It’s All About Context – Why Security Without Context Isn’t Secure

BrandPost By Jackson Shaw
Feb 19, 2015 | 4 mins
Data and Information Security

I was talking to a colleague last week and, as you do in most conversations, I asked him how his day was going. He told me it was exhausting as he had to purchase a new windshield wiper motor for his daughter’s car.  I asked, “Why was that so hard?”  You see, I didn’t have any context.

The truth is that his daughter goes to school about two hours away and was going to drive home in two days so ‘dear old Dad’ could replace the wiper motor.  So, on that Thursday morning, he called the local auto parts store.  It turns out that the motor for her car, a Mazda 3, is a “special order” that would take five days to ship.  Given that his daughter was coming home in two days, that would not work.

So, next, he called one of the local Mazda dealerships. After being forwarded from the switchboard to service (when he had asked for parts), he was disconnected. He gave up and called another dealership. He finally got through to that dealer and they told him that they could have the part on Friday, but he had to pay for it by 1 p.m. that day (it was 10:30 a.m.). They also mentioned that he needed the vehicle identification number (VIN) so they could make sure to order the right part.

So, he grabbed his smartphone and texted his daughter — who was working at her co-op two hours from home — to walk to her car, take a picture of the insurance card in her glove box and email or text it to him. As I am sure you know, the insurance card has the VIN on it. His daughter texted back that it was raining and, since the wipers didn’t work, she had to carpool with one of her co-workers. The car, along with the insurance card, was at her apartment, not with her at work.

Next, he texted his wife because he knew she had the name and number of the insurance agent, and surely they would have the VIN for the Mazda.  Turns out she was at a one-hour yoga class and could not be reached, and time was running out.  Then, it dawned on him that he had an insurance card in the glove box of his car.  He grabbed that, called the insurance agent, verified who he was, got the VIN for the Mazda, called the dealership, and placed and paid for the order.

After he explained all the CONTEXT of ordering the wiper motor, I understood.

Security is the same way.  Currently, most organizations believe that providing employees, partners and customers a user ID and password is sufficient for security purposes.  But it’s not.  To truly enhance security, you also need context.  What does context mean in this case?  Let me give you a few examples.

Almost every Monday, I drive to the office at 7 a.m. I swipe my keycard at about 7:05 a.m. I get to my office, turn on my computer and log in at about 7:10 a.m. If I were to do this next Monday, my company’s security infrastructure could combine my correct credentials with the context of my login (time, date, etc.) and assume that I am who I say I am.

However, let’s say my wife and I take a weekend away, and I stay over Monday because there’s a snowstorm.  I might try to log in around 9 a.m. from another city using a different network, say from a local coffee shop.  When I log in with that context, my security infrastructure might be a bit more cautious, even though I used the right credentials.  One option might be for the system to ask me for a second factor of authentication to further prove who I am.

Finally, let’s say at 2 a.m. next Sunday, my credentials are used to attempt a login from North Korea.  With a context-aware security infrastructure, the system can probably make an educated guess that my credentials have been compromised and should probably deny me access to everything, despite the fact that the credentials are correct.

You see, in the cases above, the correct credentials were always used, but the context in which they were used was vastly different. A context-aware or adaptive infrastructure can detect this and react accordingly using a combination of policies and real-time information.
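
The three logins above, run through a small context-scoring policy, as an added example that is not from the original article. The field names, weights, thresholds, network labels and the "US" home country are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:
    when: datetime   # attempt time, in the user's home time zone
    network: str     # label for the source network (assumed field)
    country: str     # country from IP geolocation (assumed field)

def build_baseline(history):
    """Summarise past successful logins into the user's normal context."""
    hours = [l.when.hour for l in history]
    return {
        "hours": (min(hours), max(hours)),
        "weekdays": {l.when.weekday() for l in history},
        "networks": {l.network for l in history},
        "countries": {l.country for l in history},
    }

def decide(baseline, attempt, slack_hours=2):
    """Return (action, reasons) for a login whose password was correct."""
    risk, reasons = 0, []
    lo, hi = baseline["hours"]  # note: no wrap-around handling at midnight
    checks = [
        (not lo - slack_hours <= attempt.when.hour <= hi + slack_hours, 1, "unusual hour"),
        (attempt.when.weekday() not in baseline["weekdays"], 1, "unusual weekday"),
        (attempt.network not in baseline["networks"], 2, "unknown network"),
        (attempt.country not in baseline["countries"], 4, "new country"),
    ]
    for triggered, weight, reason in checks:
        if triggered:
            risk += weight
            reasons.append(reason)
    # Constructed thresholds: low risk passes, medium asks for a second factor.
    action = "ALLOW" if risk < 2 else "STEP_UP" if risk < 5 else "DENY"
    return action, reasons

# Constructed history: four weeks of weekday logins at 07:10 from the office.
START = datetime(2015, 1, 26, 7, 10)  # a Monday
HISTORY = [Login(START + timedelta(days=d), "office-lan", "US")
           for d in range(26) if (START + timedelta(days=d)).weekday() < 5]
BASELINE = build_baseline(HISTORY)

def scenarios():
    usual = Login(datetime(2015, 2, 23, 7, 10), "office-lan", "US")          # Monday, office
    snowed_in = Login(datetime(2015, 2, 23, 9, 0), "coffee-shop-wifi", "US")  # Monday, away
    stolen = Login(datetime(2015, 3, 1, 2, 0), "unknown-isp", "KP")           # Sunday, 2 a.m.
    return [decide(BASELINE, a) for a in (usual, snowed_in, stolen)]
```

Calling `scenarios()` returns one decision per login, each with the list of context signals that raised its risk, which is what an analyst would want recorded alongside the allow, step-up or deny outcome.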

If your organization is relying solely on user IDs and passwords for your users to access critical — or even non-critical — apps and data, you should ask your security team or partner about moving towards context-aware security.