How Azure AD Conditional Access Strengthens Cloud Security and Compliance
How to strengthen cloud security and compliance
With the rise of the cloud, big data and the proliferation of mobile devices, IT compliance and security need to be a priority for businesses of all sizes, across every industry.
This post will provide an outline of the challenges for compliance and security as businesses transform their processes from an on-premises, fixed-cost IT model to the flexibility that the cloud brings. It will explain how Microsoft’s Azure Active Directory Conditional Access can help organisations meet compliance requirements and improve security by managing Office 365 access.
Compliance and security in the cloud
Compliance is the governance and implementation of policies and procedures to ensure a business adheres to a set of rules and regulations, usually set out by a third party. This includes requirements set by industry standards bodies, by governments or by clients. If a company offers any kind of goods or service, they will most likely have to meet national, international or local standards to sell in that market.
Some industries are more regulated than others, such as banking (to protect the public from volatile market changes) or energy (to protect the environment). But the cost of falling short of compliance is hugely significant for all businesses. This can include:
- Fines for breaking the law or failing to meet industry standards
- Reputational damage and the loss of customer trust
When it comes to IT compliance and security, we have seen an increase in regulation to protect the privacy of customer information and sensitive data, especially in recent years. This includes the EU’s General Data Protection Regulation (GDPR), which has vast implications for organisations.
But compliance also refers to internal requirements set by a company to ensure that everything is run the right way – for instance, establishing stringent security measures around permissions so that only users with secure devices can access sensitive information.
Compliance in the cloud
The cloud has brought about a wide range of benefits, transforming the way we work and how the modern workplace functions. Here’s a selection of ways the cloud is enabling businesses to thrive:
- Lowering running costs
- Allowing better scalability
- Improving collaboration
- Boosting productivity
- Providing flexible working for employees
A 2018 survey indicates just how popular the cloud is becoming, suggesting that 83% of workloads will be run in the cloud by 2020 (incl. public, private and hybrid cloud).
However, the cloud has also introduced new challenges for CIOs and their teams to overcome. The same survey also found that the biggest challenges for organisations using the cloud were:
In the next section of this post, we will address several challenges that have arisen in the era of the cloud.
Cloud compliance and security: the challenges
The cloud brings with it many benefits and can drive changes in a business that have real, lasting effect. It also brings with it significant challenges that must be dealt with. Let’s look at some of these challenges:
Stricter data protection laws, e.g. GDPR
The UK’s Data Protection Act (DPA) was created in 1998 – before the advent of the cloud and big data – and is no longer fit for purpose. Companies now generate and store a volume of data that would have been unimaginable back then.
Often included in this content deluge is sensitive data, such as personally identifiable information (PII). The new legislation gives citizens more rights over their data and imposes stricter regulations that businesses must comply with. If they do not, they risk much harsher penalties: fines that can reach up to €20 million or 4% of annual global turnover.
The emergence of the multi-cloud
It’s not just the size and type of data that’s creating challenges, but also the fact that this data is often stored across multiple cloud services. Many organisations utilise a variety of cloud services from multiple vendors. By moving from a centralised on-premises infrastructure to a multi-cloud one, organisations have gained flexibility and scalability, yet now have a complex web of services to manage.
When data is generated across different SaaS products, organisations must avoid information silos, as being able to access data quickly is essential for compliance. Fortunately, many cloud services are built with compliance and security in mind and are updated regularly to meet the latest requirements or security threats. But remember that your company is always responsible for compliance, not the vendor. Reports suggest there’s some confusion here, with only 39% of respondents saying they thought they were “ultimately responsible”.
The proliferation of apps and devices
Employees today use the latest apps and devices at home and expect the same at work. This has led to companies introducing Bring Your Own Device (BYOD) and Bring Your Own Apps (BYOA) policies. New devices and enterprise apps have the potential to revolutionise how we work by improving communication and collaboration, as well as taking care of menial tasks which can free employees to concentrate on work of greater value.
However, this is harder to manage from a security and compliance standpoint, as it is more difficult to make sure employees avoid doing things they aren’t supposed to. The alternative is to impose strict rules on what is allowed, but then shadow IT becomes an added risk.
The risk of flexible working
Thanks largely to the cloud, flexible working is on the rise, with 70% of workers saying a job offer is more attractive if it includes flexible working options. Allowing employees to work where they want and when they want may seem like a good move for organisations, as a recent study by HSBC suggests that it’s great for productivity, too.
However, when workers are out of the office it becomes harder to check they are following IT policies and keeping company data protected. Some key concerns include sharing sensitive data or accessing important files when using public networks, which are more vulnerable than the secure networks in the office.
The cybersecurity threat
The cybersecurity landscape has changed a lot in recent years. There has been an increase in high-profile cyberattacks, such as the WannaCry attack in 2017, which demonstrated just how vulnerable organisations are. Every business needs to make sure its security is as strong as ever.
The threat isn’t going away any time soon. It only takes one employee to click on a malicious link and unleash a virus on the company’s network. Part of the defence involves training employees to do the right things at the right times, but, because human error is inevitable, strict cloud security and compliance are a must. Permissions management, for example, ensures that only the correct people have access to sensitive data.
Azure AD Conditional Access strengthens security and compliance
CIOs and IT departments have two problematic and often opposing issues to attend to:
- How to unleash the potential of the cloud
- How to adhere to increased compliance and security requirements
Microsoft’s Azure AD Conditional Access solves this by providing greater control over how authorised users access Office 365 and other SaaS services. This allows a business to be confident that its assets and data are secure, while allowing its employees to use the apps and devices they need to work in the cloud.
What is Azure Active Directory?
Azure AD manages identity in the cloud, powering functions like single sign-on and making sure the right people are accessing the right places quickly, easily and securely.
What is Azure AD Conditional Access?
Conditional Access is the capability in Azure AD which allows organisations to control how authorised users access apps in the cloud based on specific conditions. The benefits of this are as follows:
As we have seen earlier, employees tend to use lots of different devices and log into lots of different applications. What’s more, they may be trying to access an app from home, during their commute, in a coffee shop, on a flight or in the office. Such a user is authorised to access the application, but the IT department may want to set some conditions to ensure that all security and compliance requirements are met. For instance, an employee may be logging in on a new device that has not been issued by IT, or may be trying to gain access from an unsafe network or location. You may only want to allow users access when in the office, or you may want to restrict access for users on certain devices, such as Android devices.
Azure AD Conditional Access works by letting you set up a series of conditions and controls to create the rules for what is allowed and what isn’t.
- Conditions can be thought of as “when this happens”
- Access controls can be thought of as “then do this”
E.g. When a user attempts to access Office 365 using an Android device, then deny access.
The condition is: “a user attempts to access Office 365 using an Android device”
The access control is: “deny access”
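The Android rule above, written out and evaluated in Python as an added example (not code from the original post or from Microsoft): the policy dict follows the field names of the Microsoft Graph conditionalAccessPolicy resource, while conditions_match and evaluate are a deliberately simplified model of how conditions and access controls combine across several policies, not Azure AD’s real engine. The break-glass account id is a constructed placeholder.

```python
# Added illustration, not code from the original post or from Microsoft. The policy
# uses the field names of the Microsoft Graph conditionalAccessPolicy resource;
# evaluate() is a simplified model of condition/control combination, not Azure AD's engine.

BLOCK_ANDROID = {
    "displayName": "Block Office 365 from Android",
    # Start with "enabledForReportingButNotEnforced" to see the impact before enforcing.
    "state": "enabled",
    "conditions": {
        # Constructed placeholder: keep a break-glass account out of every block policy.
        "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-object-id>"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def conditions_match(policy, signin):
    """'When this happens': every configured condition must match the sign-in."""
    cond = policy["conditions"]
    users = cond["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin["user"] not in users["includeUsers"]:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    platforms = cond.get("platforms")  # no platform condition means any device matches
    if platforms and "all" not in platforms["includePlatforms"]:
        return signin["platform"] in platforms["includePlatforms"]
    return True


def evaluate(policies, signin):
    """'Then do this': a matching block wins outright; otherwise the grant controls
    of every matching policy accumulate and the user must satisfy all of them."""
    required = set()
    for policy in policies:
        if policy["state"] != "enabled" or not conditions_match(policy, signin):
            continue
        controls = set(policy["grantControls"]["builtInControls"])
        if "block" in controls:
            return "block", set()
        required |= controls
    return "grant", required
```

A second enabled policy with no platform condition and a "mfa" control would match the same Office 365 sign-in from any device, so a Windows sign-in is granted with MFA required while the Android sign-in is still blocked.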
This is how Azure AD Conditional Access helps organisations manage access to Office 365 applications. It provides the ability to improve cloud security and compliance by letting you create robust rules around access to data and applications. Azure AD is pre-integrated with many non-Microsoft applications, including Salesforce and Box, so that organisations can have the same levels of control across all the SaaS services used by their employees.
Make a success of the cloud with Azure AD
Cloud technology has the potential to revolutionise how work is done, but CIOs and their IT departments must find the right balance between unleashing the potential of the cloud and the need for more stringent compliance and security measures.
What’s needed is a robust approach that makes use of Azure AD Conditional Access.
To find out more about using Azure AD Conditional Access to enhance and bolster cloud security and compliance at your organisation, get in contact with Content and Code today.