Only 11% had a Multi-Factor Authentication (MFA) solution enabled as of January 2020, according to Microsoft. My opinion is that any organization on the planet needs to use a Conditional Access baseline. Those organizations often tell me that getting started and maintaining it is a challenge. In other words: start your Conditional Access baseline journey today!
Conditional Access rules have been available since the introduction of Azure Active Directory, so when will you start improving them?
Real-world fact: 99% of attacks can be stopped as soon as a Conditional Access baseline is implemented.
The bullet list below summarizes why any organization must use a Conditional Access baseline.
- Your co-workers don’t use unique passwords. They admit to reusing the same password for multiple services, such as their personal e-mail account and their business account. A second authentication factor stops attackers even when a password is compromised.
- Phishing messages look legit nowadays. A good example I’ve seen is one where employees were tempted to fill in their credentials to start the mailbox migration. The timing of that event was perfect because we had just changed the MX records.
- Nowadays organizations migrate their data to the cloud. Using any cloud service without a Conditional Access baseline in place is a big risk: attackers only need a password to access (sensitive) data.
- Industry-specific regulations and standards such as ISO and NEN7510.
- The majority of attacks are executed by script kiddies who try to guess passwords with automated tooling. Many of those tools fail as soon as a second authentication factor is required.
What is an MFA verification factor for me?
Enterprise organizations are migrating their data to cloud services, so (on-premises) network equipment adds less value in protecting resources. The new protection layer is identity. Additional verification methods help determine whether the authentic user is authenticating or someone else. Examples of additional verification methods are:
- Phone call / SMS
- Authentication app
- A managed and compliant workplace
Nowadays employees expect to work independently of location and device. Because of this, it’s a challenge to support both the BYOD and C/HYOD workplace scenarios while guaranteeing data integrity. Often an organization’s security baseline states that company data may only be accessed from managed and compliant workplaces. Therefore, the managed workplace is an MFA verification factor for me. A benefit of using the managed workplace as an MFA authentication factor is that the user does not notice it during authentication.
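As an added example (not code from the original post or its follow-up), this is how that rule can be expressed as a Conditional Access policy with the Microsoft Graph PowerShell SDK: a compliant, managed device OR a second factor, for all users and all cloud apps. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the break-glass group id is replaced with your own; the policy starts in report-only mode so you can review sign-in logs before enforcing it.

```powershell
# Added example, not the original post's code. Creating policies requires the
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All delegated permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object id of the group holding your emergency accounts.
$breakGlassGroupId = "<object-id-of-your-break-glass-group>"

$policy = @{
    displayName = "CA-Baseline-001: Require MFA or compliant device for all users"
    # Report-only first: the policy is evaluated and logged but not enforced.
    # Switch to "enabled" once the sign-in logs show no unexpected blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: a managed and compliant workplace satisfies the requirement without
        # a prompt; any other device must present a second authentication factor.
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' with state '$($created.State)'"

# Check: list all policies and their state, so report-only ones are not forgotten.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Review the "Report-only" column of the Azure AD sign-in logs for a while before changing the state to "enabled".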
This is the first blog of a series about Conditional Access, which of course includes MFA. The next blog describes how you can implement a Conditional Access baseline via code (published April 2020). Remember, it’s a journey towards a new security posture that helps you protect the employees and the organization’s valuable assets.
In summary, create your first Conditional Access Policy today and increase the security-maturity level of your organization.
- WorkplaceAsCode.com – Insights in privilege accounts via workbooks
- Microsoft – Learn about Conditional Access and Intune
- ZDNet – 99.9% of compromised accounts did not use multi-factor authentication