October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. While cybersecurity can feel complex and inaccessible to the average person, the reality is that everyone has a role to play in security, from executives, to the IT team, to end users. To help you empower everyone in your organization to do their part regarding cybersecurity, we’re resurfacing this article, Conditional Access Policies to Manage Remote Workers. Read on to find out how conditional access provides security for your company, and efficiency for remote employees.
Supporting remote work is an integral part of every IT strategy in today’s distributed workplaces. There is no going back to a world where 100% of end users are in the office full-time. COVID-19 forced IT admins to quickly learn how to support and manage distributed workforces and customer bases who were all working from home. In the instability of the pandemic, many IT departments were merely in survival mode, reacting to new challenges without long-term plans in place. Now that remote work is here to stay, however, it’s time to implement policies for a future of no (or, at least, far fewer) physical headquarters, with employees doing work from anywhere.
Building security for a remote workforce requires a very different strategy than designing security for physical office spaces. For example, in physical locations, admins can use the source IP address of a login attempt as a first signal that the credentials are being used from an expected place. In remote environments, however, that’s not possible unless everyone works from a VPN connection at all times.
So how can IT build a secure foundation for remote workers without impacting productivity? There are three key considerations:
- Verifying user identities: ensuring everyone who logs in is who they say they are.
- Verifying trusted devices: ensuring the laptop, tablet, or phone the user logs in from is secure.
- Verifying that users are on an approved network: ensuring the wireless network the device is connected to is secure.
These policies make up what is known as Conditional Access. Conditional Access is an additional layer of security on top of your existing environment. It specifies conditions that users, devices, and networks must meet before they gain access to IT resources — independent of what they are already authorized to access via their credentials. Conditional Access is based on a Zero Trust security model, which assumes that users, devices, networks, and other resources are all “untrusted”. Credentials alone aren’t enough; users must verify their identities (or satisfy conditions that indicate they are in a secure situation) to gain access to company resources.
Verifying User Identities
Verifying a user’s identity is a critical first step in securing the remote employee. It’s not enough just to use a strong password, though. With Conditional Access, you can use all forms of credential control, including multi-factor authentication.
Multi-factor authentication (MFA) provides a potent weapon against phishing attacks. Instead of just requiring a user ID and password, MFA also requires an additional verification step – like a one-time code or push notification to a secondary device – to verify a user’s identity. A malicious actor may obtain a user’s password, but without the secondary verification, they’ll be unable to access the account, practically eliminating the potential for compromised credentials.
MFA is always a good idea. But in certain circumstances – like when an employee is working from the company office space and is securely connected to your internet – you may not feel the need for this extra layer of security. Conditional Access is all about creating policies based on the circumstances, so you can require remote employees to use MFA, but allow in-office employees to bypass this extra verification step.
You can also require multi-factor authentication for specific groups accessing organizational resources, but not others. For example, you might let the customer service team bypass MFA prompts for accessing their devices since they just use them to email and respond to customers, while everyone else in the organization must use MFA at the device level to protect against potential exposure of software or systems that are critical to the business.
Verifying the Device
The device trust certificate ensures that employees only access company resources from company-owned or verified personal devices (BYOD). When employees are using personal devices, Conditional Access policies are triggered, because they are considered “untrusted” devices. When they’re using trusted devices, however, policies can be implemented to allow for fewer MFA requirements.
Conditional Access can also prevent employees from having access to company resources from untrusted devices altogether. Let’s say that you only want employees to access corporate documents on a trusted device and not their personal iPhone or iPad. Conditional Access can give IT control over which devices can access which company resources. These policies can be application specific, too. You could allow employees to check email on an untrusted device but not access any other company resources, for example. In a world where almost every device can access email and the web, Conditional Access lets an IT department control which devices have access to which resources.
Verifying the Network
The final piece of a Conditional Access policy for remote work is a network trust policy. Now that organizations are implementing hybrid and remote working options permanently, ensuring employees are on a secure network is imperative.
In theory, the safest way to ensure network trust is with a list of known IP addresses that allows employees to access corporate resources while on their home network or using a corporate VPN. Using a network trust policy prevents employees from accessing sensitive corporate resources on insecure networks, like at coffee shops or hotels, but gives them full access when on their home network that has been secured with the help of their company admins.
In practice, however, this approach can quickly become a management nightmare – especially if you have a large remote user base, or your workforce is apt to frequently move locations. Instead, network trust can be used to relax certain policies when workers are connecting via a secure, IT-managed network. For example, you can use network trust to work with your MFA policy, where MFA prompts are limited when on a whitelisted IP range, but required for less verifiable IP addresses. If managing an IP whitelist isn’t practical for your business, geolocation can help you ensure employees are where they say they are. You can set parameters by state, by country, or any other location requirements. For example, suppose an employee lives in Arkansas but is trying to access corporate resources from Europe. You’ve set up geolocation that only allows user logins from the United States, so the Conditional Access policy will automatically deny them access.
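The identity, device, and network checks described in the three sections above combine into a single decision per login. As an added example (not JumpCloud’s code or policy engine), this Python sketch evaluates a constructed login context against assumed policy data: the trusted network range, allowed countries, MFA-exempt group, and the apps an untrusted device may reach are all made-up values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data for illustration only (not a real tenant's configuration).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]   # assumed office / VPN egress range
ALLOWED_COUNTRIES = {"US"}                           # geolocation gate from the article
MFA_EXEMPT_GROUPS = {"customer-service"}             # group allowed to bypass MFA for email
UNTRUSTED_DEVICE_ALLOWED_APPS = {"email"}            # untrusted devices reach email only


@dataclass
class LoginContext:
    user: str
    groups: set
    device_trusted: bool   # device presented a valid device-trust certificate
    source_ip: str
    country: str           # geolocation of source_ip, assumed resolved by the identity provider
    application: str


def on_trusted_network(ip: str) -> bool:
    """True when the source address falls inside an IT-managed network range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(ctx: LoginContext) -> str:
    """Return 'deny', 'mfa' (allow only after step-up MFA) or 'allow'."""
    # Network: a login from outside the allowed countries is denied outright.
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny"
    # Device: an untrusted (BYOD) device is confined to explicitly permitted apps.
    if not ctx.device_trusted and ctx.application not in UNTRUSTED_DEVICE_ALLOWED_APPS:
        return "deny"
    # Identity: MFA is relaxed only when device AND network are both trusted ...
    if ctx.device_trusted and on_trusted_network(ctx.source_ip):
        return "allow"
    # ... or for an exempt group using the low-risk app it is exempt for.
    if ctx.groups & MFA_EXEMPT_GROUPS and ctx.application in UNTRUSTED_DEVICE_ALLOWED_APPS:
        return "allow"
    # Every other combination (home network, unknown IP, other apps) requires MFA.
    return "mfa"


if __name__ == "__main__":
    home = LoginContext("alice", {"engineering"}, True, "198.51.100.7", "US", "documents")
    abroad = LoginContext("alice", {"engineering"}, True, "203.0.113.10", "DE", "documents")
    print(evaluate(home), evaluate(abroad))  # mfa deny
```

The ordering matters: the deny rules run before any rule that relaxes MFA, so a trusted device can never unlock a location the policy forbids.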
Conditional Access Policies for Remote Employees
By leveraging Conditional Access policies inside JumpCloud’s open directory platform™, an IT team can better control employee access while still providing a great end-user experience. The fundamental tenets of Conditional Access — grounded in Zero Trust principles — ensure that trusted devices are only accessing your company’s resources in authorized locations, and by authorized personnel. When they aren’t, employees can access resources after verifying their identity with MFA.
Conditional Access in a Zero-Trust environment isn’t just about creating a yes/no policy for access. It’s about having a holistic view of security and recognizing that organizations have to be vigilant in a remote-first world, but can relax policies when specific parameters are met. Conditional Access allows IT organizations to limit access from unmanaged BYOD devices and unsecured networks, while still enabling the right employees with full access once verified.
Evaluate JumpCloud Free Today
If you’re interested in learning more about how to achieve stronger security practices, evaluate JumpCloud today! JumpCloud is free for 10 devices and 10 users. Once you’ve created your JumpCloud account, you’re also given 10 days of Premium 24×7 in-app chat support to help you with any questions or issues that arise.