As companies adopt Microsoft Office 365, I find that most SMBs assume their IT will be secured automatically, without much bespoke configuration of who can access what information. Sadly, this is not the case: malicious or unintentional threats, both internal and external, remain. The best way to address the risk of unrestricted information access is to set up a 'Zero Trust User Access' system, which allows granular as well as automated controls and is therefore highly secure.
- by Adriaan Bekker, 11 January 2020
Once organisations realise that they need to specify their own security policies, unique to their business, this leads to a longer discussion around who, what and from where they want to allow access. The best practice, as recommended by Microsoft and others, is to take a Zero Trust approach to access control policies. Further requirements that drive such security behaviour are the need to comply with Cyber Essentials, ISO 27001 or contractual obligations, or to improve trust and credibility.
Microsoft allows you to control access to your organisation’s cloud via Conditional Access, which is part of the Azure Active Directory P1 licence. Microsoft defines Conditional Access as “the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies.”
To simplify, Conditional Access is a set of ‘if, then’ statements: if you want to access a piece of data, then you need to meet a number of specified conditions. For example, your policy might be to allow only certain validated users, from specified compliant devices, to access certain assets.
The diagram below summarises the Microsoft Zero Trust User model (image source: Microsoft).
The immediate question from stakeholders is then where to start. Organisations need to know what to do and how to move this forward. The best place to start is understanding what the organisation wants to achieve, what resources it wants to protect and from where. I recommend getting policies and a strategy in place based on the following criteria:
- Company desktop/laptop devices
  - What company devices will you be supporting? Windows 10, macOS?
  - What is the minimum security you want to enforce on these devices before allowing access?
- Company mobiles
  - What mobile device OS do you want to allow? Android, iOS or both?
  - What will be classed as a compliant company device?
- Bring Your Own Device (BYOD)
  - Does the company want to allow BYOD?
  - If so, protect company data on the mobile by implementing MAM policies
- Other devices
  - Block all other devices (non-compliant)
- Role-based access
  - Identify which users need access to what information and with what access rights (e.g. read/write/administrator access)
A further area to clarify is in which instances access should be blocked outright, e.g. stopping users from using the native iOS email app by blocking ActiveSync.
This gives you a logical framework for access security which allows you to start building out your strategy and conditional access policies.
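To make the ‘if, then’ model concrete, here is an added example (my own illustration, not Microsoft’s code or API) of how the criteria above turn into policies and how Conditional Access combines them at sign-in: every policy whose conditions match applies, a block wins over any grant, and otherwise all required controls must be met. Group names, platform and client-app strings are constructed for the example.

```python
from dataclasses import dataclass

# Simplified model of Conditional Access evaluation (added example, not Microsoft's code).
@dataclass
class SignIn:
    user: str
    groups: frozenset          # group memberships
    platform: str              # "windows", "macOS", "iOS", "android", ...
    compliant: bool            # device marked compliant by MDM (Intune)
    client_app: str            # "browser", "modern", "exchangeActiveSync", "other"

@dataclass
class Policy:
    name: str
    grant: str                              # "block", "mfa" or "compliantDevice"
    include_groups: frozenset = frozenset({"All"})
    exclude_groups: frozenset = frozenset()
    platforms: frozenset = frozenset()      # empty = any platform
    client_apps: frozenset = frozenset()    # empty = any client app

    def applies(self, s: SignIn) -> bool:
        """The 'if' part: user in scope and every configured condition matches."""
        in_scope = "All" in self.include_groups or bool(self.include_groups & s.groups)
        if not in_scope or self.exclude_groups & s.groups:
            return False
        return ((not self.platforms or s.platform in self.platforms)
                and (not self.client_apps or s.client_app in self.client_apps))

def evaluate(policies, s: SignIn) -> str:
    """The 'then' part: all matching policies apply together; any block wins,
    otherwise every required control must be satisfied."""
    required = {p.grant for p in policies if p.applies(s)}
    if "block" in required:
        return "blocked"
    if "compliantDevice" in required and not s.compliant:
        return "blocked: device not compliant"
    return "allowed: MFA required" if "mfa" in required else "allowed"

# Constructed policy set following the criteria above (hypothetical names).
POLICIES = [
    Policy("Block ActiveSync and other legacy clients", "block",
           client_apps=frozenset({"exchangeActiveSync", "other"})),
    Policy("Block unsupported platforms", "block",
           platforms=frozenset({"linux", "unknown"})),
    Policy("Require compliant company desktop/laptop", "compliantDevice",
           platforms=frozenset({"windows", "macOS"}),
           exclude_groups=frozenset({"BreakGlass"})),
    Policy("Require MFA for all users", "mfa"),
]
```

Note the break-glass exclusion on the compliance policy: it is excluded from that one policy only, so the MFA policy still applies to it.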
Once these policies have been designed and written, the technical team can configure them in Azure Active Directory and test the various conditions. During the process, it is critical to identify the stakeholders who will be part of the testing. This process needs to ensure that any security implemented does not interrupt users from working or make the end-user experience overly cumbersome. In other words, make the new Conditional Access implementation as seamless and frictionless as possible.
To summarise, Conditional Access should be a major aspect of your overall Azure cloud security architecture. If you have not already, I highly recommend that you invest the time and resources to set it up and configure it correctly. This will ensure maximum security and compliance across your digital estate.
This is just a brief overview of what is required, intended to help organisations decide where to start, as the security landscape is constantly changing. To learn more, I would recommend watching the Softwerx TechTalk webinar on Conditional Access hosted by Matt Smith.
About the author:
Adriaan Bekker is Technical Director of Softwerx. He has worked with Microsoft and at corporate C-level clients for over 10 years. He is well placed to bridge the gap between technical, commercial and compliance requirements thanks to this experience and his business and IT degree qualifications.