Managing Adaptive Security and Risk Providers

This section describes adaptive security and risk providers, how to activate adaptive security, how to configure the Default risk provider, and how to add a third-party risk provider.

Required Policy or Role

To manage identity domain settings, you must have one of the following access grants:
  • Be a member of the Administrators group
  • Be granted the Identity Domain Administrator role or the Security Administrator role
  • Be a member of a group granted manage domains

To understand more about policies and roles, see The Administrators Group, Policy, and Administrator Roles, Understanding Administrator Roles, and Understanding Policies.

Understand Adaptive Security

Adaptive Security provides strong authentication capabilities for your users, based on their behavior within and across multiple heterogeneous on-premises applications and cloud services.

Adaptive Security analyzes a user’s risk profile based on their historical behavior, such as too many unsuccessful sign-on attempts and too many unsuccessful MFA attempts. To evaluate the user’s behavior across other systems with which IAM isn’t directly involved, Adaptive Security allows you to configure your existing risk providers to obtain the user’s risk score from third-party risk providers, such as Symantec CloudSOC Cloud Access Security Broker (CASB). With this context and risk information, Adaptive Security profiles each user, and arrives at its own risk score and an overall consolidated risk level (High, Medium, Low).

These scores and risk levels can be used with policies to enforce a remediation action, such as allowing or denying the user access to IAM and its protected applications and resources, or requiring the user to provide a second factor to authenticate into IAM.

Administrators can also view how the user’s risk profile trended over time, and drill down to see details associated with each event.

Understanding Risk Providers

Identity domain administrators and security administrators use identity domain risk providers to configure various contextual and threat events to be analyzed within an identity domain. An identity domain can also consume user risk scores from third-party risk providers.

Default Risk Provider

An identity domain includes a default risk provider with a list of supported contextual and threat events, such as too many unsuccessful login attempts or too many unsuccessful MFA attempts. Administrators can enable events of interest, and specify weighting or severity for each of these events. The system uses the configured weighting to compute the user’s risk score.

You can configure the following events for a risk provider:
  • Access from an unknown device
  • Too many unsuccessful login attempts
  • Too many unsuccessful MFA attempts
  • Access from suspicious IP addresses
  • Access from an unfamiliar location
  • Impossible travel between locations

As an example, if a user signs in from a new (unknown) device, the system won't recognize the device and will trigger the Access from an unknown device event.

Administrators can assign weightings to events that correspond to risk ranges. Consider the weighting for each of the risks as follows:
  • low risk range (0-25)
  • medium risk range (26-75)
  • high risk range (76-100)

If the administrator wants to consider a user login from an unknown device to be of low risk, then the administrator sets the weighting for that event to be less than 25. If the administrator wants to consider the same event to be of medium risk, then the administrator sets the weighting for that event to be from 26 through 75. Any value set above 75 for that event is considered high risk. If the user triggers more than one event, then the risk score is a combination of the weightings of those events and corresponds to the appropriate risk level. The user's risk scores are evaluated continuously and are reduced based on the remediation actions that are taken by the user, such as successful logins and password resets.

Third-Party Risk Providers

Administrators can add risk providers to obtain a user’s risk score from the Symantec third-party risk engine. This risk engine provides additional intelligence on the user’s behavior across heterogeneous systems with which IAM isn’t directly involved.

To provide a consolidated risk profile of the user at any time, IAM takes the highest level of the risk scores of both the default IAM risk provider and the configured third-party risk providers, and qualifies the user as a high-risk, medium-risk, or low-risk user. For example, if a user’s risk score from the default risk provider is within the Low range, but the risk score from a third-party risk provider is within the Medium range, then the user’s consolidated risk level is set to Medium.

Administrators can then use the identity domain risk score, the third-party risk score, or the consolidated user risk level as conditions in identity domain sign-on policies to enforce a remediation action, such as allowing or denying the user access to an identity domain and its protected applications and resources, requiring the user to provide a second factor to authenticate into an identity domain, and so on.
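As an added example (not Oracle's implementation), the following Python models the scoring rules from the Default Risk Provider and Third-Party Risk Providers sections above: event weightings mapped onto Low/Medium/High ranges, and consolidation by the highest level across providers. The summing of multiple event weightings and the CASB provider's ranges are assumptions, since the text only says the score is "a combination" of the weightings.

```python
from dataclasses import dataclass, field


@dataclass
class RiskProvider:
    """A risk provider with its risk ranges and (for the default provider) event weightings."""
    name: str
    ranges: dict                                    # level -> (low, high), inclusive
    weightings: dict = field(default_factory=dict)  # enabled event -> weighting

    def level_for(self, score: int) -> str:
        """Map a numeric risk score onto the configured Low/Medium/High range."""
        for level, (low, high) in self.ranges.items():
            if low <= score <= high:
                return level
        raise ValueError(f"{self.name}: score {score} is outside the configured ranges")

    def score(self, triggered_events) -> int:
        """Combine the weightings of the triggered events into one score.

        Assumption: the page only says multiple events give 'a combination' of their
        weightings, so this example sums them and caps the result at the top of the
        highest range. Events that are not enabled (no weighting) contribute nothing.
        """
        cap = max(high for _, high in self.ranges.values())
        return min(sum(self.weightings.get(event, 0) for event in triggered_events), cap)


LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def consolidated_level(levels) -> str:
    """IAM qualifies the user by the highest level reported by any active provider."""
    return max(levels, key=LEVEL_ORDER.__getitem__)


if __name__ == "__main__":
    # Constructed configuration using the ranges and event names from the text above.
    default = RiskProvider(
        "Default",
        {"Low": (0, 25), "Medium": (26, 75), "High": (76, 100)},
        {"Access from an unknown device": 20, "Too many unsuccessful MFA attempts": 40},
    )
    events = ["Access from an unknown device", "Too many unsuccessful MFA attempts"]
    score = default.score(events)
    print(default.name, score, default.level_for(score))  # Default 60 Medium
    # Constructed third-party (CASB) provider reporting a score of 30 on its own ranges.
    casb = RiskProvider("CASB", {"Low": (0, 40), "Medium": (41, 70), "High": (71, 100)})
    print(consolidated_level([default.level_for(score), casb.level_for(30)]))  # Medium
```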

Using the Console

Activating Adaptive Security

Start evaluating contextual and threat analysis, and obtain user risk scores from the configured third-party risk providers by turning on adaptive security.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. In the Adaptive security page, turn on Adaptive intelligence.

Deactivating Adaptive Security

Stop performing contextual and threat event analytics, and obtaining user risk scores from third-party risk providers by turning off adaptive security.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. In the Adaptive security page, turn off Adaptive intelligence.

Configuring the Default Risk Provider

You can modify the default risk provider that's associated with an identity domain.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. Click the Actions menu in the Default risk provider row and then Edit risk provider. Change the Description or the Risk range. See Adding a Third-Party Risk Provider for more information about risk ranges.
  3. Select or clear a check box to enable or disable the event. You can't disable all events for the default risk provider.
    Note

    See Modifying the custom password policy to learn how to set the maximum number of unsuccessful logins for the Too many unsuccessful login attempts event.

    See Configuring Multi-Factor Authentication Settings to learn how to set the maximum number of unsuccessful MFA logins for the Too many unsuccessful MFA attempts event.

  4. Set a value (weighting) for each event that corresponds to the risk range for this risk provider.

    For example, suppose you set the Low risk range for the risk provider to be from 0 through 10, the Medium risk range to be from 11 through 80, and the High risk range to be from 81 through 100.

    If you set the weighting of the Access from an unknown device event to 20, and a low-risk user accesses an identity domain with an unknown device, then the user's risk range changes to Medium.

  5. Click Save changes.
  6. Confirm your changes.

Adding a Third-Party Risk Provider

You can add a risk provider that can be used to obtain a user’s risk score from the Symantec third-party risk engine. This risk score provides additional intelligence on the user’s behavior across heterogeneous systems with which IAM isn’t directly involved. Administrators can then use this third-party risk score with identity domain sign-on policies to enforce a remediation action, such as allowing or denying the user from accessing an identity domain and its protected applications and resources, requiring the user to provide a second factor to authenticate, and so on.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. Click Create risk provider. The Create risk provider page appears.
  3. Use the following table as a guide when adding a third-party risk provider.
    Field: Description
    Company: Select the vendor of the risk provider solution.
    Name: Enter the name of the risk provider.
    Description: Provide a brief description of the risk provider.
    Risk provider URL: Enter the risk provider URL that IAM can use to obtain the user's risk score.
    Authentication type: This menu contains two methods that IAM uses to authenticate against the risk provider: BASIC and TOKEN.
      If you select BASIC, then the User name and Password fields appear. Enter the user name and password that IAM uses to authenticate against the risk provider.
      If you select TOKEN, then the Scheme and Token fields appear. Enter the name of the authentication scheme and the authentication token that IAM uses to pass a user's credentials to the risk provider.
    Username: The username for the risk provider.
    Password: The password for the risk provider.
    User identifier: Select the unique identifier for user accounts that IAM uses to link the user in the risk provider. This identifier can be either the user name or the primary email address.
    Refresh rate: Specify how often (in minutes or hours) IAM calls the risk provider to check for refreshed scores.
  4. In the Risk range pane of the Add risk provider page, the risk levels configured in the risk provider are shown automatically, if the provider supports an API to get this information. If the API is not available, then the administrator can specify the risk ranges manually, as configured in the risk provider. This is just to provide a reference to the configured risk ranges in the risk provider and has no significance in the risk calculations.
  5. To check whether the risk provider information is correct, click Validate risk provider.
    Verify that you see the message "The connection to the {risk_provider_name} risk provider has been validated."
    Note

    If you receive an error message, then check the values that you entered or selected for the Risk provider URL and Authentication type fields.
  6. Click Create risk provider. The risk provider is added and saved with a deactivated status. See Activating a Risk Provider for more information about activating this risk provider.

Activating a Risk Provider

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. In the Risk providers section, click the Actions menu to the right of the risk provider that you want to activate.
  3. Select Activate risk provider.
  4. Confirm the activation.

Deactivating a Risk Provider

If the default risk provider is deactivated, then none of the events configured in this risk provider are used for the user’s risk score analysis. If third-party risk providers are deactivated, then risk scores are not retrieved from those risk providers.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. In the Risk providers section, click the Actions menu to the right of the risk provider that you want to deactivate.
  3. Select Deactivate risk provider.
  4. Confirm the deactivation.

Viewing Details About a Risk Provider

View details such as the name, company, and activation status of each risk provider. You can also see other information, such as the risk levels and authentication information associated with the risk provider.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. Click the Actions menu in the Default risk provider row and then Edit risk provider.
    The risk provider opens and displays: Details and Risk range. See Adding a Third-Party Risk Provider for more information about these panes.
    Note

    If you clicked the default risk provider, then you’ll see a third section: Events. See Configuring the Default Risk Provider to learn more about this pane.

Modifying a Third-Party Risk Provider

After viewing details about, activating, or deactivating a risk provider that you added, you can modify it.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. In the Risk providers section, click the Actions menu to the right of the risk provider that you want to modify and select Edit risk provider.
  3. Make any necessary changes.
  4. Click Validate risk provider. Verify that you see the message "The connection to the {risk_provider_name} risk provider has been validated." If you receive an error message, then check the values that you changed for the Risk provider URL and Authentication type fields.
  5. Click Save changes.
  6. Confirm the changes.

Deleting a Third-Party Risk Provider

If a third-party risk provider is no longer needed to provide its user risk score, then you can remove it.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Security and then Adaptive security.
  2. In the Adaptive Security page, if the risk provider that you want to remove is activated, then deactivate it. See Deactivating a Risk Provider.
  3. In the Risk providers section, click the Actions menu to the right of the risk provider that you want to delete.
  4. Select Delete risk provider.
  5. Confirm the deletion.