Context-based security has been in use for more than 10 years, and the concept was proposed much earlier. The proposal was simple enough: build a security system that can use factors such as location, device and the information being accessed to decide the type and rigour of the security required. Information is an asset for every organisation. The inability of computer systems to protect the confidentiality and integrity of information may cause serious financial and legal problems for organisations and severely threaten how that information can be used.
A recent ISF report addresses this challenge and looks at methods for moving employees beyond basic security awareness and towards behavioural change. “As well as improving general security behaviours, one recommended action in particular, making systems and processes as simple and user-friendly as possible, will improve context-based information security by reducing the number of false positives generated when people circumvent security procedures to more easily accomplish daily tasks.
“Context-based security is here to stay, and more intelligent networks are a natural response to growing complexity.”
The common characteristic of the traditional approach is to operate using simple access modes such as read, write and execute that control access at the operating system level. Organisational requirements should bridge the gap between internal requirements and the higher stages of elaboration. The basis for an organisational security model is derived from the structure of the organisation and the kind of activities it undertakes, as well as from an explicitly or implicitly expressed security policy.
Although security policies differ in every organisation, there exist a number of fundamental security principles, particularly applicable within commercial security systems.
- Least Privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job;
- Separation of Duty: Two or more different people should be responsible for the completion of a task;
- Chinese Wall: People are only allowed access to information which is not held to conflict with any other information that they already possess.
But the hype around context-based security is focused on context rather than this behaviour. “The marketing is technology-based, around the ability to create the required contexts, without knowing whether they are required or not.” Newby believes suppliers are scrambling to create technology that solves a problem which may not yet exist: “The processes and people do not yet require the tools, and they will not require them until governance is in place to change behaviour.”
A context-based access solution adjusts a person's access rights for an enterprise network based on the device used and where access is being initiated from. For example, someone accessing a corporate network from a corporate-owned PC located in corporate office space is likely to have full role-based access to that network and the data held within it. But if that person used their own smartphone from a coffee shop, a context-based access solution would restrict access to email only. If the smartphone were equipped with one of the newer sandbox technologies, though, and access were from the person's home, a context-based access solution might offer them a richer view of the network and services.
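As an added illustration (not code from the article or from any product it mentions), here is a small Python policy function that encodes the three scenarios above. The device and location labels, the tier names, the rule that context can only narrow a role's access and never widen it, and the default-deny fall-through for any context the rules do not cover are all assumptions of this example.

```python
from dataclasses import dataclass

# Access tiers, ordered from least to most privileged (constructed for this example).
TIERS = ["deny", "email-only", "email-and-intranet", "full-role-based"]


@dataclass(frozen=True)
class AccessContext:
    device: str        # "corporate-pc" or "personal-smartphone" (assumed labels)
    location: str      # "corporate-office", "home" or "coffee-shop" (assumed labels)
    sandboxed: bool    # device runs an approved sandbox for corporate data
    role_tier: str     # the most the person's role would ever grant, from TIERS


def context_tier(ctx: AccessContext) -> str:
    """Tier justified by the context alone; first matching rule wins.

    Any context no rule covers falls through to "deny" (assumed default)."""
    if ctx.device == "corporate-pc" and ctx.location == "corporate-office":
        return "full-role-based"
    if ctx.device == "personal-smartphone" and ctx.sandboxed and ctx.location == "home":
        return "email-and-intranet"
    if ctx.device == "personal-smartphone":
        return "email-only"
    return "deny"


def decide(ctx: AccessContext) -> str:
    """Context can only narrow access: the result never exceeds the role's ceiling."""
    if ctx.role_tier not in TIERS:
        raise ValueError(f"unknown role tier: {ctx.role_tier!r}")
    return min(context_tier(ctx), ctx.role_tier, key=TIERS.index)


if __name__ == "__main__":
    # The three scenarios from the text, plus one the rules do not cover.
    scenarios = [
        AccessContext("corporate-pc", "corporate-office", False, "full-role-based"),
        AccessContext("personal-smartphone", "coffee-shop", False, "full-role-based"),
        AccessContext("personal-smartphone", "home", True, "full-role-based"),
        AccessContext("corporate-pc", "coffee-shop", False, "full-role-based"),
    ]
    for ctx in scenarios:
        print(f"{ctx.device:20} {ctx.location:17} sandboxed={ctx.sandboxed!s:5} -> {decide(ctx)}")
```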
Thus, information security professionals need to think about what systems their organisation needs and invest accordingly.