7 November 2019
The advent of mobile computing has done funny things to authorization. Computers used to stay in one place—but now every single user has a tiny computer in their pocket that they can use from anywhere. This leads to an interesting question for AuthZ: How should your environmental context influence your authorizations?
Authorizations need to be context-aware, because this can be the only way to reduce risk and gain better control of your assets. If a person is logging in from an unusual location, for example, they might just be on their mobile phone—or their phone might have been stolen. Either way, AuthZ needs to take variations in time, location and events into account in order to address compliance and security.
Static authorization is static because it is based on definitions that were created in the past and are not adapted to the here and now. How can authorizations be adjusted to consider what is happening right now: what the current time is, where the user is working from, and what is currently going on in the organization (some event, perhaps)?
Contextual authorization has to be dynamic. This means that whenever an access request is made, the current situation is considered by the authorization system. The decision whether a user can access or can perform an action is not predetermined, but rather “calculated” in real time.
How does context help enforce security during authorization? Let's take the user's location as an example. A particular user, say the accountant, usually works at the office but sometimes likes to look at work documents while he's at the coffee shop. We know that public WiFi isn't particularly secure, so if the contextual authorization system sees that the accountant is at Starbucks, it can take a few actions, such as cutting off access to high-security documents (SSNs) and giving read-only permissions to low-security documents (email).
Time of day is also important. While plenty of workers like to burn the midnight oil, others still work a regular nine-to-five schedule. If you see someone log into an application well outside of their working hours, can you be sure it's really them? What if it's an impostor that's stolen their credentials? With contextual AuthZ, you don't have to worry—you can set a rule that restricts users' access during certain times of day.
Lastly, we know that security incidents rarely come one at a time. DDoS attacks, for example, are often used as cover for a more in-depth attack. While a security team is busy getting their sites back online, it could be that no one notices that a hijacked account is busy emailing thousands of classified files to an unknown address. With contextual AuthZ, you can automatically lock down authorizations for all users during a security breach, thus mitigating additional risks.
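The three kinds of context above (location, time of day, an active incident) combine naturally into a single deny-by-default decision function. The following is an added illustration, not code from PlainID or the original post; the request fields, the nine-to-five window and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Tuple

# Assumed working-hours window used by the time-of-day rule.
WORK_START = time(9, 0)
WORK_END = time(17, 0)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str       # "high" (e.g. SSN records) or "low" (e.g. email)
    action: str            # "read" or "write"
    network: str           # "office" or "public" (coffee-shop WiFi)
    local_time: time       # user's local clock when the request is made
    incident_active: bool  # organization-wide lockdown flag


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Evaluate one request in real time; most restrictive rule wins."""
    # Event context: a live incident locks every user down, regardless of role.
    if req.incident_active:
        return "deny", "security incident lockdown in effect"
    # Time context: activity well outside working hours is treated as suspect.
    if not WORK_START <= req.local_time <= WORK_END:
        return "deny", "request outside working hours"
    # Location context: an untrusted network removes high-sensitivity
    # access entirely and reduces low-sensitivity access to read-only.
    if req.network == "public":
        if req.sensitivity == "high":
            return "deny", "high-sensitivity resource over public network"
        if req.action != "read":
            return "deny", "write attempted over public network"
        return "permit", "read-only access over public network"
    # Trusted network during working hours: static entitlements apply as usual.
    return "permit", "trusted network during working hours"


# Constructed sample attempts by one accountant, replayed in order.
SAMPLES: List[AccessRequest] = [
    AccessRequest("accountant", "payroll_ssn.csv", "high", "write", "office", time(10, 30), False),
    AccessRequest("accountant", "payroll_ssn.csv", "high", "read", "public", time(10, 30), False),
    AccessRequest("accountant", "inbox", "low", "write", "public", time(10, 30), False),
    AccessRequest("accountant", "inbox", "low", "read", "public", time(10, 30), False),
    AccessRequest("accountant", "inbox", "low", "read", "office", time(23, 45), False),
    AccessRequest("accountant", "inbox", "low", "read", "office", time(10, 30), True),
]


def run_samples() -> List[str]:
    """Return the decision for each sample request."""
    return [decide(r)[0] for r in SAMPLES]
```

Note that the same user and the same resource yield different decisions depending only on the network, the clock and the incident flag; nothing about the static entitlement changed.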
When privileged accounts get hijacked, no one has a good day. Compliance breaches, data loss, and outraged customers are par for the course. With contextual authorizations, however, enterprises can seriously clamp down on these outcomes.
By restricting user activities when they're away from their desks, during times when they're not likely to be working and countless other scenarios, attackers can be effectively hamstrung. Instead of having the full abilities of a privileged account, attackers will be left with read-only files of little importance, or nothing at all.
© All Rights Reserved 2021 PlainID