We’ve had a great response from customers and the media (see eWeek, NetworkWorld, SiliconAngle) to last week’s release of Resilient Access 3.0. At the core of this new release is functionality that we are calling contextual access control. We believe that to securely share data and connect organizations we need to go beyond today’s narrow definition of “identity” to a broader understanding, one that is focused on context.
Organizations today are in a tricky spot. They fully acknowledge that the world has become digital, and that to be competitive they must connect and collaborate with outside parties. On the other hand, sharing resources with partners and customers is inherently risky. Many still feel that the security concerns outweigh the benefits. Others use Identity and Access Management (IAM) systems that were built for internal sharing, and use identity, provisioned by a single entity as the root of trust.
Going beyond identity to focus on context however, allows us to reimagine IAM for the connected world. Contextual access control offers a way for organizations to gather enough context to form a more complete picture of these external parties. Fundamentally, the more you know about the context of an access request the more likely you are to make the correct access decision. Contextual access is about connecting to data sources so that we can answer sophisticated questions before granting access.
These questions fall into the following categories:
Subject – What are the details about the person requesting access? (Role, group memberships, department, company, certifications, biometrics etc.)
Action – What is the person attempting to do? (Read, write, edit, download etc.)
Resource – What resource will be impacted by the action? (Apps, docs, APIs, services etc.)
Environment – What is the environment of the request? (Time, location, device type etc.)
Broadening the definition of what we mean by identity allows us to ask and answer questions like “Is this a doctor?” or “Is this a trusted device?”
Interestingly we are seeing a number of industry experts who are also talking about context in the same breath as identity. For example, in a recent article Forrester’s VP and Principal Analyst, Andras Cser, (@acser) defined identity as follows:
“By identity, we mean a specific set of attributes that, when paired with the right context, and policy evaluation engine, allows the user to connect and access only the company data and apps that they are supposed to have access to.”
Context is indeed everything.