If you are new to the security world, it is fair to ask yourself, “Isn’t access to data and systems always conditional? Isn’t it always granted only to someone who holds the credentials (ID and password)?” True enough, but taken as a whole, the approach to managing access encompasses a broader spectrum of privacy policies. These policies combine different strategies that can be applied according to an organization’s security vulnerabilities.
Conditional access is one such security management practice that many companies have adopted. The shift to smart mobile devices and the cloud has made conditional access necessary, and it has become imperative now that remote working is here to stay. With several companies announcing permanent work-from-home policies, a zero-trust model of conditional access has become crucial. IT security teams must be prepared to both validate and verify devices and users with a set of automated policies.
IT teams could once simply monitor incoming IP addresses as a first step in validating who is connecting. However, the growing use of VPNs, coupled with a remote working environment, is making that impossible, leaving organizations more vulnerable to threats. To secure remote work, a different strategy is therefore required.
Provided below are a few insights that your organization can use to set up conditional access.
Key considerations for conditional access
IT departments can incorporate several key considerations into their existing security checks to build a strong and resilient security system. These include:
- Verified user identities
- Usage of trusted devices
- Allowing access to users on an approved network
Together, these elements form conditional access. As a practical example of how this works, Microsoft’s conditional access policies let an organization examine various sources and factors when deciding whether to give a user access to a particular folder in Microsoft 365. Azure Active Directory also evaluates factors such as user location and device when deciding whether to allow access to a particular application or data set, going beyond simple security check policies.
Implementing a zero trust strategy
Given the restrictions imposed by the coronavirus pandemic and the continuing uncertainty surrounding in-person work, it is best to treat a zero trust access policy as a must for companies. Its successful implementation hinges on a large set of components working together in a verifiable manner.
Here are the seven basic tenets of zero trust, as interpreted from the NIST specifications:
- Treating all data sources and computing services, including every class of device, as resources to be identified and protected.
- Encrypting all communication and securing the authentication behind it.
- Authorizing access to individual enterprise resources on a per-session basis.
- Allowing security and access policies to change dynamically based on client attributes and the currently perceived risk.
- Monitoring and measuring the security posture and integrity of all assets.
- Enforcing authentication and authorization dynamically and strictly before access is granted.
- Maintaining visibility into the security state of the entire network.
Configuring conditional access policies
A combination of rules can be applied, and pre-defined access policies can be created by an IT engineer or team based on a company’s security needs. For instance, different conditions may need to be considered before a user-owned mobile device is allowed to connect to the organization’s mobility management tool. These conditions could be whether the mobile device is
- Managed and in full compliance with the organization’s IT policies,
- Managed but running an outdated operating system that does not meet the company’s compliance policy, or
- Not managed by the company’s management system at all.
In each of these conditions, the security controls applied would differ depending on the status of the device and the sensitivity of the system and the data.
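To make the three device states above concrete, here is a small conditional access policy evaluator. It is an added example, not code from the article or from any vendor's product: it takes the device state, whether the client is on an approved network, and an assumed sensitivity tier for the requested resource, and returns an allow / step-up / block decision with a reason that can be written to an audit log. The specific rules, tiers and sample users are assumptions chosen for illustration.

```python
"""Added example, not code from the article: a small conditional access
policy evaluator.  It maps the three device states described above, whether
the client is on an approved network, and an assumed sensitivity tier of the
requested resource to an access decision.  The rules and tiers are
illustrative assumptions, not any vendor's defaults."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class DeviceState(Enum):
    COMPLIANT = "managed, compliant"      # managed and meets IT policy
    OUTDATED_OS = "managed, outdated OS"  # managed but out of compliance
    UNMANAGED = "not managed"             # unknown to the management system


class Sensitivity(Enum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require MFA"  # step-up: grant only after a second factor
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DeviceState
    on_approved_network: bool  # corporate LAN or corporate VPN
    resource: str
    sensitivity: Sensitivity


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Return (decision, reason).  Rules are ordered most restrictive first,
    so the riskiest condition present decides the outcome."""
    if req.device is DeviceState.UNMANAGED:
        if req.sensitivity is Sensitivity.LOW:
            return Decision.REQUIRE_MFA, "unmanaged device: low-sensitivity data only, with MFA"
        return Decision.BLOCK, "unmanaged device may not reach moderate/high-sensitivity data"
    if req.device is DeviceState.OUTDATED_OS:
        if req.sensitivity is Sensitivity.HIGH:
            return Decision.BLOCK, "outdated OS is out of compliance: high-sensitivity data blocked"
        return Decision.REQUIRE_MFA, "outdated OS: step-up authentication required"
    # Managed, compliant device.
    if req.sensitivity is Sensitivity.HIGH and not req.on_approved_network:
        return Decision.REQUIRE_MFA, "high-sensitivity data off the approved network needs MFA"
    return Decision.ALLOW, "compliant device on an acceptable network"


def evaluate_all(requests: List[AccessRequest]) -> List[str]:
    """Produce one audit line per request, the kind of record a SOC would review."""
    lines = []
    for req in requests:
        decision, reason = evaluate(req)
        lines.append(f"user={req.user} device='{req.device.value}' "
                     f"approved_net={req.on_approved_network} resource={req.resource} "
                     f"-> {decision.value} ({reason})")
    return lines


# Constructed sample requests covering the three device states.
SAMPLE_REQUESTS = [
    AccessRequest("alice", DeviceState.COMPLIANT, True, "finance-share", Sensitivity.HIGH),
    AccessRequest("alice", DeviceState.COMPLIANT, False, "finance-share", Sensitivity.HIGH),
    AccessRequest("bob", DeviceState.OUTDATED_OS, True, "wiki", Sensitivity.MODERATE),
    AccessRequest("bob", DeviceState.OUTDATED_OS, True, "hr-records", Sensitivity.HIGH),
    AccessRequest("carol", DeviceState.UNMANAGED, False, "cafeteria-menu", Sensitivity.LOW),
    AccessRequest("carol", DeviceState.UNMANAGED, False, "hr-records", Sensitivity.HIGH),
]

if __name__ == "__main__":
    for line in evaluate_all(SAMPLE_REQUESTS):
        print(line)
```

Ordering the rules from most to least restrictive matters: a request is judged by its worst attribute, so an unmanaged device never gets the lenient path just because it sits on the corporate network. Re-running `evaluate` at the start of every session, rather than once at login, is what turns this table into the per-session authorization the zero trust tenets call for.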
Configuration based on sensitivity of data
Based on the sensitivity of the data and the potential risk to an organization, there can be many possible access policies and configurations.
- Two-factor authentication (2FA): Used for devices – compliant or non-compliant – that hold minimally to moderately sensitive data.
- Multi-factor authentication (MFA): A layered authentication approach that adds an extra step to verify the identity of a person who wants to access servers and databases. Access is granted only after two or more proofs of identity have been presented.
- Privileged access management (PAM): This typically involves a credential repository, logging, and protection of administrative accounts. Administrators go through the PAM system to check out the account, which is then authenticated and logged. When the account is checked back in, its credential is reset, so the administrator must check the account out again in order to use it.
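The PAM check-out / check-in cycle is easier to reason about in code. The vault below is an added example, not the article's code and not modelled on any specific PAM product: an authorized administrator checks an account out and receives its current secret, a second administrator is refused while the lease is held, and checking in (or an expired lease) rotates the secret so any copy that leaked during the session stops working. Secret generation, the lease length, the sample account name and the audit line format are all assumptions made for the illustration.

```python
"""Added example, not the article's own code and not any specific PAM product:
a minimal privileged-account vault modelling the check-out / check-in cycle
described above.  Secret generation, the lease length and the audit log
format are assumptions chosen for the illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PrivilegedAccount:
    name: str
    secret: str  # the live password, held only by the vault
    checked_out_by: Optional[str] = None
    checked_out_at: Optional[float] = None


@dataclass
class PamVault:
    accounts: Dict[str, PrivilegedAccount] = field(default_factory=dict)
    authorized: Dict[str, Set[str]] = field(default_factory=dict)  # admin -> accounts
    audit_log: List[str] = field(default_factory=list)
    max_lease_seconds: float = 3600.0  # assumed: a lease older than this is abandoned

    @staticmethod
    def _new_secret() -> str:
        return secrets.token_urlsafe(24)

    def _log(self, now: float, admin: str, account: str, event: str) -> None:
        self.audit_log.append(f"t={now:.0f} admin={admin} account={account} {event}")

    def add_account(self, name: str) -> None:
        self.accounts[name] = PrivilegedAccount(name, self._new_secret())

    def authorize(self, admin: str, account: str) -> None:
        self.authorized.setdefault(admin, set()).add(account)

    def _rotate(self, acct: PrivilegedAccount) -> None:
        acct.secret = self._new_secret()
        acct.checked_out_by = None
        acct.checked_out_at = None

    def check_out(self, admin: str, account: str, now: float) -> Optional[str]:
        """Hand the credential to an authorized admin; returns None when denied.
        The caller is assumed to have already authenticated the admin (e.g. MFA)."""
        acct = self.accounts[account]
        if account not in self.authorized.get(admin, set()):
            self._log(now, admin, account, "checkout DENIED: not authorized")
            return None
        if acct.checked_out_by is not None:
            if now - acct.checked_out_at < self.max_lease_seconds:
                self._log(now, admin, account,
                          f"checkout DENIED: held by {acct.checked_out_by}")
                return None
            # Lease expired without a check-in: rotate so the stale copy is useless.
            self._log(now, admin, account, "lease expired; credential rotated")
            self._rotate(acct)
        acct.checked_out_by = admin
        acct.checked_out_at = now
        self._log(now, admin, account, "checkout OK")
        return acct.secret

    def check_in(self, admin: str, account: str, now: float) -> bool:
        """Return the account; the credential is reset so the old copy stops working."""
        acct = self.accounts[account]
        if acct.checked_out_by != admin:
            self._log(now, admin, account, "checkin DENIED: not the holder")
            return False
        self._rotate(acct)
        self._log(now, admin, account, "checkin OK; credential rotated")
        return True

    def is_valid(self, account: str, secret: str) -> bool:
        """What the target system would check; the vault is the only source of truth."""
        return secrets.compare_digest(self.accounts[account].secret, secret)


def demo() -> dict:
    """Walk one check-out / check-in cycle with a constructed sample account."""
    vault = PamVault()
    vault.add_account("root@db01")  # constructed sample account
    vault.authorize("alice", "root@db01")
    vault.authorize("bob", "root@db01")
    first = vault.check_out("alice", "root@db01", now=0)
    first_valid = vault.is_valid("root@db01", first)
    blocked = vault.check_out("bob", "root@db01", now=60)  # alice still holds it
    returned = vault.check_in("alice", "root@db01", now=120)
    second = vault.check_out("bob", "root@db01", now=180)
    return {
        "first_valid_while_held": first_valid,
        "second_admin_blocked": blocked is None,
        "checkin_ok": returned,
        "old_secret_dead": not vault.is_valid("root@db01", first),
        "new_secret_live": vault.is_valid("root@db01", second),
        "rotated": first != second,
        "events": len(vault.audit_log),
    }
```

Two design points carry the security value here: the rotation happens on check-in and on lease expiry, not only on demand, so a credential that leaked from an administrator's terminal has a bounded lifetime; and every decision, including denials, lands in `audit_log`, which is the record a detection team needs when reviewing who held which privileged account at what time.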
No single privacy strategy works for every organization; it must be customized around one’s own privacy needs. Conditional or informed access provides a scalable solution for the various scenarios in which a device can be used. The outcome of each access attempt can be determined dynamically by monitoring individual sessions in real time. Further, applying access policies prevents employees from accessing sensitive corporate resources from insecure networks unless a private corporate VPN is in place.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.