
Risk Based Conditional Access from Workspace ONE Access plus Workspace ONE Intelligence

Recent research tells us that the employee experience is critical for organizations to attract the best talent and therefore be at their most competitive, deliver the highest revenue growth and the best customer and employee satisfaction. Delivering the best employee experience by enabling device choice and work from anywhere strategies then has to be matched with an equally forward-thinking approach to security. Zero Trust is being seen as the goal line for modern IT security strategies supporting user flexibility while improving on today’s legacy perimeter-based products and approaches.

At VMworld 2019 and recently at RSAC 2020, VMware laid out a vision for intrinsic security transforming what were points of vulnerability into security controls.

Today, as part of the Workspace ONE path to zero trust, two of the key elements in that path are coming together. Customers with cloud-hosted Workspace ONE Access will be able to integrate Workspace ONE Intelligence risk scores with the authentication decisions made by Workspace ONE Access as the user signs in.

Risk scores can be calculated in Intelligence utilizing data about that user, their devices and behavior including:

• Does this user keep their device OS up-to-date?

• Does this user regularly download apps?

• Does this user download risky apps?

• Does the user keep device security features enabled?

Intelligence can also compare information to other users in their environment – for example, this Windows device is running the OS version 10.0.9926 which is older than 99% of the OS versions on other Windows devices.

This information can then be utilized as an authentication condition within Workspace ONE Access. Risk scores are assigned as Low, Medium or High, and each can be assigned one of three states: Allow Access, Step-Up Authentication or Deny Access. An organization may choose to assign Low to allow access, Medium to step-up authentication and High to deny access.

The Risk Score can then be incorporated into the authentication component of the access policy definition – for example:

If a user’s network range is ALL RANGES

And the user is accessing content from iOS

Then the user may authenticate using MOBILE SSO (for iOS) & Risk Score


Depending on the setting (allow, step-up, deny) assigned to each risk score level, risk will then be factored into the authentication.
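The rule and risk mapping above can be modeled as follows. This is an added example, not VMware code or the Workspace ONE Access API: the names `Rule`, `evaluate` and `RISK_ACTIONS`, first-match rule ordering, default deny, and treating a missing score as step-up are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Risk level -> action, using the example assignment given in the article.
RISK_ACTIONS = {"LOW": "ALLOW", "MEDIUM": "STEP_UP", "HIGH": "DENY"}

@dataclass
class Rule:                        # hypothetical model of one access policy rule
    network: str                   # CIDR; "0.0.0.0/0" stands in for ALL RANGES
    device_type: str               # e.g. "iOS"
    auth_method: str               # primary method, e.g. "MOBILE_SSO_IOS"
    use_risk_score: bool = True    # "& Risk Score" in the rule

def evaluate(rules, src_ip, device_type, primary_auth_ok, risk_level):
    """Return (decision, reason) for one sign-in; the first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip not in ipaddress.ip_network(rule.network):
            continue
        if rule.device_type != device_type:
            continue
        if not primary_auth_ok:
            return "DENY", f"{rule.auth_method} failed"
        if not rule.use_risk_score:
            return "ALLOW", "rule does not use risk score"
        # Assumption: an unknown or missing score fails to step-up, never to allow.
        action = RISK_ACTIONS.get((risk_level or "").upper(), "STEP_UP")
        return action, f"risk={risk_level or 'unknown'}"
    return "DENY", "no rule matched"   # assumption: default deny

# The article's rule: ALL RANGES + iOS -> Mobile SSO (for iOS) & Risk Score.
POLICY = [Rule("0.0.0.0/0", "iOS", "MOBILE_SSO_IOS")]

# Constructed sign-in attempts: (source IP, device, primary auth ok, risk level).
ATTEMPTS = [
    ("203.0.113.10", "iOS", True, "LOW"),
    ("203.0.113.10", "iOS", True, "MEDIUM"),
    ("203.0.113.10", "iOS", True, "HIGH"),
    ("203.0.113.10", "iOS", True, None),       # score not yet calculated
    ("203.0.113.10", "iOS", False, "LOW"),     # Mobile SSO failed
    ("203.0.113.10", "Android", True, "LOW"),  # no rule covers this device
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(attempt, "->", evaluate(POLICY, *attempt))
```

A low risk score never rescues a failed primary authentication, and a sign-in that matches no rule is denied rather than allowed.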


You can find more information on how Workspace ONE is making security intrinsic to the platform, versus using single tools with silos, including integration of Intelligence with Carbon Black, in this new blog from Andreano Lanusse. Andreano also has a new video on Techzone digging into more detail on Risk Analytics. Maya Shiran also has a new blog explaining user risk scoring in more detail.


And if you’re new to Access you can also download the ebook or start your technical path to Workspace ONE Access through VMware Techzone.