
The Future of Information Security Is Context Aware and Adaptive


Gartner RAS Core Research Note G00200385, Neil MacDonald, 14 May 2010, RA3416 01022011

Most of today's security infrastructure is static, enforcing policies defined in advance in environments where IT infrastructure and business relationships are relatively static. This is no longer sufficient in an environment that is highly dynamic, multisourced and virtualized, and where consumer-oriented IT is increasingly used in lieu of enterprise-owned and provisioned systems.
Key Findings
• Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made, resulting in more-accurate security decisions capable of supporting more-dynamic business and IT environments.
• Context information that will be relevant to security decisions is not limited to environmental context and will include context information from multiple sources. Application awareness, identity awareness and content awareness are all examples of the broader shift to context-aware and adaptive security infrastructures.
• In static IT infrastructures, ownership became a proxy for trust. This model no longer works. Every element of our enterprise computing stack needs to be treated with a degree of uncertainty and skepticism. Binary trust will be replaced with a paradigm of trustability.
• Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years.

Recommendations
• Context awareness helps make security an enabler, not an inhibitor, of dynamic business requirements. Begin the transformation to context-aware and adaptive security infrastructure now, as you replace legacy static security infrastructure such as firewalls, Web security gateways and endpoint protection platforms.
• Use the framework provided in this research as a way to evaluate security offerings for their capability to incorporate richer context information at the time of a security decision.
• Question security vendors on their specific road maps for application, identity and content awareness, as well as the ability to incorporate other types of context information into their policy enforcement decisions.
• Remove hard-coded and static security policies from applications and other systems, and move them to externalized security policy enforcement points capable of consuming real-time context information.

STRATEGIC PLANNING ASSUMPTION

By 2015, 90% of enterprise security solutions deployed will be context aware.

ANALYSIS

1.0 Context Awareness and Information Security

Context is the circumstances within which something exists or happens, and that can help explain or understand it (see Acronym Key and Glossary Terms). Context-based computing uses supplemental context information to improve the computing experience at the point of consumption. Applying this to information security, context-based security is the use of supplemental information to improve security decisions at the time the decisions are made.
Rapidly changing business and threat environments, as well as
user demands, are stressing static security policy enforcement
models. Information security infrastructure must become
adaptive by incorporating additional context at the point when
a security decision is made, and we are already seeing signs of
this transformation. Network security solutions are evolving to
incorporate application awareness and identity awareness
into their offerings. Information protection solutions are evolving
to deliver content awareness. Application, identity and content
awareness are all part of the same underlying shift to incorporate
more context at the point when a security policy enforcement
decision is made. To enable faster and more-accurate assessments
of whether a given action should be allowed or denied, we must
incorporate more real-time context information at the point when a
security decision is made.

2.0 Why Context, Why Now?

Consider a layered IT stack model of the network, device, operating system (OS), application, identity, content and process, as shown in Figure 1.

Figure 1. Example of a Layered IT Stack
[Figure: seven layers stacked from top to bottom: Process, Content/Information, Identity, Application, Operating System, Device, Network.]
Source: Gartner (May 2010)

All these layers encompass physical or logical entities (objects): packets, machines, applications, services, users, groups, transactions and so on. Information security can be thought of as the enforcement of a series of policies (in other words, a set of security policy enforcement points) to enable action between different entities in an IT stack, with the goal of protecting the confidentiality, integrity, availability, authenticity and accountability of the information and workloads being handled among them (see Figure 2).
As shown in Figure 2, security decisions occur when an entity at any layer on the left side wants to take an action on an entity on the right side. For example:
• Can this IP address talk with this other IP address? This type of policy is traditionally enforced by network firewalling.
• Can this user load and run this unknown application? This type of policy is traditionally enforced by antivirus and application whitelisting software.
• Can this user access this content? This type of policy is traditionally enforced by access control and digital rights management mechanisms.
• Can this input be accepted by this application? This type of policy is traditionally enforced by application-level firewalls (such as a Web application or a database firewall).

2010 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution
of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be
reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartners research may discuss legal
issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used
as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions
expressed herein are subject to change without notice.

When IT and business infrastructures are fairly static and well-defined, these security decisions are simpler, and there are fewer of them. In most cases, for the past 30 years, our organizations owned and controlled most of the entities shown in Figure 1 and Figure 2.

In static IT infrastructures, ownership became a proxy for trust. Because we owned and controlled most of the pieces, information security policy enforcement points were typically placed only at the demarcation point (perimeter) between something we owned and something we didn't own (and, therefore, didn't trust). For example, we placed network firewalls where our network connected to the outside world, placed e-mail security gateways where we received outside e-mail and placed antivirus software where our systems accepted unknown executable code from the outside world.

This model of trusting "us" (we own it, we control it) and not trusting "them" (they own it, they control it), and placing security policy enforcement points only where we had a handoff between "us" and "them," has worked reasonably well, but is coming under extreme pressure. It fails in a world where we increasingly don't own all the pieces of our business and IT infrastructures.

Multiple converging trends in business and IT are tearing down the silos of traditional IT infrastructure, and tearing down the traditional, well-defined boundaries of our businesses. Collectively, these six trends are driving the need for adaptive, context-based security:

1. Mobilization. Our increasingly mobile workforce requires us to support anywhere, anytime access to our systems from a variety of locations, using devices that vary in their trustability, including home machines.
2. Externalization and collaboration. This is the business imperative to open our IT systems to the outside world for the purposes of collaboration. By 2015, in most enterprises, more external users will access internal systems than employees.
3. Virtualization. The decoupling and abstraction of the entire IT stack and the movement to next-generation virtualized data centers mean that workloads and information will no longer be tied to specific devices and fixed IP addresses, breaking static security policies based on physical attributes.
4. Cloud computing. The shift to cloud-based computing resources means that we no longer own or control the infrastructure or applications that hold and process our workloads and information.
5. Consumerization. The increasing use of technology designed for consumers (devices and applications) in the enterprise requires that we now allow a wide variety of devices, not all of which are owned by the enterprise, to connect to our systems (e.g., smartphones and USB memory sticks), and serve users who demand access to a wider variety of consumer applications (e.g., Facebook).
6. Industrialization of hackers. The shift from mass to targeted attacks requires a shift in protection strategies in which we have less trust of internal users and systems, whether because of a compromised insider or because of a targeted attack launched from one of our own internal systems that has been compromised.

Figure 2. Example Information Security Decisions Among Entities
[Figure: three columns reading "Can this entity ... take this action ... on this entity?" The left and right columns each list the seven layers of Figure 1 (Process, Content/Information, Identity, Application, Operating System, Device, Network); the middle column gives example actions: open, read, write, communicate with, execute, e-mail, copy, print, paste, attach to, insert inside of, mount, migrate, start, stop, archive, recover.]
Source: Gartner (May 2010)

3.0 Real-Time Context Leads to Measures of Trustability

The six trends identified here will collectively force a shift to context-based, adaptive security infrastructure. Instead of binary and static yes/no, us/them decisions that we can anticipate and define in advance, security decisions in emerging computing and business environments are not as clearly defined and are not known in advance. Traditional approaches of whitelisting (allow known good, block everything else) and blacklisting (block known bad, allow everything else) assume we have excellent, high-assurance information as to what is trusted and what is not. This is no longer the case. Every element of our computing stack will need to be treated with a degree of uncertainty and skepticism. Security decisions that were largely black and white, and where policies were set statically in advance, become decisions with a multitude of shades of gray, made dynamically at the time the request is made.

Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability: adaptive and context-aware security policy enforcement mechanisms that help us answer the real question:

Do I have enough trust in the entities involved to take the requested action, at my current level of risk tolerance and given the current context, to allow the action to take place?

For example: "This user wants to execute this financial transaction; should this be allowed or not?" Adaptive and context-aware security infrastructure would look at the context of the request before allowing or denying it. Is the device trustable? Is the network connection trustable? Where is the device currently located? When was the last access? How strong was the authentication credential used? What time of day is it? Does the transaction requested fall within the historical pattern of what is normal for this user? To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made. This is the heart of adaptive and context-aware security.

4.0 Types of Context That Are Relevant to Security Decisions

Today, context-aware computing is most commonly associated with the use of environmental context information (such as location and time of day) to improve computing experiences. In a simple security example, a sensitive application could be restricted for use from only within an enterprise's physical location and only during working hours. In Figure 3, we have extended Figure 2 to include environmental context information.

However, in Gartner's definition of context-based computing, there is no restriction that environmental information be the only type of information that can be used to improve the computing experience. "An Information Model for Context-Enriched Services" maps out a four-layer model for different types of context information that provides a more detailed framework for this information.

There are many types of contextual information that can be used at the point of the security decision to improve it. In addition to the community and environmental context from Gartner's context information model, any of the layers shown in Figure 3 can provide additional context for improved security decisions. Table 1 contains some examples.

All these layers (environmental, community, process, content, identity, application, OS, device and network) can provide useful context to real-time security decisions being made at the layers below them. For example, identity-level and application-level information can provide additional context to a network-level firewalling decision. Content-level information can provide additional context to a decision as to whether a document should be allowed to be e-mailed. Indeed, there are multiple real-world examples of the shift to the incorporation of context information in security decisions.

5.0 Examples of Context-Aware, Adaptive Security Infrastructure Today

We are seeing a shift to context-aware, adaptive security infrastructure across all areas of information security today. Network-level firewalls have been among the first to be transformed. Being lower in the stack, they are the most affected by the six trends identified in this research. As workers become more mobile, as businesses open up to collaborate, as computing shifts to the Web and cloud-based computing models, and as workloads are virtualized, traditional security policies based on static device and network-level attributes (such as port number or IP address) are increasingly ineffective. In "Defining the Next-Generation Firewall," we highlight the importance of application awareness (incorporating context information from the next context layer up, as shown in Table 1) as a key requirement of a next-generation firewall. In "Introducing the Identity-Aware Network," we highlight the importance of incorporating identity information into next-generation network adaptive security infrastructures (such as the TrustSec initiative from Cisco).

There are many other examples of the shift to adaptive security infrastructure throughout information security:
• Identity and access management: Authentication is incorporating more real-time context at the point of the authentication decision, such as requiring stronger authentication when the context of the transaction indicates unusual behavior. Interestingly, in another example of the consumerization of enterprise IT, many of these techniques were pioneered many years ago to support consumer payment transactions (for example, store-based credit card payments or Web-based payments), where financial services institutions and other payment acceptors have little or no control over end-user devices, OSs or networks and were forced to incorporate more context into adaptive security policy decisions to reduce fraud. Likewise, authorization decisions are also becoming more contextual with the shift to externalized authorization and entitlement management solutions, which are better able to consume context information when policies are not statically predefined and hard-coded into applications. Organizations have also struggled with the limitations of traditional role-based access control mechanisms, which are too static for adaptive computing environments. The move to externalize authorization enforcement and the shift to attribute-based access control, authorization-based access control (ZBAC) and claims-based access architectures highlight this shift to incorporate context information in access management decisions.

Figure 3. Adding Environmental Context to Security Decisions
[Figure: the same "Can this entity ... take this action ... on this entity?" layout and example actions as Figure 2, extended with a fourth element, "in this context?" Environmental context examples given: location, time of day.]
Source: Gartner (May 2010)
• Data protection: To adequately protect sensitive information throughout its life cycle and across the entire enterprise IT ecosystem, most security policy enforcement points are becoming content aware. Content-aware data loss prevention (DLP) tools enable the dynamic application of policy based on the classification of content determined at the time of an operation; for example, giving e-mail security gateways the ability to identify when sensitive content is being sent via e-mail and to apply the appropriate security policy (for example, allow, block, log or encrypt) based on the context, such as the information being sent and the identity and role of the person it is being sent to.
• Network access control (NAC): Whether used on guest networks, for virtual private network (VPN) access or for all network access, NAC solutions use real-time contextual information before allowing workstations to connect to the enterprise network; for example, a health assessment of the device to see whether it is patched, doesn't appear to be compromised and has a current version of antivirus installed and running, or a check of whether the device is known, with unknown devices placed onto a guest network.
• Intrusion prevention systems (IPSs): Rather than apply all IPS rules to all traffic flows, next-generation IPSs are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources as well as reducing the chance of false positives.
• Endpoint protection platforms (EPPs): Faced with the increasing ineffectiveness of signature-based approaches, EPP vendors are supplementing traditional whitelisting and blacklisting models with community-based reputation services that provide real-time reputation look-up information when determining whether a given piece of executable code is trustable enough.

Table 1. Examples of Context Information That Might Be Relevant to a Security Decision

Context layer | Example categories at this layer | Examples of contextual information at this layer
Environmental | Local environment; macroenvironment | Location; prior location; proximity; time of day, month, year; time elapsed since last action; temperature; ambient lighting
Community | Friends; family; social networks | Relationships; patterns of uptake; presence; links; tagging
Process | Customer facing; revenue producing | Importance of the process; impact on revenue if down; SLA requirements; current users of the process
Content | Files; databases; executable content; e-mail; input | Sensitivity of content; trust of the content; reputation of executable code; reputation of the e-mail; known vulnerabilities; input from the collective
Identity | Organization; user; group | Reputation of the user; strength of authentication; current role; team membership; clearance level; transaction amount limit; credit rating
Application | Application; service; transaction; APIs; uniform resource identifier (URI)/URL | Reputation of the application; reputation of the URL; sensitivity of the transaction; amount of the transaction; historical patterns of behavior; patch level; known vulnerabilities; SLA requirements
Operating System | Processes; threads; system calls; device drivers; virtualization platform | Historical patterns of behavior; health of the OS; patch level; known vulnerabilities; root of trust measurements
Device | Device type; virtual machine or physical; IP address | Reputation of the IP address; device reputation; health of the device; managed/unmanaged; enterprise owned?; storage encrypted?; strength of encryption?; accelerometer data
Network | Packets; connection types; port/protocol | Traffic encrypted?; strength of encryption?; historical patterns of behavior; known vulnerabilities

Source: Gartner (May 2010)

• Secure Web gateways (SWGs): As with EPPs, simple Web proxy filtering and blocking based solely on URL information is increasingly insufficient. SWGs are evolving well beyond static URL filtering to incorporate context information such as the reputation of the URL, the location and reputation of the source IP address and other information at the point of the security policy enforcement decision. These products are also becoming content aware to help monitor for data loss on outbound connections.

While a few information security vendors have adopted the term "adaptive security infrastructure," most are using the terms "application awareness," "identity awareness" and "content awareness" as adaptive and context-aware security capabilities are added. Instead of being separate requirements, we believe these are all examples of an underlying architectural shift to context-aware and adaptive security infrastructure. Each independently describes the need to incorporate higher levels of context into security decisions to improve those decisions.
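The decision that Section 3.0 poses ("this user wants to execute this financial transaction; should this be allowed?") and the adaptive authentication described under identity and access management above can be made concrete as a small policy decision point. The following is an added example, not Gartner's or any vendor's code: it scores the trustability of a request from its context (device, authentication strength, network, location and elapsed time since the last access, time of day, and the amount measured against the user's own history), compares that score with the trust the transaction demands, and answers allow, step up or deny. The signal weights, the thresholds, the 900 km/h impossible-travel limit and the four scenarios are assumptions made for this example.

```python
"""Context-aware, adaptive authorization (added example, not Gartner's code).

A trustability score is computed from the request's context and compared with
the trust the transaction requires. Weights, thresholds, the 900 km/h travel
limit and all sample data are assumptions made for this example.
"""
import math
from dataclasses import dataclass, replace
from statistics import mean, pstdev

PASSWORD, OTP, HARDWARE_TOKEN = 1, 2, 3          # assumed authentication-strength scale
AUTH_CREDIT = {PASSWORD: 0.05, OTP: 0.15, HARDWARE_TOKEN: 0.25}


@dataclass(frozen=True)
class Request:
    amount: float
    device_managed: bool        # enterprise-owned and managed?
    device_healthy: bool        # patched, AV current, no sign of compromise?
    auth_strength: int          # PASSWORD / OTP / HARDWARE_TOKEN
    network_trusted: bool       # corporate network or VPN?
    location: tuple             # (latitude, longitude) in degrees
    prior_location: tuple       # where the previous access came from, or None
    seconds_since_prior: float  # time elapsed since that access
    local_hour: int             # hour of day at the user's location
    history: tuple              # this user's previous transaction amounts


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(req, max_kmh=900.0):
    """True if reaching this location from the prior one in the elapsed time
    would need more than airliner speed (assumed 900 km/h)."""
    if req.prior_location is None:
        return False
    km = haversine_km(req.prior_location, req.location)
    if req.seconds_since_prior <= 0:
        return km > 0
    return km / (req.seconds_since_prior / 3600.0) > max_kmh


def amount_zscore(amount, history):
    """Distance of this amount from the user's own pattern, in standard
    deviations; None when the history is too short to define 'normal'."""
    if len(history) < 5:
        return None
    mu, sigma = mean(history), pstdev(history)
    return (amount - mu) / sigma if sigma else (0.0 if amount == mu else math.inf)


def trust_score(req):
    """Trustability of the request in [0, 1], built from context signals."""
    score = 0.25 if req.device_managed else 0.0
    score += 0.15 if req.device_healthy else -0.25
    score += AUTH_CREDIT.get(req.auth_strength, 0.0)
    score += 0.10 if req.network_trusted else 0.0
    score -= 0.60 if impossible_travel(req) else 0.0
    score -= 0.0 if 7 <= req.local_hour <= 20 else 0.10          # outside business hours
    z = amount_zscore(req.amount, req.history)
    score -= 0.10 if z is None else 0.30 if z > 3 else 0.15 if z > 2 else 0.0
    return max(0.0, min(1.0, score))


def required_trust(amount):
    """Trust the transaction demands: the higher the value, the higher the bar."""
    return 0.30 if amount < 1_000 else 0.50 if amount < 10_000 else 0.70


def decide(req):
    """'allow', 'step_up' (ask for a stronger credential, then re-evaluate) or 'deny'."""
    needed = required_trust(req.amount)
    if trust_score(req) >= needed:
        return "allow"
    # Only ask for step-up when a stronger credential would actually clear the bar.
    if req.auth_strength < HARDWARE_TOKEN:
        if trust_score(replace(req, auth_strength=HARDWARE_TOKEN)) >= needed:
            return "step_up"
    return "deny"


# Constructed scenarios for one user (all values made up for the example).
NEW_YORK, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
SMALL_HISTORY = (400, 450, 520, 480, 510, 470)
LARGE_HISTORY = (4800, 5200, 4500, 5100, 4900, 5000)
ROUTINE = Request(500, True, True, OTP, True, NEW_YORK, NEW_YORK, 3600, 10, SMALL_HISTORY)
NEEDS_STEP_UP = Request(5000, True, True, PASSWORD, False, NEW_YORK, NEW_YORK, 3600, 10, LARGE_HISTORY)
HOME_PC_LARGE = Request(25000, False, True, PASSWORD, False, NEW_YORK, NEW_YORK, 3600, 14, SMALL_HISTORY)
TELEPORTED = Request(500, True, True, HARDWARE_TOKEN, True, NEW_YORK, LONDON, 1800, 10, SMALL_HISTORY)


def demo():
    """Decision for each scenario, keyed by name."""
    return {n: decide(r) for n, r in [("routine", ROUTINE), ("needs_step_up", NEEDS_STEP_UP),
                                      ("home_pc_large", HOME_PC_LARGE), ("teleported", TELEPORTED)]}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

The step-up branch is the point: "deny" is not the only alternative to "allow". The engine asks for a stronger credential only when that would actually clear the bar, which is what the text means by shades of gray; a 5,000 transaction from a managed device on a password goes to step-up, while the same user "arriving" in New York 30 minutes after a London access is denied even with a hardware token. In a deployment the weights would be tuned from fraud and incident data, and every decision should be logged together with the context it was based on so the model can be audited.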
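The data protection bullet above describes a policy chosen at send time from the classification of the content and the identity of the recipient. As an added example (not any DLP product's code), the following gateway check classifies a message as public, confidential or restricted, ranks its recipients as internal, partner or external, and looks the action up in a policy table. Card-number matches are validated with the Luhn checksum so that order numbers and similar digit runs do not trip the policy. The domains, detection patterns, policy table and sample messages are all constructed for this example.

```python
"""Content-aware e-mail policy (added example, not any DLP product's code).

An e-mail gateway classifies the message content at the moment it is sent,
then chooses allow, log, encrypt or block from that classification and the
identity of the recipients. The detection patterns, domain lists, policy
table and sample messages are all constructed for this example.
"""
import re

ENTERPRISE_DOMAIN = "example.com"           # assumed: our own mail domain
PARTNER_DOMAINS = {"partner.example.net"}   # assumed: partners we can send encrypted mail to

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")             # 13-16 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                  # U.S. SSN layout
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b")  # classification markers


def luhn_ok(digits):
    """Luhn checksum; keeps order numbers and phone numbers out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Content level plus what was found: 'restricted' (regulated identifiers),
    'confidential' (marked text) or 'public'."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    findings = {"cards": len(cards), "ssns": len(SSN_RE.findall(text)),
                "markers": len(MARKER_RE.findall(text))}
    if findings["cards"] or findings["ssns"]:
        return "restricted", findings
    if findings["markers"]:
        return "confidential", findings
    return "public", findings


RECIPIENT_RANK = {"internal": 0, "partner": 1, "external": 2}


def recipient_class(address):
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == ENTERPRISE_DOMAIN:
        return "internal"
    return "partner" if domain in PARTNER_DOMAINS else "external"


# Assumed policy: (content level, least-trusted recipient class) -> action.
POLICY = {
    ("public", "internal"): "allow", ("public", "partner"): "allow", ("public", "external"): "allow",
    ("confidential", "internal"): "allow+log", ("confidential", "partner"): "encrypt",
    ("confidential", "external"): "block",
    ("restricted", "internal"): "allow+log", ("restricted", "partner"): "encrypt+log",
    ("restricted", "external"): "block",
}


def decide(recipients, subject, body):
    """Return (action, level, findings) for one outbound message."""
    level, findings = classify(subject + "\n" + body)
    worst = max((recipient_class(r) for r in recipients), key=RECIPIENT_RANK.__getitem__)
    return POLICY[(level, worst)], level, findings


# Constructed sample messages: (recipients, subject, body).
SAMPLES = {
    "memo_to_colleague": (["bob@example.com"], "Q3 plan", "INTERNAL ONLY draft of the Q3 plan."),
    "memo_to_partner": (["eve@partner.example.net"], "Q3 plan", "INTERNAL ONLY draft of the Q3 plan."),
    "card_to_webmail": (["me@mail.example.org"], "Receipt", "Paid with card 4111 1111 1111 1111."),
    "order_id_to_webmail": (["me@mail.example.org"], "Order", "Order 1234 5678 9012 3456 has shipped."),
    "card_to_partner": (["eve@partner.example.net"], "Refund", "Refund to 4111 1111 1111 1111 please."),
    "mixed_recipients": (["bob@example.com", "x@mail.example.org"], "Plan", "CONFIDENTIAL figures attached."),
}


def demo():
    """Action chosen for each sample message."""
    return {name: decide(*msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} -> {action}")
```

Pattern matching is the cheapest form of content awareness; products add document fingerprinting and exact-match of registered files for the confidential tier, because a marker string is easy to forget or strip. Note that the decision is driven by the least-trusted recipient, so a single CC to an outside address changes the outcome for the whole message, and that the same sixteen digits are blocked or allowed depending only on whether the checksum says they are a card number.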
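The IPS bullet above says a next-generation sensor can use knowledge of the OS and application versions on the hosts it protects to decide which rules to evaluate. This added example, which is not Sourcefire's RNA code, models that with a constructed inventory and three hypothetical rules: a rule is active for a flow only if the destination host runs the targeted product in a version below the fix, so an IIS exploit aimed at an Apache host is not evaluated at all, and the same traversal payload fires against an unpatched host but not against a patched one. Rule IDs, product names, version numbers and payload patterns are invented, and the "fixed in" comparison is a simplification of how real advisories describe affected versions.

```python
"""Vulnerability-aware IPS rule selection (added example, not Sourcefire's code).

Instead of running every rule against every flow, the sensor keeps only the
rules that match software actually present, in an affected version, on the
destination host. The inventory, rule IDs, products, version numbers and
payload patterns are invented for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    name: str
    dst_port: int
    product: str      # software the exploit targets
    fixed_in: str     # first version that is not affected; "" = every version
    pattern: bytes    # payload content that indicates the attack


@dataclass(frozen=True)
class Asset:
    ip: str
    software: dict    # product -> installed version, from passive discovery or inventory


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def exposed(asset, rule):
    """Does the asset run an affected version of the product this rule covers?"""
    installed = asset.software.get(rule.product)
    if installed is None:
        return False
    return not rule.fixed_in or version_tuple(installed) < version_tuple(rule.fixed_in)


def active_rules(rules, asset, dst_port):
    """Rules worth evaluating for traffic to this asset on this port."""
    return [r for r in rules if r.dst_port == dst_port and exposed(asset, r)]


def inspect(rules, asset, dst_port, payload, context_aware=True):
    """SIDs that fire on one flow. context_aware=False evaluates every rule on
    the port, which is the static behaviour the text contrasts with."""
    candidates = (active_rules(rules, asset, dst_port) if context_aware
                  else [r for r in rules if r.dst_port == dst_port])
    return [r.sid for r in candidates if r.pattern in payload]


# Constructed rule set and inventory.
RULES = (
    Rule(1000001, "httpd 2.2.x path traversal (hypothetical)", 80, "apache-httpd", "2.2.20", b"/../../etc/passwd"),
    Rule(1000002, "IIS WebDAV overflow (hypothetical)", 80, "iis", "", b"PROPFIND /\x90\x90\x90"),
    Rule(1000003, "MySQL auth bypass (hypothetical)", 3306, "mysql", "5.5.24", b"\x00\x00\x00\x01"),
)
WEB_OLD = Asset("10.0.0.10", {"apache-httpd": "2.2.14"})   # unpatched
WEB_NEW = Asset("10.0.0.11", {"apache-httpd": "2.4.3"})    # past the fix
DB = Asset("10.0.0.20", {"mysql": "5.5.30"})               # past the fix

TRAVERSAL = b"GET /cgi/../../etc/passwd HTTP/1.1"
IIS_PROBE = b"PROPFIND /\x90\x90\x90\x90"


def demo():
    """What each host exposes and what fires, context-aware versus static."""
    return {
        "web_old_rules_on_80": [r.sid for r in active_rules(RULES, WEB_OLD, 80)],
        "web_new_rules_on_80": [r.sid for r in active_rules(RULES, WEB_NEW, 80)],
        "db_rules_on_3306": [r.sid for r in active_rules(RULES, DB, 3306)],
        "traversal_vs_web_old": inspect(RULES, WEB_OLD, 80, TRAVERSAL),
        "traversal_vs_web_new": inspect(RULES, WEB_NEW, 80, TRAVERSAL),
        "iis_probe_vs_apache_static": inspect(RULES, WEB_OLD, 80, IIS_PROBE, context_aware=False),
        "iis_probe_vs_apache_aware": inspect(RULES, WEB_OLD, 80, IIS_PROBE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

The caveat a practitioner would add: a rule that has been pruned cannot fire, so a stale or incomplete inventory turns the efficiency gain into missed detections, and an attacker who can influence what the discovery sees gets to choose which rules apply. Suppress only on context you trust and keep fresh, and consider downgrading pruned rules to low-priority logging rather than dropping them, so the attempt against the patched host is still visible to the analyst.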

6.0 Looking Ahead: Context Lays the Foundation for the Shift to Adaptive Risk-Based Security

Context is a foundational element for adaptive security infrastructure, but alone it is not sufficient. In a world where the entire IT stack has been decoupled, and our systems and information have been dispersed around the world on systems we don't own and don't control, attempting to predetermine all possible usage scenarios and enforce them using static, predefined security policies will simply not scale, nor provide the flexibility demanded by businesses. In dynamic business and IT environments, we cannot anticipate every need to access systems and content.

Static security infrastructure is becoming an inhibitor to dynamic business needs. Context-aware security mechanisms provide a layer of abstraction and automation of security policies that can adapt to the context of the request at the time the security decision is made. Users will have access to things they would otherwise have been restricted from under static policies, where the need for them to access the information wasn't presupposed.

Even after becoming context aware, we cannot place a security policy enforcement point at every demarcation point between something we own and control and something we don't. Information security budgets cannot continue to grow at a faster rate than overall IT budgets. The realities of budget and resource constraints will force us to start using differential and intelligent security protection where the risk/reward ratio is optimized. We cannot protect everything equally, nor is everything we need to protect of equal value.
As information security evolves to become adaptive and context aware, our approach to risk management must change as well. Rather than deploying all security controls possible, we must shift to intelligent and adaptive placement of controls based on the context of the action being requested: the importance of the process being protected, the content being handled, the trustability of the entities involved and our tolerance for risk. This is often referred to as the shift to trust-based or risk-based security, and context awareness will be a key enabler.

Finally, although there are examples of application, identity and content awareness being used to context-enrich security infrastructure, process awareness is the next frontier. Here, knowledge of the context of the business process supported by the requested action will be a factor in context-aware, risk-based decision making; for example, how important the process is to the revenue generation capabilities of the business, or the number of people that would be affected if the process became unavailable. Process awareness and context will require tighter integration with operational infrastructures, which have the same need to support SLAs for these processes and the same fundamental requirement to provide resilient systems and information as information security does.

Acronym Key and Glossary Terms

Context: the circumstances within which something exists or happens, and that can help explain or understand it
Context action: an action triggered in response to a change in context
Context analysis: rules that are applied by a context broker in response to the arrival of context data, and that either deduce new context data or trigger context actions
Context aware: an adjective used to describe applications or services that use context
Context broker: a software component that collects and stores context data, deduces context, and triggers context actions
Context data: raw or processed information that contributes to determining the context of a person or object
Context-enriched service: a service that exploits or is enriched by context
Context provider: an organization that operates a context broker to provide contextual services
