What is risk-based conditional access?
According to Microsoft, in more than 60 per cent of data breaches, network access is gained through weak user credentials, default passwords or stolen user information. Faced with that statistic, Enterprise Mobility Management (EMM) vendors such as MobileIron and Microsoft have implemented ‘conditional access’ features to improve the security management capability of their platforms.
Conditional access is a series of definable controls to restrict or allow access to corporate data based on device type, location, suspicious behaviour, device settings, and a host of other variables.
In the case of Microsoft’s Enterprise Mobility + Security (EMS) suite, this feature combines with Azure Active Directory (AD) and its Identity Protection component to make it safer to allow users to access corporate data from a wide range of devices, at any time and in any location.
Identifying Sign-In Risks
Azure AD Identity Protection is able to detect suspicious behaviour around account sign-ins, determining the likelihood that a sign-in was performed by someone other than the authorised account holder.
Each sign-in is assigned a likelihood of being fraudulent – either no risk, low, medium or high risk. This risk rating can then be used as a condition in your conditional access settings, blocking anyone determined to be a medium risk, or only allowing no-risk sign-ins, for example.
The risk factor can also be used to trigger other sign-in protections, such as Multi-Factor Authentication (MFA). Multi-factor authentication can be set to apply to any user sessions defined, for example, as medium or high risk. This provides an intelligent way to test their authenticity without automatically blocking a user’s access to an app or corporate data, resulting in a far less frustrating user experience and potentially saving time and resources in your IT support team.
Network Location Control
It’s also possible to use location controls in a conditional access plan. Within Azure AD, controls can be set to block sign-ins from certain locations or to only allow particular locations. This could be particularly useful for executives travelling to high-risk countries, for example. When overseas in a location designated as high-risk, the user could be prompted for an additional security measure (such as Multi-Factor Authentication), but this wouldn’t be required when accessing from a designated safe location.
Locations can be set through regions, countries or IP address groups. Trusted IPs can be defined, and users on the corporate intranet can be automatically treated as trusted. Since Azure AD re-evaluates these conditions frequently (hourly by default), users who switch location or network will be re-assessed to ensure their continued security.
Because users today demand seamless access to corporate accounts and apps from a wide range of devices, both their own personal devices (BYOD) and those owned by the business, Azure AD provides device management controls which can be used as part of a conditional access scheme.
Access can be granted or denied on the basis of device platform and operating system (OS), including iOS, Android and Windows, to only allow connections from devices that your system can accommodate.
A ‘device state’ setting can also be used to allow automatic access to devices marked as compliant by your business. It’s possible to auto-approve connections from trusted compliant devices owned by your business while still applying controls to external devices like personal tablets and laptops.
Client Application Requirements
Finally, controls can be set to apply to access attempts from certain web browsers or mobile and desktop applications.
These controls are useful not only for controlling the platforms used for access but also for blocking access from app types known to cause issues. IT departments can also require managed devices to be used when gaining access through certain apps or browsers – useful, for example, for blocking apps which require large downloads on unsuited devices.
More information on browser and app control requirements and a list of the client apps you can use in conditional access policies can be found on the Microsoft Azure AD website.
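To show how the conditions described above (sign-in risk level, named locations, device state, platform and client app) combine into a single allow / require-MFA / block decision, here is a small policy evaluator. It is an added illustration written for this article, not Azure AD’s policy engine; the risk levels follow the article, while the location names, platform list, client app names and the `Policy` / `SignIn` / `evaluate` identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Risk levels as the article lists them, ordered so they can be compared.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class SignIn:
    user: str
    risk: str               # Identity Protection sign-in risk: none/low/medium/high
    location: str           # named location: country code, region or IP group (constructed)
    device_compliant: bool  # device marked compliant by device management
    platform: str           # "ios", "android", "windows", ...
    client_app: str         # "browser", "mobile_app", "legacy_client", ... (constructed)

@dataclass
class Policy:
    """Constructed policy mirroring the controls the article describes."""
    trusted_locations: set = field(default_factory=lambda: {"corp-intranet", "GB"})
    mfa_locations: set = field(default_factory=lambda: {"high-risk-region"})
    blocked_locations: set = field(default_factory=lambda: {"embargoed-region"})
    allowed_platforms: set = field(default_factory=lambda: {"ios", "android", "windows"})
    blocked_client_apps: set = field(default_factory=lambda: {"legacy_client"})
    block_at_risk: str = "high"    # sign-in risk at or above this level is blocked
    mfa_at_risk: str = "medium"    # sign-in risk at or above this level needs MFA

def evaluate(signin: SignIn, policy: Optional[Policy] = None) -> str:
    """Return 'block', 'require_mfa' or 'allow' for one sign-in.

    Block conditions are checked first, so a clean risk score never rescues a
    blocked platform, app or location; MFA is then required for risky sign-ins,
    for designated high-risk locations, and for untrusted locations when the
    device is not compliant."""
    policy = policy or Policy()
    risk = RISK_ORDER[signin.risk]
    if signin.platform not in policy.allowed_platforms:
        return "block"
    if signin.client_app in policy.blocked_client_apps:
        return "block"
    if signin.location in policy.blocked_locations:
        return "block"
    if risk >= RISK_ORDER[policy.block_at_risk]:
        return "block"
    if risk >= RISK_ORDER[policy.mfa_at_risk]:
        return "require_mfa"
    if signin.location in policy.mfa_locations:
        return "require_mfa"
    if signin.location not in policy.trusted_locations and not signin.device_compliant:
        return "require_mfa"
    return "allow"
```

The ordering matters: a policy that checked risk before platform or client app would let a clean, low-risk sign-in through on a platform the organisation has chosen not to support.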
All in all, conditional access settings can provide your IT administrators with dynamic control and flexibility over who can access corporate data, from where and on which device, while ensuring that your end users remain productive and enjoy a great user experience. Contact us if you’d like to know more about how conditional access could help your business to streamline mobile security.
Be sure to check out our ultimate resource for secure devices, where we go into detail on the dawn of advanced risk-based conditional access.