According to the recent Global Incident Threat Report from VMware Carbon Black, we are currently witnessing a “renaissance in cybercrime.” The report goes on to note that the rapid shift to remote work has expanded corporate perimeters into employees’ homes, which has contributed to the development of the new threat landscape. As a result, almost a third of respondents see this distribution as the biggest challenge to effective Incident Response, leading to overworked security and IT staff.
Top of the list when it comes to hacking tactics—once again—is the use of stolen or brute-forced credentials, which account for 80% of all breaches classified as hacking according to the 2020 Verizon Data Breach Investigations report. The report details how organizations are experiencing sustained credential stuffing attacks, highlighting this with an example of a honeypot environment that had suffered more than 2 billion attacks. 37% of all breaches either used previously stolen credentials or actually stole credentials in the process of the attack.
One of the most effective tools to reduce the risk of stolen credentials or credential stuffing being successfully used in an attack is requiring all access to use multi-factor authentication (MFA). By now, I think anyone reading this blog will have a full understanding of the what and the why of MFA, but the how of MFA has greatly improved.
Verify in Intelligent Hub multi-factor authentication now globally available
Last summer I wrote a blog describing how multi-factor authentication was being included directly into Workspace ONE Intelligent Hub. Hopefully you signed up for VMware TestDrive and took a look at what a great user experience this integration is.
We are excited to announce that Verify in Intelligent Hub is now generally available to all Workspace ONE Access SaaS customers in all Access tenants.
A key benefit to Verify in Intelligent Hub is that it integrates MFA and employee experience (catalog, workflows, people, etc.) into a single application. This delivers a number of advantages:
- One less app to deploy and maintain—a frequent customer complaint about standalone MFAs
- Ease of onboarding for the user—only one place to go for their applications and authentication
- Enforcement of biometric-based authentication across managed and registered devices
- No phone number required to register the device for MFA
- Faster enablement of secure remote work
You can find more information on the use and configuration of Verify in Intelligent Hub MFA in this great Tech Zone video by Peter Bjork.
The use of multi-factor authentication is just one part of VMware’s broader approach to security, Intrinsic Security. The Intrinsic Security approach utilizes your infrastructure as points of data and points of control and can be the basis to deliver the increasingly popular Zero Trust model as outlined in this commissioned study conducted by Forrester Consulting on behalf of VMware.
Workspace ONE support for Duo MFA
In some instances, organizations may already have an existing multi-factor authentication provider. Workspace ONE has always provided support for third-party MFA solutions through RADIUS, SAML and native integrations for RSA and VMware Verify. As of today, Workspace ONE also supports native integration with Duo, now part of Cisco. This integration not only enables organizations to take advantage of the many authentication capabilities within Duo, but also delivers an improved user experience by presenting the MFA options within the Workspace ONE Intelligent Hub authentication screen. You can find details of the integration by VMware’s very own Steve the Identity Guy in this blog.
It’s time to graduate to conditional access
To further reduce the risk of attack, multi-factor authentication can be combined with the extensive conditional access capabilities of Workspace ONE with Workspace ONE Access.
Conditional access strengthens your access policies by defining conditions which must be met before access is granted (apologies if that’s obvious!).
Workspace ONE can make conditional access decisions based on 4 major factors:
- Who is the user? Contractor, executive, team manager, IT staff etc.
- Where are they connecting from? Inside the corporate network or from home?
- What device are they coming from? What OS, is it managed, unmanaged, etc.?
- What app are they trying to access? Internal, external, high security, etc.?
Workspace ONE Access is able to take this information, and combine it with information from Workspace ONE UEM including:
- Is the device encrypted?
- Does it have a passcode set and is it of sufficient complexity?
- Does it have up to date OS and application patches?
Overview of the comprehensive conditional access options in Workspace ONE Access.
When the user tries to log in, a determination is made on the type of authentication that is required from the user. Additionally, a device may be required to be enrolled in the organization’s Workspace ONE environment before the user can get access. Here are a couple of examples of policies. A good way to think about these policies is in an IF THEN construct. Let’s take a simple user scenario first:
IF the user is an employee, AND on the LAN AND device is managed, up to date, and has password set, THEN use certificate authentication.
As the user is already authenticated into a managed device and has passed through the physical security to gain access to the building, and they are connected to the LAN, we can be confident in certificate authentication and deliver a great user experience.
But this doesn’t stop us from adding higher security if the user tries to access confidential information. So, we can add a step-up authentication requirement to this policy:
IF application is high security, THEN require multi-factor authentication.
Alternatively, in today’s work-from-anywhere environment, we may have a user that has had to go and buy a new device. The policy could look like this:
IF the user is an employee AND out of network AND device is unmanaged, THEN begin device enrollment.
This policy will bring the device under management and enable the user to access their apps from Workspace ONE Intelligent Hub. We could then apply a policy of:
IF user is an employee AND out of network AND device is managed, up to date and has password set, THEN require multi-factor authentication.
As you can see, working through the many different combinations within Workspace ONE provides a very powerful conditional access engine that’s critical for protecting your work-from-anywhere workforce.
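The IF/THEN policies above, modelled as an ordered first-match rule list with step-up for high-security apps. This is an added illustration, not Workspace ONE code or its API; the field names, action strings, and the default-deny fallback for requests no rule covers are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    role: str                      # who: "employee", "contractor", ...
    on_lan: bool                   # where: corporate network or not
    managed: bool                  # device posture, as reported by UEM
    patched: bool
    passcode_set: bool
    app_high_security: bool = False

def compliant(r: Request) -> bool:
    """Managed, up to date, and passcode set (the post's posture checks)."""
    return r.managed and r.patched and r.passcode_set

# Ordered rules taken from the post: (name, predicate, action). First match wins.
RULES = [
    ("lan-compliant",
     lambda r: r.role == "employee" and r.on_lan and compliant(r), "certificate"),
    ("remote-unmanaged",
     lambda r: r.role == "employee" and not r.on_lan and not r.managed, "enroll_device"),
    ("remote-compliant",
     lambda r: r.role == "employee" and not r.on_lan and compliant(r), "mfa"),
]

def evaluate(r: Request) -> tuple:
    """Return the ordered steps the user must complete, or ("deny",)."""
    for _name, matches, action in RULES:
        if matches(r):
            steps = [action]
            break
    else:
        # Assumption: combinations no rule covers (e.g. a managed but
        # unpatched device, or a non-employee) are denied, not allowed.
        return ("deny",)
    # Step-up: a high-security app adds MFA on top of any authentication
    # decision, but not on top of enrollment, which must finish first.
    if r.app_high_security and steps[0] != "enroll_device" and "mfa" not in steps:
        steps.append("mfa")
    return tuple(steps)

if __name__ == "__main__":
    # Constructed sample requests, not real telemetry.
    samples = {
        "office laptop": Request("employee", True, True, True, True),
        "office laptop, HR app": Request("employee", True, True, True, True, True),
        "new home device": Request("employee", False, False, False, False),
        "enrolled home device": Request("employee", False, True, True, True),
        "unpatched office laptop": Request("employee", True, True, False, True),
    }
    for label, req in samples.items():
        print(f"{label:26} -> {evaluate(req)}")
```

The unpatched office laptop shows why the fallback matters: none of the four policies in the post covers it, so the outcome depends entirely on what the engine does when nothing matches.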
Learn More
Learn more on the integration with Duo from VMware’s own @SteveIDM; Verify in Intelligent Hub in this Tech Zone video; this guide on how to enable Zero Trust security with Workspace ONE; and a recent economic analysis by analyst group ESG of hosting Workspace ONE Access in the cloud.