Context information can make authorization management more flexible and more secure. Knowing when and where users are, and what they are up to, helps in determining which access rules to apply. There is an increasing need for organizations, especially organizations in the banking sector, to be more flexible while maintaining the same level of security. The newfound flexibility can be used, for instance, to enable new forms of working in which employees of a bank need to be able to perform high-risk transactions from different locations (home, office, at a customer location etc.), at different times of the day and using different devices.
The promise of context-enhanced authorization is that by making the context information explicit in authorization rules, the flexibility increases without reducing security. The widespread introduction of mobile devices makes more and more context information available, and promising technical authorization standards, driven by factors such as cloud computing, are just about ready to make context-enhanced authorization possible.
Rabobank, IBM, and Novay are participating in a SII innovation project in order to identify the opportunities and challenges of context-enhanced authorization. The goal of the project is to assess the feasibility of using context information to enhance authorization policy, with a focus on employees in the banking sector.
The usefulness of context-enhanced authorization for employees in the banking industry is studied by identifying a number of use cases in which context information promises to truly enhance flexibility or security. These use cases are developed in close cooperation with relevant stakeholders in the banking industry.
The project also builds a demonstrator to validate whether context-enhanced authorization is technically feasible given today’s state-of-the-art technologies. The current generation of Identity & Access Management (IAM) suites enables individual applications to externalize their authorization decision logic. An upcoming standard making this possible is XACML. This technology promises to be an important component of the solution, though technical challenges may need to be tackled first before these systems can process real-time context information. The demonstrator will most likely be built on top of an existing IAM product.
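To make the externalized, context-enhanced decision concrete, here is an added illustration (not code from the project or from any IAM product): a minimal XACML-style policy decision point in which an application hands over subject, action and context attributes and receives Permit or Deny. The attribute names, the EUR threshold, the business-hours window and the rules themselves are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: a tiny policy decision point (PDP). The application
# (the policy enforcement point) does not decide itself; it sends a request
# with subject, action, resource and context attributes and enforces the answer.
# All attribute names and rule values below are assumptions for illustration.

@dataclass
class Request:
    role: str             # subject attribute, e.g. "teller"
    action: str           # e.g. "approve_transfer"
    amount: float         # resource attribute: transaction value in EUR
    location: str         # context: "office", "home", "customer_site"
    device_managed: bool  # context: device is enrolled in the bank's MDM
    strong_auth: bool     # context: multi-factor authentication done this session
    hour: int             # context: local hour of the request, 0-23

def rule_role(req: Request) -> str:
    """Only tellers may approve transfers; otherwise the rule does not apply."""
    if req.role == "teller" and req.action == "approve_transfer":
        return "Permit"
    return "NotApplicable"

def rule_high_risk(req: Request) -> str:
    """High-value transfers need a strong context: managed device, strong
    authentication and business hours. Location alone is not the deciding factor,
    which is what lets staff work from home or a customer site."""
    if req.amount <= 10_000:
        return "NotApplicable"
    ok = req.device_managed and req.strong_auth and 7 <= req.hour < 19
    return "NotApplicable" if ok else "Deny"

def rule_untrusted_location(req: Request) -> str:
    """Outside the office, an unmanaged device is denied for any transfer."""
    if req.location != "office" and not req.device_managed:
        return "Deny"
    return "NotApplicable"

RULES = [rule_role, rule_high_risk, rule_untrusted_location]

def decide(req: Request) -> str:
    """Deny-overrides combining: any Deny wins, then Permit, else deny by default."""
    results = [rule(req) for rule in RULES]
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"
```

The point of the structure is that adding a new context attribute (say, session risk score) means editing one rule in the PDP, not every application that approves transfers.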