



Big picture security

Oct 20, 2017
Access Control, Data and Information Security, Identity Management Solutions

Context and risk aware access control promises to make our industry more likeable.


Two of the leading advances being developed in identity-centric security are sometimes called “context aware” and “risk driven” access control.

Context aware access control involves using the attributes of who, what device, from where (location & network) and what data to make real-time decisions about whether or not to authenticate users and permit access to business critical or sensitive data.

Risk driven access control goes further to strengthen identity and access management by applying risk concepts and behavior-based trending methods to continuously assess activity during connected sessions and re-authenticate users if necessary.

For example, imagine if a company’s top engineer who is developing code for a highly confidential skunk works project decides to spend the day working from a coffee shop in order to power through some serious deliverables. Is this a good idea? From an employee satisfaction and productivity standpoint, maybe so. From a security standpoint, not so much.

To understand why, let’s unpack this scenario both from a context and risk perspective.

The user (a recognized employee) and device (company-issued laptop with full disk encryption) meet the criteria for access to the corporate network. The location, meanwhile (a coffee shop), is not ideal for accessing sensitive corporate data. The local network being used by the device is likely unsecured, leaving the device open to eavesdropping and attack.

The network security risk would be less of a concern if the user were accessing the company network via a secure VPN. In this scenario, the data component is composed of a secure application and information stored in the company’s confidential source code repositories. It’s a bad idea to be accessing and exposing both the source code repository application and the confidential source code trees on a local coffee shop network, even if it’s over a secure VPN and on a fully secured corporate device.

This analysis illustrates the many elements that must be considered for users connecting to a corporate network from non-secure locations. While this methodical decision tree will prevent the company’s network and intellectual property from being exposed to security threats, it also torpedoes the engineer’s goal of working in a more productive environment for the day.

Given this scenario, are there any alternative measures that could be employed to enable this engineer to safely work in a coffee shop?

To answer this question, we need to look at access control through more than just a purely contextual lens, and also consider risk factors. Risk driven access control treats authentication as a continuous stream of events that are under constant evaluation from the beginning to the end of a session.

Supplementing the context aware access control model with a risk component requires including behavioral attributes of the user. For example, it might include how quickly and (in)efficiently a user types on the keyboard. Matching the user’s current behavioral attributes against the stored, established pattern generates a dynamic risk score.

Any deviation from the established pattern would generate a higher risk score and require the user to provide additional authentication data (e.g., enter PIN via text on smartphone) to maintain access to the sensitive application and/or data. If the deviation exceeds pre-established thresholds, access can be completely revoked, requiring the user to reconnect and completely re-authenticate. This is sometimes called behavior-based authentication. Biometric authentication, if available on a device, can also be included as an attribute in the risk score to inform the application on how much access to allow the user.
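The evaluation loop described above, as an added example that is not code from the original article: a small policy engine that first applies the who / device / where / what-data gate and then combines a location weight with keystroke-cadence drift into a dynamic risk score, returning allow, step-up or revoke on each evaluation tick. The location weights, thresholds and cadence samples are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"        # keep the session, keep evaluating
    STEP_UP = "step-up"    # demand an extra factor (e.g. PIN texted to the phone)
    REVOKE = "revoke"      # drop the session; full re-authentication required

@dataclass
class Context:
    known_user: bool
    managed_device: bool      # company-issued laptop
    disk_encrypted: bool
    location: str             # "office" | "home" | "coffee_shop"
    network: str              # "corporate" | "vpn" | "public"
    data_class: str           # "internal" | "confidential"

# Constructed weights and thresholds; a real risk engine tunes these per deployment.
LOCATION_RISK = {"office": 0.0, "home": 0.1, "coffee_shop": 0.25}
STEP_UP_AT, REVOKE_AT = 0.3, 0.7

def context_gate(ctx):
    """Static who / what device / where / what data check made at session start."""
    if not (ctx.known_user and ctx.managed_device and ctx.disk_encrypted):
        return False
    # Confidential data never traverses a public hotspot without the VPN.
    return not (ctx.data_class == "confidential" and ctx.network == "public")

def behaviour_risk(baseline_ms, observed_ms):
    """How far live keystroke cadence drifts from the enrolled baseline, 0..1."""
    base = sum(baseline_ms) / len(baseline_ms)
    live = sum(observed_ms) / len(observed_ms)
    return min(1.0, abs(live - base) / base)

def evaluate(ctx, baseline_ms, observed_ms):
    """One tick of continuous evaluation: hard context gate, then dynamic risk score."""
    if not context_gate(ctx):
        return Decision.REVOKE, 1.0
    score = LOCATION_RISK[ctx.location] + behaviour_risk(baseline_ms, observed_ms)
    score = round(min(1.0, score), 3)
    if score >= REVOKE_AT:
        return Decision.REVOKE, score
    if score >= STEP_UP_AT:
        return Decision.STEP_UP, score
    return Decision.ALLOW, score

if __name__ == "__main__":
    # Constructed scenario: the engineer on the coffee-shop VPN, cadence vs. baseline.
    engineer = Context(True, True, True, "coffee_shop", "vpn", "confidential")
    baseline = [180, 200, 190, 210, 220]           # ms between keystrokes, enrolled
    print(evaluate(engineer, baseline, [185, 205, 195, 200, 215]))  # matches: allow
    print(evaluate(engineer, baseline, [600, 650, 580, 700, 620]))  # large drift: revoke
```

With the same cadence but no VPN, the context gate alone revokes the session regardless of how well the behaviour matches.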

The greatest benefit of this model to the end user is that all of this occurs in real time, with behavioral models being evaluated by a risk engine to constantly determine the user’s authentication score based on a combination of attributes. It enables a seamless and continuous form of connection and authentication to corporate networks, applications and sensitive customer data. Once they have satisfied requisite authentication requirements, users will no longer be required to perform additional attestations or navigate around additional obstacles to gain and maintain access.

In this way, context plus risk-driven access control enhances the user experience by allowing employees to focus on their core job functions and not be derailed by having to jump through security speed bumps over and over again.


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.