Trust Scoring Calculation
A conceptual overview of the Trust calculation, a part of Cloud Secure Edge’s Granular Trust Scoring feature
Trust Calculation Overview
Trust Scoring is the calculation of a device’s Trust Level. The calculation takes into account all Trust Factors applied to a device as well as the Trust Effect assigned to each Trust Factor. The result of this evaluated information is a single Trust Level, which describes the device’s overall security posture.
Each Trust Factor applied to a device has an admin-assigned Trust Effect. The Trust Effect determines the impact on a device’s Trust Level when the applied Trust Factor is not satisfied.
In the Trust Scoring calculation, Trust Effects are not weighed equally; the most restrictive Trust Effect takes precedence over all other Trust Effects. The order of Trust Effect restrictiveness (from most restrictive to least restrictive) is as follows:
-
Always Deny: device is denied access to all Cloud Secure Edge (CSE) services
-
Low Trust Level: If this factor is not satisfied, the device’s Trust Level will be set to low.
-
Medium Trust Level: If this factor is not satisfied, the device’s Trust level will be set to medium.
Therefore, the most restrictive Trust Effect of an unsatisfied Trust Factor determines the output of the Trust Scoring calculation.
Trust Factors that do not apply to a device
Some Trust Factors apply only to certain operating systems. For example, the Device Geolocation factor does not apply to mobile (iOS and Android) devices.
When a Trust Factor does not apply to a device because of the factor’s OS applicability, CSE does not fail that factor — failing a device against a factor it cannot be evaluated on would be unfair. Instead, CSE ignores the non-applicable factor and evaluates the device against the remaining applicable factors in its Trust Profile.
If a Trust Profile contains no factors that apply to the device, CSE has nothing on which to evaluate the device’s trust. In that case the device is assigned the Low Trust Level. CSE cannot grant a higher Trust Level to a device whose trust was never evaluated, because doing so would let devices reach resources without any device-trust evaluation — a security gap.
The failure condition is a profile with no applicable factors — not a factor “failing” for lack of support. A non-applicable factor is skipped, not failed. The device drops to Low Trust only when every factor in its Trust Profile is inapplicable to it, leaving nothing to evaluate.
Example. A Trust Profile’s only factor is Device Geolocation, which does not apply to mobile devices. An Android device assigned to that profile therefore has no applicable factors and receives the Low Trust Level. This is not the Geolocation factor failing — the factor simply does not apply, and the profile has nothing applicable left to evaluate.
To avoid unintentionally assigning a Low Trust Level to mobile (or other) devices, make sure every Trust Profile that can be assigned to those devices includes at least one Trust Factor that applies to them.
Trust Calculation Example
Example: An admin applies 3 Trust Factors to a device: Firewall, Auto Update, and Disk Encryption. The admin then assigns a Trust Effect to each of these applied Trust Factors, as follows:
- Auto Update: Trust Effect = Medium Trust Level
- Disk Encryption: Trust Effect = Always Deny
- Firewall: Trust Effect = Low Trust Level
Case 1: The device satisfies the requirements of Auto Update and Disk Encryption but does not satisfy Firewall.
Input 1: Auto Update (satisfied) – Effect: Medium = TS stays High
Input 2: Disk Encryption (satisfied) – Effect: Always Deny = TS stays High
Input 3: Firewall (NOT satisfied) - Effect: Low = TS is set to Low Trust Level
Output: Low Trust Level
Case 2: The device satisfies the requirements of Auto Update, but does not satisfy Disk Encryption and Firewall.
Input 1: Auto Update (satisfied) – Effect: Medium = TS stays High
Input 2: Disk Encryption (NOT satisfied) – Effect: Always Deny = TS is set to Always Deny
Input 3: Firewall (NOT satisfied) - Effect: Low = TS is set to Always Deny
Output: Always Deny
Our Recommendations
- By default, all Trust Factors have an Effect of Low Trust Level.
- If you require a Trust Factor to be mandatory, the recommendation is to set the Effect to Always Deny.
- If you’re testing a new Trust Factor, and you want to see the which devices satisfy the Trust Factor without impacting access, the recommendation is to set the Effect to No Effect.