Since identities have replaced individual local networks as the main perimeter of cybersecurity, more and more security strategies are being tailored towards identities rather than network appliances. One special feature present in many identity and access management platforms is that of Conditional Access. Sometimes it is not enough for a user to simply authenticate to a resource. Even if they provide the correct password and second authentication factor, there is always the chance that it is a malicious actor on the other end. Conditional Access factors in specific details when deciding whether or not to grant access. Things like the geolocation of the device requesting access, the time of day, source IP address, and device status can all be factored into the decision on whether to grant or deny access. Conditional Access makes heavy use of Context-Based Authentication, which is the specific technology that gathers metadata about the requesting user/device and uses it in its decision.
Conditional Access has become a core strategy in Zero Trust Architecture. The core principle of "never trust, always verify" is taken to heart. Conditional Access can not only make decisions at initial authentication, but it can continuously monitor user sessions and make decisions based on activity. If suspicious activity is detected during a user session, Conditional Access can freeze the session and require the user to re-authenticate or provide additional authentication factors. This helps ensure that integrity is maintained from the second a user requests access to the second they end a session. Both user and device status can be factored into decisions. Many professional Conditional Access solutions utilize machine learning techniques to study trends and anomalies in user and device activity and factor them into their decisions. These platforms often calculate "User Risk" scores and "Device Risk" scores that help indicate whether or not it is safe to grant access. Organizations can set standards for device security that need to be met before said devices are granted access, similar to Network Access Control.
If your organization uses cloud-based identity and access management, you should consider implementing Conditional Access to enhance your security posture. Below are the different Conditional Access options provided by mainstream identity and access management platforms.
- Microsoft Entra ID Conditional Access: the most popular implementation, supports device compliance checks, risk scoring, MFA enforcement, and geo-location analysis.
- Okta Adaptive MFA/Access: risk scoring, behavior analysis, account and device checks, context based MFA
- Google Workspace Context Aware Access: device trust, IP/geo-location control, user risk, identity signals
- Cisco Duo Policies/Risk-Based Authentication: trusted devices, geolocation/IP analysis, health checks, risk based MFA
