Moving away from Legacy Authentication to Modern Authentication
Legacy authentication protocols were historically used in application development, with each application handling its own identity and access management. With the move to cloud applications, modern authentication delegates that work to an identity provider. The security-relevant difference is that legacy protocols such as basic authentication send a username and password with every request and cannot carry a multifactor or policy challenge, whereas modern authentication gives us additional capabilities to define and enforce policies that protect identities, applications, and data. Conditional Access policies enforce additional verification actions based on signals that a user or device may be compromised. The foundation of Conditional Access policies is the zero-trust methodology, so before we discuss planning and implementing Conditional Access, let's review the main points of zero-trust.
As we have moved to cloud providers such as Microsoft, responsibility for securing the physical infrastructure behind cloud services has shifted to those providers. If we adhere to a defence-in-depth security posture, Microsoft is responsible for the physical first layer of defence, which makes identity and access the first layer that we, as a company, are responsible for. This is why the statements "identity is the new perimeter" and "identity is the new control plane" have become so important in securing cloud infrastructure, and why the zero-trust methodology is the core concept a company should adhere to when securing identity and access.
The zero-trust methodology continuously requires anyone on the network to verify who they are, rather than trusting them because of where they connect from. The concept seems straightforward, but if you constantly asked users to enter their username and password, they would quickly become frustrated. To avoid that frustration, a zero-trust implementation uses signals such as anomalous behaviour, leaked credentials, or insecure devices to decide when a user must re-verify their identity. These signals feed a decision on what is required before access to applications, files, or websites is granted. This workflow is shown in figure 1.
The solution within Microsoft that enforces the zero-trust methodology is Conditional Access. As you will notice in figure 7.20, the flow from signal to decision to enforcement is the same. The policies that we define for our company are what enforce these Conditional Access requirements.
A key aspect of putting Conditional Access policies in place is to plan properly and understand how they will affect the user experience. A company should try to maintain a balance between enforcing policies that secure and protect data and ensuring that users can still access the applications and data they need to be effective at their tasks. A common practice is to deploy a new policy in report-only mode first, so that its effect is visible in the sign-in logs before it is enforced, and to exclude a break-glass group so that an overly broad policy cannot lock administrators out.
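The following is an added example, not code from the original text, that ties the three points above together: it creates a Conditional Access policy that blocks legacy authentication (the client app types that cannot carry a modern challenge), starts it in report-only mode so its impact can be planned, and excludes a break-glass group. It uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules); the group name "Break Glass Accounts" and the policy display name are placeholders.

```powershell
# Added example (not from the original page): a report-only Conditional Access
# policy that blocks legacy authentication, built with the Microsoft Graph
# PowerShell SDK. Assumes a group named "Break Glass Accounts" exists (placeholder
# name) and that the signed-in admin can consent to the scopes below.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Refuse to create the policy without an exclusion group: a block policy that
# applies to every user with no exception can lock out all administrators.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $breakGlass) {
    throw "Break-glass group not found; refusing to create a block policy with no exclusion."
}

$policy = @{
    displayName = "CA001 - Block legacy authentication (report-only)"

    # Decision is evaluated and logged but not enforced until the sign-in logs
    # show which users and applications would be affected.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        # Signal: the client app type. Legacy protocols (basic auth, Exchange
        # ActiveSync, SMTP/IMAP/POP) surface as "exchangeActiveSync" and "other".
        # Modern clients ("browser", "mobileAppsAndDesktopClients") are
        # deliberately not matched, so they keep working.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
    }

    # Enforcement: block the sign-in outright. No MFA fallback is possible,
    # because a legacy protocol cannot carry the interactive challenge.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Once the report-only results have been reviewed, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The `clientAppTypes` condition is the signal, `state` and the user and application scope make up the decision, and `grantControls` is the enforcement, which is the same signal, decision, enforcement flow described above. Review the report-only outcomes in the Entra sign-in logs before changing `state` to `enabled`, and keep the break-glass exclusion in place after enforcement.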
Using Conditional Access policies with modern authentication provides a consistent user experience and consistently enforced security across your hybrid application infrastructure.