Every business wants to protect itself against cyber threats. But there's such a thing as too much protection. If your authentication and authorization processes are excessively rigorous, you'll create unnecessary burdens for your IT operations team — not to mention your users.
That's why smart organizations should be embracing concepts such as context-aware security, which helps ensure that security protections don't get in the way of IT operations. Keep reading for a primer on what context-aware security means, how it benefits ITOps, and how to get started using it.
What Is Context-Aware Security?
Context-aware security is the use of contextual information to help manage and control security processes. Contextual information could include data such as where a user is geographically based when making a login request or the time of day when the request occurs, for instance.
The purpose of context-aware security is to reduce the volume of unnecessary or burdensome disruptions that users, as well as the IT teams that support them, have to contend with. We'll say more about the benefits of context-aware security below.
But first, to drive home what context-aware security means, let's look at an example. Imagine you have an application that is configured to require multifactor authentication (MFA) by default. Without context-aware security, the application would always require every user to log in using MFA, every time. But with context-aware security, the application could be configured such that a user who connects from the same IP address and during the same time of day when she has logged in routinely in the past isn't asked for a second authentication factor, because the authentication software assumes based on the context that the login request is coming from a legitimate user.
In this case, the user's experience would be a little more convenient because the login process would be simpler. And the security risk of not using MFA in this case is minimal. If an attacker who had stolen the user's password were trying to log in, there is a low chance that the login request would be coming from the same IP address and at the same time of day as normal, legitimate requests.
IT organizations can also use context-aware security to add extra protections beyond the defaults. For example, you could configure an application not to require MFA under normal circumstances, but to do so if a login request originates from a computer with an IP address based in a region where none of your company's employees are based. In that case, the unusual context of the login request would trigger additional security protections.
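The two policies described above (skipping MFA for a routine login, and stepping up to MFA for a login from an unusual region) can be expressed as one decision function. This is an added example, not code from the article or from any product; the function names, thresholds, region table and sample history are assumptions constructed for illustration, as is the rule that only MFA-verified past logins count as routine.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation IP ranges); a real deployment would
# use a GeoIP source and the identity provider's sign-in log instead.
REGION_NETS = {"US": ip_network("198.51.100.0/24"), "DE": ip_network("203.0.113.0/24")}
EMPLOYEE_REGIONS = {"US"}  # regions where employees are based (assumption)

@dataclass
class Login:
    user: str
    ip: str
    when: datetime
    mfa_verified: bool = True  # only MFA-verified logins count as trusted history

def region_of(ip):
    addr = ip_address(ip)
    return next((r for r, net in REGION_NETS.items() if addr in net), None)

def hour_gap(a, b):
    d = abs(a - b) % 24
    return min(d, 24 - d)  # circular distance, so 23:00 and 01:00 are 2h apart

def require_mfa(attempt, history, mfa_default=True, sensitive=False,
                min_seen=3, hour_window=2):
    """Return (bool, reason) for one login attempt whose password already checked out."""
    if sensitive:
        return True, "sensitive application: context never relaxes MFA"
    if region_of(attempt.ip) not in EMPLOYEE_REGIONS:
        return True, "step-up: source region has no employees or is unknown"
    if not mfa_default:
        return False, "default policy: MFA not required"
    routine = [h for h in history
               if h.user == attempt.user and h.ip == attempt.ip and h.mfa_verified
               and hour_gap(h.when.hour, attempt.when.hour) <= hour_window]
    if len(routine) >= min_seen:
        return False, "relaxed: same IP and time of day as past verified logins"
    return True, "default policy: MFA required"

# Constructed history: three verified morning logins from the same address.
HISTORY = [Login("alice", "198.51.100.10", datetime(2024, 5, d, 9, 5)) for d in (6, 7, 8)]
```

An address that maps to no known region is treated like an unusual region, so a failed lookup falls back to requiring MFA instead of skipping it.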
The Benefits of Context-Aware Security for ITOps Teams
The benefit of context-aware security for end users is probably obvious enough: It allows them to bypass security controls that add little value under specific circumstances. In turn, they can be more productive. Practices like MFA can potentially lower productivity and increase user frustration, so finding ways to mitigate their negative impact is beneficial for users.
But IT teams, too, benefit from context-aware security because it reduces the amount of support requests they have to manage. When users can't log in because, for example, their MFA is set up incorrectly or they get locked out following repeated failed login attempts, the task of rectifying the issue typically falls to the ITOps team. By using context-aware security to eliminate unnecessary friction from security processes, IT organizations can reduce the number of support tickets they need to handle.
On top of this, context-aware security can help reduce the number of successful breaches. As noted above, context-aware security can be used to deploy additional protections that go above and beyond the basics in contexts where especially suspicious behavior occurs. Those protections translate to lower levels of risk and, most likely, fewer successful attacks — and all of this is achieved without requiring the IT department to work any harder or respond any faster to threats. Once context-aware security protections are implemented, they work automatically.
The Limitations of Context-Aware Security
To be sure, context-aware security isn't the right fit for every context. Applications or systems that manage particularly sensitive information might always need to have the strongest possible protections, regardless of contextual information. Nor should ITOps teams place blind faith in context-aware security; even the best-designed security protections may be circumvented under certain circumstances.
Still, context-aware security is a smart strategy for making security stronger, while also making the lives of end users and ITOps engineers better. It's a win-win, and organizations should be looking for opportunities to put it into practice.
About the author
Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.