Manage risk profiles
This topic explains how to manage ACE advanced risk capabilities using custom risk profiles.
ACE policy risk analysis is based on risk profiles which contain sets of criteria and logic used to inspect the rules in the policy. These profiles help identify potential risks in the network setup, flagging a wide range of issues and their severity levels. To provide more accurate risk detection, we consider the traffic allowed by the rules and the routing configuration.
AlgoSec’s Standard Risk Profile is based on established industry best practices, core network security principles, and regulatory frameworks such as PCI. These foundations remain relatively stable over time, so frequent updates are not required. The profile is reviewed and revised as needed when there are significant changes in industry frameworks, compliance standards, or security best practices. Custom risk profiles allow you to extend the Standard Risk Profile, enabling alignment with your organization’s specific network security requirements.
ACE supports two types of risk profiles:
- Standard risk profile: The baseline set of rules ACE uses to inspect the security policies and configurations. The Standard risk profile is always active; however, you can suppress individual risks to prevent them from appearing in your system, or suppress specific risk triggers to hide them only for a particular rule. View details of the Standard risk profile here: Standard Risk Profile (credentials required).
- Custom risk profiles: Custom risk profiles allow you to extend the Standard risk profile:
  - Customize permitted traffic: Define allowed traffic between your networks and specify the risk severities for the unauthorized traffic.
  - Customize zones: When the Standard risk profile calculates zone-related risks, ACE classifies RFC1918 networks as the Internal zone and all other networks as External zones. Using custom risk profiles, you can change the default zone definition and assign networks to one of three zones: Internal, DMZ, or External. For more details see User-Defined Network Zone Definitions: Enhanced Risk Accuracy.
Note:
- ACE supports custom risk profiles for AWS SG, Azure NSG, and Azure Native Firewall only.
- If you assign different risk profiles to different accounts and you have the same risk definition in two risk profiles, both risk definitions will share the same risk ID.
- After making changes to risk profiles or the associated account, the updated risks will only appear after the next risk analysis cycle, which may take several hours to complete.
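The zone customization described above can be previewed before a profile is uploaded. The following is an added example, not AlgoSec code and not the spreadsheet template format: it models the default definition (RFC1918 is Internal, everything else External) next to a hypothetical user-defined zone map and reports which networks change zone. The function names, the most-specific-match rule, the handling of partly private blocks and the sample networks are assumptions.

```python
import ipaddress

# RFC 1918 private ranges: the only networks the default definition treats as Internal.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def default_zone(cidr):
    """Default definition from the text: RFC 1918 is Internal, all else External."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
        return "Internal"
    # Assumption: a block only partly inside RFC 1918 space is not an RFC 1918 network.
    return "External"

def custom_zone(cidr, zone_map):
    """Zone under a user-defined map (assumed rule: most specific enclosing entry
    wins); networks the map does not cover fall back to the default definition."""
    net = ipaddress.ip_network(cidr, strict=False)
    best = None
    for entry, zone in zone_map.items():
        if zone not in ("Internal", "DMZ", "External"):
            raise ValueError(f"unknown zone {zone!r} for {entry}")
        parent = ipaddress.ip_network(entry)
        if parent.version == net.version and net.subnet_of(parent):
            if best is None or parent.prefixlen > best[0].prefixlen:
                best = (parent, zone)
    return best[1] if best else default_zone(cidr)

def zone_changes(cidrs, zone_map):
    """Networks whose zone differs between the default and the custom definition."""
    changes = {}
    for cidr in cidrs:
        before, after = default_zone(cidr), custom_zone(cidr, zone_map)
        if before != after:
            changes[cidr] = (before, after)
    return changes

# Constructed sample data (private and documentation ranges only).
SAMPLE_ZONE_MAP = {
    "10.20.0.0/16": "DMZ",          # private range hosting internet-facing services
    "10.20.5.0/24": "Internal",     # management subnet carved out of the DMZ block
    "198.51.100.0/24": "Internal",  # public range owned by the organization
}
SAMPLE_NETWORKS = ["10.1.0.0/16", "10.20.1.0/24", "10.20.5.0/25",
                   "198.51.100.128/25", "203.0.113.0/24", "10.0.0.0/7"]

print(zone_changes(SAMPLE_NETWORKS, SAMPLE_ZONE_MAP))
```

Networks that change zone are the ones whose zone-related risks can differ once the custom profile is assigned, so they are the first to review after the next risk analysis cycle.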
View Risk Profile page
To access the Risk Profile page, click RISK PROFILE from the main menu on the left.
The Risk Profile page appears.
The page displays the following details and options:
| Risk Profile Name | Name of the risk profile. Note: Custom risk profile names are set by the user when they are added. For more details, see Manage risk profiles. |
| State | Indicates the role of the risk profile when calculating risks on accounts. 3 possible values: Default: New accounts onboarded to AlgoSec Cloud Enterprise will be assigned to this profile. To change the default, see Set the default risk profile. Always active: The Standard risk profile is Always active. This indicates that accounts use the Standard profile to calculate risks unless they are assigned to a custom risk profile. For details, see Assign / Unassign accounts to a risk profile. Empty: Custom risk profiles that are not assigned as the Default profile have an empty state. |
| Assigned Accounts | Number of accounts associated with the risk profile. For details on assigning / unassigning accounts, see Assign / Unassign accounts to a risk profile. |
| Creation Time | The date and time the risk profile was created. |
| Description | Description of the risk profile. For more details about setting a custom risk profile description see Manage risk profiles and Update a custom risk profile. |
| Actions Menu | Hover over a risk profile to display the |
From the Risk Profile page, you can do any of the following:
Create/Add a custom risk profile
Note:
- AWS SG: The capability to define network zones is available in Early Availability.
- Azure Native Firewall: You can define network zones Internal, DMZ and External in the custom risk profile to improve risk assessments and risk accuracy.
For more details, see User-Defined Network Zone Definitions: Enhanced Risk Accuracy.
Note: To define risks for all traffic that allows a specific service, see Define Risks for All Traffic Allowing a Specific Service.
In the custom risk profile, you only need to include the risks you want to change or add. Everything else will be inherited from the Standard profile.
Do the following:
- On the Risk Profile page, click Download template to download an Excel spreadsheet template for creating a risk profile, and update the template with your custom risk profile information.
  Note:
  - For detailed instructions on how to use the template, see Customize risk profiles.
  - If you already have custom risk profiles created for ASMS, you can upload that template file instead.
- Click + Add Risk Profile.
  The Add Risk Profile dialog appears.
- Enter a name for the risk profile in the Risk Profile Name field.
  Note:
  - Only alphanumeric characters are permitted in the profile name.
  - The profile name must be unique and not match the name of any other risk profile.
- Click Upload and select the risk profile Excel spreadsheet you created from the template.
- (Optional) Add a note in the Description field. You can enter a maximum of 500 characters for the description.
- Click Add.
  The new risk profile appears in the list of risk profiles with the date and time it was created.
Important: For ACE to begin using a new custom risk profile:
- Assign accounts to it (see Assign / Unassign accounts to a risk profile)
- Set it as the default so that new accounts will automatically be assigned to it (see Set the default risk profile)
Update a custom risk profile
You can modify the risk calculations and description of a custom risk profile. The Standard risk profile cannot be altered.
Do the following:
- On the Risk Profile page, download the spreadsheet of the existing custom risk profile that you want to edit and then modify it as needed. See Download a custom risk profile.
- Open the Update Risk Profile dialog by doing one of the following:
  - Click the name of the custom risk profile that you want to edit.
  - Hover over the row of the custom risk profile. Click the icon that appears on the right, and then from the menu that appears select Update Profile.
  The Update Risk Profile dialog appears.
- Click Upload and select the modified custom risk profile Excel spreadsheet from Step 1.
- (Optional) Add a note in the Description field. You can enter a maximum of 500 characters for the description.
- Click Save to update the custom risk profile.
Important: Recalculating risks after switching between risk profiles can take a long time because the entire system must be recalculated.
Set the default risk profile
You can set a default risk profile for calculating risks on accounts. Any new accounts onboarded to ACE will be assigned to this profile. Existing accounts assigned to risk profiles other than the default will continue to calculate risks based on their assigned risk profile.
Do the following:
- On the Risk Profile page, hover over the row of the risk profile that you want to set as the default.
- Click on the icon that appears on the right and then from the menu that appears select Set as default.
  A confirmation dialog appears.
- Click Set as default to confirm the new default risk profile.
  Default appears in the State column to indicate the newly activated profile and the profile moves to the top of the list of risk profiles.
Note:
- You can only have one default risk profile active at any time.
- Recalculating risks after switching between risk profiles can take a long time because the entire system must be recalculated.
Assign / Unassign accounts to a risk profile
Assign and unassign accounts to a specific risk profile for calculating risks.
Do the following:
- On the Risk Profile page, hover over the row of the risk profile for which you want to assign or unassign accounts.
- To open the Assign Accounts dialog, either:
  - Click on the number or dash in the Assigned Accounts column, or
  - Click the icon that appears on the right and then from the menu that appears select Assign accounts.
  The Assign Accounts to Risk Profile dialog appears.
  The dialog displays the following information:
  | Column | Description |
  | Account Name | Displays the vendor icon (AWS, Azure, Google Cloud) and name of the account / subscription / project. |
  | Current Risk Profile | The name of the risk profile the account is assigned to. |
  | Account ID | The Account ID is the unique ID generated by the vendor that identifies the account / subscription / project. Hover over the icon to see a popup with the Account ID. Tip: To copy the Account ID, hover over the icon. In the popup that appears, click Copy. |
- Select the checkboxes next to the Account Name you want to assign to the risk profile. Deselect to unassign them.
  (Optional) Use the Search and Cloud Providers filters to narrow the results to locate specific accounts.
  Note: When unassigning accounts, the Standard and Default risk profiles ensure accounts are always assigned. Accounts removed from a custom profile automatically move to the Default profile. If unassigned from the Default profile, accounts are assigned to the Standard profile.
  Important: Assigning or unassigning accounts will irreversibly replace the current risks data with those calculated by the new profile.
- Click Save to update the account assignments.
  The next data collection cycle will calculate risks in the account based on the updated risk profile.
Download a custom risk profile
You can download custom risk profiles to view the sets of security risk items and their security levels. A downloaded custom risk profile can be modified and then used to update the custom risk profile. For detailed instructions on how to modify the downloaded custom risk profile, see Customize risk profiles.
Note: The Standard risk profile cannot be downloaded.
Do the following:
- On the Risk Profile page, hover over the row of the risk profile that you want to view or edit.
- Click on the icon that appears on the right and then from the menu that appears select Download.
Note: For instructions on how to update a custom risk profile using a modified spreadsheet, see Update a custom risk profile.
Delete a custom risk profile
You can delete custom risk profiles that are no longer needed.
Note:
- Risk profiles with accounts assigned to them cannot be deleted.
- In order to delete the default risk profile, you need to first assign a different risk profile as the default. For details see Set the default risk profile.
- You cannot delete the Standard risk profile.
Do the following:






