
Security Analytics Engine 1.2 - User Guide


Introduction to shared risk policies

The Security Analytics Engine provides the option of having multiple applications use the same risk policy without having to recreate or edit the risk policy each time an application is added or your risk policy needs change. For more information on the different uses for risk policies, see Shared risk policies.

Shared risk policies

Before you begin working with shared risk policies, you need to be aware that they should perform two different roles for an application: evaluating and alerting. Although configured using the same settings, a risk policy used for alerting and a risk policy used for evaluation should each be designed with that specific role in mind. An application does not distinguish between a shared risk policy and a non-shared risk policy; therefore, you can use any combination of shared and non-shared risk policies for alerting and evaluation.

A risk policy that an application selects to use for evaluation will most likely be similar to the risk policy used in the Sample Application provided by default with the Security Analytics Engine (for more information, see Sample Application). It consists of all the conditions that you want checked during an access attempt. Those conditions operate together to create a single risk score, which the application then uses to determine whether to allow an access attempt, request additional authentication information from the user, or deny access. Alerts can also be configured for the risk policy providing the evaluation, in which case the alert is sent when the generated risk score exceeds the configured threshold.

A risk policy designed for alerting will, in its simplest form, consist of a single condition without modifiers. When an access attempt occurs, all risk policies with alerting enabled that are associated with the application will send alerts. Due to the method used for calculating risk scores, the information in an alert about a single triggered condition is not always the same as the amount that condition contributed to the risk score during the access attempt.

Shared Policies page

The Shared Policies page is displayed when Shared Policies is clicked in the left pane of the Security Analytics Engine Administration web site. From this page you can launch the Shared Policy wizard to add new or edit existing shared risk policies. The Shared Policies page displays all the shared risk policies currently available for use by applications.

The following buttons appear across the top of the page:

This button is used for adding a new shared risk policy.

This button is used for editing an existing shared risk policy.

This button is used for deleting an existing shared risk policy.

The following information is displayed for each configured shared risk policy:

Policy Name

Displays the name assigned to the shared risk policy when it was created.

Description

Displays the description of the shared risk policy. This description was added when the shared risk policy was created.

Applications

Displays the applications currently assigned the shared risk policy.

Adding and managing shared risk policies

In instances where applications have similar risk evaluation or alerting needs, shared risk policies are used to ease the burden of creating and managing identical risk policies within multiple applications. It is the responsibility of the client application to determine which risk policy to evaluate during access attempts; however, all risk policies with alerting enabled will automatically send alerts once they are associated with an application. For more information on configuring risk policies for evaluating and alerting, see Shared risk policies.

See the following sections for more information:
