001: Design Conditional Access posture
Overview
Establish a high level security posture for the organization. This will drive how a cohesive set of conditional access policies will look like, as opposed to individual, disjointed policies in isolation. A Zero Trust policy set should include:
- User Authentication Method Strength controls
- Device posture controls
- User / Sign-In risk
Another key aspect when designing the policy the strategy to target them. Examples of a structured rollout/targeting strategy.
- By "targeting rings": Target policies based on cohorts of users (e.g. by region, or by department, specific teams, etc.) and roll out gradually.
- By resource sensitivity: Catalog resources based on criteria, and associate policies to them (e.g. High business impact, medium business impact, low business impact)
- By persona category: Catalog resources based on criteria, and associate policies to them (e.g. Guests, Executives, Information Workers, Front line workers, etc.)
The lack of a structure targeting results in complexity to predict expected behavior, thus increasing security risk.