
Conditional access: a smarter way to protect what matters most

Moving from one-size-fits-all to risk-based security

Traditional security often applies blanket rules to everyone, regardless of the resource or risk level. That can mean over-protecting low-risk systems—slowing down legitimate work—or under-protecting high-risk data.

Conditional access changes that equation. By using real-time signals, it lets us apply the right protection, at the right time, for the right resource.

What conditional access means

Conditional access is essentially “if this, then that” for cybersecurity. Access isn’t just granted or denied; it’s granted based on conditions being met. Those conditions might include:

  • Is the device healthy and up to date?
  • Is the login location expected or unusual?
  • Is the user’s behavior typical, or does it indicate a potential risk?
  • Is the connection coming through a secure network (e.g., VPN)?

Importantly, these rules don’t need to be the same everywhere—conditional access can be tailored to each protect surface, applying stronger requirements to high-risk systems while keeping everyday access smooth.

This approach reflects what the CISA Zero Trust Maturity Model calls “dynamic policy enforcement,” a key marker of advancing from basic access controls toward more mature, risk-adaptive security across the Identity, Devices, and Applications pillars.

Where we are today

At UW–Madison, conditional access is already in use in a limited way. For example, some services require users to connect through VPN and validate device hygiene before accessing them. This ensures an extra layer of protection, but it’s just one condition applied to a narrow set of resources.

Where Smart Access is taking us

The Smart Access program will make conditional access much more dynamic and flexible:

  • More conditions, more nuance: Going beyond VPN to include contextual factors like device health, user behavior, and location.
  • Risk-appropriate controls: Stronger protections for systems handling sensitive research data, health information, or financial records—while everyday systems remain simple and accessible.
  • Continuous verification: If a user or device becomes compromised during an open connection to the protect surface, the system can automatically terminate the connection.
  • Future-ready: Built to adapt as new compliance requirements, research needs, and technologies emerge.

Looking ahead

Conditional access is one of the most visible ways the Smart Access program will bring Zero Trust to life at UW–Madison. As we move forward, we’ll continue working with distributed IT and service teams to refine conditions, test policies, and make sure protections are both strong and workable.

The result: a smarter, more resilient way to safeguard what matters most at our university—our research, our data, and our people.