We’re around two years into a world where remote work has been the majority since the start of the pandemic. Some offices may reopen in 2022, but it’s not necessarily seeming like employers or employees are rushing toward that. Even when some offices do open up, it’ll likely be a different scenario from what we’re used to.
Around 70% of companies recently said they’d offer a remote option indefinitely, even in the post-pandemic world.
The result is that organizations need to deliver secure environments but not compromise the experience of users, which is where conditional access can become relevant.
An Overview of Conditional Access
Conditional access requires users to meet certain criteria and conditions before gaining access to the company’s resources. The idea of conditional access is that it evaluates login attempts against the conditions set by your IT admins.
In situations where the login conditions are not as secure, then the verification parameters become more rigorous.
The advantage of conditional access is real-time protection, with automatic blocking of access to any user and a device or network not meeting the conditions for secure access.
Under conditional access, users might have to meet all conditions or at least one condition.
Conditions could include user group, managed device, or IP address. It could also include the geolocation when there’s an attempted login.
The biggest goal of conditional access is to empower users and help them be productive no matter where they are while simultaneously protecting data and assets.
If-Then Policies
Conditional access can follow a format of if-then. This means that conditions could be set up so that for example, if a known user wants to log in from a compliant device and the IP address is allowed, they might be able to go past multi-factor authentication.
Another example is if a user tries to log in remotely and they aren’t using a VPN, then access is altogether denied.
A third example of a conditional if-then policy might be if a known user attempts a login from a device that’s unmanaged, but the IP address is whitelisted, which case they have to complete the multi-factor authentication challenge.
Another way to look at a conditional access setup might be based on the data or network a user is attempting to access. You could break down your conditional access policies based on less sensitive, more sensitive and very sensitive data.
The Implications Of Conditional Access
There are many reasons for organizations to care about conditional access right now.
One of the big ones is the fact that it’s an integral part of Zero Trust security. Zero Trust is a model of cybersecurity operating under the assumption that any device, network, or the user shouldn’t be trusted until reliably verified. The concept of Zero Trust was developed as a way to respond to the shortcomings of traditional perimeter-based security. In a perimeter-based model, there’s not the ability to adequately protect against threats in a hybrid or remote work environment.
In hybrid and remote work environments, only the Zero Trust philosophy of trusting nothing and verifying everything is adequate.
MFA is a core component of Zero Trust as a means of verification.
Conditional access then builds on this through the use of context to determine the security of an environment being used for logging in.
We touched on this above, but conditional access is also important for user experience. More than 80% of organizations are currently using MFA to some extent as part of their login process, but this can be a burden to users. Conditional access eliminates the need for the multi-factor authentication challenge in all situations. Instead, it’s used where needed, making for a more efficient user experience. Admins will find there’s more satisfaction for them in how they do their job as well, thanks to automation and reliability in security.
Organizations can take advantage of the benefits of conditional access by using a cloud directory platform that includes it, along with MFA and single sign-on. Then, you can use your specific conditional access policies to verify trust. Policies become flexible but also intuitive with the right solution.
Mobility and convenience are essential for employees and customers, and there’s going to be a growing amount of access coming from outside the perimeter, yet no one expects that should impact their experience.
In hybrid-remote and also bring-your-own-device environments, Windows is no longer the default, and you should look for solutions that let you purchase everything in one package.
Suggested Read: Work from home Over? How to stay disinfected at workplace during Covid 19 situation?