The remote work model has proven to be advantageous to organizations and many have offered their workforce the option to work from home currently. As remote users are more susceptible to cyberattacks, strict security measures like multi-factor authentication (MFA) need to be enforced to prevent mishaps. But applying a stringent organization-wide access policy like MFA might have adverse effects on the user experience. While two or three-factor authentication can secure remote logins, it might be an unnecessary hassle for on-premise users already secured within the perimeter of the office. A more efficient approach is to apply access policies based on context. ADSelfService Plus' Conditional Access feature helps achieve this. The feature aids organizations in:
Conditional access implements a set of rules that analyze various risk factors, such as IP address, time of access, device, and the user's geolocation, to enforce automated access control decisions. The decisions are implemented in real time based on user risk factors to avoid unnecessarily strict security measures imposed in no-risk scenarios. This ensures an enhanced user experience without affecting security.
Some of the common scenarios and the corresponding security measures that can be applied using conditional access:
Before learning how conditional access work, let us look at the basics of building a conditional access rule:
This includes the list of factors that may make or break the security of your organization. ADSelfService Plus enables you to configure conditions based on the following risk factors:
After configuring the conditions, a criteria can be devised using operators like AND, OR, and NOT. It is this criteria that is associated with the access policy.
The criteria is then associated with a preconfigured access policy, referred to in ADSelfService Plus as a self-service policy. IT admins can create self-service policies and enable specific features for users belonging to particular domains, organizational units (OUs), and groups.
Once a conditional access rule is built, here is what happens:
In our example, consider that on-premises users make up 50 percent of your organization's workforce. Another 20 percent are remote users. The remaining 30 percent are users that alternate between remote and on-premises work models as required. We will have to enforce MFA for users who login remotely. Leveraging conditional access for this scenario involves:
(NOT trusted IP addresses) AND selected locations
Here is how this conditional access policy will work:
When a user tries to log into a machine, the user's IP address and geolocation are analyzed. If it is not a trusted IP address, and a selected geolocation, the criteria is satisfied and the user is assigned the self-service policy that enforces endpoint MFA. When the conditions aren't satisfied, any other self-service policy that applies to the user is assigned.
Enterprise applications are often used to process and store sensitive user data. Since most of these applications are now deployed in the cloud and outside the security perimeter of your network, they are a favorite target for cyber attackers. They use phishing and other attack techniques to gain access to the applications and exfiltrate data remotely. With conditional access, you can allow only users who have a domain-joined computer to access important applications that contain sensitive data. You can go one step further and permit only a list of trusted IP addresses to access critical applications, ensuring that attackers can't have access to these applications even if they steal your users' credentials. Here is an example for configuring a conditional access rule for this scenario:
Trusted IP addresses AND Selected computer objects
Here is how this conditional access rule will work:
When a user tries to login to an enterprise application through SSO, the device IP address and type are analyzed. If it is a trusted IP address, and the computer object belongs to the AD domain, the criteria created is satisfied. Then, the self-service policy associated with the criteria is assigned to the user. This enables the user to access enterprise applications using SSO.
Fortify access management with risk-based contextual authentication.Download a free trial now!Request demo
Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.
Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.