In looking at context-aware security, it is worth briefly summarising the technology. It is over ten years since context-aware security was proposed. In brief, the idea is simple: build a security system that can use factors such as location, device and the information accessed to decide the type and rigour of the security required. Now, technology and networks have evolved to the point where such a system is possible and can be sold commercially.
Judging the uptake of context-aware technologies is difficult, because it is not one platform or one application. Certainly, we are seeing more suppliers offering context-aware products and some are already offering integration platforms such as Cisco’s pxGrid. On the enterprise side, adoption seems slow, as other initiatives such as BYOD, cloud and cyber defence take priority and the lion’s share of limited budgets. Additionally, these technologies may require significant investment and alterations in network infrastructure.
Initially, enterprises should pilot these technologies to gain an understanding of the business and security benefits of context-aware security, creating success criteria, planning the integration of the technologies and then identifying a suitable pilot project to trial the technologies. The impact of adopting context-aware security on the current IT and security architectures should be considered: it may require one or both architectures to be revised to gain the greatest benefit from adoption.
As the (ISC)2 CISSP Common Body of Knowledge states, the architecture provides the means to ensure the implementation of security controls is correct and verifiable. Once the trial is underway, the performance and success of context-aware technologies can be measured and compared against the success criteria. If the trial proves a success, planning for an enterprise roll-out can be drawn up.
Adrian Davis is managing director EMEA for (ISC)2
This was first published in March 2014