Conditional Access policies utilizing Context-Based Authentication and Behavioral Analytics SHOULD be implemented on all cloud-based digital identity platforms used in the business environment.
Since identities have replaced firewalls as the main perimeter of cybersecurity, more and more security strategies are being tailored towards identities rather than network appliances. One special feature present in many identity and access management platforms is that of Conditional Access. Sometimes it is not enough for a user to simply authenticate to a resource. Even if they provide the correct password and second authentication factor, there is always the chance that it is a malicious actor on the other end. Conditional Access factors in specific details when deciding whether or not to grant access. Things like the geolocation of the device requesting access, the time of day, source IP address, and device status can all be factored into the decision on whether to grant or deny access. Conditional Access makes use of Context-Based Authentication, which is a specific access control strategy that gathers metadata about the requesting user/device and factors it into its decision.
Conditional Access has become a core strategy in Zero Trust Architecture. The core principle of "never trust, always verify" is taken to heart. Conditional Access can not only make decisions at initial authentication, but it can also continuously monitor user sessions and make decisions based on activity. If suspicious activity is detected during a user session, Conditional Access can freeze the session and require the user to re-authenticate or provide additional authentication factors. This helps ensure that integrity is maintained from the second a user requests access to the second they end a session. Both user and device status can be factored into decisions. Many professional Conditional Access solutions utilize machine learning techniques to study trends and anomalies in user and device activity and factor them into their decisions. These platforms often calculate User Risk and Device Risk scores that help indicate whether or not it is safe to grant access to the requesting party. Admins can set standards for device security that need to be met before said devices are granted access, similar to Network Access Control.
If your organization uses cloud-based identity and access management, you should consider implementing Conditional Access to enhance your security posture. Below are the different Conditional Access options provided by mainstream identity and access management platforms.