SSO, MDM, Conditional Access – Where do we start when planning?

In a mobile first world, with users having unlimited information at their fingertip, remote access to company resources is not only crucial but competitively necessary in some industries.  

However, there are also many challenges and risks involved in accessing devices and data from different locations and networks. How can one choose the best tools for handling these hurdles effectively and securely? How can we manage or add Single-Sign on, Conditional access, or MDM?  

Safeguarding Remote Work

During the pandemic companies were forced to handle remote work in scale regardless of preparedness. If your company is transitioning to a cloud-centric workforce, whether you’re looking to finalize your roadmap or simply figuring out where to begin, join me as I break down the key questions you should ask to ensure you’re fully prepared. 

You’re probably familiar with older concepts like VPN or remote desktop. When I started my career, managing “Server 2000 boxes” tucked away in random closets, the thought of Microsoft moving away from AD branding and adopting new conventions like Entra would have been laughable. But here we are, and it makes sense—companies are realizing that the traditional methods alone aren’t enough to secure and manage today’s workforce, which operates from anywhere. 

Zero Trust

With a Zero Trust mindset, modern security requires more advanced tools, like Single Sign-On (SSO), Conditional Access, and Token-based authentication, to provide users with a seamless yet secure experience. Even if you’re using two-factor authentication (2FA) or multi-factor authentication (MFA), your data can still be vulnerable—especially with the rise of Pass-the-Cookie attacks. So, it’s time to consider evolving your approach to meet the demands of today’s mobile, cloud-first environment. 

As a security professional, you’re constantly balancing usability and stability with the ever-present risks of cyber threats. You know that employees may resist changes, especially if those changes impact their workflow or productivity. At the same time, you want to provide new users with a seamless, secure experience that instills confidence, while also avoiding unnecessary headaches for your existing team. That’s why your goal is to build a system that not only protects your data but also evolves with changing threats, all without compromising the user experience. 

So, before we start introducing vendors with the best solutions, who have hundreds of sales pitches ready to show you, what questions should we ask? 

Questions: 

– What kind of devices and platforms are involved?  

– Are their devices personal or corporate-owned? 

– What kind of data and applications need to be accessed?  

– How often and for how long does remote access need to occur and what role base access is needed?  

– What are the security and compliance requirements?  

To help you choose the optimal solution for your corporate ecosystem, expanding these questions should help clarify your goals, needs, and preferences. These questions will also help us understand the current state of your ecosystem and the challenges you are facing. By answering these questions, you will provide your team with valuable insights that will guide you in the decision-making process. 

What kind of devices and platforms are involved?  

These factors significantly impact the security and compatibility of your remote work solutions. While I won’t dive into a platform-by-platform comparison (you can find plenty of those on Reddit), anyone who’s worn the administrator hat has likely dealt with supporting hardware they’d rather avoid. The primary objective is to clearly understand your current device landscape and the level of support required for each platform. Not all solutions can manage every platform equally well, so during this assessment, you might need to adjust your policy’s scope. For instance, you may decide to filter out End-of-Life operating systems, certain mobile devices, or older, less secure hardware. 

If you’re working with both Windows and Apple devices, ensure the platform you choose can manage both seamlessly. While it’s possible to use different MDM solutions for different OSs, simplicity and scalability are often better achieved with fewer, more unified tools. Many MDM administrators managing multiple platforms would likely prefer consolidation for easier management. 

Are their devices personal or corporate-owned?  

One of the key issues in device management is the ownership of the devices. Are they provided by the organization or are they the personal property of the employees? This distinction has significant implications for the level of control, security and support that can be applied to these devices. In this paper, we will not delve into the pros and cons of each ownership model, but rather focus on the question of whether we should support these devices at all. This decision depends on various factors, such as the business needs, the user preferences, the legal and regulatory requirements, and the available resources. 

What kind of data and applications need to be accessed?  

For example, some common ones are email, files, databases, CRM, ERP, etc. You also need to check if these vendors or platforms support SSO (SAML as a standard), auto provisioning, and other modern integrations. These features can help you streamline the authentication and authorization process for your remote workers. Additionally, you need to assess the security of these platforms that are storing your data. If they are not safe, you should plan to retire or replace them with more secure alternatives. You should also consider if your company has a vendor risk assessment process to ensure that all new vendors you work with have these features or plan to have them before you introduce them into your environment. This will streamline the process of adding new applications to your environment to follow the new standard that you have put in place. It may be time to also talk internally about the discussion of systems or protocols that may be dragging you down. That one product that can only use LDAP or that one product that doesn’t support proper SSO may need to be on the chopping block.

How often and for how long does remote access need to occur and what role base access is needed?  

You need to estimate the frequency and duration of remote access sessions, and how they may vary depending on the role, location, and time zone of your employees. Software can only go as far as the policies and procedures you have in place. Outlining all your current employees’ titles, roles and reasonability is such a valuable tool when provisioning. That does not mean roles will not change over time but making sure you have a good baseline will make sure you know the requirements in the software you pick to enforce these “roles”. 

In the final question, we must specify what settings we want to verify and enforce before network. What are the security and compliance requirements?  

Do we want to mandate encryption, security software, lock screens, etc. for all devices? The more safeguards we put in place the more we can strengthen our overall security program. Let’s look at just one of the requirements we have as an organization, Device Encryption. All desktops, laptops, mobile devices should be encrypted before accessing the corporate network, right? Having a product that can set encryption is great but having a product that can use conditional access to check the machines encryption before granting access is really going to be your safeguard for your environment. This is just one example of a requirement you may have in your policies or requirements for your compliancy, but every rule needs to be enforced and checked in some fashion to make sure it is compliant all year and not just around compliancy season. 

Thank you for taking the time to read this article. We hope it has provided valuable insights and sparked ideas for your own security projects and initiatives. While this is not an exhaustive guide, we aim for it to serve as a helpful starting point for further exploration and planning. If you have any questions or would like to discuss your security challenges in more detail, the Zyston team is here to support you. We’re committed to helping organizations like yours make informed, effective decisions to strengthen your cybersecurity posture.