Think back to the last fraudulent call or email that made it past your spam filter. How could you tell it was fake? Maybe they called at a weird hour, or the name in the email address didn’t match the signature, or you didn’t recognize the area code. Or maybe your car doesn’t actually have an extended warranty.
Whatever the reason, your spam filter didn’t catch the fraud, but you did. Why?
Humans are great at picking up on contextual clues. Computers don’t do so on their own; they have to be programmed to recognize them.
That’s how conditional access policies work. They use a set of contextual clues — like what locations and devices are considered “normal” for a login — to apply the appropriate amount of contextual security to a login attempt. This means more security for suspicious attempts, and less friction for typical and expected ones. Essentially, conditional access automates the human intuition that enables you to spot suspicious activity and applies it to the authentication process.
Let’s dive deeper into how they work and explore some of the most common examples and use cases of conditional access policies.
How Conditional Access Policies Work
Conditional access policies use contextual information to apply the most appropriate level of security to a login attempt. Typically, conditional access policies increase security measures for suspicious or irregular login attempts and decrease security measures for routine and trustworthy login attempts. This makes conditional access essential for striking a balance between security and the user experience: it reduces friction where it’s safe to do so and boosts security with intelligently applied policies.
The Zero Trust security model, which assumes that all devices, users, networks, and resources are untrustworthy until verified, underlies all conditional access policies. Users and groups are thus required to verify their identities by meeting specific conditions, beyond presenting their credentials, before access is granted.
What Are Some Examples of Conditional Access Policies?
In their simplest form, conditional access policies consist of an if/then statement in the format:
If Condition A is met, then complete Action A, else Action B.
Let’s explore some of the conditions and actions that appear in conditional access policies to form a blueprint for how they’re commonly built.
Common Conditions
Conditional access policies can check a login attempt against several conditions. These conditions are flexible and have a wide range of options; the following are common conditions for examining the security of a login attempt.
- Correct username and password input. While no longer the most secure form of authentication, passwords can be the first step in an MFA-based login.
- Location of login.
- Login is from a device associated with the user.
- Device complies with company standards.
- Network complies with company standards.
Common Actions
The actions in conditional access policies specify how to proceed based on the conditions above. Actions typically either tighten or relax security measures, depending on how trustworthy the conditions of the login attempt are. Some of the most common actions include:
- Present a multi-factor authentication (MFA) challenge.
- Bypass an MFA challenge.
- Deny access.
Conditional Access Policy Examples
By combining conditions and actions in the if/then/else template above, you can create policies like:
- If employees log in with a device that’s assigned to them and on a company-compliant network, then they may bypass MFA.
- If employees log in with a device that’s assigned to them and not on a compliant network, then they must complete an MFA challenge.
Note that you can apply policies to some groups and not others. For example, an organization might choose to never apply a policy that bypasses MFA to users in its super admin group.
Common Conditional Access Use Cases
In general, conditional access policies deliver simultaneous security and usability wins. More specifically, companies use them to uphold certain security and usability standards, including:
- Prohibiting unapproved devices from accessing resources.
- Preventing employees from accessing resources from untrustworthy networks, like public Wi-Fi.
- Improving the user experience by reducing friction in predictable and secure environments. This can include home Wi-Fi networks for a better remote work experience.
- Securely streamlining the experience for specific users and groups, like executives who require resource access via their phone.
JumpCloud’s Revolutionary Approach to Conditional Access
JumpCloud empowers IT admins to implement conditional access policies with the flexibility to choose from a wide range of conditions and actions. This allows admins to create a holistic security policy by combining trust elements.
JumpCloud can also automatically apply certain policies to ensure security: for example, if more than one policy is applied to certain users and groups, JumpCloud will automatically enforce the strictest ones. Admins can also configure a global policy that’s enforced in the event that no policy applies to a user. This is an essential tool to ensure baseline security coverage for the organization by default.
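The if/then policies from the examples earlier, together with the strictest-policy and global-default behaviour described above, can be modelled in a few lines. This is an added example, not JumpCloud's code or API: every class, policy name and group name is hypothetical, the contractor policy is invented to show two policies matching at once, and the choice of "require MFA" as the global default is an assumption.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable

class Action(IntEnum):           # ordered so max() selects the strictest action
    BYPASS_MFA = 0
    REQUIRE_MFA = 1
    DENY = 2

@dataclass(frozen=True)
class Login:                     # context of one login attempt (constructed)
    user: str
    groups: frozenset
    device_assigned: bool        # device is associated with the user
    network_compliant: bool      # network meets company standards

@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[Login], bool]
    action: Action
    excluded_groups: frozenset = frozenset()

    def applies(self, login: Login) -> bool:
        # A policy never applies to a member of an excluded group.
        return not (login.groups & self.excluded_groups) and self.condition(login)

# Hypothetical policy set built from the conditions and actions in the article.
POLICIES = [
    Policy("trusted-device-and-network",
           lambda a: a.device_assigned and a.network_compliant,
           Action.BYPASS_MFA, excluded_groups=frozenset({"super-admins"})),
    Policy("trusted-device-untrusted-network",
           lambda a: a.device_assigned and not a.network_compliant,
           Action.REQUIRE_MFA),
    Policy("unapproved-device", lambda a: not a.device_assigned, Action.DENY),
    Policy("contractors-always-mfa",
           lambda a: "contractors" in a.groups, Action.REQUIRE_MFA),
]
GLOBAL_DEFAULT = Action.REQUIRE_MFA   # assumed baseline when no policy applies

def evaluate(login, policies=POLICIES, default=GLOBAL_DEFAULT):
    """Return (action, matched policy names); strictest wins, default if none."""
    matched = [p for p in policies if p.applies(login)]
    if not matched:
        return default, []
    return max(p.action for p in matched), [p.name for p in matched]

if __name__ == "__main__":
    print(evaluate(Login("root", frozenset({"super-admins"}), True, True)))
```

The super admin on a trusted device and network matches nothing, because the bypass policy excludes that group, so the global default decides the outcome instead of the login passing through unchallenged.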
These conditional access policies can be enforced through all IT environments regardless of what client apps, operating system, or vendor they use. And it’s all managed through JumpCloud’s cloud directory platform, keeping identity, device, network, and conditional access policy management all in one place.