The days of static security policy decisions are over. Is your firewall still only a dumb IP-based firewall that allows or blocks access based on IP addresses? What about contextual information such as identity, location, the data transferred and the behaviour of the traffic?
Context-aware security is not a new concept; however, when the initial discussions about it took place 10 or so years ago, the technology could not support it well.
Today, contextual information is used in some security decisions, and these decisions better support business processes.
For example, with more employees using non-company-managed devices, contextual information such as device compliance, location and identity is used to decide whether access is granted, denied or indeed limited. However, more needs to be done in this area.
The context-aware security model is still not fully supported by security technology suppliers.
Take the following example: should an application transferring data from a server in a secure zone be allowed to send company invoice number 201342 to a user in the financial department who is using her own laptop, but with a virtualised company desktop, while she is in the USA? But wait, her HR records show she is currently on a business trip in Japan!
This kind of security policy decision-making, which takes into account several attributes of network, host, application, data and identity information, is not available today. But should we give up? Absolutely not! We need to drive security suppliers to update their roadmaps to support dynamic, standardised and externalised security decisions.
I also see a platform as a service (PaaS), yes, most likely a public Cloud platform, which collects contextual information and outputs policy decisions. A firewall, database or web application could use these services to enforce the policy. Let’s work together to make this happen.
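As an added illustration (not code from the original article), the following Python sketch shows what an externalised policy decision for the invoice scenario above could look like: a decision function combines identity, device, location, data and HR context and returns allow, limit or deny for an enforcement point such as a firewall to act on. The HR travel record, request fields and rules are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed HR travel records (assumption): where each user is expected to be right now.
HR_TRAVEL = {"alice": "JP"}  # alice is on a business trip in Japan


@dataclass
class AccessRequest:
    user: str
    department: str
    device_managed: bool       # company-managed device?
    virtual_desktop: bool      # using the virtualised company desktop?
    observed_country: str      # location derived from network context
    data_class: str            # e.g. "financial" for an invoice
    source_zone: str           # zone of the server sending the data


@dataclass
class Decision:
    outcome: str               # "allow", "limit" or "deny"
    reasons: list = field(default_factory=list)


def decide(req: AccessRequest) -> Decision:
    """Externalised policy decision point: evaluates contextual attributes, does not enforce."""
    reasons = []
    # Identity vs data: financial data from the secure zone only goes to the finance department.
    if req.source_zone == "secure" and req.data_class == "financial" and req.department != "finance":
        reasons.append("financial data requested outside the finance department")
        return Decision("deny", reasons)
    # Location context: the observed location must agree with the HR travel record.
    expected = HR_TRAVEL.get(req.user)
    if expected and expected != req.observed_country:
        reasons.append(f"observed location {req.observed_country} conflicts with HR record {expected}")
        return Decision("deny", reasons)
    # Device context: an unmanaged device is only acceptable via the virtual desktop, and then limited.
    if not req.device_managed:
        if not req.virtual_desktop:
            reasons.append("unmanaged device without the virtualised company desktop")
            return Decision("deny", reasons)
        reasons.append("unmanaged device: access limited to the virtual desktop, no local copy")
        return Decision("limit", reasons)
    return Decision("allow", reasons)


def invoice_scenario() -> Decision:
    """The article's case: own laptop, virtual desktop, seen in the USA, HR says Japan."""
    return decide(AccessRequest("alice", "finance", False, True, "US", "financial", "secure"))
```

Swapping the observed country to match the HR record turns the same request into a limited decision, showing how one attribute changes the outcome.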
The ultimate question is: how will this support your business? Security people will finally be less rigid and more understanding of business processes and use cases. Defining security policies will become so flexible (read: natural) that business managers will be able to define them themselves (read: less expensive security).
By that time, the security professionals, as we know them today, might cease to exist. Adapt or die, as they say; static security is dead, long live business-aware security.
Vladimir Jirasek, director of research, UK chapter Cloud Security Alliance (CSA)
This was first published in March 2013