Ever feel like your conditional access policies are a tangled mess you can’t make sense of? Whether you’re just starting or have been in the game for a while, this guide is here to help you simplify access policies. Let’s keep things straightforward and effective so you can quickly grasp what each policy does without any mental gymnastics.
We’ll dive into a simple naming approach to make your life easier and your policies clearer. However, before we get into it, remember there’s no one-size-fits-all method for structuring these policies. They’re driven by security and business needs, but we’ll save that for another time. Let’s get started!
Why Simplify Access Policies?
What do conditional access policy names have to do with overall performance and operations? How challenging is it to keep track of these policies mentally? Complex policy names can significantly impact deployment and troubleshooting efforts. So, how can an administrator preserve simplicity, even amidst multiple layers of conditional access controls? This concern is critical in cybersecurity, where clarity and efficiency can make a significant difference in securing an organization’s assets.
Common Aggravation
Conditional access policies can be inherently complex – yes, we know this. Any administrator can easily become overwhelmed by the sheer number of policies along with arbitrary names. This is precisely why we’ll start at the most basic level — simplify access policies with clear naming conventions.
Prior to diving into naming standards, let’s first touch on a best practice. Your security controls ideally should ALWAYS (where possible) be separated into distinct conditional access policies. Furthermore, avoid trying to combine more than one requirement (or use-cases) into a SINGLE conditional access policy containing multiple controls. This is a recipe for future trouble. Break these requirements out in their own policy. For instance, the following four CISO requirements should receive their own conditional access policies. This not only avoids complexity, which will inevitably prove challenging to grasp, but more importantly will help troubleshoot efforts.
CISO Requirements (Use Cases): Block legacy client authentication, including prohibited countries for B2E users, restrict risky sign-ons for all users and allow access for high-risk users requiring MFA and password change.
Conditional Access Policies (business controls):
- Block – Legacy Authentication
- Block – B2E User – Prohibited Countries
- Block – All User – High & Medium Risky Sign-ons
- Grant – All User – High-Risk Users with MFA & Password Reset
The rule is: Distinctly separate controls into different policies. Never try to add or overlap more than one control into a single policy. It can sometimes require two or more policies to accomplish what you’re trying to achieve.
Introduction to Naming Conventions
Adopting naming conventions for conditional access policies can significantly simplify your management process. Traditionally, when administrators do not adopt naming conventions, the result is a chaotic and confusing environment where policies are difficult to manage, troubleshoot, and understand. This often leads to increased errors, longer resolution times, and overall inefficiency. Here are three straightforward naming conventions administrators should consider adopting to drastically simplify access policies:
Key Action to Simplify Access Policies
- Key Action: Define the key action that your policy performs, such as Grant or Block access control or whether it is a session control.
Applicability to Simplify Access Policies
- Applicability: Define who or what the policy primarily applies to. Incorporate this into your conditional access policy name. For example, does the policy apply to a user, guest, group, privileged role, device, application, or a particular condition (risky user, sign-in risk, etc.)?
Required Action to Simplify Access Policies
- Required Action: Include what is being required, such as Legacy MFA, Authentication Strength: phishing resistance, trusted device (aka: hybrid joined or compliant), require password change, etc.
The excellent news about conditional access policy names is they support up to 128 characters. make your names a descriptive as your heart desires. However, the bad news is Microsoft has yet to implement a conditional access policy description field — perhaps in the future.
Adopting clear and consistent naming conventions for your conditional access policies offers several key business benefits. However, this is not an effort to sprinkle fairy dust on an already complex design. Although these recommendations may not fit your business perfectly, above all, adopt a standard naming convention that works for your business, where others are able to understand policies at a glance.
Examples to Simplify Access Policies
- Grant – Device Registration – Auth Strength: MFA
- Grant – Security Registration – Trusted Network & Auth Strength: MFA
- Grant – Privileged Role – Auth Strength: Phishing-resistant
- Grant – B2E User – Hybrid & Compliant Device
- Session Control – International Travel – Sign In Frequency: 24 hours
Best Practices for Simplifying Access Policies
- Separate Use Cases: Always distinctly separate different use cases into individual policies to avoid complexity.
- Clear Naming: Use clear and descriptive names for each policy to ensure that their function is immediately apparent. Adopt a standard.
- Regular Review: Periodically review and update policies to ensure they remain effective and aligned with business needs.
Positive Payoff
By adopting these naming conventions, businesses can significantly simplify access policies, making them easier to manage and troubleshoot. Moreover, administrators will find it simpler to understand and deploy these policies, leading to more efficient operations and improved security. Clear and concise policy names help reduce errors and enhance overall security posture.
Conclusion
In summary, keeping conditional access policies simple and well-organized through clear naming conventions can alleviate a lot of common frustrations and improve security operations. By distinctly separating controls into different policies and clearly defining their purpose, businesses can ensure smoother deployment and troubleshooting processes.
If you found this article helpful, consider subscribing to our newsletter for more insights and best practices on cybersecurity. Also, share this article with your colleagues to help them streamline their conditional access policies too! For specialized IT and Security solutions, contact DTS Inc today.