All access is not created equal

One of the most important challenges needing to be addressed as a result of the rapid evolution of mobility has been missed by many organizations.

Many organizations start with the premise that only valid users with proper credentials (e.g. a username and password) will get into their systems. We've put in the necessary firewalls to keep the intruders out, and we've even added some capabilities for remote access like VPNs (all prior to the big mobility wave). But what happens next is the real challenge that organizations need to solve. The user is logged in and gets full access after putting in their username and password. This is quite common when you're sitting at your desk inside the corporate network. It's also pretty common for VPN technologies. So why is this a problem?

One word: mobility. That desktop machine organizations used to rely on is now a laptop, and it likely travels around with the employee outside the company walls. The user probably has another device or two, which may or may not be owned by the company. They're getting access from their home PCs, internet cafés, and kiosks. In short, they've completely destroyed any perimeter that might have existed.

The problem is that, due to the way most security products and networks have been designed, organizations aren’t understanding the Context of Access!

So what do I mean by Context of Access?  Context of Access involves understanding not only the user but the device they are using, the status of that device, the location of access and more. It’s creating a three-dimensional picture of that user on that device at that moment in time.

Let's consider this example: say I'm a finance employee and I'm preparing the financial reports for a public company that will be released shortly. These are highly confidential reports that must remain private until they are officially released. I'm working on these reports on my company-issued corporate laptop in the office. The laptop is a corporately managed device, so it's locked down and secure. I sign in using my username and password as usual. I get access to all my information to work on my reports. Everything is good so far.

Now, what happens if I get up from my desk, take my secure corporate laptop and my same user credentials, and log in from an internet café outside the office? Should I still get the same access to the confidential information? If I'm allowed to sign in through a VPN, chances are I still get the same access I did when I was in the office. But now I'm not in a secure location. Someone could be looking at my information while I am working on it and know what the company financials are going to look like when they're released. What if I was on my iPad? What if I was on my home PC? How should I be treated? Should I get access or not?

This is where Context of Access becomes so critical. Understanding who is logging into the system is only part of the story today, and it takes more than a username and password. What is needed is a three-dimensional model of that user, at that moment in time, from that location, on that particular device. Then the right policy decisions can be made about access to each specific resource under those circumstances.

We’re all spending a huge amount of time and money trying to manage the latest device that’s being introduced into the organization.  In order to properly tackle this problem though, we have to take a step back and understand what it is we’re really trying to protect, how and why.  We’re trying to protect access to business applications and information.  At the same time, we have to “open up” our networks more than ever before and to all sorts of new devices from untrusted locations. Even end-user-owned devices are now part of that mix.

In order to securely open up and allow for new business innovation, organizations must understand the Context of Access and have technology that will support this.  Our future security technology must have the ability to evaluate Context, compare it to corporate policy and determine if access should be granted in full, in part or not at all.
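To make the model concrete, here is an added example (not code from the original post) of a small policy engine that maps a context tuple of user, device, device state, location and resource to a per-resource decision. The attribute names, the three location classes and the specific rule outcomes are assumptions chosen to match the finance-report scenario above.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    FULL = "full"        # normal access
    LIMITED = "limited"  # e.g. read-only view, no local copy
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Who, on what device, in what state, from where, asking for what (assumed fields)."""
    user: str
    authenticated: bool       # valid credentials presented
    device_managed: bool      # corporately owned and centrally managed
    device_compliant: bool    # patched, encrypted, endpoint agent healthy
    location: str             # "office", "home" or "public"
    resource_confidential: bool


def evaluate(ctx: AccessContext) -> Decision:
    """Ordered rules; the first match wins. Credentials are necessary, never sufficient."""
    if not ctx.authenticated:
        return Decision.DENY
    trusted_device = ctx.device_managed and ctx.device_compliant
    if not trusted_device:
        # Home PC, personal tablet, kiosk: never confidential data, read-only otherwise.
        return Decision.DENY if ctx.resource_confidential else Decision.LIMITED
    if ctx.location == "office":
        return Decision.FULL
    if ctx.location == "home":
        return Decision.LIMITED if ctx.resource_confidential else Decision.FULL
    # Public place (internet cafe) on the same laptop with the same password:
    # confidential material is withheld, everything else is read-only.
    return Decision.DENY if ctx.resource_confidential else Decision.LIMITED


def finance_scenarios() -> dict:
    """The post's walkthrough: same user, same credentials, different context."""
    base = dict(user="finance-user", authenticated=True, resource_confidential=True)
    managed = dict(device_managed=True, device_compliant=True)
    personal = dict(device_managed=False, device_compliant=False)
    return {
        "office_laptop": evaluate(AccessContext(**base, **managed, location="office")),
        "cafe_laptop": evaluate(AccessContext(**base, **managed, location="public")),
        "ipad": evaluate(AccessContext(**base, **personal, location="public")),
        "home_pc": evaluate(AccessContext(**base, **personal, location="home")),
    }
```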
