Fortifying Access Management while Working Remotely
With more businesses opting for their workforce to work from home, there has been an exponential increase in remote user-focused cyberattacks. As IT teams scramble to deploy strict security measures like multi-factor authentication (MFA) to prevent any possible security event, the user experience of remote employees ends up taking a hit. A stringent organization-wide access policy like MFA, although secure, can leave users fatigued and can result in decreased productivity.
Two- or three-factor authentication and secure remote logins can be an unnecessary hassle for on-premises users who are already inside the office perimeter. A more efficient approach is to apply access policies based on context.
Applying access policies based on context and factors can aid organizations in:
- Implementing access controls without IT administrator intervention.
- Improving an organization’s security posture without affecting the user experience.
Automating Access Decisions with Conditional Access
Conditional access is the process of protecting access to IT resources based on predefined conditions. By creating access policies based on users’ device types, time of access, IP addresses, or geolocation, you can strictly control access to your network and data. Conditional access provides added security and helps prevent attackers from gaining access to IT resources.
Conditional access can be used to implement a set of rules that analyze various risk factors to enforce automated access control decisions. These decisions are made in real time based on the risk factors of each request, so that strict security measures are not imposed in no-risk scenarios. This ensures an enhanced user experience without weakening security.
Some of the common scenarios and the corresponding security measures that can be applied using conditional access:
- Mandating biometric authentication during IT admin logins.
- Allowing access from authorized machines only to important applications through single sign-on (SSO).
- Enforcing three levels of authentication for password reset requests from untrusted IPs, or from computers that are not joined to the domain.
Predefined Access Conditions
A condition is a user-related factor, such as device type, IP address, or geolocation. You can enable any one or multiple conditions as per your requirement.
- IP address: Controls access based on the IP address of the user. You can configure static IPs, proxy server IPs, and VPN IPs. You can either opt to trust or to not trust the configured IPs. Trusted IPs will be allowed access, while untrusted IPs will be denied access.
- Device: Controls access based on the computer object and the platform (Windows, macOS, Linux, mobile web app, and mobile native app) they run on.
- Business hours: Controls access based on business hours or non-business hours.
- Geolocation: Controls access based on the location from which the request originated.
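The following is an added illustrative example, not code from the original article or from any product it describes. It shows how the four conditions above (IP address, device, business hours, geolocation) and the three scenarios listed earlier (biometric for admin logins, SSO only from domain-joined machines, three factors for password resets from untrusted IPs or unmanaged devices) can be combined into a single policy evaluator. The trusted networks, allowed countries, business hours and sample requests are constructed values; a real deployment would load them from configuration.

```python
"""Context-aware access decision engine (added example with constructed policy data)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy data: office and VPN address ranges, permitted countries,
# and the local business-hours window (Monday to Friday).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Outcomes ordered from least to most restrictive; the strictest matching rule wins.
RANK = {"allow": 0, "mfa": 1, "three_factor": 2, "biometric": 3, "deny": 4}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    is_admin: bool
    source_ip: str
    domain_joined: bool      # device condition: is the computer managed by the domain?
    country: str             # geolocation condition (ISO country code)
    requested_at: datetime   # business-hours condition (local time)
    action: str              # "login", "sso_app" or "password_reset"


@dataclass(frozen=True)
class Decision:
    outcome: str
    reasons: tuple


def ip_is_trusted(ip: str) -> bool:
    """IP address condition: true when the source falls inside a trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def in_business_hours(dt: datetime) -> bool:
    """Business-hours condition: weekday and within the configured window."""
    start, end = BUSINESS_HOURS
    return dt.weekday() < 5 and start <= dt.time() < end


def evaluate(req: AccessRequest) -> Decision:
    """Apply every rule, collect the reasons, and return the strictest outcome."""
    verdicts = []  # (outcome, reason) pairs

    if req.country not in ALLOWED_COUNTRIES:
        verdicts.append(("deny", f"geolocation {req.country} is not permitted"))
    if req.action == "sso_app" and not req.domain_joined:
        verdicts.append(("deny", "SSO application access is limited to domain-joined machines"))
    if req.action == "password_reset" and (not ip_is_trusted(req.source_ip) or not req.domain_joined):
        verdicts.append(("three_factor", "password reset from untrusted IP or unmanaged device"))
    if req.is_admin and req.action == "login":
        verdicts.append(("biometric", "administrator login requires biometric authentication"))
    if not ip_is_trusted(req.source_ip):
        verdicts.append(("mfa", f"source IP {req.source_ip} is not trusted"))
    if not in_business_hours(req.requested_at):
        verdicts.append(("mfa", "request made outside business hours"))

    if not verdicts:
        return Decision("allow", ("trusted IP, managed device, business hours, permitted location",))
    strictest = max(verdicts, key=lambda v: RANK[v[0]])[0]
    return Decision(strictest, tuple(reason for _, reason in verdicts))


# Constructed sample requests exercising each rule (2024-06-11 is a Tuesday).
SAMPLE_REQUESTS = [
    AccessRequest("alice", False, "10.1.2.3", True, "US", datetime(2024, 6, 11, 10, 0), "login"),
    AccessRequest("bob", False, "198.51.100.7", True, "US", datetime(2024, 6, 11, 10, 0), "login"),
    AccessRequest("carol", True, "10.1.2.3", True, "US", datetime(2024, 6, 11, 10, 0), "login"),
    AccessRequest("dave", False, "198.51.100.7", True, "US", datetime(2024, 6, 11, 10, 0), "password_reset"),
    AccessRequest("erin", False, "10.1.2.3", False, "CA", datetime(2024, 6, 11, 10, 0), "sso_app"),
    AccessRequest("frank", False, "10.1.2.3", True, "XX", datetime(2024, 6, 11, 10, 0), "login"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = evaluate(req)
        print(f"{req.user:6} {req.action:15} -> {d.outcome:12} ({'; '.join(d.reasons)})")
```

The key design choice is that each rule contributes a verdict and a reason rather than returning immediately: the strictest outcome is enforced, but every triggered condition is kept for logging, which is what an analyst needs when reviewing why a remote user was challenged or blocked.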
Risk-based conditional access policies are being widely adopted by organizations to ensure that access to resources is regulated securely without compromising the end-user experience. However, such an access policy workflow cannot be set up in an Active Directory environment using the native tools available.