Application visibility and control

Application visibility and control (AVC) allows you to create a policy where you control access to web applications. You can define default policy behavior or create a policy that is based on risk level, acceptable use policy (AUP) categories, category operations, applications, or specific operations for an application. You can select the users and groups that can access a web application and perform specific operations in the application.

With this feature, you can control the use of shadow IT and unsanctioned applications by identifying and blocking applications based on risk score and limiting application operations.

You can use AVC with any of these ETP setups:
  • ETP DNS. If ETP Proxy is not enabled, you can still control access to applications based on the application’s domain and IP address.
  • ETP Secure Web Gateway. If ETP Proxy is enabled, you can control access to applications based on URLs, domains, IP addresses, and other attributes.
A policy for AVC is divided into these components:
  • Default action. Defines the action for traffic that’s not classified by ETP or found in any ETP list such as a custom list, AUP category, or ETP Threat Intelligence. If no specific action is defined in the policy for traffic, the default action is applied.
    The policy action you select also determines configuration of the proxy:
    • Bypass. Indicates that traffic bypasses ETP Proxy and is directed to the origin. However, if ETP detects that this traffic is risky, it’s directed to ETP Proxy for analysis.

      This option enables the selective proxy.

    • Classify. Indicates that traffic is directed to ETP Proxy where it's analyzed and assigned a category. ETP Proxy applies a policy action based on the assigned category.

      This option enables the full web proxy.

    • Block - Error Page. Indicates that traffic is blocked and users are shown an error.

    For more information, see Default action.

  • Risk. Defines the risk levels for a web application. Each level indicates whether the application is a security risk that can result in a data breach, data loss, or other threats.
    Icon Level Description
    		Critical Indicates the application is known to be malicious and a security risk.
    Important: As a best practice, make sure you set the critical risk level to the block action.
    		Very High Indicates the application is extremely at risk for data loss or a security breach. These applications allow users to perform high-risk actions such as sending or sharing files and making remote connections that can bypass enterprise security.
    		High Indicates the application is moderately at risk for data loss or a security breach. These applications allow users to create and send data such as documents, multimedia content, emails, messages, voice communications, and more.
    		Medium Indicates the application is slightly at risk for data loss or a security breach. These applications allow users to perform slightly risky actions such as voting, rate scoring, text searches, translation, and more.
    		Low Indicates the application has the lowest amount of risk for data loss or a security breach. These applications allow users to perform low-risk actions such as viewing content, listening to music, downloading files, and more.
    		Unknown Indicates that no risk level is currently associated with the category.

    You can click the total number of applications to view a list of applications that are associated with each risk level. You can remove a risk level from the policy configuration and assign an action to any risk level that you want to define. The actions you select in this area overrides the default action.

  • Category. Acceptable use policy (AUP) and application categories that you want to assign to this policy.

    You can click the total number of applications to view a list of applications that are associated with each category. You assign a policy action to a category. The action you select in this area overrides the risk level action if there is a conflict.

  • Category operations. Operations for AUP and application categories. Category operations are detected and shown in a policy if ETP Proxy is enabled for a policy.

    You can click the number of associated applications to view a list of applications that support a particular operation. The configuration you set in this section only applies to applications that support the selected operation. The action you define in this area overrides the category and risk level action if there is a conflict.

  • Applications. Specific web applications as well as the operations that apply to them. Operations appear for an application as long as the application can be identified by ETP Proxy and the operation is supported by the application. If ETP Proxy is not enabled, application operations are not listed. If the application does not support an operation, it's not listed. When the proxy is not enabled, you can configure access control only for applications that ETP can identify by hostname.

    You assign a policy action to a specific application and an application operation. The action or actions you select in this area override the category operations if there is a conflict.

As you define each level in this policy, the detailed levels you configure take precedence over more general settings. For example, the policy action you apply to an application takes precedence over an action that’s applied to its corresponding category or category operation.

The proceeding graphic shows the priority of these components in a policy. The default action is shown as a more general setting that has the least priority as administrators define other levels of the policy. However, the default action applies if there is no configuration in place elsewhere in the policy for traffic.

Consider these examples:
  • If you define a block action to a high risk level and you select an allow action for a high risk category such as Sales and Marketing, web applications in this category are still allowed. The risk level setting still applies for other traffic that's not specifically defined at the category level of the policy.
  • If you select the block action to a File Transfer (Collaboration and Online Meetings) category operation and allow the file transfer operation in a specific application such as Slack, the allow action for transferring files to Slack takes precedence over the block action in the category operation.
Note: ETP may update the list of applications, application operations, and categories in a policy. If an application, operation, or category is discontinued, a message appears to notify administrators about this update. After an administrator confirms the message, ETP removes the unsupported settings from the policy. Administrators must then redeploy the policy. For more information, see Updated list of access control applications.

Policy actions

Depending on the component that you are configuring in the policy for AVC, these actions may be available.
  • Bypass. Traffic bypasses ETP Proxy and is directed to the origin.
  • Classify. Traffic is directed to ETP Proxy where it's analyzed and assigned a category. Based on the category, a policy action is applied.
  • Monitor. Traffic is allowed and an event is logged.
  • Allow. Traffic is allowed and directed to the origin. If ETP Proxy is enabled, this traffic is scanned by the proxy.
  • Block. Traffic is blocked and users are shown an error page.

    If the proxy is not enabled in a policy, you can select to show an error page or have traffic directed to a custom response. This option is available for risk levels, categories, category operations, applications, and application operations. For more information about custom responses, see Custom response.

Note that not all these actions are available in each area of the policy for AVC.

Also, for some applications, the bypass action may not be available. This occurs if the application cannot be identified by domain and is only detected by ETP Proxy through a URL.

User and group exceptions

If you select the block action in the risk, category, category operations, and applications area, you can define any user or group that are exceptions to the block action.

You can select users and groups when the following policy configuration is in place:
  • An Optional or Required authentication mode is set in the policy. For more information, see Authentication policy
  • An identity provider is associated with the policy. As part of an identity provider configuration, you’ll associate the directory that contains users and groups. For more information, see Identity providers.

With this configuration, the selected users and groups can access the content you block.

Analytics

ETP shows AVC data in the following reports:

  • Access Control. Contains events for violations to AVC, data loss prevention (DLP), and blocked file types. For AVC, you can filter events based on category, risk level, operation, and application.
  • DNS Activity. Contains data on DNS traffic. For AVC, you can filter activity by category, risk level, and application.
  • Proxy Activity. Contains data on ETP Proxy traffic. For AVC, you can filter activity by risk level, operation, and application.
ETP also offers dashboard widgets that generate information specific to AVC. To track risky applications, machines, and users, administrators can add these widgets to their Enterprise Center dashboards.
  • Top Risky Applications
  • Top Risky Machines
  • Top Risky Users

For more information about the dashboard, see Enterprise Center dashboard.