Trying times like these requires organization to put their best foot forward for the safety of their employees and to enable business continuity. Work from anywhere in view of lock down and work from home is new normal. While some organizations had remote work enabled  with defined technologies and polices for some years  and are now just scaling it for all the employees there is another environment which was not prepared for remote work in terms of Technology, Operations and policies.

This new normal is posing challenges like:

• Protecting Identities
• Un-managed personal devices to access Email and sensitive data and information
• Lowering the guards for seamless access to corporate assets to enable remote working
• Enabling multi factor authentication for accessing corporate VPN and remote services.

Bad powers are keenly watching these opportunity and challenges to make their way to targets for monetary/non-monetary gains.

This blog provides an overview of Microsoft Technologies which may help administrators and governance teams to gain the control back. Another advantage is this is cloud based service and do not need touching the endpoint devices for enabling the control.

Establish identity as the control plane

In the above-mentioned scenarios. The only constant is user identity. That’s why the first step to Zero Trust is making identity your security control plane.

Assume every resource is on the open internet

To ensure the security of your corporate data, the next step is to connect all your on-premises and cloud apps along with your user identities and their devices to the cloud. 

Never trust—always verify

Every access must be verified. Azure AD conditional access provides you the ability to verify identity, device, app, data, and risk signals before allowing access

Recommendations:

Enable your users to securely access cloud apps from outside your corporate network

To protect your organization, it’s essential that when you enable access to cloud apps from personal devices and remote locations, it is done securely. If you’re already using Azure AD Conditional Access, you know it can be used to apply security policies to help ensure the right people have access to the apps they need, in line with your organizational requirements. You can extend your policies to protect all your apps, requiring controls like passing an MFA challenge or using a compliant device. For more information about Conditional Access, go here. If you’re not using Conditional Access, Security Defaults can help keep your users and apps secured

If you already have Conditional Access rolled out in your organization, we recommend you examine your policies and ensure they’re not preventing remote access. Policies that block access when off the corporate network are common and would cause problems. You may find that an alternative combination of Conditional Access controls will enable remote work, while still meeting your security requirements.

Provide secure access to your on-premises apps from outside your corporate network

Most organizations are running lots of business-critical apps on-premises, many of which may not be accessible from outside the corporate network. Azure AD Application Proxy is a lightweight agent that enables internet access to your on-premises apps, without opening up broad access to your network. You can combine this with your existing Azure AD authentication and Conditional Access policies to help keep your users and data secured. 

Alternatively, if you’re using Akamai Enterprise Application Access (EAA), Citrix Application Delivery Controller (ADC), F5 BIG-IP Access Policy Manager (APM) or Zscaler Private Access, Microsoft has partnerships to help you provide remote access securely. For more information about Secure Hybrid Access, go here.

The Best thing with App proxy in current situation is you don't need to touch end point and may easily enable remote access securly.

Collaborate with partners

With the given situation, working closely with business partners can become more difficult. Azure AD’s B2B collaboration capabilities can help you use your chosen collaboration app—including SharePoint, Teams, Box, Dropbox, and Google Drive—securely across company boundaries. For more information, go here.

Support bring-your-own-device

While in the situation organizations are leveraging any available devices, but you can enable access to company data on personally owned devices using Microsoft Intune app protection policies combined with Azure AD Conditional Access.

Conclusion:

By enabling the above mentioned controls you may enable quick and safe  remote access to your valuable corporate resources. 

*PS: These are not the only control, Please assess your risk before finalizing Security architecture.

What is Conditional Access

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.

By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure and stay out of your user’s way when not needed.

Conditional Access policies are enforced after the first-factor authentication has been completed. Conditional Access is not intended as an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but can use signals from these events to determine access.