Context-based security is not new – there are academic papers from 2003 and stateful inspection firewalls apply a degree of context to the routing of packets – but what is new is the continued increase in regulatory compliance requirements, coupled with the massive growth in powerful mobile devices which people want to use not only outside the office, but also within it.
Some of these devices will be bring your own device (BYOD) ones, others will be company supplied, but in all cases people will want to use them for work, and in novel ways. Therefore, there is a tension between regulatory needs and the use of smart mobile devices – and BYOD only serves to increase that tension.
Context-based access control (CBAC) as a technology is maturing, bringing into play the context of an access and combining it with a user’s identity and their defined access role.
Identity-based access control has been with us since year dot, and in its simplest form is just a user name and associated password.
Role-based access control has been with us for some time, and adds certain rights to a user once they have successfully authenticated to a network. For example, if a user's role has been assigned as sales, they can only see and use sales-related files and applications, but not the files or applications of the human resources group.
Adding context to user access controls
What adding context does is control what a user can see and/or do, once they have successfully authenticated to a network, based on how they are accessing the network.
For example, if a user has accessed the network from a PC that is on the premises and connected directly to the network, they can see and execute all functions assigned to their defined access role. But should that user be mobile, accessing through a smartphone or tablet, their view may well be restricted to just their email and calendar, and possibly one or two very specific applications, particularly if the device is company-supplied.
If that user were mobile but using a company-supplied laptop, they may well have access to a larger subset of their role's files and applications, but should they be accessing from a known and trusted point outside of the office, home for example, they might have full access to all files and applications allowed to their role.
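The access decisions described above can be written as a small policy check. This is an added example, not code from the original article or from any CBAC product. The resource names, the `Context` fields, treating a company laptop in the office as unrestricted and the default-deny rule for contexts the article does not mention are all assumptions.

```python
from dataclasses import dataclass

# Constructed role entitlements; resource names are illustrative assumptions.
ROLE_RESOURCES = {
    "sales": {"email", "calendar", "crm", "sales_files", "quote_tool"},
    "hr": {"email", "calendar", "hr_files", "payroll"},
}
HANDHELD_BASE = {"email", "calendar"}            # any smartphone or tablet
HANDHELD_COMPANY_EXTRA = {"crm"}                 # specific app on company handhelds
ROAMING_LAPTOP = {"email", "calendar", "crm", "quote_tool"}  # larger subset

@dataclass(frozen=True)
class Context:
    device: str         # "pc", "laptop", "smartphone" or "tablet"
    company_owned: bool
    location: str       # "office", "trusted_remote" or "untrusted"

def context_scope(ctx):
    """Resources the context permits; None means no extra restriction."""
    if ctx.device == "pc" and ctx.location == "office":
        return None
    if ctx.device == "laptop" and ctx.company_owned:
        if ctx.location in ("office", "trusted_remote"):
            return None
        return ROAMING_LAPTOP
    if ctx.device in ("smartphone", "tablet"):
        extra = HANDHELD_COMPANY_EXTRA if ctx.company_owned else set()
        return HANDHELD_BASE | extra
    return set()        # assumption: contexts the article does not describe are denied

def allowed_resources(role, ctx):
    """Intersect role entitlements with the context scope (context never adds rights)."""
    entitled = ROLE_RESOURCES.get(role, set())   # unknown role gets nothing
    scope = context_scope(ctx)
    return set(entitled) if scope is None else entitled & scope

def authorize(role, ctx, resource):
    return resource in allowed_resources(role, ctx)

if __name__ == "__main__":
    for ctx in (Context("pc", True, "office"),
                Context("smartphone", False, "untrusted"),
                Context("laptop", True, "untrusted"),
                Context("laptop", True, "trusted_remote")):
        print(ctx, sorted(allowed_resources("sales", ctx)))
```

Because the context scope is intersected with the role's entitlements, a permissive context never gives a sales user the human resources files.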
To summarise, the growth in regulatory requirements, coupled with the large and continuing growth in mobile devices, home working and BYOD, will fuel the need for context-based security and, specifically, CBAC.
The good news is that computing power continues to grow, while at the same time, the price/performance ratio continues to fall. So while there are CBAC products on the market, the next six months or so should see more entrants to that market space, bringing more innovation and better pricing to the user organisation. Exciting times ahead.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
This was first published in March 2013