Implement requirements for access based on the sensitivity of the resources and the known security state to manage risk levels appropriately. These policies can range from allowing only corporate-managed devices to requiring certain versions of patched software, encryption, or step-up authentication based on user behavior. By enforcing policies that evaluate risk based on attributes like location, user role, and device type, you can have more dynamic control over who and what can access certain applications allowing only the minimum amount of access required for a user to do their job.
|