- 22 Sep 2022
- 2 Minutes to read
Resource Access Control
- Updated on 22 Sep 2022
- 2 Minutes to read
With device and user trust established, and threats and risks properly managed, you can now confidently restrict access to sensitive company data to trusted entities only.
A layered security approach requires that these trusted users and their devices only have access to the specific apps and resources they need, and nothing else. This inherently limits the exposure of sensitive data an attacker is able to exfiltrate in the event a user and/or their corporate device ends up compromised in an advanced attack.
While identity providers play a role here in terms of role-based and user-based app access policies, the end goal of Trusted Access is to prevent sensitive applications from being discoverable – let alone reachable – from any entity on the Internet, except authorized users and devices. In other words, your sensitve applications should be "dark" or "stealth" from the the perspective of the general internet. This is known as App and Infrastructure Cloaking.
For this approach to be tenable to end users and IT administrators alike, the technology enabling this network access must be easy to use, seamless, fast, and effectively invisible to end users. This is where the Jamf Security Cloud, specifically Jamf Private Access comes in, delivering a high performance, layer-three cloud-native connectivity experience in a product that is straightfoward to configure, deploy, and use.
Private Access is built upon a rich contextual policy engine that makes real-time network-level access decisions based upon user, device, risk level, and more. Since this policy is applied within the network, it applies to any TCP or UDP application and protocol.
Major SaaS application providers, such as Microsoft and Google, provide a conditional access framework that limits access to their apps to managed devices only. Leveraging this access control strategy allows for granular controls within that SaaS provider's application, but doesn't support 3rd party apps, or in some cases, all endpoint platforms or browsers.
As a result, we recommend blending API/Partner-based strategies with Network-based strategies to cover the entirety of your organization's apps.
You will need to start with Enabling Access for Trusted Devices to provide secure routing for your authorized endpoints to access resources, no matter where they are.
Then, starting with your most sensitive data resources and expanding appropriately over time, you will want to Restrict Access for Anonymous Devices such that only those trusted devices with a secure route can reach your devices.