Why you Need Conditional Access Protocols

Digital passwords have been a major source of Cybersecurity concerns ever since they came into existence. According to Dashlane, 80% of security incidents in 2023 happened due to weak, stolen, or reused passwords. Additionally, employees (and many employers) continue to neglect the basics of good cyber hygiene.

Two factors in particular make compromised credentials the main cause of data breaches: 61% of workers use the same password for multiple platforms, and 43% have shared their passwords with others. Add to that the proliferation of weak, easily cracked passwords, and you might as well do one of two things:

1) Do away with security measures altogether. Why bother if you’re not serious about them?

– OR –

2) Get serious about them.

Access and identity management have become a priority for many organizations, largely due to the rise of cloud usage. Another practice we should all be rid of is letting people access systems by entering only a username and password. Implement Multi-Factor Authentication (MFA).

Cybercriminals who snag an employee’s login credentials can access the account and any data that it contains – regardless of any defenses put in place by your IT services. This is especially problematic when it’s an account like Microsoft 365 or Google Workspace, because the entirety of a company’s information is in there, and these accounts can access things like cloud storage and user email.

The smart money is on implementing a conditional access policy – a major component of good Cybersecurity.

What is the best practice of Conditional Access policy?

There are several. Conditional access, also known as contextual access and context-aware access, is a method of controlling user access. Think of it as several ‘if/then’ statements wherein ‘if’ a certain thing is present, ‘then’ do this.

Conditional access allows you to set a rule that would state something akin to: ‘If a user is logging in from outside the country, then we should require a one-time passcode.’ The same goes for any situation outside of the norm, like a strictly 9 to 5 weekday worker attempting to log in to the system remotely at midnight on Saturday.

You can add many conditions to the process of user access to a system by employing conditional access, which is typically used hand-in-hand with MFA. This improves access security without unnecessarily inconveniencing users.

Some of the most commonly used contextual factors include:

IP address

Geographic location

Time of day

The device used

Role or group the user belongs to

Conditional access for Microsoft 365 can be set up with various identity and access management tools including Azure Active Directory. It’s advisable to get your IT support provider to set this up to your specifications, especially if it’s a Managed IT Services provider rather than an hourly rate ‘IT consulting services Guy’. They can help with the setup and conditions that would make the most sense for your business.

What are the benefits of identity access management?

Improved Security

You have more flexibility in challenging user legitimacy by having conditional access in place. It doesn't just grant access to anyone with a username and password, which are often stolen and/or for sale on the Dark Web. Instead, the user needs to meet certain requirements.

Contextual/Conditional access can block any login attempts from countries where you have no employees. It can also present an extra verification question when employees attempt a login from an unrecognized device. It should be set up to be suspicious of any anomalies and set extra hoops to jump through for access.

Automate the Access Management Process

After you set up the ‘if/then’, the system knows what to do and takes it from there, automating the monitoring for contextual factors and taking the appropriate actions, which reduces the burden on administrative IT Services teams. It also ensures that no employee falls between the cracks.

Manual processes are always slower, less accurate, and less reliable than automated processes. Automation also removes the human error factor, helping to ensure that each condition is verified for every single login.

Enables Restrictions for Certain Activities

Conditional access isn’t just for keeping unauthorized users out of your accounts, it can also restrict the activities that legitimate users can do.

It is wise to restrict access to data or settings based on a user’s role in the system. For example, a loading dock foreman should not have access to the accounting department’s data – there is no need for it. You can also use conditions in combination, such as lowering permissions to view-only. This can be triggered automatically if a user in a certain role logs in from an unknown device.

Better User Login Experience

Studies have shown that as many as 67% of businesses do not use multi-factor authentication, despite the fact that it’s one of the most effective methods to stop credential breaches.

One of the main reasons it is not more widely used is the perception that it is inconvenient for employees. Complaints that it interferes with productivity or that it makes it harder to use their business applications are commonplace.

Setting your alarm and locking your doors at home is inconvenient, so why not just leave those doors open as well? Then it would be as easy for crooks to steal your silverware and electronics as it would be for hackers to steal your data at the office.

Coupling conditional access with MFA can greatly improve the user experience. For example, you can require MFA only if users are working remotely. You can put extra challenge questions in place predicated on an employee’s role or base them on context. This keeps all users from being inconvenienced.
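The ‘if/then’ rules described above (block countries with no employees, challenge unrecognized devices, drop sensitive roles to view-only, require MFA only when remote, flag off-hours remote logins, and deny resources outside a user’s role) can be expressed as a small policy evaluator. This is an added illustration, not code from any vendor’s product or from the original article; the role-to-resource map, country list, and schedule are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy data for this example (not any vendor's defaults).
ALLOWED_COUNTRIES = {"US"}                     # countries where the business has staff
ROLE_RESOURCES = {                             # least privilege: role -> resources it may use
    "payroll_manager": {"payroll", "email"},
    "accounting": {"accounting", "email"},
    "dock_foreman": {"warehouse", "email"},
    "sales": {"crm", "email"},
}
SENSITIVE_ROLES = {"payroll_manager", "accounting"}
BUSINESS_HOURS = range(9, 17)                  # 9-to-5 weekday schedule

@dataclass
class SignIn:
    role: str
    resource: str
    country: str
    device_known: bool
    remote: bool          # True when not on the office network
    when: datetime

def evaluate(s: SignIn) -> dict:
    """Apply the if/then rules in order; return the decision and the rules that fired."""
    d = {"access": "allow", "mfa": False, "view_only": False, "rules": []}
    # if the role does not cover the resource, then deny (least privilege)
    if s.resource not in ROLE_RESOURCES.get(s.role, set()):
        return {**d, "access": "block", "rules": ["role_not_permitted"]}
    # if the sign-in comes from a country with no employees, then block outright
    if s.country not in ALLOWED_COUNTRIES:
        return {**d, "access": "block", "rules": ["unexpected_country"]}
    # if working remotely, then require MFA (office logins are left alone)
    if s.remote:
        d["mfa"] = True
        d["rules"].append("remote_requires_mfa")
    # if a 9-to-5 worker signs in remotely off-hours or at the weekend, then flag the anomaly
    if s.remote and (s.when.weekday() >= 5 or s.when.hour not in BUSINESS_HOURS):
        d["rules"].append("off_hours_remote")
    # if the device is unrecognized, then challenge; sensitive roles also drop to view-only
    if not s.device_known:
        d["mfa"] = True
        d["rules"].append("unrecognized_device")
        if s.role in SENSITIVE_ROLES:
            d["view_only"] = True
            d["rules"].append("sensitive_role_view_only")
    return d
```

The returned ‘rules’ list is what you would write to the sign-in log, so an administrator can see which condition triggered a challenge or a block.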

Enforces the Rule of Least Privilege

The best Cybersecurity practice is using the rule of least privilege, which means you only grant the lowest level of access in a system as necessary for a user to do their work. Once you have roles set up in your identity management system, you can base access on those roles.

Conditional access simplifies the process of restricting access to data or functions. You can base this on job needs, and it streamlines identity management because it contains all functions in the same system for access and MFA rules. Everything stays together, making management simpler.

Frequently Asked Questions

What is the difference between MFA and SCA?

SCA (Strong Customer Authentication) is used in the EU and sets requirements for payments and broader Open Banking and Open Data initiatives. The two terms can be used interchangeably, but the more common is MFA.

How does Conditional Access policy work?

In a nutshell, conditional access policies are ‘if/then’ statements: if a user wants to access a resource, then they must complete an action. For example, if a payroll manager wants to access the payroll application, they are required to use multi-factor authentication to access it. Employees in unrelated departments, like sales, will not be allowed access (if set up correctly).

Does Conditional Access override security defaults?

Not automatically, but it can. You will need to turn off security defaults before you can use Conditional Access policies. For Microsoft, if you have a plan or license that provides Conditional Access but haven't yet created any Conditional Access policies, using the security defaults is a good way to go.

Does Google have conditional access?

Yes. Use ‘IAM Conditions’ to set up conditional access. Google provides a breakdown of how it works HERE.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation ever to use our IT services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Planning an Office Move?

We have the experience to ensure a seamless transition. Your employees will arrive at the new location to find their IT infrastructure ready and open for business! For more information, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705