Achieving Zero Trust with Conditional Access

Written by Daniel Fay on November 4, 2020


What does it mean to achieve Zero Trust?

Before we as admins can achieve a Zero Trust model, we must first get into the mindset of “trust nothing, verify everything.” By creating a blanket statement of “trust nothing” you have already taken the first step towards implementing a strong security posture. 

A running joke in the security admin space is the most secure system is a powered-off one. Although this light-hearted approach is comical and true to a point, it does hit on this very fundamental concept of Zero Trust. By disabling access to all resources you’re creating a trust-nothing approach. 

The next step is configuring granular scopes, rules, and conditions of access where only certain users, groups, devices, or networks are granted permission to company resources. Segmenting access to the different resources improves security whilst shrinking potential attack vectors. By starting with a deny-all then specific-allow rules, this works towards securing resources in a much more controlled manner. 

By implementing Device Trust, admins create a scoped workflow where critical applications may only be accessed by users who have been granted permissions, and only from the devices that have been added to the trust condition. Pairing this with IP Lists, the trusted devices must also be connected to a network that has been granted access via configured IP list rules. In tandem, both of these conditional access policies help admins quickly and effectively achieve a Zero Trust security model. 

For added visibility and telemetry, enabling Directory Insights gives admins comprehensive views of events around resources, users, applications, and more within the directory. Security isn’t a “set it and forget it” practice. Continual monitoring, management, and improvements should be made along the way to ensure that the company remains compliant and secure. 

What is Device Trust & Network Trust?

Companies utilize a suite of applications that contain sensitive or confidential information. With JumpCloud, admins can consolidate and secure SSO application access and present these apps to allowed User Groups. Users who are bound to these user groups are presented the specified applications through the User Portal. 

Conditional access policies add another layer to the authentication workflow by ensuring access is only granted if users are on a trusted device or network on the configured IP list. This added layer on the authentication workflow secures the User Portal and bound applications by creating restrictions around the origin of access. 

Device trust is a powerful tool where policies restrict access to the User Portal and bound applications. JumpCloud currently manages devices through the JumpCloud Agent and system-level security policies such as full disk encryption, lock screen, and more for Windows, macOS, and Linux devices. The upcoming Conditional Access policies restrict User Portal access to specified managed devices within your JumpCloud platform. This eases the burden of ensuring that access is restricted and scoped to specific workflows and is only possible from specific devices configured by the company IT admin. 

Access to apps and the User Portal can also be restricted based on the originating IP or network address. These new policies will allow admins to enable network trust security practices across their organization. By enforcing a Network Trust security approach, granular IP lists ensure that only users on trusted networks can gain access to the User Portal’s critical applications containing sensitive data. In the current remote-work environment, many employees are using their own home WiFi networks to access critical applications and information. Without a VPN or business-tier network configuration, there is a higher potential risk. 

Using a corporate VPN, admins could instantiate conditional access rules and policies to restrict the User Portal where remote employees must route through the VPN. This not only guides users to use the VPN more frequently, but also ensures that all traffic from the device to the resource is fully encrypted. Although VPNs are not necessary to use JumpCloud’s Directory-as-a-Service, there is no doubt that VPNs are another great tool to ensure that compliance is easily met and data is fully encrypted when in flight. 

What does Conditional Access do for me? 

Implementing security can sometimes be a challenge depending on the number of resources, endpoints, systems, and applications you’re managing. Some basic security measures would be to enforce strong passwords, multi-factor authentication (MFA), group-based access controls, and setting access in a least-privilege manner.

Conditional Access is another layer of security that uses specific conditions users have to meet before they gain access to resources. Conditional Access can be thought of as policies governed by rules which help build security practices such as Device Trust and Network Trust.

Diving deeper into this concept, think of locking down access to an application that contains confidential information, like cardholder or medical information, that is used by specific teams. With JumpCloud, you can easily ensure that the application is only accessible by users within the specific user groups in your organization and ensure MFA is required on these applications. 

By adding Conditional Access, you can augment your access control policies by requiring users to be on trusted devices or networks outlined in IP lists within JumpCloud before being able to access the applications. Then, users can only access the User Portal and critical applications if they’re bound to the allowed User Group, their issued device is being managed by JumpCloud, and they’re on a network specified within an IP list. 
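The deny-all, specific-allow evaluation described in the sections above (user must be in an allowed User Group, on a managed device, and on a network in an IP list) can be expressed as a small policy engine. The following is an added illustration written for this article, not JumpCloud's own code or API; the group names, device identifiers and CIDR ranges are constructed sample values, and the decision returns the list of failed conditions so that a denial can be logged for review rather than silently dropped.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ConditionalAccessPolicy:
    """One policy guarding an application: every condition must hold."""
    allowed_groups: frozenset     # user groups bound to the application
    trusted_devices: frozenset    # identifiers of managed (trusted) devices
    trusted_networks: tuple       # CIDR strings that make up the IP list

    def networks(self):
        # strict=False tolerates entries such as "10.20.30.1/24" whose
        # host bits are set, instead of raising ValueError at evaluation time.
        return [ipaddress.ip_network(c, strict=False) for c in self.trusted_networks]


@dataclass(frozen=True)
class AccessRequest:
    """What the authentication layer knows about one access attempt."""
    user: str
    groups: frozenset
    device_id: str
    source_ip: str


def evaluate(policy, request):
    """Deny-all by default.

    Returns (allowed, reasons). `allowed` is True only when no condition
    fails; `reasons` names every failed condition so the denial is auditable.
    """
    reasons = []

    # Condition 1: membership in at least one allowed User Group.
    if not (request.groups & policy.allowed_groups):
        reasons.append("user not in an allowed group")

    # Condition 2: the request originates from a managed (trusted) device.
    if request.device_id not in policy.trusted_devices:
        reasons.append("device is not a trusted managed device")

    # Condition 3: the source address falls inside the configured IP list.
    try:
        ip = ipaddress.ip_address(request.source_ip)
    except ValueError:
        # Fail closed: an address we cannot parse never matches a trusted network.
        reasons.append("source IP could not be parsed")
    else:
        if not any(ip in net for net in policy.networks()):
            reasons.append("source IP is not on a trusted network")

    return (not reasons, reasons)


def audit_line(request, decision):
    """Render a decision as a single log line suitable for later review."""
    allowed, reasons = decision
    verdict = "ALLOW" if allowed else "DENY"
    detail = "" if allowed else " reasons=" + ";".join(reasons)
    return f"conditional_access user={request.user} device={request.device_id} " \
           f"ip={request.source_ip} verdict={verdict}{detail}"


# Constructed sample policy (hypothetical values, not real infrastructure).
SAMPLE_POLICY = ConditionalAccessPolicy(
    allowed_groups=frozenset({"finance"}),
    trusted_devices=frozenset({"dev-001", "dev-002"}),
    trusted_networks=("10.20.30.0/24", "192.0.2.0/24"),
)

if __name__ == "__main__":
    attempts = [
        AccessRequest("alice", frozenset({"finance"}), "dev-001", "10.20.30.40"),
        AccessRequest("alice", frozenset({"finance"}), "dev-001", "203.0.113.5"),
        AccessRequest("bob", frozenset({"marketing"}), "byod-laptop", "not-an-ip"),
    ]
    for attempt in attempts:
        print(audit_line(attempt, evaluate(SAMPLE_POLICY, attempt)))
```

The order of checks does not matter for the verdict because every condition is evaluated and all must pass; collecting every failed reason, rather than returning on the first one, gives an admin reviewing Directory Insights style telemetry the full picture of why an attempt was refused.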

By configuring Conditional Access, appropriate permissions, MFA everywhere, strong password settings, and a least-privilege practice, admins can begin to build a working Zero Trust model. Introducing stronger security practices doesn’t have to be a burden, nor add unwanted complexity. Bringing your company into a Zero Trust model might be easier than expected when leveraging JumpCloud.

Evaluate JumpCloud Free Today

We’re hard at work creating this new feature within the JumpCloud platform. By the end of the year, admins will be able to enable and configure different access rules, conditions, and policies upon their users, devices, and to guard the User Portal. 

If you’re new to JumpCloud and are interested in knowing more about the platform and how to help achieve stronger security practices, evaluate JumpCloud today! JumpCloud Free grants new admins 10 systems and 10 users free forever to help evaluate or use the entirety of the product. Once you’ve created your organization, you’re also given 10 days of Premium in-app chat support to help you with any questions or issues if they arise. Sign up today for your free account!

Daniel Fay

Daniel Fay is a Product Marketing Manager at JumpCloud.
