Risk Scores

Discover how risk scores help you measure and manage security impact across your cloud resources

A risk score is a rating that indicates the potential security impact of a resource and its entitlements. These scores provide an efficient way to evaluate and manage access risk across your cloud infrastructure by assessing both resource sensitivity and permission levels.

Figure: Inventory page with risk scores

Risk scores fall into one of three levels.

Level (Score): Description

  • High (7-9): Access that has the potential to cause significant business impact

  • Medium (4-6): Moderate daily activities with limited business impact

  • Low (1-3): Typically, read-only access with little or no business impact

You can use these scores to build access flows with appropriate controls and maintain a robust security posture across all cloud environments:

  • Set appropriate access controls

  • Require multi-factor authentication

  • Define administrative approval workflows

  • Shorten access durations


Score Calculation Defaults

By default, Apono uses best-practice security criteria to calculate a risk score.

Risk Score Criteria: Description

Resource Sensitivity: Considers what is being accessed

Apono determines the sensitivity of a resource by analyzing the following information:

  • Resource names: Keywords such as Customer, Production, or Sensitive

  • Cloud-sourced tags: Tags such as PHI (personal health information)

  • Environmental context: Location in sensitive or production environments

Permission Level: Considers the level of access granted

Apono uses the following guidance to rank the permission level of a role:

  • High: Administrator, owner, full access permissions

  • Medium: Contributor, edit permissions

  • Low: Read-only, viewer permissions

For example, a production database with full administrator access would receive a High combined risk score. Conversely, a sandbox environment with read-only access would likely receive a combined Low risk score.
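
The two criteria above can be sketched as a small scoring model that also picks out the High entitlements for a single access scope. This is an added example, not Apono's code or its actual calculation: only the keywords, the PHI tag, the role names and the 1-3/4-6/7-9 bands come from this page, while the signal counting, the rank table, the fail-closed default for unrecognized roles and the sensitivity × permission product are assumptions.

```python
import re

# Keywords, tag, role names and level bands come from the page; everything
# else (signal counting, rank table, product rule) is an assumption.
SENSITIVE_KEYWORDS = {"customer", "production", "sensitive"}
SENSITIVE_TAGS = {"phi"}
PERMISSION_RANK = {"administrator": 3, "owner": 3, "full": 3,  # 3 = High
                   "contributor": 2, "edit": 2, "read": 1, "viewer": 1}

def _tokens(text):
    # Split on non-alphanumerics so "customer-production-db" yields whole words.
    return set(re.split(r"[^a-z0-9]+", text.lower())) - {""}

def resource_sensitivity(name, tags=(), environment=""):
    """Return 1-3: one point per signal (name, tag, environment), capped at 3."""
    signals = [
        bool(_tokens(name) & SENSITIVE_KEYWORDS),
        bool({t.lower() for t in tags} & SENSITIVE_TAGS),
        environment.lower() in {"production", "prod"}]
    return min(3, 1 + sum(signals))

def permission_level(role):
    """Return 1-3; unrecognized roles fail closed to 3 so they get reviewed."""
    ranks = [PERMISSION_RANK[t] for t in _tokens(role) if t in PERMISSION_RANK]
    return max(ranks) if ranks else 3

def risk_score(sensitivity, permission):
    """Combine both criteria into a 1-9 score and the page's level bands."""
    score = sensitivity * permission
    return score, "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def high_risk_scope(entitlements):
    """Select the High entitlements to group into one access-flow scope."""
    scope = []
    for e in entitlements:
        s = resource_sensitivity(e["resource"], e.get("tags", ()), e.get("env", ""))
        score, level = risk_score(s, permission_level(e["role"]))
        if level == "High":
            scope.append((e["resource"], e["role"], score))
    return scope

# Constructed sample inventory (not real data).
INVENTORY = [
    {"resource": "customer-production-db", "env": "production", "role": "Administrator"},
    {"resource": "auth-service", "env": "production", "tags": ["PHI"], "role": "Owner"},
    {"resource": "sandbox-db", "env": "sandbox", "role": "Read-only"},
    {"resource": "billing-api-gateway", "env": "production", "role": "Contributor"},
]
print(high_risk_scope(INVENTORY))
```

In this model a role name that matches no known keyword is ranked High on purpose, so an unfamiliar custom role is surfaced for review instead of silently scoring Low.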


View risk scores

Resource Risk Level

Figure: Resource Details tab

Follow these steps to view the resource risk level:

  1. On the Inventory page, click the row of a resource. The Entitlement Details panel opens.

  2. Click the Resource Details tab. In the Risk Level row, the resource risk is displayed.

Entitlement Risk Level

Figure: Entitlements tab

Follow these steps to view the risk level of each entitlement:

  1. On the Inventory page, click the row of a resource. The Entitlement Details panel opens.

  2. Click Entitlements. In the Risk Score column, the entitlement risk is displayed.


Build a risk score access flow

Follow these steps to build a risk score access flow:

  1. On the Inventory page, filter the list of resources by Resource Risk Level, Permission Risk Level, or both.

  2. Click Use in access flow. The Select Access Flow for Scope popup window appears.

  3. Click Create New Access Flow. The Create Access Flow page appears with the access flow pre-populated.

  4. Continue to build a Self Serve access flow.


Use Case: High-Risk Entitlements

Consider a critical incident response scenario where your team needs to investigate performance issues across multiple customer-facing production databases and their supporting infrastructure. This troubleshooting effort requires administrative access to ten high-risk resources, including production databases, authentication services, and API gateways.

Without risk scoring, coordinating secure access to these critical systems would require managing multiple separate permissions, each with its own approval process and security controls. This fragmented approach could delay incident response and create security gaps.

By leveraging risk scores, you can quickly identify the relevant high-risk entitlements, create a single access scope, and implement a unified access flow with appropriate security guardrails:

  • Require multi-factor authentication for all access attempts

  • Limit the access duration to a 4-hour troubleshooting window

  • Enforce administrative approval before granting access

  • Automatically revoke all permissions when the time window expires
