Context-based authentication and authorization is one of the topics which have the potential to become the next hype. I've posted twice on this subject, here and here, and we had, led by Dave Kearns, a lot of discussions around this at our EIC 2008. I'm convinced that the topic will become even more important at next year's EIC.
Besides the obvious players in that future market segment, the risk-based authentication vendors (Arcot, Entrust, Oracle, RSA and some others), there are other categories of vendors which even today offer at least some context-based authentication and authorization. One of them is Citrix. Given the number of installations of the Citrix Access Gateway, they might even be sort of the leader in that market.
You might argue: an SSL gateway is not a solution for context-based authentication and authorization. Yes - and no. No, because an SSL gateway without additional components is just an SSL gateway. Yes, if you combine a Citrix Access Gateway with other things. At a Citrix analyst briefing yesterday, a Swiss bank talked about their approach for controlling access of remote workers. They use the Citrix Access Gateway together with many other Citrix technologies and with a NAP (Network Access Protection) tool from EPA factory.
This tool provides information about the state of the clients (endpoint posture). There is also some information about the device which is used, and there might be some derived location information. That information about the context in which a user is acting is consumed by the Citrix Access Gateway. Policies control whether - and with which authentication requirements - authentication is done, and what the user is authorized to do.
The result is nothing else than context-based authentication and authorization.
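To make the policy logic described above concrete, here is a small added example (my own illustration, not code from the post, from Citrix or from the bank mentioned). It assumes a constructed context record with posture fields a NAP-style agent might report (managed device, antivirus current, patched), a derived location, and the authentication strength already achieved; the rule names, application names and the first-match, default-deny evaluation are my assumptions, not any vendor's policy language.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Optional, Set

# Authentication strengths the gateway can require; ordered so they compare.
class AuthLevel(IntEnum):
    PASSWORD = 1
    PASSWORD_OTP = 2

@dataclass
class Context:
    # Endpoint posture, as a NAP-style agent would report it (constructed fields)
    managed_device: bool
    av_current: bool
    patched: bool
    # Derived location: "office" (corporate network), "home" or "unknown"
    location: str
    # Strength of authentication already performed, None before login
    auth_level: Optional[AuthLevel] = None

@dataclass
class Decision:
    allowed: bool
    required_auth: Optional[AuthLevel]   # None when nothing would help (hard deny)
    apps: Set[str]                       # applications the user may reach
    reason: str

@dataclass
class Rule:
    name: str
    matches: Callable[[Context], bool]
    required_auth: AuthLevel
    apps: Set[str]

# Hypothetical policy: healthy managed devices on the office network get the
# full application set with a password; the same devices from elsewhere need
# a one-time password as well; unmanaged devices only ever reach mail.
RULES: List[Rule] = [
    Rule("trusted-office",
         lambda c: c.managed_device and c.av_current and c.patched and c.location == "office",
         AuthLevel.PASSWORD, {"mail", "intranet", "trading"}),
    Rule("managed-remote",
         lambda c: c.managed_device and c.av_current and c.patched,
         AuthLevel.PASSWORD_OTP, {"mail", "intranet", "trading"}),
    Rule("unmanaged-known-location",
         lambda c: not c.managed_device and c.location != "unknown",
         AuthLevel.PASSWORD_OTP, {"mail"}),
]

def evaluate(ctx: Context, rules: List[Rule] = RULES) -> Decision:
    """First matching rule wins; no match means deny (default deny)."""
    for rule in rules:
        if not rule.matches(ctx):
            continue
        if ctx.auth_level is None or ctx.auth_level < rule.required_auth:
            # Context is acceptable, but authentication must be stepped up first.
            return Decision(False, rule.required_auth, set(),
                            f"{rule.name}: step-up to {rule.required_auth.name} required")
        return Decision(True, rule.required_auth, set(rule.apps), rule.name)
    return Decision(False, None, set(), "no rule matched (default deny)")

if __name__ == "__main__":
    # Constructed sample sessions
    sessions = {
        "office laptop":      Context(True, True, True, "office", AuthLevel.PASSWORD),
        "laptop from home":   Context(True, True, True, "home", AuthLevel.PASSWORD),
        "home PC with OTP":   Context(False, True, False, "home", AuthLevel.PASSWORD_OTP),
        "stale AV in office": Context(True, False, True, "office", AuthLevel.PASSWORD_OTP),
    }
    for name, ctx in sessions.items():
        d = evaluate(ctx)
        print(f"{name:20} allowed={d.allowed!s:5} apps={sorted(d.apps)} ({d.reason})")
```

The point the evaluator makes is the one the bank's setup makes: the same credentials lead to different authentication requirements and a different set of reachable applications depending on posture and location, and an endpoint that fails the posture check is denied regardless of how strongly the user authenticated.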
For sure there are shortcomings. You need tools from at least two vendors, even more for additional authentication technologies. It requires a Citrix environment (which is nothing bad - but not everyone has one). The location detection is probably not the best you could imagine. Some other factors which are relevant for context-based decisions, like fraud analysis information, aren't included. Data from physical access control systems isn't used. Authorization could be much more granular: currently it is decided whether someone is allowed to access an application or not, while a deeper integration with the applications would be possible.
It is not yet the perfect solution for context-based authentication and authorization. But it is a step in the right direction, combining Citrix' access strategy with additional tools. The solution proves, by the way, that many vendors might deliver solutions for context-based authentication and authorization for corporate users with limited effort, providing a higher level of security and reducing IT risks for the customers.
I'm convinced that there will be several types of technical solutions for context-based authentication and authorization, targeting the online business, remote workers, and other requirements. There are several places to integrate with - Web Access Management tools, SSO tools, and Access Gateways. I expect more solutions to show up in the context-based authentication/authorization market within the next 12 to 18 months, even while some of them won't be labelled as "context-based" but as "risk-based", "physical/logical convergence" or "location-aware". But over time there will be a market segment for these context-based solutions where all the vendors will position themselves, with more flexible solutions and a tight integration of the required components.