Gartner believes the next wave of IT security will be based on context. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made.
It's over 10 years since the idea of context-aware security was proposed. In brief, the idea is simple: build a security system that can use factors such as location, device and the information being accessed to decide the type and rigour of the security required.
Now, technology and networks have evolved to the point where such a system is possible and can be sold commercially. But, like any security technology, context-aware security is not a silver bullet. To maximise the benefit from its deployment, organisations will need to implement certain information security arrangements and re-examine some processes.
Businesses should start not by buying the technology but by understanding what context-aware security can do, and how, to support current and future business. Delivering benefit from the approach requires more than buying context-aware firewalls.
Building on Information Security Forum work examining the topic of bring your own device (BYOD), the starting point is to classify information in the business and decide whether data governance and its associated techniques should be introduced. The classification of information should drive the controls required for its protection.
Investment in making the network and the identity and access management infrastructure context-aware will be needed. This may involve implementing approaches such as location awareness (by using GPS to locate a user), network access control (NAC), mobile device management (MDM), placing certificates on devices, and adopting federated identity management.
Furthermore, any solutions chosen will have to be deployed across the smartphone, tablet and laptop estate and should be capable of interfacing with cloud-based business solutions.
These deployments will benefit the business by enhancing the quality of its information and by providing a framework within which new business initiatives can use mobile devices. Other benefits should include better (though not necessarily cheaper) information security, an information-centric approach to security and greater responsiveness to changing business demands.
Adrian Davis is principal research analyst at the Information Security Forum (ISF)
This was first published in March 2013