In today’s increasingly decentralized IT environment, the modern security perimeter now extends beyond an organization’s network to include user and device identity. People connect from organization-owned, personal, and pubic devices on and off their corporate networks using various device types on varying platforms. In this environment, security of user accounts is more important than ever. As we discussed in our post “Phishing In Your Company Pond?” passwords, no matter their complexity, used across devices, networks, and platforms, are no longer sufficient to ensure the security of the user account.
Multi-factor Authentication (MFA) is more often used to help safeguard access to data and applications by providing an additional layer of security, using a second form of authentication. This would seem to make it a no-brainer for organizations to adopt MFA, as it is a relatively easy way to counter the high-risk factor associated with vulnerable credentials. However, according to a global survey of global IT administrators conducted by Venture Beat, the single largest impediment to adoption is user perception. Users view adding an additional factor to the authentication process as negatively affecting the user experience and as a potential disruption to their productivity if authentication fails. Admins also pointed to implementing MFA in a “blanket” manner as a lack of flexibility, making it more difficult for remote workers to perform the same authentication process as those within the corporate network.
Regardless, Administrators are ultimately faced with two primary goals:
Empower users to be productive wherever and whenever
Protect the organization’s assets
Enter: Conditional Access (CA). Conditional Access is a tool used by Azure Active Directory that brings signals together (how access is requested), to make decisions (grant full or conditional access, block access), and enforce organizational policies. According to Microsoft, Conditional Access is at the heart of the new identity-driven control plane.
Conditional Access allows administrators to apply the proper access controls when needed to keep the organization secure, and stay out of user’s way when not needed. This allows for a more granular approach to security. See the diagram below for a graphical representation and then read further regarding the various signals, decisions, and policies that are common with CA.
Common signals
User or group membership
IP Location information – whitelist/blacklist IP ranges
Device – specific platforms
Application – attempted access to specific applications can trigger defined CA policies
Real-time and calculated risk detection – can identify risky sign-in behavior
Common decisions
Block access
Grant access – can still require one or more of the following options:
Require MFA
Require device to be marked compliant
Require Azure AD joined device
Require approved client app
Common policies
Require Multi-Factor Authentication for users with administrative roles
Require Multi-Factor Authentication for Azure management tasks
Block sign-in for users attempting to use legacy authentication protocols
Requiring Azure Multi-Factor Authentication registration to be complete
Blocking or granting access from specific locations
Blocking risky sign-in behaviors
Requiring organization-managed devices for specific applications
Administrators know that protecting assets and empowering users are their two primary goals. In a decentralizing environment, using a “one size fits all” approach is no longer viable. Implementing Multi-Factor Authentication with Conditional Access provides the balance of flexibility and security assurance that the modern organization needs.
Click here to contact a Wellforce Azure expert and see if you qualify for a free security assessment and consultation.
Comments