1.2 Adaptive Security

In an enterprise, how can the right security policies be enforced dynamically, in the context of the user's interaction?

1.2.1 Problem

Defending against threats based on a binary assessment of a user’s trustworthiness and a device’s trustworthiness is restrictive and inadequate in increasingly dynamic business and IT environments.

To enable a more accurate assessment of whether a given action should be allowed or denied, real-time information about the user's reputation and the device's reputation is needed at the point when the security decision is made.

1.2.2 Solution

Calculate a reputation score for both the user and the device, based on their interaction with the network, dynamically at the PIP (Policy Information Point). The PEP (Policy Enforcement Point) can then augment the enterprise's existing policies with these reputation scores, so that policy decisions are more accurate and contextual, reflecting the dynamic interactions.

1.2.3 Application

Instead of binary, static yes/no decisions that can be anticipated and defined in advance, decisions take on a multitude of shades of gray and are made dynamically at the time the request is made.

For example, user X wants to access a site using a certain type of browser, from inside an enterprise network. The corporate security policy might allow user X to access that particular site, but the browser the user is accessing it with may have a vulnerability that surfaced only a few hours ago. This problem can be exacerbated by the type of device and the user's past track record. When was the last access? What time of day is it? Does the requested transaction fall within the historical pattern of what is normal?
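A toy PIP/PEP implementation of the decision just described, added here as an example and not part of the original pattern text: the signal weights, the 90-day dormancy and 7-day vulnerability windows, the resource "sensitivity" bar and the "step_up" outcome are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical PIP: turn the signals named above into reputation scores in [0, 1].
@dataclass
class UserContext:
    now: datetime
    last_access: datetime
    failed_logins_24h: int
    usual_hours: tuple          # (start_hour, end_hour) of the user's normal activity
    amount: float               # requested transaction value
    typical_amount: float       # historical median for this user

@dataclass
class DeviceContext:
    now: datetime
    managed: bool               # enrolled in corporate device management
    browser_vuln_published: Optional[datetime]  # disclosure time of a known browser bug, if any

def user_reputation(u: UserContext) -> float:
    score = 1.0
    score -= min(0.3, 0.1 * u.failed_logins_24h)
    if not (u.usual_hours[0] <= u.now.hour < u.usual_hours[1]):
        score -= 0.2                      # outside the user's normal time of day
    if u.now - u.last_access > timedelta(days=90):
        score -= 0.2                      # dormant account suddenly active
    if u.typical_amount > 0 and u.amount > 3 * u.typical_amount:
        score -= 0.3                      # transaction outside historical pattern
    return round(max(0.0, score), 2)

def device_reputation(d: DeviceContext) -> float:
    score = 1.0 if d.managed else 0.6
    if d.browser_vuln_published and d.now - d.browser_vuln_published < timedelta(days=7):
        score -= 0.4                      # browser has a freshly disclosed vulnerability
    return round(max(0.0, score), 2)

def pep_decide(static_allow: bool, user_score: float, device_score: float,
               sensitivity: float) -> str:
    """Augment the static yes/no with the scores; sensitivity is the resource's bar in [0, 1]."""
    if not static_allow:
        return "deny"                     # the static policy remains the outer boundary
    combined = min(user_score, device_score)
    if combined >= sensitivity:
        return "allow"
    if combined >= sensitivity - 0.3:
        return "step_up"                  # e.g. require re-authentication before proceeding
    return "deny"
```

With the static policy allowing the site, the same request lands on "allow" from a clean managed device, "step_up" once the browser's fresh vulnerability lowers the device score, and "deny" on an unmanaged device with that browser.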

1.2.4 Examples / Use-cases

The Adaptive Security pattern helps make security an enabler, not an inhibitor, of interactive digital experiences. It ensures security by dynamically adjusting authorizations based on the reputation scores of the user and the device.

A context-aware retail app that offers an interactive service as a personal assistant, engaging in a dialogue with the shopper and asking for the purpose of their visit.