Photo by Jeffrey Dungen on Unsplash


Azure AD with Conditional Access

Is It Real?

Article from ADMIN 70/2022
Trust is good, but controls are better. As more flexible working models become widespread, the boundaries of the classic perimeter are blurring and softening existing models of trust for adopting cloud software and data storage or running domain controllers or core applications in the cloud.

Terminal devices increasingly reside outside the corporate network and can still reasonably be trusted to access applications and resources there – provided they use VPNs, multifactor authentication (MFA), and certificates. However, if the application, parts of the infrastructure, or the data itself are not on the internal network, a VPN is not a very elegant approach, to put it mildly.

The catch is that the VPN configuration is installed once only – presumably along with a certificate – on a user's smartphone or PC to provide the return channel to the corporate network. Does anyone actually check whether the certificate matches the device, if it has been sniffed, or even if the device is still in use by the user who originally commissioned it? The same applies to the intended use of VPN tunnels: Does the tunnel follow the intended route or does the process have anomalies?

Defining Trust

If all of your devices, users, apps, and resources operate in the cloud, anomalies are easier to detect, and checking for the normal state is simpler. A learning process that can reliably certify correct and trusted access or identify risks is thus possible. You need to be able to verify that certain conditions for access are met, depending on what object is to be accessed, before you can allow, say, a mailbox to be opened by an email client on a computer outside the corporate network. The mindset behind this is "zero trust," and it follows the approach of looking closely at a person's access context and making a decision according to the results of the check: The mailbox is then either opened or it remains locked.

Numerous aspects can be checked in the process: Whether the user is known and has completed MFA at login, whether the device is familiar or even considered "healthy," whether the user and device can be matched to a region that corresponds to the work location by IP
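The decision process sketched above (known user, MFA completed, known and healthy device, sign-in location matched to the work region by IP, then allow or deny) can be modelled as a small policy evaluator. The following is an added illustration, not code from the article or from Microsoft's Conditional Access implementation; the users, device IDs, IP ranges and sign-in records are all constructed for the example, and collecting every failed condition rather than stopping at the first one is a design choice made here so that the reasons can be written to an audit log.

```python
"""Minimal conditional-access-style evaluator (added example, not the
article's or Microsoft's code). All directory data, networks and
sign-ins below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed directory state: known users and managed devices.
KNOWN_USERS: Set[str] = {"alice@example.test", "bob@example.test"}
# device id -> whether the device is managed and currently reports healthy
DEVICE_HEALTH: Dict[str, bool] = {"dev-1001": True, "dev-1002": False}

# Constructed: IP ranges each work region normally signs in from
# (documentation prefixes from RFC 5737, not real corporate ranges).
REGION_NETWORKS = {
    "EU": [ip_network("203.0.113.0/24")],
    "US": [ip_network("198.51.100.0/24")],
}
# Constructed: the work region expected for each user.
USER_REGION = {"alice@example.test": "EU", "bob@example.test": "US"}


@dataclass
class SignIn:
    """The access context the policy engine sees for one request."""
    user: str
    mfa_completed: bool
    device_id: str
    source_ip: str
    resource: str


@dataclass
class Policy:
    """Conditions a sign-in must meet before `resource` is granted."""
    resource: str
    require_mfa: bool = True
    require_healthy_device: bool = True
    require_region_match: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def region_of(ip: str) -> Optional[str]:
    """Map a source IP to a work region, or None if it matches no range."""
    addr = ip_address(ip)
    for region, nets in REGION_NETWORKS.items():
        if any(addr in net for net in nets):
            return region
    return None


def evaluate(policy: Policy, signin: SignIn) -> Decision:
    """Check every condition and collect all failures for the audit log."""
    reasons: List[str] = []
    if signin.user not in KNOWN_USERS:
        reasons.append("unknown user")
    if policy.require_mfa and not signin.mfa_completed:
        reasons.append("MFA not completed")
    if policy.require_healthy_device:
        if signin.device_id not in DEVICE_HEALTH:
            reasons.append("unknown device")
        elif not DEVICE_HEALTH[signin.device_id]:
            reasons.append("device not healthy")
    if policy.require_region_match:
        expected = USER_REGION.get(signin.user)
        actual = region_of(signin.source_ip)
        if expected is None or actual != expected:
            reasons.append(
                f"sign-in region {actual} does not match work region {expected}")
    # The mailbox is opened only when no condition failed.
    return Decision(allowed=not reasons, reasons=reasons)


MAILBOX_POLICY = Policy(resource="mailbox")


def demo() -> Dict[str, Decision]:
    """Constructed sign-ins: one grant and three denials with reasons."""
    cases = {
        "alice_ok": SignIn("alice@example.test", True, "dev-1001", "203.0.113.7", "mailbox"),
        "alice_no_mfa": SignIn("alice@example.test", False, "dev-1001", "203.0.113.7", "mailbox"),
        "bob_unhealthy_wrong_region": SignIn("bob@example.test", True, "dev-1002", "203.0.113.9", "mailbox"),
        "stranger": SignIn("mallory@example.test", True, "dev-9999", "192.0.2.1", "mailbox"),
    }
    return {name: evaluate(MAILBOX_POLICY, s) for name, s in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, "ALLOW" if d.allowed else "DENY", d.reasons)
```

Running the script prints one line per constructed sign-in; only `alice_ok` is allowed, and each denial lists every condition that failed, which is the information an operator needs when reviewing why a mailbox stayed locked.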
