ΒΆ What is Conditional Access?
Elevate your security measures with Exium SASE's Conditional Access solution, strategically combined with multi-factor authentication (MFA) to fortify defenses against cyber threats aiming at exploiting MFA vulnerabilities. When leveraging Exium's cutting-edge technology, the traffic dynamics shift significantly through the encryption of connections by the Exium Client to the Exium Cybermesh. This encryption process conceals corporate egress IP addresses, presenting only the designated "Egress IP" associated with Exium's Cybernode to cloud/SaaS applications and Identity Provider (IdP) platforms.
Conditional Access creates a software-defined perimeter (SDP), which is based on the relatively simple idea of throwing a virtual barrier around cloud/SaaS applications.
To optimize security efficacy, it is recommended to integrate Exium's Cybermesh IP addresses into your existing IP allowlisting practices for conditional access purposes. Moreover, reinforcing your authentication protocols with robust MFA mechanisms provided by your IdP further strengthens your defense mechanisms, creating a comprehensive shield against potential cyberattacks.
ΒΆ Enhance security with unique egress IP addresses
Unlike managing your own security infrastructure with unique IP addresses, the transformation to SaaS-based security often provides a shared IP address pool. To avoid misuse of shared IP addresses, dedicated egress IP addresses provided by Exium are unique to you.
Exium Cybermesh is the worldβs largest, highest-performing, and most connected security private cloud and powers the real-time, inline, and out-of-band security services of the Exium Security Cloud. Exium dedicated egress IP addresses can be implemented in any of the Cybernodes.
ΒΆ Key Use Cases of exclusive egress IP addresses
Strengthen your application and cloud security with exclusive egress IP addresses:
|
Ensure secure SaaS/IaaS connectivity: |
Prevent unauthorized access: |
Enhance reputation management: |
Tailored cloud security management: |
|---|---|---|---|
| Safeguard access to vital business apps and cloud services exclusively from dedicated egress IPs for heightened security protocols. | Shield business-critical cloud resources by blocking compromised or unauthorized access attempts from outside designated egress IP addresses. | Opt for unique egress IPs to avoid shared IP pools, mitigating reputation risks and potential inclusion in blocklists. | Elevate your cloud security measures by leveraging dedicated egress IPs, ensuring more robust access controls for SaaS applications and fortified customer security through distinct source IPs. |
ΒΆ Key Features and Benefits
Enhance security to applications and cloud services with dedicated egress IP addresses:
|
Feature |
Capabilities |
Benefit |
|---|---|---|
| Dedicated Egress IP Addresses | Specific static and unique egress IP addresses assigned to your tenant to enhance company SaaS/ IaaS / hosted secure access. |
Enhance SaaS/IaaS access security. Only allow access from unique, static dedicated egress IP addresses to your business-critical applications and cloud services. |
| Block compromised credentials | Prevent compromised or shared access credentials from IP addresses outside your dedicated egress IP addresses to business-critical cloud or hosted resources. | Phishing and fake logins continue to compromise credentials; block these access attempts from IP addresses outside your dedicated IP addresses. |
| Avoid shared reputations | Dedicated egress IP addresses ensure business continuity avoiding shared reputations and blocklists associated with shared IP address pools. | By default, SaaS security solutions use shared IP address pools where other customers can impact the IP reputation and inclusion on IP block lists. |
| Deliver a superior digital experience | Fast low-latency traffic on-ramps, full compute Cybernodes at the edge as close to users as possible. | Provide a secure and fast user experience for hybrid workers and offices with Cybermesh, the worldβs largest, highest performing security private cloud. |
ΒΆ Activating Conditional Access in Exium Portal
You can configure conditional access in the centralized admin console by following the steps described in Traffic Steering in Exium's SASE Platform.
ΒΆ Configuring Conditional Access to Salesforce
Learn how to safeguard your organization's sensitive data by implementing IP address restrictions in Salesforce. Read the article on "Restricting Login IP Addresses in Profiles."
ΒΆ Configuring Conditional for Microsoft Cloud Apps (M365)
For details, please refer to Microsoft Entra Conditional Access documentation.
ΒΆ Step 1. Create Named/ Trusted Location
- Go to your Microsoft Entra admin center β Protection β Conditional Access β Named Locations
- Name and Create an "IP ranges location"
- Mark the location as trusted if you like
- Enter the Exium IP ranges (subnets). If you have a single dedicated IP, enter just the IP.
- Save
ΒΆ Step 2. Create a Conditional Access Policy
- Protection β Conditional Access β Policies
- βNew Policyβ
ΒΆ Step 3. Provide Conditional Access Policy Details
- Select the Users, Target Resources (examples: all cloud apps, O365 etc.)
- Conditions β Locations
- Under locations, select Include βAll Locationsβ and Exclude a specific βNamed Locationβ or βall trusted locationsβ.
- Under Grant, select βBlock accessβ. This will block access from all locations but the Trusted or Named location(s). Since you have defined the Trusted or Named location as Exium IP ranges, this means that you will be given access when you are connected on Exium and coming from the Trusted or Named location (Exium IP ranges). Otherwise, you will be denied access.
- Select βOnβ under βEnable policyβ
- Save
After a few minutes, try to login to your Microsoft Cloud apps. If you are connected on Exium SASE and have configured the IP ranges correctly, you will be given access. If you are not connected on Exium, you will get a web page that looks as below:
To learn more about implementing SASE for your organization and explore tailored solutions that meet your unique requirements, contact Exium at partners@exium.net for a consultation or demonstration. If you are ready to get started, check out our testing and onboarding process.