Context-Aware Identity Management: The Who, What, Where, When and How

In the age of Bring Your Own Device (BYOD), users increasingly want the flexibility to access both their business-critical applications and personal applications anywhere, anytime and on multiple devices.  This increased mobility — combined with the fact that many applications are emerging that cross multiple industry sectors or domains — requires authentication and authorization processes beyond single sign-on capabilities.  Furthermore, the continued growth of sophisticated connected devices is creating an abundance of contextual information available to networks.

The ability to effectively collect, manage and analyze this information is driving the development of new solutions in the area of Context-Aware Identity Management that can effectively discover and apply context-based information to meet future market requirements and create new business opportunities.

Contextual information can be acquired from a number of sources. It includes environmental data, location, proximity, presence and sensory data. In addition, it can also include user preferences, profiles, behavior or other characteristics. The fact that much of this information is real-time and dynamic offers an opportunity to develop a more powerful approach to managing authentication and authorization in the future.

Context-aware access allows organizations to define and enforce a more granular set of attributes that enables them to determine more accurately the identity of the person trying to access their network or service.  In other words, context-aware access looks beyond a username and password alone to help determine whether that user is actually who they claim to be or someone pretending to be them.

By leveraging additional information, context-aware security can determine who the user is; what the user is requesting; where the user is located; when the user is requesting information and how the user is connected. The goal is to prevent unauthorized end users or insecure devices from being able to access the network or applications.  For example, a user may be able to access sensitive data from inside the company office, but may be denied access if using the public WiFi at the local Starbucks.
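The following is an added example, not code from the ATIS report or this article, showing how the who/what/where/when/how dimensions described above can be combined into a single access decision. The policy data (corporate address ranges, the role-to-resource map, business hours) and the hypothetical user, resource and request values are all constructed for illustration; a real deployment would pull them from its identity store, network inventory and resource catalogue. It also reproduces the office-versus-public-WiFi case from the text and adds two further outcomes (a step-up authentication requirement for an unmanaged device and for an after-hours request) to show that a context decision need not be a plain allow/deny.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # grant only after stronger authentication (e.g. MFA)


@dataclass(frozen=True)
class AccessRequest:
    user: str                # WHO is asking
    roles: frozenset         # WHO: group/role membership from the identity store
    resource: str            # WHAT is being requested
    sensitivity: str         # WHAT: "public", "internal" or "sensitive"
    source_ip: str           # WHERE the request comes from
    network_kind: str        # HOW: "corporate", "vpn", "public_wifi" or "unknown"
    device_managed: bool     # HOW: device is enrolled and compliant
    requested_at: datetime   # WHEN


# Constructed sample policy data (hypothetical values, not from the article).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RESOURCE_ROLES = {
    "hr_records": frozenset({"hr", "admin"}),
    "wiki": frozenset({"employee", "hr", "admin"}),
}
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def on_corporate_network(req: AccessRequest) -> bool:
    """WHERE/HOW check: trusted if the source address is in a corporate range
    or the session arrived over the corporate VPN."""
    addr = ip_address(req.source_ip)
    return any(addr in net for net in CORPORATE_NETS) or req.network_kind == "vpn"


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Combine the five context dimensions into one decision. Rules are ordered
    so that a hard DENY wins over STEP_UP, which wins over ALLOW."""
    reasons: list[str] = []

    # WHO + WHAT: the identity must hold a role permitted for the resource.
    allowed = RESOURCE_ROLES.get(req.resource, frozenset())
    if not (req.roles & allowed):
        return Decision.DENY, [f"{req.user} holds no role permitted for {req.resource}"]

    # WHERE + WHAT: sensitive data is never served from an untrusted network
    # (the "inside the office yes, public WiFi no" case from the text).
    if req.sensitivity == "sensitive" and not on_corporate_network(req):
        return Decision.DENY, [f"sensitive resource requested from {req.network_kind} ({req.source_ip})"]

    # HOW: an unmanaged device may reach non-public data only after step-up auth.
    if req.sensitivity != "public" and not req.device_managed:
        reasons.append("unmanaged device")

    # WHEN: sensitive access outside business hours also requires step-up auth.
    start, end = BUSINESS_HOURS
    if req.sensitivity == "sensitive" and not (start <= req.requested_at.time() <= end):
        reasons.append(f"request at {req.requested_at:%H:%M} is outside business hours")

    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, ["all context checks passed"]


def demo() -> dict[str, Decision]:
    """Constructed requests: the same user and resource in different contexts,
    plus one user whose role does not cover the resource."""
    base = dict(roles=frozenset({"hr"}), resource="hr_records", sensitivity="sensitive")
    ten_am = datetime(2024, 3, 4, 10, 0)
    cases = {
        "office": AccessRequest(user="alice", **base, source_ip="10.1.2.3",
                                network_kind="corporate", device_managed=True, requested_at=ten_am),
        "cafe": AccessRequest(user="alice", **base, source_ip="203.0.113.5",
                              network_kind="public_wifi", device_managed=True, requested_at=ten_am),
        "byod": AccessRequest(user="alice", **base, source_ip="10.1.2.3",
                              network_kind="corporate", device_managed=False, requested_at=ten_am),
        "late_vpn": AccessRequest(user="alice", **base, source_ip="198.51.100.7",
                                  network_kind="vpn", device_managed=True,
                                  requested_at=datetime(2024, 3, 4, 23, 30)),
        "wrong_role": AccessRequest(user="bob", roles=frozenset({"employee"}), resource="hr_records",
                                    sensitivity="sensitive", source_ip="10.0.0.9",
                                    network_kind="corporate", device_managed=True, requested_at=ten_am),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} -> {decision.value}")
```

The ordering of the rules is the design point: a failed WHO/WHAT check or an untrusted WHERE short-circuits to a deny, while weaker HOW and WHEN signals accumulate into a step-up requirement rather than blocking the user outright. Returning the reasons alongside the decision gives the authorization log the context it needs for later review.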

Examples of contextual sources of information across users, devices and objects are shown below.  In some cases, these contextual attributes may exist across multiple categories, and the user or device may assert one or more identities depending on the application or intended use.

Examples of Contextual Sources of Information

Categories: Users, Devices, Objects
  • Personal Information
  • Characteristics
  • Profiles
  • Preferences
  • Groups
  • Roles
  • Location
  • Proximity
  • Presence
  • Environmental
  • Sensory
  • Categorization
  • Access Type
  • Relationships
  • Associations
  • Movement

As the sources of network-accessible contextual data increase, it is expected that identity management architectures will take advantage of this contextual information, with appropriate privacy and user consent controls, to enhance risk assessment techniques and create more robust security mechanisms for access to resources and services.

Context-Aware IdM Framework

In 2017, ATIS launched its initiative on Context-Aware Identity Management (CAIdM) to help service providers leverage the vast wealth of context-aware information to make identifying users and devices (and granting them access to authorized services) easier, more dynamic and more secure.

As part of this initiative ATIS has developed a report, Context-Aware Identity Management Framework, which provides a detailed assessment of CAIdM approaches that can provide additional robustness to existing authentication and authorization infrastructures used by network operators, enterprises and third-party/OTT entities.  In addition, the report details a number of use cases, describes the framework and functional elements and introduces the concept of a Context Manager that will promote adoption and interworking in the future.

The purpose of the proposed framework is to promote a consistent and interoperable approach across industry for a context-aware IdM architecture.  Additionally, this framework can help guide future development of solutions that adopt the basic principles of the ATIS context-aware IdM architecture to produce a common set of transactions that occur between the context-aware environment and the identity management infrastructure.