Tag Management

In this article, you will learn how to use and manage the Tag Management feature

The Tag Management page is reached from Timus Manager -> Settings -> Tags.

Dynamic tags can be assigned to users and devices, and can also be referenced in firewall rules, agent profiles, and user sign-in policies. A dynamic tag is assigned according to the conditions configured in the tag. The tag itself is created once and does not change; what changes is its assignment, which is re-evaluated continuously against those conditions. While the conditions still hold for a user or device, the tag stays applied; as soon as they stop holding, the tag is removed. Administrators can edit any dynamic tag they have created at any time, changing its description, its assigned objects and its references.

Dynamic tagging is central to how ZTNA policies and firewall rules achieve micro-segmentation. A tag, and every firewall rule, agent profile or sign-in policy that references it, takes effect on every user and device in the system for exactly as long as the configured conditions are met. Firewall rules are therefore attached to and detached from objects automatically, which improves network security, enables micro-segmentation, and replaces a large number of manual operations with work the system does on its own.

Click Create New to create a new tag to manage or assign. The list on the Tags page shows the following columns for each tag:

Source: Where the tag comes from.

Type: Whether the tag is static or dynamic.

Users: How many users have been assigned the Tag.

Teams: How many teams have been assigned the Tag.

Devices: How many devices have been assigned the Tag.

References: How many firewall rules (and other policies, such as agent profiles and sign-in policies) reference the Tag.

Once you click Create New, the fields below appear. Type is set to Static by default; you can select either Static or Dynamic.

Static Tagging:

Title: This field is required. You can name your Tag by using this field.

Description: This field is not required.

Assign to: Select the User, Team or Device objects to which the Tag you are creating should be assigned.

When you edit a static tag, you can also see where it is used.

Dynamic Tagging:

A dynamic tag can be assigned to either Users or Devices, and the condition Types and Attributes available depend on that choice:

  • When the tag is assigned to Users and the condition Type is User, the Attribute is 2FA Setup. The Operator is "is equal to" and the Value is Done or Not Done. This data comes from Timus Manager -> Users & Teams -> Users.

  • When the tag is assigned to Users and the condition Type is Team, the Attribute is Title. The Operator is "is equal to" or "is any of" and the Value is the title(s) of the teams you have created. Note that some Teams are created automatically when an IdP such as Microsoft Entra is connected.

  • When the tag is assigned to Users and the condition Type is Device, the Attribute is "Timus Connect - Operating Systems". The Operator is "is equal to" or "is any of" and the Value is Windows, macOS, iOS or Android.

  • When the tag is assigned to Devices and the condition Type is Device Posture Check, the available Attributes are:

    • BitDefender - Agent Outdated

    • BitDefender - Agent Product Update Disabled

    • BitDefender - Antivirus Agent Signature Update Disabled

    • BitDefender - Antivirus Agent Signature Outdated

    • BitDefender - Device Infected

    • BitDefender - Malware Detected

    • BitDefender - Disc Encryption

    • BitDefender - Risk Score

    • BitDefender - Agent Installed

    • BitDefender - Operating System

    • Microsoft Defender - Antivirus Engine Updated

    • Microsoft Defender - Antivirus Platform Updated

    • Microsoft Defender - Antivirus Signature Updated

    • Microsoft Defender - Risk Score

    • Microsoft Defender - Exposure Level

    • Microsoft Defender - Antivirus Mode

    • Microsoft Defender - Agent Installed

    • Microsoft Defender - Operating System

    • SentinelOne - Agent Outdated

    • SentinelOne - Device Infected

    • SentinelOne - Disc Encryption

    • SentinelOne - Agent Installed

    • SentinelOne - Operating System

    The Operator is "is equal to" or "is any of". The Value list depends on the attribute: "BitDefender - Risk Score", for example, is matched against a risk level such as High (see the example scenario further down), while "Microsoft Defender - Antivirus Mode" takes one of the following values:

    • Other

    • Active

    • Passive

    • Disabled

    • EDRBlocked

    • PassiveAudit

  • When the tag is assigned to Devices and the condition Type is Team, the Attribute is Title. The Operator is "is equal to" or "is any of" and the Value is the title(s) of the teams you have created. Note that some Teams are created automatically when an IdP such as Microsoft Entra is connected.

  • When the tag is assigned to Devices and the condition Type is Device, the Attribute is "Timus Connect - Operating Systems". The Operator is "is equal to" or "is any of" and the Value is Windows, macOS, iOS or Android.

  • Conditional Tag Assignment: Unlike static tags, which are assigned manually and remain constant, dynamic tags are assigned based on predefined conditions. The attributes of the tagged entities are checked to decide whether those conditions are met. The attributes currently available are:

    • Device conditions: Device Posture Check attributes, Team, and operating system (Windows, macOS, iOS, Android)

    • User conditions: 2FA Setup, Team, and operating system (Windows, macOS, iOS, Android)

  • Continuous Evaluation: Timus continuously re-evaluates users and devices against the conditions of each dynamic tag, so a tag is added as soon as an asset starts to match and removed as soon as it stops matching. Tags therefore always reflect the current state of the assets.

Benefits of Dynamic Tagging:

  • Automated Access Control: Dynamic tags make access-control decisions follow the current conditions of the asset. This removes most manual configuration changes and reduces the risk of human error.

  • Micro-segmentation: By dynamically assigning tags based on granular asset attributes, Timus facilitates micro-segmentation of the network. This allows for more precise control over user and device access to specific resources.

  • Enhanced Security: The continuous evaluation and dynamic adjustment of access controls based on asset conditions strengthens the overall security posture of the network.

Conceptual usage scenarios (the first maps directly onto the conditions listed above; the second and third describe segmentation goals that would require attributes beyond those currently available as tag conditions):

1- Device attribute-based segmentation:

  • Scenario: An organization wants to segment its network based on device operating system type to enforce different security policies.

  • Implementation: Dynamic tagging automatically assigns tags to devices based on their operating system type (e.g. Windows, macOS).

  • Result: The result is the creation of dynamic micro-segments that group devices with similar operating systems, allowing the organization to apply tailored security policies and controls to each segment.

2- User behavior-based segmentation:

  • Scenario: An organization wants to segment its network based on user behavior to mitigate the risk of insider threats.

  • Implementation: Dynamic tagging evaluates user behavior such as authentication patterns, access frequency, and file usage.

  • Outcome: By dynamically assigning tags based on user behavior, the organization can create micro-segments of users with similar behavior profiles. This enables the implementation of access controls and monitoring mechanisms tailored to the risk profile of each user segment.

3- Access privilege-based segmentation:

  • Scenario: A healthcare provider needs to segment its network based on user access privileges to protect sensitive patient data.

  • Implementation: Dynamic tagging evaluates user roles, permissions, and access levels within the organization's systems and applications.

  • Outcome: By dynamically assigning tags based on access privileges, the organization can create micro-segments for different user roles (e.g. physicians, nurses, administrative staff). This enables the implementation of role-based access control (RBAC) and ensures that users only have access to the resources required for their role.

Example scenario:

Leveraging Device Posture Check Conditions:

  • Scenario: An organization seeks to enforce security policies based on the risk status of devices seeking access to the network.

  • Dynamic Tagging Implementation:

    • Criteria: Device attribute: “Bitdefender - Risk Score”

    • Condition: Operator "is equal to", Value High

    • Tag Title: "Risky Device"

    • Outcome: Any device whose risk score is High is automatically tagged 'Risky Device'. Firewall rules that reference the tag then apply to the device, for example quarantining it or restricting its access to network resources until it is remediated. Because assignment is re-evaluated continuously, the tag, and with it the rules that reference it, are removed automatically once the risk score drops.
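As an added illustration, and not code from Timus, the following Python model shows the evaluation semantics described under Conditional Tag Assignment and Continuous Evaluation above, applied to the 'Risky Device' scenario: a tag is a set of attribute/operator/value conditions, every asset is re-evaluated against them on each attribute snapshot, tags whose conditions no longer hold are removed, and firewall rules follow the tag. The way several conditions combine (all must hold), the attribute snapshots and the rule names are assumptions of the example, not documented product behaviour.

```python
# Added example (not Timus code): a model of how dynamic tag conditions are
# evaluated, how tags are re-evaluated as attributes change, and how firewall
# rules that reference a tag follow it. Names, the AND combination of several
# conditions, and the sample attribute snapshots are assumptions for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str   # e.g. "BitDefender - Risk Score"
    operator: str    # "is equal to" or "is any of", as offered on the Tags page
    value: object    # a single value, or a collection of values for "is any of"

    def matches(self, attrs: dict) -> bool:
        """True if the asset's attribute snapshot satisfies this condition."""
        if self.attribute not in attrs:
            return False  # an attribute the agent has not reported never matches
        actual = attrs[self.attribute]
        if self.operator == "is equal to":
            return actual == self.value
        if self.operator == "is any of":
            return actual in self.value
        raise ValueError(f"unsupported operator: {self.operator!r}")


@dataclass(frozen=True)
class DynamicTag:
    title: str
    conditions: tuple  # assumption: all conditions must hold (AND)

    def applies_to(self, attrs: dict) -> bool:
        return all(c.matches(attrs) for c in self.conditions)


def evaluate(tags, assets: dict) -> dict:
    """Map each asset id to the set of tag titles it currently earns."""
    return {aid: {t.title for t in tags if t.applies_to(attrs)}
            for aid, attrs in assets.items()}


def reconcile(previous: dict, current: dict) -> dict:
    """Diff two evaluations: {asset_id: (tags_added, tags_removed)}.

    This is the continuous-evaluation step: a tag is removed the moment its
    conditions stop holding, not only added when they start to hold.
    """
    changes = {}
    for aid in set(previous) | set(current):
        before, after = previous.get(aid, set()), current.get(aid, set())
        if before != after:
            changes[aid] = (after - before, before - after)
    return changes


def active_rules(rules, asset_tags: set) -> list:
    """Firewall rules (name, referenced tag) that currently apply to an asset."""
    return [name for name, tag in rules if tag in asset_tags]


# Constructed sample data for the example.
TAGS = (
    DynamicTag("Risky Device",
               (Condition("BitDefender - Risk Score", "is equal to", "High"),)),
    DynamicTag("Mobile",
               (Condition("Timus Connect - Operating Systems", "is any of",
                          ("iOS", "Android")),)),
)
RULES = (("quarantine-risky-devices", "Risky Device"),
         ("mobile-saas-only", "Mobile"))

# Snapshot 1: laptop-1 is flagged High by the EDR, phone-1 is a clean iPhone.
SNAPSHOT_T0 = {
    "laptop-1": {"BitDefender - Risk Score": "High",
                 "Timus Connect - Operating Systems": "Windows"},
    "phone-1": {"BitDefender - Risk Score": "Low",
                "Timus Connect - Operating Systems": "iOS"},
}
# Snapshot 2: laptop-1 has been remediated and its risk score dropped.
SNAPSHOT_T1 = {
    "laptop-1": {"BitDefender - Risk Score": "Low",
                 "Timus Connect - Operating Systems": "Windows"},
    "phone-1": SNAPSHOT_T0["phone-1"],
}


if __name__ == "__main__":
    t0 = evaluate(TAGS, SNAPSHOT_T0)
    t1 = evaluate(TAGS, SNAPSHOT_T1)
    print("t0:", t0)                  # laptop-1 carries 'Risky Device'
    print("t1:", t1)                  # the tag is gone after remediation
    print("changes:", reconcile(t0, t1))
    for aid, tags in t1.items():
        print(aid, "rules:", active_rules(RULES, tags))
```

The point to take from `reconcile` is that removal is as automatic as assignment: the quarantine rule stops applying to laptop-1 as soon as the next snapshot no longer reports a High risk score, without anyone editing the rule or the tag. An attribute the agent has not reported is treated as not matching, so a device with no posture data is never tagged as healthy by accident.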

Real-world use cases:

Healthcare Sector:

  • Scenario: A hospital leverages dynamic tagging to segment its network based on user roles and patient data access requirements.

  • Outcome: Granular access controls ensure that only authorized healthcare professionals can access patient records, mitigating the risk of data breaches and ensuring compliance with healthcare regulations.

Financial Services Industry:

  • Scenario: A financial institution employs dynamic tagging to segment its network according to user privileges and transaction types.

  • Outcome: By dynamically adjusting access privileges based on transaction risk levels, the organization fortifies its security posture and safeguards sensitive financial data from unauthorized access or fraudulent activities.

Educational Institutions:

  • Scenario: A university utilizes dynamic tagging to segment its network based on student, faculty, and administrative roles.

  • Outcome: Micro-segmentation facilitated by dynamic tagging enables the university to enforce role-based access controls, ensuring that academic resources are accessed only by authorized users while minimizing the risk of data breaches or cyberattacks targeting sensitive research data.
