It is more than 10 years since context-aware security was proposed. The idea is simple: build a security system that can use factors such as location, device and the information being accessed to decide the type and rigour of the security required.
In theory, technology designed to use situational information – such as identity, location, time of day, device type, business value of data and reputation – would enable security decisions that are more effective, efficient and accurate.
A decade on, technology and networks have evolved to the point where such a system is possible and can be sold commercially. But judging the uptake of context-aware technologies is difficult because it is not one platform or one application, says Adrian Davis, managing director, Europe for (ISC)².
"We are seeing more suppliers offering context-aware products and some are already offering integration platforms, such as Cisco’s pxGrid," he says. "But on the enterprise side, adoption seems to be slow, as other initiatives such as bring your own device (BYOD), cloud and cyber defence take priority and the lion’s share of limited budgets. Additionally, these technologies may require significant investment and alterations in network infrastructure."
More security articles
Popularisation of context-based security
While BYOD and cloud initiatives may take budgets away from context-based security in some organisations, they are driving its adoption in others. The reason is that context-based information security is becoming more important as cloud and mobile computing erase network perimeters that were previously rigid.
Also, advances in data generation, collection and analysis are allowing networks to respond more intelligently to fast-moving or unexpected situations. This is helping companies and banks that have access and identity management systems to track anomalous behaviour so they can distinguish potential data theft or fraud.
The algorithms underpinning these systems are improving, and larger amounts of historical data are allowing for more finely calibrated context decisions, says Dave Clemente, a senior research analyst with the Information Security Forum (ISF). "However, this is not just a technical issue and the human element is a core part of the problem and the solution. After all, a human must decide what constitutes anomalous behaviour and design algorithms accordingly," he says.
A recent ISF report addresses this challenge and looks at methods for moving employees beyond basic security awareness and towards behavioural change. "As well as improving general security behaviours, one recommended action in particular – making systems and processes as simple and user-friendly as possible – will improve context-based information security by reducing the number of false positives generated when people circumvent security procedures to more easily accomplish daily tasks," says Clemente. "Context-based security is here to stay, and more intelligent networks are a natural response to growing complexity."
Clemente believes information security professionals need to think about what systems their organisation needs and invest accordingly.
But when it comes to deploying context-based security technologies, (ISC)²’s Davis recommends enterprises first gain understanding of the business and security benefits of context-aware security. Next, they need to agree criteria for success, plan the integration of the technologies and identify a suitable pilot project to trial the technologies. The impact of adopting context-aware security on the current IT and security architectures should be considered. "It may require that one or both architectures need to be revised to gain the greatest benefit from adoption," says Davis. "As the (ISC)² Common Body of Knowledge states, the architecture provides the means to ensure that the implementation of security controls is correct and verifiable."
The advantage of context-based access
A context-based access solution adjusts a person’s access rights for an enterprise network, based on the device used and from where access is being initiated. For example, someone accessing a corporate network from a corporate-owned PC located in corporate office space is likely to have full role-based access to that network and the data held within it. But if that person used their own smartphone from a coffee shop, a context-based access solution would restrict access to email only. If the smartphone were equipped with one of the newer sandbox technologies, though, and access were from the person’s home, a context-based access solution might offer them a richer view of the network and services.
Sandbox applications keep corporate data and applications separate from personal content, allowing for freer use of BYOD. These apps, alongside company policies governing where a device can be used, will further impact the take-up of context-based access technologies. But the situation will only change if the corporate body decides the current access mechanisms do not offer sufficient granularity of control. These will need to be risk-based, taking into account the degree of mitigation that can be offered by various context-based access solutions and sandboxing technologies. But the question remains as to whether the body corporate is ready to assess the risk of their data and information.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
Barriers to success
Once the trial is underway, the performance and success of context-aware technologies can be measured and compared against the success criteria. But long-term success rests on whether or not a system is deployed with sufficient management buy-in from the required departments, says Robert Newby, an analyst and managing partner at KuppingerCole UK.
Success, he believes, also requires an understanding of the processes a new system will be required to integrate with, the overhead of deployment and management, and the long-term costs.
"Tools can be useful if part of a wider project, but this has to come as the result of a need, a set of requirements from across the business. Without this buy-in, a tool just gets left on the shelf," says Newby.
Assuming all these requirements are met, he says the business still faces the challenge of measuring the effect of a security system. For this, the first requirement is good governance. “This is often underestimated or misunderstood, but it is the cornerstone of enterprise security,” says Newby.
"If you have a baseline you can reference consistently, risk management and metrics suddenly become repeatable and meaningful, and the executive buy-in you were lacking to start your project is ingrained in policy," he says.
However, Newby cautions that metrics do not just measure the effectiveness of technical controls, but of processes and people-based controls, such as awareness and training. Again, he says, these should not be underestimated, as they are the mechanisms for reporting back to the executives who have sponsored your security projects.
Once again, it comes back to the human factor. "Security could be described as managing human behaviour, which may include context if the behaviour is expected," says Newby.
But the hype around context-based security is focused on context rather than this behaviour, he
says. "The marketing is technology-based, around the ability to create the required contexts,
without knowing whether they are required or not."
Newby believes suppliers are scrambling to create technology that solves a problem which may not yet exist: "The processes and people do not yet require the tools, and they will not require them until governance is in place to change behaviour."
>Some enterprises are good at applying governance, measuring risk, implementing change in line with operational requirements, measuring control effectiveness and feeding this back into governance, but most are not, he says: "Unfortunately for context-based security, it does not consider the business context of security, just the context of the users."
Until this can be fully integrated into workflows and business process, via governance, he believes context-based security will remain a useful marketing point without a proper set of requirements. Despite all the technological advances since context-based security was first mooted, the vital element of business context is still missing.
This was first published in April 2014