
Get Zero Trust Ready with 黑料海角91入口 Conditional Access

Written by Dave Madrid on December 16, 2020


As the world moves to remote work, the security perimeter has changed drastically. More and more employees rely on home networks or personal devices to connect to corporate resources, accessing them from any device and from anywhere outside the corporate domain. This has given rise to the domainless enterprise: a central cloud directory service that serves as the hub for securely connecting users and their devices to the IT resources they need to do their jobs.

As we change how we work, we also need to change how we secure the IT environment. Zero Trust is the principle of "trust nothing, verify everything," and it fundamentally shifts how security is implemented in an organization. Under a Zero Trust model, access is granted only when:

  1. The user is verified based on their identity.
  2. The device they're using is known to and managed by the organization, so the organization can vouch for its security posture.
  3. The network they're accessing resources from is known and has been verified as safe.

The process of continuous verification can be complex and time-consuming. 

Using Conditional Access to Enable Zero Trust

With the release of Conditional Access, 黑料海角91入口 customers now have an easier path to implementing the core foundations of a Zero Trust model. By managing identities, networks, and devices from a single cloud directory platform, 黑料海角91入口 lets admins verify three trust elements: the user's identity, the network they're on, and the device they're using. Once trust in these elements is established, IT admins can build flexible verification rules with 黑料海角91入口's new Conditional Access Policies:

  • Identity: Verify users based on their identity, role, and group. Enforce or relax multi-factor authentication (MFA) requirements based on users' group membership.
  • Network: Verify that authentication requests come from a secure location. Create IP allow/deny lists that dictate which networks users can access resources from.
  • Device: Verify that users are accessing resources from secure devices. Combine 黑料海角91入口's device management with new certificate-based trust to restrict access to resources at the device level.

Conditional Access Policies enable IT admins to customize their approach to access and security by combining these steps into different policy levels.

How do I use Conditional Access Policies in my organization?

Conditional Access lets admins combine individual policies into an organization-wide access verification scheme, or apply them at the group level. Here are some of the use cases we've heard from our customers:

  • Allow remote work, but require MFA when employees aren't in the office.
  • Require MFA for specific groups (e.g., contractors) accessing the organization's applications.
  • Prevent access from personal devices.
  • Allow personal devices for specific user groups, but require MFA from each user.
  • Skip MFA prompts for warehouse workers when they access applications from the internal network.
  • Require MFA for all admins, because their higher privileges mean a compromised admin account can do the most harm.
  • Allow the CEO or other C-level executives in without MFA when they're on a trusted device.

How exactly is a device determined to be trusted?

At 黑料海角91入口, a device is considered a user's gateway to all access. To provide secure access through devices, admins install the 黑料海角91入口 agent on every device that the organization needs to manage and control. Through the agent, admins can distribute security configurations (policies), manage user accounts and their credentials, and apply core security settings such as full disk encryption and MFA.

With the agent in place, 黑料海角91入口 can establish trust by automatically installing a 黑料海角91入口-issued certificate. This certificate identifies the machines that are known to and trusted by the organization, and it becomes part of the organization's conditional access verification requirements when users authenticate to resources.

To distribute certificates to your devices, go to Conditional Policies > Settings > Conditional Policies Settings > Device Certificates and toggle Global Certificate Distribution to ON. With certificates in place, the admin can scope Conditional Access Policies to specific user groups if desired. When a policy applies to a user, 黑料海角91入口 verifies that the user logging into the User Portal matches the user named in the certificate; only then is the device considered "trusted." A certificate issued to a different user does not make the device trusted for the user who is logging in.

How are Conditional Access Policies enforced?

黑料海角91入口's Conditional Access lets an admin combine a set of trust elements (identities, devices, and networks) into an "Access Policy." For example, if a user is accessing their User Portal from a known IP address and a device with a 黑料海角91入口-issued certificate, they're allowed access without MFA. When more than one policy applies to a user, 黑料海角91入口 enforces the strictest one. Here is the order from most strict to least:

  1. Deny access to the User Portal.
  2. Allow access to the User Portal with MFA.
  3. Allow access to the User Portal and all SAML/SSO applications without MFA.

What if no policies apply to a user?

When no policy applies to a user, 黑料海角91入口 offers a Global Policy that provides broad default coverage. This policy takes effect only when no other policy applies. By default, it is configured to respect the configuration in the "Multi-Factor Authentication Settings" section of the User – Details page for each user.

Because that setting is user specific, you may want to configure the Global Policy to override it by choosing one of the three other options. To do this, open the "Conditional Policies Settings" page, go to "Conditional Policies," and select the Settings button:

From here, choose one of the following:

  • Allow authentication into resources: Users will be allowed into the User Portal without being prompted for MFA.
  • Require MFA: Users will be allowed in, but MFA is required.
  • Deny access: Users will be denied access.
  • (Legacy) Allow authentication and require MFA based on the individual user setting: 黑料海角91入口 will honor the configuration in the "Multi-Factor Authentication Settings" section of the User – Details page for each user.
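The following is an added example, not 黑料海角91入口's code or product logic, that models the evaluation rules described in the last three sections: the three trust elements (user group, source network, device certificate), the strictest-policy-wins order (deny, then require MFA, then allow without MFA), the Global Policy fallback when nothing matches, and the self-enrollment path when a policy requires MFA but the user has no factor. The policy names, the `ORG-CA` issuer name, the user names and the `203.0.113.0/24` office network are all constructed for the example; device certificates are stand-in records rather than real X.509 certificates.

```python
"""Toy evaluator for conditional-access style policies.

Added example, not 黑料海角91入口's code. It models the three trust elements the post
describes (user/group, source network, device certificate), the strictest-policy-wins
rule (deny > require MFA > allow without MFA), the Global Policy fallback and the
self-enrollment path for users without an MFA factor. Device certificates are stand-in
records; a real implementation would verify an X.509 chain instead.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Outcomes, most strict first: the lowest value wins when several policies apply.
DENY, REQUIRE_MFA, ALLOW = 0, 1, 2
OUTCOME_NAME = {DENY: "deny", REQUIRE_MFA: "require_mfa", ALLOW: "allow"}

ORG_CA = "ORG-CA"  # assumed name of the organisation's device-certificate issuer (hypothetical)


@dataclass
class Device:
    cert_issuer: Optional[str] = None   # issuer of the device certificate, if any
    cert_subject: Optional[str] = None  # user the certificate was issued to


@dataclass
class Request:
    user: str
    groups: Set[str]
    source_ip: str
    device: Device
    mfa_enrolled: bool


@dataclass
class Policy:
    name: str
    outcome: int
    groups: Optional[Set[str]] = None        # None: applies to every user
    networks: Optional[List[str]] = None     # CIDR allow-list; None: any network
    trusted_device: Optional[bool] = None    # True: trusted only, False: untrusted only, None: either


def device_is_trusted(req: Request) -> bool:
    """Trusted = org-issued certificate whose subject is the user who is logging in.

    A certificate copied from another user's machine therefore does not count."""
    d = req.device
    return d.cert_issuer == ORG_CA and d.cert_subject == req.user


def on_network(ip: str, networks: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in networks)


def policy_applies(p: Policy, req: Request) -> bool:
    if p.groups is not None and not (req.groups & p.groups):
        return False
    if p.networks is not None and not on_network(req.source_ip, p.networks):
        return False
    if p.trusted_device is not None and device_is_trusted(req) != p.trusted_device:
        return False
    return True


def evaluate(policies: List[Policy], req: Request, global_outcome: int = REQUIRE_MFA) -> Tuple[str, List[str]]:
    """Return (decision, names of the policies that produced it).

    If no policy matches, the Global Policy outcome is used. When the decision is
    require_mfa and the user has no factor enrolled, the result is 'enroll_mfa':
    access is refused for now, but the user may self-enroll in an enabled factor."""
    matched = [p for p in policies if policy_applies(p, req)]
    if matched:
        strictest = min(p.outcome for p in matched)
        sources = [p.name for p in matched if p.outcome == strictest]
    else:
        strictest, sources = global_outcome, ["global"]
    if strictest == REQUIRE_MFA and not req.mfa_enrolled:
        return "enroll_mfa", sources
    return OUTCOME_NAME[strictest], sources


# Constructed sample policies mirroring the use cases in the post. 203.0.113.0/24 is a
# documentation range standing in for the office network.
SAMPLE_POLICIES = [
    Policy("admins-always-mfa", REQUIRE_MFA, groups={"admins"}),
    Policy("contractors-mfa", REQUIRE_MFA, groups={"contractors"}),
    Policy("finance-no-personal-devices", DENY, groups={"finance"}, trusted_device=False),
    Policy("office-trusted-device-no-mfa", ALLOW, networks=["203.0.113.0/24"], trusted_device=True),
]

if __name__ == "__main__":
    corp = Device(ORG_CA, "alice")
    print(evaluate(SAMPLE_POLICIES, Request("alice", {"engineering"}, "203.0.113.10", corp, True)))
    # An admin on the same network and device matches both the allow policy and the
    # admin MFA policy; the stricter one wins.
    print(evaluate(SAMPLE_POLICIES, Request("alice", {"admins"}, "203.0.113.10", corp, True)))
```

Two details are worth noting. The device check compares the certificate's subject with the user who is logging in, so a certificate lifted from a colleague's laptop does not make the device trusted for the attacker's account. And because the engine takes the minimum outcome over every matching policy, adding a permissive policy can never weaken a stricter one that also applies; to relax MFA for a group you have to narrow the strict policy's scope, which is exactly what the group-exclusion feature mentioned later is for.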

What happens when a policy requires MFA, but the user hasn鈥檛 configured MFA yet?

If you're an existing customer, you may have seen a user get locked out unless they were inside an enrollment period, which usually meant admin intervention. Now, when a Conditional Access Policy requires MFA and the user has not set up an MFA factor, the user is denied access but is allowed to self-enroll in any of the enabled MFA factors.

What鈥檚 next with Conditional Access?

Conditional Access has been a top request from customers, making the launch of 黑料海角91入口 Conditional Access an important milestone. You can also look forward to more features coming soon, such as:

  • Group exclusion: The ability to exclude user groups from a policy (e.g., all users except admins can access the User Portal without MFA).
  • Policy enforcement by application: Create a policy requiring MFA for specific applications and relax MFA for others.
  • Geofencing: Restrict access from specific countries.

Test Drive 黑料海角91入口 

If you don't already have a 黑料海角91入口 account, you can , manage up to 10 users and 10 devices, and test drive the full platform, including Conditional Access. You can follow the guided simulation to get started with Conditional Access. Use 10 days of premium, in-app 24×7 chat support with our support engineers to get the most out of your new account.

Dave Madrid

Dave is a Senior Product Manager at 黑料海角91入口 with over 25 years experience building great products. When not in the office, you'll find him in the mountains, hiking, fly fishing, and camping.
