The power and potential of context-aware security
What is context-aware security?
Security is a major concern in the digital age. The proliferation of mobile devices and cloud computing has made it simpler and more rewarding for hackers to steal information. At the same time, users are being targeted by cybercriminals who employ malicious software and social engineering techniques to gain access to personal or organizational data.
Context-aware security is an access control design strategy that uses situational information to determine the nature and risks of an access request before granting appropriate access permission to the protected information or resources within an organization.
How does context-aware security work?
Let’s look at an example that illustrates how to apply context-aware security.
- When I want to withdraw money from my bank, they need to know who I am. Once authorized, they look in my account to see how much money I have. If I have enough funds for the request, they give me the amount I asked for. Simple enough, right?
- What if I make my withdrawal request over the phone without any formal identification? Does the bank still allow me to withdraw cash? If I had lost my wallet and passport during an overseas trip, I could be stuck if the bank refused access to my money!
- With context-aware security, the bank could still give me all or part of the money I requested by considering the circumstantial information about my request.
- My bank can examine the time and location (environmental factor) when the request was made, request a personal interview with a bank manager at a nearby branch (additional authentication), and confirm the reason (context) for my withdrawal request.
- While evaluating all these additional details about my request, the bank can quickly build a risk profile for my withdrawal request, then make a comparison against other known risk factors such as my past withdrawal patterns, local crime statistics, and the current probability of malicious withdrawal requests (threat intelligence). More importantly, the bank must determine how much money it is willing to lose if this is not a genuine emergency cash withdrawal request from me (risk tolerance).
- In this scenario, my bank agrees to give me enough money to pay my hotel bill and fly home the following day.
Context-aware security enables organizations to strengthen security without hindering what users want to do. It allows users to have a smooth, secure access experience without going through an onerous series of multiple authentication mechanisms.
A smart analytics engine is often used to evaluate the risk factors from multiple sources and produce appropriate decisions for the security controls to enforce prescribed access in real time.
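The withdrawal scenario above can be written as a small decision engine. This is an added example, not code from the original article; the field names, weights, thresholds and sample requests are all constructed assumptions chosen to mirror the factors the bank weighs.

```python
from dataclasses import dataclass

@dataclass
class Request:
    amount: int
    id_document: bool                # formal identification presented
    location_matches_history: bool   # environmental factor
    typical_withdrawal: int          # past withdrawal pattern
    threat_level: int                # threat intelligence, 0 (calm) to 10 (active fraud)
    manager_interview: bool = False  # additional authentication
    reason_confirmed: bool = False   # context for the request

def risk_score(r):
    """Return a 0-100 risk score; every weight here is an illustrative assumption."""
    score = 0
    score += 0 if r.id_document else 40
    score += 0 if r.location_matches_history else 20
    score += 20 if r.amount > 3 * r.typical_withdrawal else 0
    score += 2 * r.threat_level
    # Compensating evidence gathered during the request lowers the score.
    score -= 25 if r.manager_interview else 0
    score -= 15 if r.reason_confirmed else 0
    return max(0, min(100, score))

def decide(r, balance, risk_tolerance):
    """Return (decision, amount released); risk_tolerance caps the possible loss."""
    if r.amount > balance:
        return ("deny", 0)
    score = risk_score(r)
    if score < 30:
        return ("allow", r.amount)
    if not r.manager_interview:
        return ("step_up", 0)  # ask for additional authentication first
    if score < 60:
        return ("allow_partial", min(r.amount, risk_tolerance))
    return ("deny", 0)

# Constructed sample requests (not real data).
ROUTINE = Request(200, True, True, 200, 1)
PHONE_ABROAD = Request(1500, False, False, 200, 5)
AFTER_INTERVIEW = Request(1500, False, False, 200, 5, True, True)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("phone, abroad", PHONE_ABROAD),
                      ("after interview", AFTER_INTERVIEW)]:
        print(name, risk_score(req), decide(req, balance=5000, risk_tolerance=800))
```

The same request moves from "step_up" to a partial release once the interview and the stated reason are on record, and the amount released is bounded by the risk tolerance rather than by the amount asked for.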
Zero trust and context-aware security
Zero trust security assumes that network perimeter-based protection is no longer effective, because your data assets and resources now reside in an open and interconnected world. No longer should any request to your network, environment, application or data be trusted.
Instead of granting access to everything upon login, regular identity verification for requesters and devices is required before minimum access is granted — along with a prescribed network route to the requested environment and a defined set of data to be made available. The access granted is time-limited and the use of this access privilege is under constant monitoring. Any deviation will trigger changes in the granted access or elevated authentication.
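A minimal sketch of such a grant and its monitoring follows. It is an added example, not code from the original article; the field names, the 900-second lifetime, the choice of which deviation revokes access and which demands elevated authentication, and the sample values in the usage are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    subject: str
    device: str            # device verified when the grant was issued
    resources: frozenset   # defined set of data made available
    route: str             # prescribed network route
    expires_at: int        # grants are time-limited (epoch seconds)
    state: str = "active"  # active | step_up_required | revoked

def issue(subject, device, resources, route, now, ttl=900):
    """Issue minimum access; identity and device verification are assumed done."""
    return Grant(subject, device, frozenset(resources), route, now + ttl)

def monitor(grant, event, now):
    """Check one access event against the grant and return the enforcement action."""
    if grant.state == "revoked" or now >= grant.expires_at:
        grant.state = "revoked"
        return "deny"
    if event["device"] != grant.device:
        grant.state = "revoked"            # deviation: change the granted access
        return "deny"
    if event["route"] != grant.route or event["resource"] not in grant.resources:
        grant.state = "step_up_required"   # deviation: elevate authentication
    return "allow" if grant.state == "active" else "step_up"

def reverify(grant, identity_verified, now, ttl=900):
    """Apply the outcome of elevated authentication: renew the grant or revoke it."""
    if grant.state != "revoked":
        if identity_verified:
            grant.state, grant.expires_at = "active", now + ttl
        else:
            grant.state = "revoked"
    return grant.state

if __name__ == "__main__":
    # Constructed sample values.
    g = issue("alice", "laptop-1", {"claims-db"}, "vpn-a", now=1000)
    ok = {"device": "laptop-1", "route": "vpn-a", "resource": "claims-db"}
    print(monitor(g, ok, 1100))                              # in scope
    print(monitor(g, dict(ok, resource="payroll-db"), 1200)) # outside the data set
    print(reverify(g, True, 1220), monitor(g, ok, 1300))     # renewed after step-up
    print(monitor(g, dict(ok, device="phone-9"), 1400))      # unverified device
```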
Context-aware security is a key component of implementing zero trust security. We can set up many smaller protected zones in an open environment by using identity as the protection perimeter and deploying context-aware security control as the gatekeeper.
This type of zero trust security implementation offers strong protection for your data and resources within the secured zone. Frequent examination of requesters' intentions and behavior makes it extremely difficult for an internal or external intruder to move across the guarded zone without being detected.
Apart from reducing the chances of security breaches, context-aware security also reduces the number of constant authentication challenges demanded by the zero trust principle of “never trust, always verify.”
Regular evaluation of how the least privilege access is granted and used provides real-time feedback to the context-aware security control as an additional factor, enabling access to be fine-tuned without bothering the user with extra authentications. Accordingly, it is a great way to implement a frictionless security service without impacting user productivity and experience.
The journey towards a trusted business
There are many cybersecurity products and services that offer context-aware security capabilities today. However, both zero trust and context-aware security are based on cybersecurity design philosophies and are not simply about a product implementation.
Zero trust and context-aware security are means to create a highly trusted environment for your customers to confidently interact and do business with you. Such an environment requires transparency and traceability of all transactions carried out within it.
The business will need visibility into who has access to what information, and what transactions took place and when. Most enterprises are unlikely to implement this kind of capability with only a single technology.
The best approach is to create a vision of what your trusted environment should look like based on your business objectives, what risks you want to mitigate, and what data you need to protect.
Once the cybersecurity goals and requirements are understood, you can decide where the context-aware security controls can be deployed, how many controls are needed, and — more importantly — how they will work together seamlessly. The guiding principles of zero trust can be used as a compass to map out your transformation journey, positioning your business as a trusted brand in your industry.
About the author
Advisory Practice Director, Enterprise Architecture and Identity, Atos Northern Europe
Aaron joined Atos in 2006 and has successfully delivered several large-scale cybersecurity transformation programmes for the Media, Finance and Public Sector industries. He is also a Senior Atos Expert who specialises in Identity and Access Management and is a vocal advocate of “identity is the core foundation of building trusted business”.
His current focus is helping customers achieve a trusted business and operating environment by applying an end-to-end, business-centric and risk-driven cybersecurity approach. Aaron is currently leading several enterprise security architecture and zero trust advisory projects for Insurance, Health and Manufacturing customers in Europe.