Conditional access policies are described as a set of context clues. They are a way to apply contextual security when someone tries to log in to a system or app. Conditional access is an automation of the human intuition we would otherwise use to spot activities that were potentially suspicious.
The use of conditional access in remote work is important right now, and we’ll detail what to know about the concept below.
How Does a Conditional Access Policy Work?
A conditional access policy will use contextual information to then apply the right level of security to an attempted login.
Conditional access policies can improve security measures when there’s an irregularity in login attempts or anything that could be viewed as suspicious. Conditional access policies can also decrease security measures for login attempts viewed as routine or trustworthy.
The use of these access policies helps bring about a balance between a user’s experience and security, reducing friction when it’s safe and boosting security when needed.
In a Zero Trust model of cybersecurity, there’s the assumption that any device, network, user, or resource isn’t to be trusted until it’s verified. That is key in all conditional access policies. Users and groups, as a result, have to verify identities by meeting particular conditions beyond their credentials to gain access.
Examples of Policies
We can describe a conditional policy as an in-then statement. If a certain condition is met, then the next action is taken. If the condition isn’t met, then a second action should occur.
Conditional access policies check attempted logins against several conditions in most cases. The conditions have different options and are flexible.
For example, some of the conditions that might be used to assess the security of an attempted login include:
- The correct username and password
- Login location
- Logging in from a device associated with the user
- Distance and time between the last login
- Device compliance with company standards
- Network compliance with company standards
- Login time
Actions in policies of conditional access then provide a specification on how to proceed based on the conditions listed above. An action can improve or reduce the security measures, depending on the security of conditions for the attempted login. Actions can include presenting a multi-factor authentication challenge, bypassing the MFA challenge, or access denial.
Conditional Access and Remote Work
Now that remote work is the norm following two years of the pandemic, IT has to prepare for a world without physically defined workspaces or, at a minimum, a hybrid workplace.
IT can’t monitor incoming IP addresses as their first step in the login credentialing process like they once could, so they have to figure out how to create a secure foundation for remote work, but it has to balance against productivity requirements.
Conditional access adds another security layer to an existing IT environment through the verification of specific conditions a user will have to meet before they can get access to IT resources. This is outside of what they’re authorized to access with their credentials.
To secure remote employees, verifying their identities is a crucial first step. With conditional access, you’re going beyond requiring the use of a strong password. Instead, you’re managing all aspects of credential control, including the implementation of multi-factor authentication (MFA).
With multi-factor authentication, there’s protection against phishing attacks in the event that someone’s credentials are compromised.
In a conditional access situation, you might require your remote workers to use MFA credentials, but then set it up so that your employees working onsite can bypass it. Another option is to require MFA for some groups but not all.
Device trust components of conditional access are a way to make sure employees are only accessing organization resources from devices owned and secured by the company. If an employee is using a personal device under a bring-your-own-device situation, then the conditional access policies might be triggered.
The third component of conditional access policies is network trust policies.
It’s important in the modern environment to make sure employees are on a secure network.
Network trust policies can block employees from accessing certain sensitive data and information on a network that’s insecure, but the requirements may become less stringent when an employee is connecting through an IT-managed, secure network.
With the use of conditional access policies, IT teams can get better control over employee access but still maintain a good end-user experience. The key premises of conditional access can help companies make sure only trusted devices are able to access company resources.