Risk assessment

In this topic, you will learn how continuous risk assessment evaluates the security posture of devices and users, ensuring that access is granted only to trusted, uncompromised endpoints.

The risks behind network and application access

In this section, you will learn about the potential risks when a device attempts to connect to a network or applications, and the possible security consequences if these risks are exploited.

Devices get compromised more easily than you might think. Sometimes, a simple misclick can install malware on a computer or mobile device. It could also be as easy as plugging in an infected USB stick or connecting to a rogue network cable. Once a device is compromised, attackers can leverage everything it has access to, including the security certificate that grants it network or application entry.

This is why organizations need to assess multiple security conditions dynamically based on their risk tolerance. Some examples include:

  • Ensuring the device has up-to-date system patches, antivirus software, a firewall, and encryption, or verifying that it runs only approved software and the necessary security services.

  • Confirming the device is enrolled in a UEM/MDM solution and actively managed, enabling continuous oversight of its security posture.

  • Detecting whether the device blocks installations from untrusted sources or, for mobiles, isn’t jailbroken/rooted with elevated privileges that weaken security.

  • Considering the device’s geographic location, such as blocking access if detected in high-risk or hostile countries, which can also indicate theft.

Granting access to a device, even when the user is authorized and a certificate is present, without evaluating these security conditions severely weakens the organization’s overall security. It only takes one vulnerable entry point for a major breach to occur, a lesson many organizations have already learned the hard way.

Continuous risk assessment with Portnox AgentP

In this section, you will learn how Portnox’s optional software, AgentP, helps assess and mitigate security risks, as well as what options are available if you prefer not to use AgentP.

The most reliable way to gather accurate security risk information from a device is by installing a secure agent on it. Portnox provides its own trusted agent, AgentP, which delivers all the essential functions an endpoint needs to fully utilize Portnox Cloud and ZTNA:

  • Continuously assesses the security posture of the device in real time

  • Enforces security policies and configurations on the endpoint

  • Requests, installs, and manages digital certificates for authentication

  • Communicates securely with Portnox Cloud for risk evaluation and access decisions

  • Provides detailed endpoint telemetry for centralized visibility and reporting

If you prefer not to install an additional agent on your devices, you can leverage Portnox’s integration with Microsoft Intune or Jamf to continuously monitor the security posture of your devices. These UEM/MDM systems perform ongoing security assessments and collect detailed device information.

Using the risk data provided by Intune or Jamf, Portnox Cloud and ZTNA can make access decisions based on whether a device is flagged as risky or secure. Although this method doesn’t offer the same depth of detail as the Portnox AgentP, it still allows effective risk-based control without adding extra software to your endpoints.

Integration with Intune and Jamf also enables you to request and install certificates on your devices through these UEM/MDM systems. Many other UEM/MDM systems can be used for that purpose as well, provided they support the SCEP protocol for certificate requests. Note that Portnox currently does not provide risk assessment using other UEM/MDM software.

Enforcement actions based on risk

In this section, you will learn what types of access enforcement actions can be taken based on the results of risk assessment and what happens after risk is remediated.

Portnox Cloud and ZTNA offer different enforcement actions based on risk results. These actions control access at both the network level (like 802.1X) and application level (through ZTNA). Options include blocking network access completely, limiting access to certain VLANs or network parts (for example, a quarantine VLAN), restricting access to some applications, or allowing access but sending alerts.

The enforcement actions can be adjusted depending on the policy settings for the user’s group, the application, and the organization’s security rules and risk level. Some organizations block any user or device that carries risk; others limit access to safe networks or apps only; some just send warnings to admins but allow full access. This lets organizations be flexible depending on the situation. For example:

  • Full access denied – for networks, the device cannot access the network at all. For apps or resources, access is fully blocked.

  • Limited access – for networks, the device can only access certain VLANs or parts of the network like the Internet or low-risk networks. For apps or resources, access is only to those that are low-risk.

  • Access granted with warnings – the device and user can access networks and apps, but admins get alerts about the device’s risk level.

If a user is denied or has limited access, then once the risks are remediated and the user or device tries again, Portnox Cloud re-evaluates the policies and restores access. Portnox Cloud can also take automatic remediation actions through AgentP to fix some risks on the device, such as turning antivirus back on.
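The risk conditions from the first section and the enforcement ladder above, modelled as an added Python example (this is illustrative code, not Portnox’s own logic or policy). The posture fields, the per-group policy table, the country code "ZZ" and the single automatic fix (re-enabling antivirus) are assumptions; rerunning decide() after remediate() shows how access is restored on re-evaluation.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Action(Enum):
    DENY = "Full access denied"
    LIMITED = "Limited access"
    ALLOW_WARN = "Access granted with warnings"
    ALLOW = "Access granted"

@dataclass(frozen=True)
class Posture:  # posture facts an agent or UEM/MDM would report (constructed fields)
    patched: bool
    antivirus_on: bool
    mdm_enrolled: bool
    jailbroken: bool
    country: str  # ISO country code the device reports

HIGH_RISK_COUNTRIES = {"ZZ"}  # placeholder code, not a real list
CHECKS = [  # (finding, predicate that is True when the condition is violated, severity)
    ("missing patches", lambda p: not p.patched, "medium"),
    ("antivirus disabled", lambda p: not p.antivirus_on, "medium"),
    ("not enrolled in UEM/MDM", lambda p: not p.mdm_enrolled, "medium"),
    ("jailbroken/rooted", lambda p: p.jailbroken, "high"),
    ("high-risk location", lambda p: p.country in HIGH_RISK_COUNTRIES, "high"),
]

def findings(p: Posture) -> list[str]:
    # Names of the risk conditions the device currently violates (empty = no risk)
    return [name for name, violated, _ in CHECKS if violated(p)]

def risk_level(fs: list[str]) -> str:
    # Worst severity among the findings: "none", "medium" or "high"
    levels = {s for name, _, s in CHECKS if name in fs}
    return "high" if "high" in levels else ("medium" if levels else "none")

POLICY = {  # per-group policy: risk level -> enforcement action (assumed sample policy)
    "finance": {"none": Action.ALLOW, "medium": Action.DENY, "high": Action.DENY},
    "sales": {"none": Action.ALLOW, "medium": Action.LIMITED, "high": Action.DENY},
    "it": {"none": Action.ALLOW, "medium": Action.ALLOW_WARN, "high": Action.DENY},
}

def decide(group: str, p: Posture) -> tuple[Action, list[str]]:
    # Evaluate the device against its group's policy; rerun after remediation to restore access
    fs = findings(p)
    return POLICY[group][risk_level(fs)], fs

def remediate(p: Posture) -> Posture:
    # Automatic fix the agent could apply (assumed here: only re-enabling antivirus)
    return replace(p, antivirus_on=True) if not p.antivirus_on else p
```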

Risk management for unmanaged devices

This section explains how Portnox Cloud assesses and manages the security risks posed by unmanaged devices, such as contractor or BYOD devices that are not enrolled in a UEM/MDM system.

In many organizations, employees are allowed to use their own devices (BYOD), and there are often external workers such as contractors, auditors, consultants, or temporary staff who bring equipment managed by other companies and need to connect to local networks. These unmanaged devices can pose unique security challenges.

Portnox Cloud provides a baseline solution by allowing such devices to connect via a guest network and captive portal, as well as through contractor accounts (see: Secure networks). Since devices connecting this way are not covered by risk assessment, administrators typically grant them only the minimal privileges needed to maintain network security. Risk assessment is not possible unless the device is enrolled with the company’s Intune/Jamf or has AgentP installed and enrolled.

For corporate users with BYOD devices, the user can quickly install AgentP and enroll using their regular corporate account. AgentP then monitors risk on the BYOD device just like on corporate-managed devices, allowing access only to resources deemed secure according to the group’s policies and risk level. This enables organizations to securely support BYOD usage, giving users the flexibility to use their own devices such as private mobile phones.