Cloudflare Blog·March 4, 2026

Implementing Adaptive Zero Trust with User Risk Scoring

This article discusses Cloudflare's implementation of User Risk Scoring within their Cloudflare One SASE platform, enabling adaptive zero trust network access (ZTNA) policies. It highlights how continuous risk assessment based on user behavior and external signals can make security decisions smarter and more dynamic, moving beyond static authentication. The system architecture involves a risk engine that aggregates telemetry, calculates scores, and integrates with access policies and third-party security tools.

Read original on Cloudflare Blog

The Shift from Static to Adaptive Security

Traditional corporate access models have been binary: access is granted or denied at login based on credentials and device health, and nothing is re-evaluated for the rest of the session. This ignores the fact that a user's risk posture changes during a session, for example when a session token is stolen or a device becomes infected after the initial check. The article describes a shift towards adaptive access, where access decisions are continuously informed by the user's real-time behavior and risk profile. This allows more granular and dynamic enforcement, and moves incident response away from a reactive 'Whac-A-Mole' approach towards automated containment of a risky user before further damage is done.

Architectural Overview of User Risk Scoring

Cloudflare One's User Risk Scoring system is built around a centralized risk engine that ingests and processes various telemetry data. This engine is critical for calculating a continuous risk score for each user. The architecture can be broken down into several key components:

  • Telemetry Ingestion: The risk engine gathers internal signals from Cloudflare Access (e.g., login attempts and geographic context) and Cloudflare Gateway (e.g., malware hits, risky browsing, DLP triggers). It also integrates with third-party security partners such as CrowdStrike and SentinelOne to ingest external telemetry, such as device posture attributes and endpoint detections.
  • Risk Behavior Definition: Administrators choose which risk behaviors (e.g., impossible travel, DLP violations, multiple failed logins) should count and assign each a risk level (low, medium, or high). Signals that are not mapped to a configured behavior do not affect the score.
  • Deterministic Calculation Logic: The engine collects the risk events triggered for a user and sets the user's score to the highest risk level among the behaviors active in the evaluation period. Because the score is a maximum rather than a weighted sum, an administrator can always trace a score back to the single behavior that produced it, which keeps the scoring consistent and explainable.
  • Policy Enforcement: The risk score becomes an attribute that ZTNA policies can match on, so actions are taken automatically as the score changes: revoking access to sensitive applications, requiring step-up multi-factor authentication (MFA), or terminating active sessions. Scores that no longer reflect reality (for instance after an investigation) should be resettable, otherwise a user stays locked out after the risk has been addressed.
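The components listed above can be sketched as a small engine. The following is an added example, not Cloudflare's code: it assumes a rolling evaluation window, a hand-written behavior-to-level mapping, a constructed event shape, and a toy policy function, all of which are illustrative choices rather than product details. The sample events are constructed too.

```python
"""Toy adaptive-access risk engine (added example, not Cloudflare's implementation).

Models the behaviour described above: administrator-configured risk behaviours,
a user score equal to the highest level active within a window, and policy
actions keyed off that score. Event shape, window, behaviour names and the
policy mapping are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class RiskLevel(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskEvent:
    user: str
    behavior: str      # name of the triggered behaviour
    ts: datetime       # time the signal was observed
    source: str        # where it came from, e.g. "access", "gateway", "edr"


# Administrator configuration (constructed): which behaviours count and their level.
DEFAULT_BEHAVIORS = {
    "impossible_travel": RiskLevel.HIGH,
    "edr_malware_detected": RiskLevel.HIGH,
    "dlp_violation": RiskLevel.MEDIUM,
    "multiple_failed_logins": RiskLevel.LOW,
}


class RiskEngine:
    def __init__(self, behaviors=DEFAULT_BEHAVIORS, window=timedelta(hours=1)):
        self.behaviors = dict(behaviors)
        self.window = window          # assumed rolling evaluation period
        self._events: list[RiskEvent] = []

    def ingest(self, event: RiskEvent) -> None:
        # Only configured behaviours influence the score; unknown signals are dropped.
        if event.behavior in self.behaviors:
            self._events.append(event)

    def active_events(self, user: str, now: datetime) -> list[RiskEvent]:
        cutoff = now - self.window
        return [e for e in self._events if e.user == user and cutoff < e.ts <= now]

    def score(self, user: str, now: datetime) -> RiskLevel:
        # Deterministic: the score is the maximum level among active behaviours,
        # so every score is explainable by the single behaviour that produced it.
        levels = [self.behaviors[e.behavior] for e in self.active_events(user, now)]
        return max(levels, default=RiskLevel.NONE)

    def reset(self, user: str) -> None:
        """Administrator reset after investigation: forget the user's events."""
        self._events = [e for e in self._events if e.user != user]


def evaluate_policy(score: RiskLevel, app_sensitivity: str) -> str:
    """Map a score to an access decision (constructed policy, not the product's)."""
    if score >= RiskLevel.HIGH:
        return "deny_and_revoke_sessions"
    if score == RiskLevel.MEDIUM and app_sensitivity == "sensitive":
        return "require_mfa"
    return "allow"


def demo() -> dict:
    """Run constructed sample telemetry through the engine and return the decisions."""
    t0 = datetime(2026, 3, 4, 9, 0)
    engine = RiskEngine()
    engine.ingest(RiskEvent("alice", "multiple_failed_logins", t0, "access"))
    engine.ingest(RiskEvent("alice", "dlp_violation", t0 + timedelta(minutes=5), "gateway"))
    engine.ingest(RiskEvent("alice", "unconfigured_signal", t0, "gateway"))   # ignored
    engine.ingest(RiskEvent("bob", "impossible_travel", t0 + timedelta(minutes=10), "access"))

    now = t0 + timedelta(minutes=30)
    out = {
        "alice_score": engine.score("alice", now).name,
        "alice_action": evaluate_policy(engine.score("alice", now), "sensitive"),
        "bob_score": engine.score("bob", now).name,
        "bob_action": evaluate_policy(engine.score("bob", now), "sensitive"),
    }
    # Two hours later alice's events have aged out of the window.
    out["alice_later"] = engine.score("alice", t0 + timedelta(hours=2)).name
    # An administrator clears bob after investigating the alert.
    engine.reset("bob")
    out["bob_after_reset"] = engine.score("bob", now).name
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `max`-based score is what makes the behaviour auditable: a medium score for alice is explained entirely by the DLP violation, and adding more low-level events never escalates her to high. The windowing and `reset` exist because a score that can only go up is an availability problem; the exact retention and reset semantics are a design decision for the deployment, not something this example takes from the article.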

Design Consideration: Real-time Data Processing

A key challenge in building such a system is processing telemetry in near real-time so that risk scores reflect the latest signals and policies react promptly. The latency of the pipeline is itself a security parameter: any delay between a malware hit or impossible-travel detection and the updated score is a window in which a compromised account is still treated as trusted. This typically calls for stream processing and optimized data pipelines that can ingest continuous event streams from several sources and evaluate them against the configured behaviors as they arrive, rather than in periodic batches.

Integration with Ecosystems

The system emphasizes interoperability by sharing risk signals with external Identity Providers (IdPs) such as Okta via the Shared Signals Framework. This gives the enterprise a consistent security posture across tools: a high-risk user is not only restricted by Cloudflare's own access policies but can also be challenged or blocked by the IdP at the SSO login front door, so that applications outside the Cloudflare One data path benefit from the same risk assessment.
