Putting security in context

How should organisations approach context-aware security technologies and what business benefits can they deliver?

  • Business benefits
  • https://searchsoftwarequality.techtarget.com/tip/Agile-process-Time-to-incorporate-security-testing

    Context-based access control

    How should organisations approach context-aware security technologies and what business benefits can they deliver?

    The information security industry’s response to each new type of threat in the past 30 years has spawned a plethora of point solutions, but these are failing in the face of multi-stage, multi-channel attacks aimed at stealing key data without detection.

    The time is ripe for a change in approach.

    This change has already begun, with the emergence of next-generation information security technologies that are more adaptive than their predecessors by being more context-aware.

    This means they are designed to use situational information – identity, location, time of day, device type, business value of data and reputation – to make more effective, efficient and accurate information security decisions.

    Business benefits

    One of the biggest business benefits, apart from improving security, is that operational savings can be made through a reduction in response times and an increased likelihood of the correct decision being made during an incident. A next-generation intrusion prevention system, for example, can use the vulnerability context of a system to tune its rule set more accurately, reducing both the system load and the chance of a false positive. Similarly, context information, such as current firewall rules and the business value of an asset, can reduce hundreds of security alerts to only a few vulnerabilities that represent the highest risk.

    And while signature-based security systems will not block an attack that uses a phishing email containing a link to a targeted attack download, a secure web gateway that looks at the embedded link’s reputation, which is a form of context, will prevent infection if the link’s reputation is low. User profiles In the era of context-aware computing, it is not only important who the users are, but also what they are requesting, how they are connected, when they are connecting, where they are connecting from and why. “With that in mind, companies can present different approaches to different people, through different channels,” says Ramsés Gallego, international vice-president of the Information Systems Audit and Control Association (Isaca).

    Context is also an important element in helping organisations to identify “normal” interactions on their networks because most are unable to distinguish “normal” from “abnormal” behaviour due to complexity. This is the business value of next-generation security information and event management (Siem) systems which are increasingly context-aware, says Ross Brewer, vice-president and managing director for international markets at LogRhythm.

    Context-based access control

    The idea of context-aware security is not new, but many in the security industry believe security technologies have finally evolved to a level where such systems are viable. At the same time, the very evolution of information technology is further fuelling the need for context-based security, particularly the increasing computing power of mobile devices. In the face of the mobile revolution in the enterprise, exacerbated by the increased use of user-owned consumer devices for example, context-based access control (CBAC) is maturing as a technology.

    Context information can reduce hundreds of security alerts to a few vulnerabilities that represent the highest risk.

    CBAC brings into play a user’s identity and their defined access role to control what a user can see or do once they are authenticated, based on how they are accessing the network. In other words, a user who accesses the company network from their personal smartphone will be more restricted in what they can see or do than someone who accesses the network from a company-owned laptop.

    “The growth in regulatory requirements, coupled with a large and increasing growth in mobile devices, home working and bring-your-own-device (BYOD), will fuel the need for context- based security, and specifically CBAC,” says Peter Wenham of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management. “The good news is that at the same time that computing power is growing, the price/performance ratio continues to fall. So while there are CBAC products on the market, the next six months or so should see more entrants to that market space bringing more innovation and better pricing to the user organisation,” he says.

    Intelligent security

    Another driver of the need for context-aware security in the light of technological innovation is that traditional one-size-fits-all security policies and controls are no longer adaptive and granular enough to deal with the multitude of different devices connecting into and between corporate networks.

    “Nowadays, broader application intelligence needs to integrate with context-aware security infrastructure to provide security unobtrusively while still allowing user mobility,” says Adrian Wright, vice-president of research at the UK Chapter of the Information Systems Security Association (ISSA). The ability to trace what is happening from the mobile endpoint to the datacentre at the application level, and also have visibility of the identities and status of devices connecting into the network, he says, are all key factors in being able to thwart increasingly sophisticated attacks.

    Companies can present different approaches to different people, through different channels.
    Ramsés GallegoIsaca

    So, in addition to basic context of who, what, where, why and how, Wright says true context-aware and adaptive security must also take into account real-time threat information, levels of relative trust, as well as risk, based on the assets being accessed and used. “The question of whether and how we can accumulate and compile such a compendium of security intelligence is, for me, the most crucial one to address,” he says. Wright suggests that, in answering the questions, businesses should begin by asking themselves if the scale of mobile computing, the spread of BYOD, and the levels of inherent risk exposure all combine to justify the probable costs of building and operating a context-aware security infrastructure.

    Businesses should also verify their capability to compile and maintain currency of the detailed inventory of devices and information on users, roles, applications, risk levels and trust needed to make security controls granular and adaptive enough to justify the outlay. “If so, business benefits will come from improving user mobility and ease of use, while at the same time protecting valuable information and reducing security administration overheads,” he says.

    Begin the transformation

    According to Gartner, the business benefits of context-aware security systems are ultimately about reducing risk and enabling the business by reducing the chance that information security mistakenly blocks something legitimate, and increasing the chance that advanced attacks are detected.

    “Organisations should begin the transformation to context-aware and adaptive security infrastructure now, as they replace static security infrastructure, such as firewalls, and web security gateway and endpoint protection platforms,” says Gartner analyst Neil MacDonald. “They also need to demand specific roadmaps from security suppliers for application, identity and content awareness, as well as the ability to incorporate other types of context into their policy enforcement decisions,” he says.

    Technology and beyond

    Like all the security technologies and approaches that have gone before, the context-aware model is not about technology alone, according to the Information Security Forum (ISF) “To maximise the benefit from its deployment, organisations will need to implement certain information security arrangements and re-examine some processes,” says Adrian Davis, principal research analyst at the ISF.

    The growth in regulatory requirements will fuel the need for context based security.
    Peter WenhamBCS Security Forum

    “Businesses should start not by buying the technology, but by understanding how and what context-aware security can do to support current and future business. For the approach to deliver benefits requires more than buying context-aware firewalls,” he says. Businesses should approach context-aware technologies by making strategic technology replacements in line with upgrade paths, according to Peter Bassill, member of the Isaca cyber security board and managing director of Hedgehog Security. “Next, businesses should identify process bottlenecks, where context-aware technologies can streamline business operations and identify areas of intensive data analysis, where context-aware technologies can speed up reaction times without reducing effectiveness,” he says.

    According to the ISF, the starting point is to classify information in the business and decide whether data governance and its associated techniques should be introduced. “The classification of information should drive the controls required for its protection,” says Davis. Investment in making the network and the identity and access management infrastructure context-aware will be needed, he says, which may involve implementing approaches such as location awareness, network access control (NAC), mobile device management (MDM), placing certificates on devices, and adopting federated identity management.

    “Furthermore, any solutions chosen will have to be deployed across the smartphone, tablet and laptop estate, and should be capable of interfacing with cloud-based business solutions,” says Davis. Human input required Another important thing to consider is that context-aware security is unlikely to eliminate the need for information security professionals who are familiar with the IT environment, warns Ionut Ionescu, a member of the (ISC)2 European Advisory Board. “The trouble is that all such tools have to be configured by a specialist with prior knowledge of the environment, so a human has to understand the context before the tool can,” he says. There may be number-crunching advantages coming from a clever and well-configured tool, but Ionescu says they should not be overestimated. Even when a tool has a reasonable level of context built in and is able to suggest reasonable courses of action, he says, understanding the business workflow and complexities still require further analysis, to derive the right risk mitigation strategies. “If just adding context was the solution, someone would have devised an expert system modelling the whole organisation from a security perspective, and information security professionals would be out of a job,” says Ionescu.

    Context-aware security tools promise incremental help for the security professional, but he warns organisations against buying them based only on the return on investment calculations of suppliers. “Despite the security and business benefits touted by suppliers of these context-aware next-generation technologies, user organisations should be wary of making any unnecessary leaps of faith,” he says. As with all security technology, organisations should be clear about exactly how the business will benefit and make strategic investments aimed at supporting current and future business processes.

  • Intelligent security

Read more on Security policy and user awareness