Risk Scores
Discover how risk scores help you measure and manage security impact across your cloud resources
Last updated
Documentation and Guides
Discover how risk scores help you measure and manage security impact across your cloud resources
Last updated
A risk score is a rating that indicates the potential security impact of a resource and its entitlements. These scores provide an efficient way to evaluate and manage access risk across your cloud infrastructure by assessing both resource sensitivity and permission levels.
Risk scores fall into one of three levels.
High (7-9)
Access that has the potential to cause significant business impact
Medium (4-6)
Moderate daily activities with limited business impact
Low (1-3)
Typically, read-only access with little or no business impact
You can use these scores to build access flows with appropriate controls and maintain a robust security posture across all cloud environments:
Set appropriate access controls
Require multi-factor authentication
Define administrative approval workflows
Shorten access durations
By default, Apono uses best-practice security criteria to calculate a risk score.
You can work with your Apono representative to tailor the criteria of the risk score calculation to meet your specific business needs.
Resource Sensitivity
Considers what is being accessed
Apono determines the sensitivity of a resource by analyzing the following information:
Resource names: Keywords such as Customer, Production, or Sensitive
Cloud-sourced tags: Tags such as PHI (personal health information)
Environmental context: Location in sensitive or production environments
Permission Level
Considers the level of access granted
Apono uses the following guidance to rank the permission level of a role:
High: Administrator, owner, full access permissions
Medium: Contributor, edit permissions
Low: Read-only, viewer permissions
For example, a production database with full administrator access would receive a High combined risk score. Conversely, a sandbox environment with read-only access would likely receive a combined Low risk score.
Follow these steps to view the resource risk level:
On the Inventory page, click the row of a resource. The Entitlement Details panel opens.
Click the Resource Details tab. In the Risk Level row, the resource risk is displayed.
Follow these steps to view the risk level of each entitlement:
On the Inventory page, click the row of a resource. The Entitlement Details panel opens.
Click Entitlements. In the Risk Score column, the entitlement risk is displayed.
Follow these steps to build a risk score access flow:
On the Inventory page, filter the list of resources by Resource Risk Level, Permission Risk Level, or both.
Click Use in access flow. The Select Access Flow for Scope popup window appears.
Click Create New Access Flow. The Create Access Flow page appears with the access flow pre-populated.
(Optional) Set multi-factor authentication.
Continue to build a Self Serve access flow.
Consider a critical incident response scenario where your team needs to investigate performance issues across multiple customer-facing production databases and their supporting infrastructure. This troubleshooting effort requires administrative access to ten high-risk resources, including production databases, authentication services, and API gateways.
Without risk scoring, coordinating secure access to these critical systems would require managing multiple separate permissions, each with its own approval process and security controls. This fragmented approach could delay incident response and create security gaps.
By leveraging risk scores, you can quickly identify the relevant high-risk entitlements, create a single access scope, and implement a unified access flow with appropriate security guardrails:
Require multi-factor authentication for all access attempts
Limit the access duration to a 4-hour troubleshooting window
Enforce administrative approval before granting access
Automatically revoke all permissions when the time window expires
