By now, you’ve probably heard terms like conditional access and zero trust plenty of times. They’re all over the IT industry, and we’ve written about them, too.
Today, I want to do two things. First, write down our canonical definition so that we have something to point to. Second, I want to explain why conditional access / zero trust is the most important trend in end user computing since mobile devices and cloud apps came along.
What is zero trust / conditional access?
We came from a world where access to resources was often based merely on being in the right group, connecting from the corporate network, and having a username and password. This was fine when we all had Windows PCs and all our apps were on premises, and we made it work for laptops using VPNs.
But this old model really started to break down in the last 10 years. Devices got a lot more diverse and more mobile—you couldn’t count on them being a Windows laptop on your network. Cloud apps were obviously not on our corporate network either. And thanks to trends like consumerization, IT often had no control (or sometimes didn’t even know this was happening).
Fortunately, we’ve come a long way since then. Mobile devices and apps have management APIs that we can control via enterprise mobility management software. We can easily control cloud apps, thanks to identity standards and IDaaS platforms. This is a big deal—we can now fully manage cloud and mobile!
But really, this doesn’t get us all the way to where we need to go. You can have EMM and IDaaS in place, but what good is it if users can still sign in to SaaS apps like Salesforce from any random device they pick up?
This is where conditional access comes in: You cross-reference the EMM and IDaaS policies so you can have more control. A very basic form of conditional access involves making sure that users are accessing SaaS apps only from managed devices. There are several ways of doing this, and they’ve been around for a couple of years now. For example, you can:
- Use MDM to distribute certificates, which are in turn required to authenticate to SaaS apps.
- Use APIs to have your IDaaS do a device compliance check with your EMM.
- Use integrated IDaaS/EMM platforms, like when AirWatch was integrated with VMware Identity Manager.
Another way that we talked about the conditional access and zero trust concept early on was by treating all of your users as remote users, even when they’re in the office. Instead of the security perimeter being the distance that your corporate Wi-Fi stretches, it’s at the actual resources.
How conditional access and zero trust expand
Beyond simply checking that a device is under management, there are a million ways that conditional access and zero trust can get more nuanced and more powerful.
First, authentication is getting smarter, stronger, and easier. EMM helped certificates replace cumbersome usernames and passwords on many mobile devices, and mechanisms like authenticator apps, biometrics, and YubiKeys are spreading. We know that two-factor is essential, but soon we’ll have systems that can authenticate users by many factors, such as their overall behavior. In the future, authentication could be continuous (and hopefully recede into the background).
Next, we’re getting a much more nuanced and closer view of risk. We can ask how strongly the user has been authenticated; we can look at the type of device and its security stance; and we can look at the content in the app (in real time). For example, we can see if a user has been downloading tons of files or has tried to log in from the other side of the world. Plus, we can pull in data from external threat and information feeds.
With these things in place, we can change authentication techniques, app delivery methods, and data access in real time.
For example, if everything looks normal, let a user session in a low-risk app go on for a while. Say, during the course of a day at your desk, you only have to enter your password once in the morning. But if something looks odd, like there’s a new location or device or odd behavior in the app, then do a step-up authentication, alert an admin, or even cut off access.
Or, if a user is on a corporate device, let them access a native app or web app. When they’re on a personal device, serve them the same app but in a virtual desktop or remote browser, and apply DLP policies so they can’t download or copy/paste any data.
Conditional access also helps enable lots of different endpoint management models. For example, with a mobile device, you could:
- Require full MDM enrollment.
- Not worry about the device, but stipulate the use of an app with built-in security features (like an enterprise email client versus native ones).
- Have a mobile threat defense agent examine the state of the device.
- Or just build logic into your app that verifies the device encryption, OS, and root/jailbreak status.
Similar concepts can be applied to Chromebooks, Windows, Macs, tablets, Android, iOS, personal devices, corporate devices, partner devices—you get the idea.
And all this isn’t just for cloud apps—you can run the access controls and authentication for your traditional on-premises apps through an IDaaS, as well.
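The real-time decisions described above (step-up authentication on a new device or location, cutting off access when several anomalies line up, serving personal devices a remote session with DLP, and refusing devices that fail encryption or root/jailbreak checks) expressed as a small policy engine. This is an added, hypothetical example, not any vendor’s policy language; the signal names, the severity ordering, and the rule that two anomalies together mean denial are my assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AccessContext:
    """Signals the post describes: authentication strength, device posture and behaviour."""
    app_sensitivity: str      # "low" or "high"
    auth_factors: int         # 1 = password only, 2 = password plus a second factor
    device_managed: bool      # enrolled in EMM, or passed the IDaaS-to-EMM compliance check
    device_encrypted: bool
    rooted_or_jailbroken: bool
    known_device: bool        # this user has signed in from this device before
    known_location: bool      # sign-in location is consistent with recent history
    bulk_download: bool       # in-app signal: user is pulling down large numbers of files

@dataclass
class Decision:
    action: str               # "allow", "step_up" or "deny"
    delivery: str = "native"  # "native" app, or "remote" (virtual desktop / remote browser)
    dlp: bool = False         # block download and copy/paste inside the remote session
    alerts: list = field(default_factory=list)   # what to tell the admin

def evaluate(ctx: AccessContext) -> Decision:
    """Reduce the signals to one decision; rules run from most to least severe (assumed order)."""
    # 1. Device posture: an unencrypted or rooted device is refused regardless of the rest.
    if ctx.rooted_or_jailbroken or not ctx.device_encrypted:
        return Decision("deny", alerts=["device posture check failed"])
    # 2. Anomalies: a new device or location, or odd behaviour inside the app.
    anomalies = [name for name, seen in (("new device", not ctx.known_device),
                                         ("new location", not ctx.known_location),
                                         ("bulk download", ctx.bulk_download)) if seen]
    if len(anomalies) >= 2:          # several anomalies together: cut off access and alert
        return Decision("deny", alerts=anomalies)
    decision = Decision("allow")
    if anomalies:                    # a single anomaly: step-up authentication and alert
        decision.action, decision.alerts = "step_up", anomalies
    # 3. A sensitive app is never reached on a single factor, even when nothing looks odd.
    elif ctx.app_sensitivity == "high" and ctx.auth_factors < 2:
        decision.action = "step_up"
    # 4. Personal devices get the same app, but through a remote session with DLP applied.
    if not ctx.device_managed:
        decision.delivery, decision.dlp = "remote", True
    return decision

if __name__ == "__main__":
    # Constructed sample: a normal morning sign-in from a managed laptop to a low-risk app.
    desk = AccessContext("low", 1, True, True, False, True, True, False)
    print(evaluate(desk))            # allow, native, no DLP, no alerts
    # Constructed sample: the same user, same app, from a personal phone in a new country.
    abroad = AccessContext("low", 1, False, True, False, True, False, False)
    print(evaluate(abroad))          # step_up, remote delivery with DLP, alert "new location"
```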
Doing conditional access and zero trust—especially with all the bells and whistles described above—does require a few building blocks to be in place.
You need a good unified endpoint management strategy, you need to be doing modern identity management, and you often need to think about having client apps for many different platforms.
Furthermore, you need a very powerful policy engine. This is a practical place where machine learning might be able to help us soon. There are so many variables that you can’t hand-build policies for all of them, but some ML and other types of automation will help get the job done.
To see how important these policies have become, look at VMware Workspace One Intelligence or Citrix Analytics. These are the conceptual descendants of management consoles that have been around for years, but now they’re getting their own dedicated branding, product management, and modern infrastructure to power them.
Many other vendors in EUC, identity, and security are retooling their messaging, products, and approaches around this concept, as well.
What’s in a name?
Conditional access and zero trust concepts have been around for a few years now, but one big issue is that we haven’t settled on a name. Here are all the terms that I could think of, with a few notes on each:
- Conditional access: Microsoft EMS seems to be owning this term, but I believe it’s the one that will win out.
- Zero trust: This one has more security-focused connotations, and is used by many vendors. (Plus, our SEO expert Kyle said that it’s currently the most popular term.) Some people don’t like it, because technically, we do put some trust in users and devices at times, as described above. It’s just that we verify the trust a lot, and the scope of what we trust is much more focused.
- Post-perimeter security: Used by Lookout. I like that it’s descriptive.
- BeyondCorp: Based on Google white papers.
- CARTA: A Gartner acronym for continuous adaptive risk and trust assessment.
- Contextual access: Used by Citrix, Google Cloud Identity, and a few others.
- Device trust: Used by Okta and some SaaS apps.
Why this is so important
It should be evident by now—either from watching all the moves that our industry has been making, or by reading this—that conditional access and zero trust are just the way end user computing should work. This is how we make the “any-any-any” vision we’ve been talking about work securely. I’m excited to see how this develops, because I truly believe that these concepts are the most important thing in our industry since mobility and the cloud.