In a world where rapid IT expansion must adapt to the requirements of cloud computing amid the risks of increasingly sophisticated cybercrime, enterprises of all sizes are rethinking their IT security. Gartner has predicted that one of the newest preferred methods of implementing IT security will be through the use of a context-aware methodology. These new security technologies will allow enterprises to cope with emerging threats as they evolve their business requirements for greater openness. Neil MacDonald of Gartner described context-aware security as the use of supplemental information to improve security decisions at the time they are made, resulting in more accurate security decisions capable of supporting dynamic business and IT environments.
Vendors of cutting edge endpoint, network, application and data protection platforms are starting to incorporate context into their security information and event management platforms. Gartner recommends that chief information security officers begin migrating to context-aware and adaptive security infrastructure as they replace legacy and static security infrastructure.
Another vital recommended change is the removal of hard-coded, static security policies from applications and systems, and their transformation to externalized security policy enforcement points capable of consuming real-time context information.
Joseph Feiman, Vice President of Gartner, emphasizes the importance of being adaptive as it relates to IT infrastructure. Additional context during security decision making is now beginning to appear in next-generation endpoint, application, network, data protection platforms security information and event management.
The concept of context aware security is not new. As early as 2002, Michael Covington presented the IEEE paper A Context-aware Security Architecture for Emerging Applications. He describes an approach to creating security services for context-aware environments very much foreshadowing today’s emergent product architectures. In his design approach discussions, he focuses on security services incorporating the security-relevant context, making policy enforcement and access control flexible within a system-level service architecture. Inherent components in this concept of context-aware security services are enhanced authentication services, flexible access control and an adaptable security subsystem responding to current conditions in the environment.
A DARPA supported CMU project on context sensitive security resulted in the paper, Interleaving Semantic Web Reasoning and Service Discovery to Enforce Context-Sensitive Security and Privacy Policies by Jinghai Rao and Norman Sadeh.
Increased Web use by both individuals and organizations now demands a more robust security policy with flexible means of enforcement. Enterprises must meet an emerging need to selectively grant access to sensitive information based on dynamic relationships, or restrict information sharing under certain conditions. These new, vital access requirements require context-sensitive security and privacy policies; policies that are inherently variable and cannot be defined in a static model. They are challenging to implement for the following reasons:
- Sources of information available to enforce these policies may vary from one entity to another. For example, it’s likely that different users will have a variety of sources of location tracking available depending on cell phone operators.
- Existing sources of information for the same principal can change with time.
- Available information sources may not be known in advance. As a result, enforcing context-sensitive policies in open domains requires the ability to dynamically incorporate policy reasoning with dynamic identification and access to relevant sources of contextual information.