Dynamic Policy Update and CARTA
To complement the zero-trust approach, nZTA supports dynamic policy updates and CARTA (Continuous Adaptive Risk and Trust Assessment) for your end-user devices. This framework establishes an approach of continuous assessment and updating of secure access policies on the Ivanti Secure Access Client, without requiring the user to disconnect and reconnect to establish an updated authorization posture.
As your policies, applications, and authentication configuration are updated by the administrator on the nZTA Controller, changes are synchronized out to Ivanti Secure Access Client devices dynamically and take effect immediately. Ivanti Secure Access Client ensures that any application updates are applied and any new authentication requirements are met before continuing the session, providing the end user with a seamlessly updated experience. This method ensures that Ivanti Secure Access Client is always updated at the point of change, and not just when establishing a connection to an nZTA Gateway to access an affected resource.
The CARTA implementation in Ivanti Secure Access Client means that the security posture of the end user is continuously assessed in conjunction with policies configured in the Controller, with allow or deny decisions enforced through dynamic assessment and updating of the current policy set. Where application access is denied or restricted, Ivanti Secure Access Client informs the user of any access restrictions or policy contravention at the point of use. For example, the Ivanti Secure Access Client Home page updates to provide visual cues with applicable error messages whenever a specific application becomes unavailable:
When you hover your pointer over the warning symbol on the inactive application, nZTA provides an explanatory message.
Furthermore, user attempts to access a restricted web resource in a browser trigger a CARTA response with Ivanti Secure Access Client presenting a pop-up resource blocked message:
Ivanti Secure Access Client implements a no-repeat interval for resource blocked messages of 2 minutes, to avoid a user repeatedly seeing the same pop-up message for every browser request for the same restricted resource. While the resource remains blocked to further access attempts, no further messages are displayed by Ivanti Secure Access Client until after 2 minutes has elapsed. You can force Ivanti Secure Access Client to continue hiding blocked resource messages indefinitely by right-clicking the connection in the Ivanti Secure Access Client dialog and selecting Disable Block Messages. To re-enable showing blocked resource messages, select Enable Block Messages.
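The no-repeat behaviour described above can be modelled as a per-resource throttle on the pop-up that is separate from the deny decision, so every request stays blocked whether or not a message is shown. This is an added illustration, not Ivanti code; the class and function names, the sample host names, and measuring the interval from the last pop-up shown are assumptions.

```python
from dataclasses import dataclass, field

NO_REPEAT_SECONDS = 120  # the 2-minute no-repeat interval stated above


@dataclass
class BlockNotifier:
    """Hypothetical model of per-resource pop-up throttling."""
    messages_enabled: bool = True  # models Enable/Disable Block Messages
    _last_shown: dict = field(default_factory=dict)  # resource -> time of last pop-up

    def on_blocked_request(self, resource: str, now: float) -> dict:
        # The deny decision is unconditional; throttling affects only the pop-up.
        show = False
        if self.messages_enabled:
            last = self._last_shown.get(resource)
            # Assumption: the interval is measured from the last pop-up shown.
            if last is None or now - last >= NO_REPEAT_SECONDS:
                show = True
                self._last_shown[resource] = now
        return {"resource": resource, "time": now, "allowed": False, "popup": show}


def replay(events, notifier=None):
    """Feed (time, resource) blocked-request events through a notifier."""
    notifier = notifier or BlockNotifier()
    return [notifier.on_blocked_request(res, t) for t, res in events]


# Constructed sample: (seconds since session start, blocked resource).
SAMPLE_EVENTS = [
    (0, "hr.example.internal"),     # first block: pop-up shown
    (5, "hr.example.internal"),     # same resource inside the interval: silent
    (30, "wiki.example.internal"),  # different resource: its own pop-up
    (119, "hr.example.internal"),   # still inside the interval: silent
    (121, "hr.example.internal"),   # interval elapsed: pop-up shown again
]

if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```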