It is more than 10 years since context-aware security was proposed. The idea is simple: build a security system that can use factors such as location, device and the information being accessed to decide the type and rigour of the security required.
In theory, technology designed to use situational information – such as identity, location, time of day, device type, business value of data and reputation – would enable security decisions that are more effective, efficient and accurate.
A decade on, technology and networks have evolved to the point where such a system is possible and can be sold commercially. But judging the uptake of context-aware technologies is difficult because it is not one platform or one application, says Adrian Davis, managing director, Europe for (ISC)².
“We are seeing more suppliers offering context-aware products and some are already offering integration platforms, such as Cisco’s pxGrid,” he says. “But on the enterprise side, adoption seems to be slow, as other initiatives such as bring your own device (BYOD), cloud and cyber defence take priority and the lion’s share of limited budgets. Additionally, these technologies may require significant investment and alterations in network infrastructure.”
Popularisation of context-based security
While BYOD and cloud initiatives may take budgets away from context-based security in some organisations, they are driving its adoption in others. The reason is that context-based information security is becoming more important as cloud and mobile computing erase network perimeters that were previously rigid.
Also, advances in data generation, collection and analysis are allowing networks to respond more intelligently to fast-moving or unexpected situations. This is helping companies and banks that have access and identity management systems to track anomalous behaviour so they can distinguish potential data theft or fraud.
The algorithms underpinning these systems are improving, and larger amounts of historical data are allowing for more finely calibrated context decisions, says Dave Clemente, a senior research analyst with the Information Security Forum (ISF). “However, this is not just a technical issue and the human element is a core part of the problem and the solution. After all, a human must decide what constitutes anomalous behaviour and design algorithms accordingly,” he says.
A recent ISF report addresses this challenge and looks at methods for moving employees beyond basic security awareness and towards behavioural change. “As well as improving general security behaviours, one recommended action in particular – making systems and processes as simple and user-friendly as possible – will improve context-based information security by reducing the number of false positives generated when people circumvent security procedures to more easily accomplish daily tasks,” says Clemente. “Context-based security is here to stay, and more intelligent networks are a natural response to growing complexity.”
Clemente believes information security professionals need to think about what systems their organisation needs and invest accordingly.
But when it comes to deploying context-based security technologies, (ISC)²’s Davis recommends enterprises first gain understanding of the business and security benefits of context-aware security. Next, they need to agree criteria for success, plan the integration of the technologies and identify a suitable pilot project to trial the technologies. The impact of adopting context-aware security on the current IT and security architectures should be considered. “It may require that one or both architectures need to be revised to gain the greatest benefit from adoption,” says Davis. “As the (ISC)² Common Body of Knowledge states, the architecture provides the means to ensure that the implementation of security controls is correct and verifiable.”
Barriers to success
Once the trial is underway, the performance and success of context-aware technologies can be measured and compared against the success criteria. But long-term success rests on whether or not a system is deployed with sufficient management buy-in from the required departments, says Robert Newby, an analyst and managing partner at KuppingerCole UK.
Success, he believes, also requires an understanding of the processes a new system will be required to integrate with, the overhead of deployment and management, and the long-term costs.
“Tools can be useful if part of a wider project, but this has to come as the result of a need, a set of requirements from across the business. Without this buy-in, a tool just gets left on the shelf,” says Newby.
Assuming all these requirements are met, he says the business still faces the challenge of measuring the effect of a security system. For this, the first requirement is good governance. “This is often underestimated or misunderstood, but it is the cornerstone of enterprise security,” says Newby.
“If you have a baseline you can reference consistently, risk management and metrics suddenly become repeatable and meaningful, and the executive buy-in you were lacking to start your project is ingrained in policy,” he says.
However, Newby cautions that metrics do not just measure the effectiveness of technical controls, but of processes and people-based controls, such as awareness and training. Again, he says, these should not be underestimated, as they are the mechanisms for reporting back to the executives who have sponsored your security projects.
Once again, it comes back to the human factor. “Security could be described as managing human behaviour, which may include context if the behaviour is expected,” says Newby.
But the hype around context-based security is focused on context rather than this behaviour, he says. “The marketing is technology-based, around the ability to create the required contexts, without knowing whether they are required or not.”
Newby believes suppliers are scrambling to create technology that solves a problem which may not yet exist: “The processes and people do not yet require the tools, and they will not require them until governance is in place to change behaviour.”
Some enterprises are good at applying governance, measuring risk, implementing change in line with operational requirements, measuring control effectiveness and feeding this back into governance, but most are not, he says: “Unfortunately for context-based security, it does not consider the business context of security, just the context of the users.”
Until this can be fully integrated into workflows and business process, via governance, he believes context-based security will remain a useful marketing point without a proper set of requirements. Despite all the technological advances since context-based security was first mooted, the vital element of business context is still missing.
This was first published in April 2014