Dave Kearns, who will contribute as a track moderator and speaker to our European Identity Conference 2008, has introduced the term context-based authorization (and influenced my thoughts on this topic - thanks to Dave) as an approach for basing authorization on the context in which a user acts. It goes beyond risk-based authorization in two ways: it is not binary (i.e. either in or out), and it can potentially draw on much more information about the context. I'd like to add some thoughts of my own and explain the difference between today's risk-based authorization and tomorrow's context-based authorization.
Risk-based authorization is an approach which has developed mainly in the financial industry. The idea is to observe and analyze user interactions to detect potential attacks and other dangerous situations. If a risk is detected, the authorization to access a specific system, or specific data within a system, is denied. There are several vendors in this space, including Oracle with their Bharosa acquisition and Arcot Systems.
The idea of context-based authorization goes well beyond this, even though there is no hard borderline between the vendors of risk-based authorization and the context-based authorization idea; it's more of an evolutionary process. I personally expect that today's vendors in the risk-based authorization space (some of which already have some ability for context-based authorization) will expand their products towards context-based authorization. I assume we will see some new specialists in the space of context-based authorization as well. And for sure the key players in the IAM space will enter the market for context-based authorization, either with the make or the buy approach, i.e. building it themselves or acquiring someone.
There are several factors which can be included in a context-based authorization decision. There is obviously the location of the user. There is the observed user interaction. You can add the device as another factor. The strength of authentication might be included. The domain a user belongs to, e.g. employee, partner, ... can add to this. And there might be other factors as well, up to the roles of the user. It is obvious that some of these factors are dependent on each other, like the strength of authentication and the device, or the device and the location. By the way, there are some products, like the Imprivata SSO appliance, which at least at an entry level include some of these factors in their decisions.
The context of the user is not the only aspect which has to be considered when deciding on the authorization. The system and the information within the system are important as well. How sensitive are the information and the system? There might be information in a system which isn't very sensitive, whilst other information shall be accessed only by users in a very secure environment and with no hint of any ongoing attack. That means there has to be a classification of systems and information.
Given the many aspects which might influence the authorization decision, it's obvious that this decision will be - at least at the system level - not binary but much more differentiated. At the level of the single information object and the requested access type (read, write, ...) it is binary again, for sure.
A system for context-based authorization will work based on rules. From my perspective, the architecture should allow new factors to be included flexibly. It might be a good idea to define standards for such interfaces at an early stage, so that role information, information on observed behavior from a web tracking system, and data from many other sources such as physical access control systems can be obtained in an easy and consistent manner. There also has to be a standard for the classification of the information and systems for which the authorization shall be done.
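To make the preceding paragraphs concrete (the context factors, the classification of systems and information, the graded system-level decision that becomes binary per object and access type, and a rule engine into which new factors can be plugged), here is an added Python sketch. It is my own illustration for this post, not the code of any vendor or product mentioned above: the factor names, the three-level outcome, the sensitivity scale, the thresholds and the sample users and systems are all assumptions. A plain risk-based yes/no check is included beside the context engine so the difference in outcome is visible on the same input.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, List, Tuple

class Sensitivity(IntEnum):      # classification of systems and information (constructed scale)
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

class Level(IntEnum):            # system-level outcome: graded, not a plain yes/no
    DENY = 0
    READ_ONLY = 1
    FULL = 2

@dataclass(frozen=True)
class Context:
    user: str
    domain: str                  # "employee", "partner", ...
    roles: FrozenSet[str]
    location: str                # "office", "home", "unknown"
    device_managed: bool
    auth_strength: int           # assumed scale: 1 = password, 2 = OTP, 3 = certificate
    risk_score: float            # 0.0 .. 1.0 from observed behaviour (assumed input)

@dataclass(frozen=True)
class Resource:
    system: str
    sensitivity: Sensitivity
    owner_roles: FrozenSet[str]

Factor = Callable[[Context, Resource], Level]

def risk_based_decision(ctx: Context, threshold: float = 0.7) -> bool:
    """Risk-based authorization for comparison: one signal, binary outcome."""
    return ctx.risk_score < threshold

# Pluggable factors: each returns the most permissive level it tolerates.
def behaviour_factor(ctx: Context, res: Resource) -> Level:
    if ctx.risk_score >= 0.9:
        return Level.DENY
    if ctx.risk_score >= 0.5 and res.sensitivity >= Sensitivity.CONFIDENTIAL:
        return Level.READ_ONLY
    return Level.FULL

def location_device_factor(ctx: Context, res: Resource) -> Level:
    if res.sensitivity == Sensitivity.RESTRICTED:
        if ctx.location == "office" and ctx.device_managed:
            return Level.FULL
        return Level.READ_ONLY if ctx.device_managed else Level.DENY
    if res.sensitivity == Sensitivity.CONFIDENTIAL and not ctx.device_managed:
        return Level.READ_ONLY
    return Level.FULL

def auth_strength_factor(ctx: Context, res: Resource) -> Level:
    if res.sensitivity == Sensitivity.RESTRICTED:
        return Level.FULL if ctx.auth_strength >= 3 else Level.DENY
    if res.sensitivity == Sensitivity.CONFIDENTIAL:
        return Level.FULL if ctx.auth_strength >= 2 else Level.READ_ONLY
    return Level.FULL

def domain_factor(ctx: Context, res: Resource) -> Level:
    if ctx.domain == "employee":
        return Level.FULL
    if res.sensitivity == Sensitivity.RESTRICTED:        # external domains: nothing restricted
        return Level.DENY
    return Level.READ_ONLY if res.sensitivity == Sensitivity.CONFIDENTIAL else Level.FULL

def role_factor(ctx: Context, res: Resource) -> Level:
    if ctx.roles & res.owner_roles:
        return Level.FULL
    if "auditor" in ctx.roles or res.sensitivity <= Sensitivity.INTERNAL:
        return Level.READ_ONLY
    return Level.DENY

class ContextEngine:             # rule engine: the most restrictive registered factor wins
    def __init__(self) -> None:
        self._factors: Dict[str, Factor] = {
            "behaviour": behaviour_factor, "location_device": location_device_factor,
            "auth_strength": auth_strength_factor, "domain": domain_factor, "role": role_factor}

    def register(self, name: str, factor: Factor) -> None:
        self._factors[name] = factor            # new factor sources plug in here

    def system_level(self, ctx: Context, res: Resource) -> Tuple[Level, List[str]]:
        levels = {name: f(ctx, res) for name, f in self._factors.items()}
        decision = min(levels.values(), default=Level.DENY)   # no factors at all: deny
        reasons = sorted(n for n, lvl in levels.items() if lvl == decision)
        return decision, reasons                # the reasons belong in the audit log

    @staticmethod
    def is_permitted(level: Level, access: str) -> bool:
        # per information object and access type the decision is binary again
        return level >= {"read": Level.READ_ONLY, "write": Level.FULL}[access]

# Constructed sample data, not taken from the post.
LEDGER = Resource("ledger", Sensitivity.RESTRICTED, frozenset({"finance"}))
WIKI = Resource("wiki", Sensitivity.INTERNAL, frozenset({"staff"}))
ALICE_OFFICE = Context("alice", "employee", frozenset({"finance"}), "office", True, 3, 0.1)
ALICE_HOME = replace(ALICE_OFFICE, location="home")
PARTNER = Context("bob", "partner", frozenset({"finance"}), "unknown", False, 1, 0.2)
```

Calling `ContextEngine().system_level(ALICE_HOME, LEDGER)` returns `(Level.READ_ONLY, ["location_device"])`, although `risk_based_decision(ALICE_HOME)` alone would simply allow the access: the graded outcome and the list of deciding factors are exactly what the risk-only check cannot express, and the names are what a reviewer needs when a decision is questioned later. Adding a further source, say a physical access control feed, is a call to `register` with a function of the same shape; because the engine takes the minimum over all factors, a new source can only tighten a decision, never loosen one.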
Context-based authorization will be done mainly at the web access management level and the Enterprise SSO level, even though I can imagine the concept becoming integrated into other authorization systems as well. The idea of context-based authorization will influence the approaches for enterprise entitlements, i.e. a business-controlled approach to authorization management, which is also an important part of my idea of "Enterprise Information Management" (about which I still have to write in my blog...). I'm convinced that context-based authorization will be one of the major trends in IAM over the next years.