Conditional Access Policies to Manage Remote Workers

Written by Chip Bell on March 17, 2021


Supporting remote work is now a permanent part of IT strategy. There is no going back to a world where 100% of end users are in the office full time. COVID-19 forced IT to pivot quickly and learn how to support and manage a global workforce and a global customer base who were all working from home. Many decisions made in that rush seemed appropriate at the time, but now it is time to put long-term IT policies in place.

Now that remote work is here to stay, it’s time to implement policies that prepare for IT’s future in a world where there are no physical headquarters, or at least with the understanding that your workforce will be hybrid with some people in the office and some out of the office.

Securing a headquarters calls for a very different strategy than securing a remote workforce. When designing for the headquarters, IT could count on many variables from a security perspective; for example, it could check incoming IP addresses as a first step before even evaluating login credentials. That is no longer possible unless everyone works over a VPN connection at all times. So how can IT build a secure foundation for remote workers? Let’s look at how it can be done without impacting productivity.

There are some key considerations IT should plan for when building strong security policies for remote work:

  • Verifying user identities
  • Verifying trusted devices
  • Verifying that users are on an approved network

All of these policies make up what is known as Conditional Access. Conditional Access provides another layer of security on top of your existing environment by verifying specific conditions users have to meet before they gain access to IT resources — independent of what they are already authorized to access via their credentials. 

Conditional Access is based on a Zero Trust security model. A Zero Trust security model assumes that users, devices, networks, and other resources are all untrusted. This means users must verify their identities – or the conditions that indicate they are in a secure situation – to gain access to whatever resource they need at that time, instead of just providing the appropriate credentials.

Verifying User Identities

Verifying a user’s identity is a critical first step in securing the remote employee. It’s not enough just to use a strong password, though. With Conditional Access, you get to manage all forms of credential control, including multi-factor authentication. 

Multi-factor authentication is a potent defense when credentials have been phished or otherwise compromised, since a stolen password alone no longer lets a malicious actor log in from any location. However, if you can verify that a user is on your own network, you may not feel the need to force that additional layer, trading a little friction for efficiency. With Conditional Access, you can require remote workers to enter their MFA credentials but let onsite employees bypass the prompt.

You can also require multi-factor authentication for specific groups accessing organizational resources, but not others. For example, you might let the customer service team bypass MFA prompts when logging in to their devices, since they only use them to email and respond to customers, while everyone else in the organization must use MFA at the device level to protect against exposure of software or systems that are critical to the business.

Verifying the Device

Device Trust ensures that employees access company resources only from company-owned and secured devices. When users access company resources from trusted devices, IT teams can implement policies that allow for fewer MFA prompts. Conditional Access Policies are triggered when employees use personal devices (BYOD) to access company resources, because those devices are untrusted.

Conditional Access can also block employees from accessing company resources from untrusted devices altogether. Let’s say you only want employees to open corporate documents on a trusted device and not on their personal iPhone or iPad. Conditional Access gives IT control over which devices can access which company resources. You could also allow employees to check email on an untrusted device but grant no further access beyond that task.

In a world where almost every device can access email and the web, Conditional Access lets an IT department control which device has access to which resources according to company policy.

Verifying the Network

The final piece of a Conditional Access policy for remote work is a network trust policy. Now that organizations are using remote work for the foreseeable future, ensuring employees are on a secure network is imperative.

Network Trust via Whitelisted IPs

The safest way to ensure network trust is a list of known IP addresses or address ranges from which employees are allowed to access corporate resources, covering their home network or the corporate VPN. A network trust policy prevents employees from reaching sensitive corporate resources from insecure networks at coffee shops or hotels, but gives full access when they are on a home network that IT has helped set up for them or on the company VPN.

In practice, however, this can quickly become a management challenge if the remote user base grows very large or your workforce changes home offices frequently. It works well for smaller businesses, or for ones with a small, fixed group of employees who regularly work remotely. For everyone else, network trust is better used to relax certain policies when workers connect via a secure, IT-managed network, rather than as a hard gate on access.

Conditional MFA

For example, network trust can work together with your MFA policy. You can limit MFA prompts for connections from a whitelisted IP range (like the office network), but require MFA credentials for any connection from an IP address outside that range.

Geofencing

And if managing an IP whitelist is impractical simply due to the nature of your business, IT can still verify that employees are where they say they are. Suppose an employee lives in Arkansas but is trying to access corporate resources from Europe. In that case, a network trust policy, Geofencing, keeps resources from being accessed by someone who shouldn’t have them, regardless of which credentials they present.
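To make the decision logic concrete, here is an added example (not JumpCloud’s code) that combines the three checks described above, device trust, conditional MFA on whitelisted IP ranges, and geofencing, into a single policy evaluator. The IP ranges, country codes, resource names and user records are constructed sample values, and the country is assumed to come from an upstream GeoIP lookup.

```python
"""Toy Conditional Access evaluator (added example, not JumpCloud's code).

Each login request is reduced to one of three outcomes:
ALLOW, REQUIRE_MFA or DENY. All policy values below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy: office and VPN egress ranges (documentation
# prefixes), the countries logins may originate from, and the only
# resources an untrusted (BYOD) device is still allowed to reach.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
ALLOWED_COUNTRIES = {"US"}
UNTRUSTED_DEVICE_RESOURCES = {"email"}


@dataclass
class Request:
    user: str
    resource: str
    device_trusted: bool   # set by the device-trust agent / certificate check
    source_ip: str
    country: str           # assumed to come from an upstream GeoIP lookup


def evaluate(req: Request) -> str:
    # 1. Geofence: a login from outside the permitted countries is denied
    #    no matter which credentials are presented.
    if req.country not in ALLOWED_COUNTRIES:
        return "DENY"
    # 2. Device trust: an untrusted device may only reach low-risk resources.
    if not req.device_trusted and req.resource not in UNTRUSTED_DEVICE_RESOURCES:
        return "DENY"
    # 3. Network trust: an unparseable address fails closed; a trusted device
    #    on a whitelisted range skips the MFA prompt.
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        return "DENY"
    if req.device_trusted and any(addr in net for net in TRUSTED_NETWORKS):
        return "ALLOW"
    # Everything else (home network, hotel Wi-Fi, BYOD reading email) steps up.
    return "REQUIRE_MFA"


if __name__ == "__main__":
    for r in (Request("alice", "docs", True, "203.0.113.10", "US"),
              Request("alice", "docs", True, "192.0.2.44", "US"),
              Request("bob", "docs", False, "203.0.113.10", "US"),
              Request("carol", "docs", True, "203.0.113.10", "DE")):
        print(r.user, r.resource, r.source_ip, r.country, "->", evaluate(r))
```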

Conditional Access Policies for Remote Employees

By leveraging Conditional Access Policies inside JumpCloud’s Directory Platform, an IT team can better control employee access while still providing a great end-user experience. The fundamental tenets of Conditional Access — grounded in Zero Trust principles — help you ensure that only trusted devices, in authorized locations and in the hands of authorized personnel, are accessing your company’s resources. When those conditions aren’t met, you can still give employees a path to the resources they need if they verify their identity through multi-factor authentication prompts.

Conditional Access in a Zero-Trust environment isn’t just about creating a yes/no policy for access. It’s about having a holistic view of security and recognizing that organizations have to be vigilant with security in a remote-first world but have the flexibility to relax policies when specific parameters are met. Conditional Access allows IT organizations to limit access from unmanaged devices and insecure networks while still enabling the right employees with full access when proper security parameters are met. 

Evaluate JumpCloud Free Today

If you’re new to JumpCloud and interested in learning more about the platform and how to achieve stronger security practices, evaluate JumpCloud today! JumpCloud Free grants admins 10 devices and 10 users free to help evaluate or use the entirety of the product. Once you’ve created your JumpCloud account, you’re also given 10 days of Premium 24×7 in-app chat support to help you with any questions or issues if they arise.
