WEBVTT

1
00:00:00.060 --> 00:00:01.290
<v Instructor>In this lesson,</v>

2
00:00:01.290 --> 00:00:04.620
we will learn about conditional access.

3
00:00:04.620 --> 00:00:06.750
Conditional access policies

4
00:00:06.750 --> 00:00:10.410
grant or deny access to resources

5
00:00:10.410 --> 00:00:12.810
based on specific conditions,

6
00:00:12.810 --> 00:00:15.960
such as user identity, device status,

7
00:00:15.960 --> 00:00:18.930
or other contextual factors.

8
00:00:18.930 --> 00:00:23.310
Conditional access concepts include configuration,

9
00:00:23.310 --> 00:00:27.210
user-to-device binding, time-based conditions,

10
00:00:27.210 --> 00:00:30.270
and geographic location conditions.

11
00:00:30.270 --> 00:00:34.500
Configuration requires the setup and customization

12
00:00:34.500 --> 00:00:38.520
of conditional access policies to ensure they align

13
00:00:38.520 --> 00:00:42.180
with an organization's security requirements.

14
00:00:42.180 --> 00:00:46.080
User-to-device binding is a security measure

15
00:00:46.080 --> 00:00:50.790
that links a user's identity to a specific device.

16
00:00:50.790 --> 00:00:54.270
Time-based and geographic location conditions

17
00:00:54.270 --> 00:00:57.000
add additional layers of security

18
00:00:57.000 --> 00:01:00.300
by restricting access to certain times of day

19
00:01:00.300 --> 00:01:03.390
or specific geographical areas.

20
00:01:03.390 --> 00:01:06.270
Let's learn more about configuration,

21
00:01:06.270 --> 00:01:10.140
user-to-device binding, time-based conditions,

22
00:01:10.140 --> 00:01:13.410
and geographic location conditions.

23
00:01:13.410 --> 00:01:16.380
First, we have configuration.

24
00:01:16.380 --> 00:01:18.600
Configuration is the process

25
00:01:18.600 --> 00:01:23.280
of setting up and customizing conditional access policies

26
00:01:23.280 --> 00:01:27.240
to align with an organization's security needs.

27
00:01:27.240 --> 00:01:30.870
Now, this involves defining the rules and parameters

28
00:01:30.870 --> 00:01:35.700
that determine how and when access is granted or denied.

29
00:01:35.700 --> 00:01:38.430
Configuration sets the foundation

30
00:01:38.430 --> 00:01:41.610
for all other conditional access measures,

31
00:01:41.610 --> 00:01:44.220
ensuring that security controls

32
00:01:44.220 --> 00:01:47.100
match the organization's risk profile

33
00:01:47.100 --> 00:01:49.800
and compliance requirements.

34
00:01:49.800 --> 00:01:53.580
During this process, security teams identify

35
00:01:53.580 --> 00:01:57.480
which users, devices, and applications

36
00:01:57.480 --> 00:02:01.080
should be subject to specific policies,

37
00:02:01.080 --> 00:02:04.230
setting up conditions that control access

38
00:02:04.230 --> 00:02:07.320
based on factors like user role,

39
00:02:07.320 --> 00:02:11.940
device compliance, and sensitivity of the resource.

40
00:02:11.940 --> 00:02:16.710
For example, an organization might configure a policy

41
00:02:16.710 --> 00:02:20.940
that only allows access to a financial application

42
00:02:20.940 --> 00:02:24.750
if the user is part of the finance department,

43
00:02:24.750 --> 00:02:27.390
uses a company-managed device,

44
00:02:27.390 --> 00:02:30.810
and is connected to the corporate network.

45
00:02:30.810 --> 00:02:34.230
This type of configuration helps ensure

46
00:02:34.230 --> 00:02:36.720
that only authorized personnel

47
00:02:36.720 --> 00:02:39.450
can access sensitive resources,

48
00:02:39.450 --> 00:02:43.200
reducing the risk of unauthorized access.

49
00:02:43.200 --> 00:02:46.740
This configuration process also includes

50
00:02:46.740 --> 00:02:50.040
setting up exceptions and exclusions,

51
00:02:50.040 --> 00:02:54.420
such as allowing emergency access for key personnel

52
00:02:54.420 --> 00:02:59.190
to ensure business continuity while maintaining security.

53
00:02:59.190 --> 00:03:02.670
Configuration is not a one-time task

54
00:03:02.670 --> 00:03:04.740
but an ongoing process

55
00:03:04.740 --> 00:03:08.280
that needs regular review and adjustment.

56
00:03:08.280 --> 00:03:11.580
As threats evolve and business needs change,

57
00:03:11.580 --> 00:03:16.530
security teams must continuously update access policies

58
00:03:16.530 --> 00:03:18.420
to keep them effective.

59
00:03:18.420 --> 00:03:22.560
Second, we have user-to-device binding.

60
00:03:22.560 --> 00:03:26.190
User-to-device binding is a security measure

61
00:03:26.190 --> 00:03:28.770
that links a user's identity

62
00:03:28.770 --> 00:03:31.890
to a specific approved device.

63
00:03:31.890 --> 00:03:36.570
This ensures that access to resources is only granted

64
00:03:36.570 --> 00:03:39.150
when the user is using a device

65
00:03:39.150 --> 00:03:42.870
that meets the organization's security standards.

66
00:03:42.870 --> 00:03:46.860
The primary goal of user-to-device binding

67
00:03:46.860 --> 00:03:49.740
is to prevent unauthorized access

68
00:03:49.740 --> 00:03:54.060
from unknown or potentially compromised devices.

69
00:03:54.060 --> 00:03:58.350
By tying access rights to specific devices,

70
00:03:58.350 --> 00:04:00.210
organizations can control

71
00:04:00.210 --> 00:04:03.750
where and how their resources are accessed,

72
00:04:03.750 --> 00:04:07.770
reducing the likelihood of security breaches.

73
00:04:07.770 --> 00:04:11.310
An example of user-to-device binding

74
00:04:11.310 --> 00:04:14.250
is when an organization restricts access

75
00:04:14.250 --> 00:04:16.260
to its internal systems

76
00:04:16.260 --> 00:04:20.970
so that only company-issued laptops can connect to it.

77
00:04:20.970 --> 00:04:24.030
Even if a user's credentials are stolen,

78
00:04:24.030 --> 00:04:27.630
the attacker would still not be able to gain access

79
00:04:27.630 --> 00:04:30.600
without the associated device.

80
00:04:30.600 --> 00:04:33.750
This binding can be enforced using tools

81
00:04:33.750 --> 00:04:35.940
like mobile device management,

82
00:04:35.940 --> 00:04:38.430
which ensures that devices are compliant

83
00:04:38.430 --> 00:04:42.750
with security policies, such as having encryption enabled,

84
00:04:42.750 --> 00:04:44.880
the latest updates installed,

85
00:04:44.880 --> 00:04:47.850
and approved security software running.

86
00:04:47.850 --> 00:04:50.700
Implementing user-to-device binding

87
00:04:50.700 --> 00:04:55.230
requires a clear inventory of authorized devices

88
00:04:55.230 --> 00:04:59.790
and a complete management system to enforce compliance.

89
00:04:59.790 --> 00:05:03.840
By combining identity and device security,

90
00:05:03.840 --> 00:05:08.010
user-to-device binding strengthens access control

91
00:05:08.010 --> 00:05:11.490
and enhances organizational security.

92
00:05:11.490 --> 00:05:15.060
Third, we have time-based conditions.

93
00:05:15.060 --> 00:05:19.170
Time-based conditions restrict access to resources

94
00:05:19.170 --> 00:05:21.330
based on specific times,

95
00:05:21.330 --> 00:05:24.180
aligning access with business hours

96
00:05:24.180 --> 00:05:27.000
or predefined time windows.

97
00:05:27.000 --> 00:05:31.050
These conditions help prevent unauthorized access

98
00:05:31.050 --> 00:05:34.830
during off-hours when monitoring might be lower

99
00:05:34.830 --> 00:05:38.670
and unusual activity could go unnoticed.

100
00:05:38.670 --> 00:05:41.940
Time-based conditions are especially useful

101
00:05:41.940 --> 00:05:45.600
for organizations that want to minimize risks

102
00:05:45.600 --> 00:05:48.030
by ensuring access is limited

103
00:05:48.030 --> 00:05:52.200
to times when users are expected to be working.

104
00:05:52.200 --> 00:05:55.830
A simple example of time-based conditions

105
00:05:55.830 --> 00:06:00.660
is a policy that allows access to an internal dashboard

106
00:06:00.660 --> 00:06:03.441
only during standard working hours,

107
00:06:03.441 --> 00:06:06.450
such as 8:00 AM to 6:00 PM.

108
00:06:06.450 --> 00:06:11.010
If a user tries to log in outside of these hours,

109
00:06:11.010 --> 00:06:14.160
access is automatically denied,

110
00:06:14.160 --> 00:06:17.490
reducing the risk of unauthorized activities

111
00:06:17.490 --> 00:06:22.440
during times when the organization may not be fully staffed.

112
00:06:22.440 --> 00:06:25.560
This helps to protect sensitive data

113
00:06:25.560 --> 00:06:29.490
from potential attacks that occur after hours.

114
00:06:29.490 --> 00:06:33.690
Implementing time-based conditions is a straightforward

115
00:06:33.690 --> 00:06:37.650
yet powerful way to reduce security risks.

116
00:06:37.650 --> 00:06:40.230
Additionally, time-based policies

117
00:06:40.230 --> 00:06:43.620
can be tailored to different user groups,

118
00:06:43.620 --> 00:06:46.260
allowing flexibility for employees

119
00:06:46.260 --> 00:06:49.860
who need access outside of typical hours,

120
00:06:49.860 --> 00:06:52.770
such as IT staff on call.

121
00:06:52.770 --> 00:06:56.880
Time-based conditions also provide valuable data

122
00:06:56.880 --> 00:07:01.880
on access patterns, helping to identify unusual activity

123
00:07:02.310 --> 00:07:05.520
that could indicate compromised accounts.

124
00:07:05.520 --> 00:07:10.520
Fourth and last, we have geographic location conditions.

125
00:07:10.860 --> 00:07:14.790
Geographic location conditions restrict access

126
00:07:14.790 --> 00:07:18.780
based on the physical location of the user.

127
00:07:18.780 --> 00:07:23.780
These conditions use location data, such as IP addresses,

128
00:07:24.240 --> 00:07:26.910
to determine whether an access attempt

129
00:07:26.910 --> 00:07:31.110
is coming from an approved or restricted area.

130
00:07:31.110 --> 00:07:35.460
The geographic controls help prevent unauthorized access

131
00:07:35.460 --> 00:07:37.530
from high-risk regions

132
00:07:37.530 --> 00:07:40.590
or locations outside the organization's

133
00:07:40.590 --> 00:07:43.260
normal operating zones.

134
00:07:43.260 --> 00:07:47.490
This measure is particularly valuable for organizations

135
00:07:47.490 --> 00:07:51.720
that need to comply with regional data privacy laws

136
00:07:51.720 --> 00:07:56.340
or want to limit access to certain geographical areas.

137
00:07:56.340 --> 00:07:58.950
For example, an organization

138
00:07:58.950 --> 00:08:02.970
might implement a geographic location condition

139
00:08:02.970 --> 00:08:06.240
that restricts access to sensitive data

140
00:08:06.240 --> 00:08:09.570
only to users within the United States.

141
00:08:09.570 --> 00:08:14.160
So, if an access attempt is detected from a foreign country,

142
00:08:14.160 --> 00:08:16.350
it is automatically blocked,

143
00:08:16.350 --> 00:08:20.460
helping to protect the organization from potential attacks

144
00:08:20.460 --> 00:08:23.610
originating from untrusted regions.

145
00:08:23.610 --> 00:08:26.400
These controls are especially useful

146
00:08:26.400 --> 00:08:29.070
for companies with remote workforces

147
00:08:29.070 --> 00:08:32.280
as they ensure that access policies

148
00:08:32.280 --> 00:08:37.020
align with both security requirements and business needs.

149
00:08:37.020 --> 00:08:41.490
Geographic location conditions provide a clear boundary

150
00:08:41.490 --> 00:08:44.700
that limits where data can be accessed from,

151
00:08:44.700 --> 00:08:48.330
helping to detect and prevent unauthorized

152
00:08:48.330 --> 00:08:51.240
or suspicious access attempts.

153
00:08:51.240 --> 00:08:53.880
Monitoring location-based access

154
00:08:53.880 --> 00:08:57.570
can also help identify trends or patterns

155
00:08:57.570 --> 00:09:01.230
that may indicate potential security threats.

156
00:09:01.230 --> 00:09:05.670
So, remember, conditional access policies

157
00:09:05.670 --> 00:09:08.790
manage who can access resources

158
00:09:08.790 --> 00:09:11.160
based on specific conditions,

159
00:09:11.160 --> 00:09:15.480
aligning access controls with organizational needs.

160
00:09:15.480 --> 00:09:20.040
Configuration is the process of setting up these policies,

161
00:09:20.040 --> 00:09:23.220
defining how and when access is granted

162
00:09:23.220 --> 00:09:25.860
based on factors like user roles,

163
00:09:25.860 --> 00:09:29.790
device compliance, and resource sensitivity.

164
00:09:29.790 --> 00:09:33.870
User-to-device binding links a user's identity

165
00:09:33.870 --> 00:09:38.870
to an approved device, ensuring that access is only granted

166
00:09:38.970 --> 00:09:42.780
when the user is using a trusted device.

167
00:09:42.780 --> 00:09:45.420
Next, time-based conditions

168
00:09:45.420 --> 00:09:48.180
restrict access to certain times,

169
00:09:48.180 --> 00:09:51.540
helping to prevent unauthorized activities

170
00:09:51.540 --> 00:09:55.710
during off-hours when monitoring may be reduced.

171
00:09:55.710 --> 00:09:59.760
And finally, geographic location conditions

172
00:09:59.760 --> 00:10:04.350
control access based on the user's physical location,

173
00:10:04.350 --> 00:10:06.900
blocking access that originates

174
00:10:06.900 --> 00:10:10.383
from unapproved or high-risk areas.