value that is returned if the rule conditions do not meet. For example, you have set the risk score as 50. If the risk evaluation fails, 50 is the value returned to the risk engine. Assume that the IP address rule is assigned a risk score of 50 and the geolocation rule is assigned a risk score of 30. If both IP address rule and geolocation rule fail, the risk score is 80. If only the IP address rule fails, the risk score is 50. As the geolocation rule is evaluated successfully, the risk score is 0 for this rule. |
Is/Is Not condition |
When you configure a rule and select a parameter for assessment, you can determine how the conditions must match for each of the sub-parameters. For example, if you configure a rule to assess the IP address of a user, you can configure whether the IP address must be specific, be in a range, or be in a particular subnet. For example, if you want to assess whether the IP address of a user is within a range of 10.10.10.1 to 10.10.10.10, you can specify an Is condition in the rule configuration. This indicates that when the rule is evaluated, only IP addresses in the range of 10.10.10.1 to 10.10.10.10 must be considered as a valid IP addresses and then the user must be granted access. During the rule evaluation, if you want a rule to be passed when it does not meet a specific criteria, select Is Not in the rule configuration screen. For example, if you want to stop all login attempts from a particular IP address, then configure a rule using the Is condition. Using the same example as above, if you want to stop any login attempts from IP addresses in the range of 10.10.10.1 to 10.10.10.10, configure the rule using the Is Not condition. |
Combination Rule |
When you configure a set of rules, it is configured with the OR logical operator, by default. For example, if you have configured an IP address rule and a geolocation rule without any additional configuration, either the IP address rule is evaluated or the geolocation rule is evaluated. But, if you want both the IP address rule and the geolocation rule to be evaluated during a login attempt, configure a combination rule. A combination rule lets you use the AND/OR logical operators to configure a rule based on your preferences. For example, If you configure an IP address rule and a geolocation rule, select the AND operator to evaluate both rules. Whereas if you use the OR operator, either IP address rule or the geolocation rule is evaluated. |
Risk Level |
When a rule fails to evaluate successfully, the risk score is returned to the risk engine. If you have multiple rules configured, for each rule that fails to evaluate successfully, the risk score is added up to get a cumulative score. When configuring the risk level, you can determine the action the risk engine has to take if the total risk score crosses a certain limit and the risk level for the value. For example, you can determine that the risk is low if the total risk score is less than or equal to 50. Whereas if it is greater than 50, some action is required. Here action might mean an additional authentication request for the user. |
Action |
When a risk level and the associated risk score crosses the set threshold limit, you can configure the action as deny access or demand additional authentication. For example, if you have defined a risk level of High for a cumulative risk score of greater than 50, then you can specify that either the user must be denied access or additional authentication methods must be requested. |