Fresh Thoughts #101: Context Changes Everything

abstract oil on water with blue tint

Is it ok to shout in a library?

Normally - no...
But what if there's a fire?
Or you are making a TV comedy show in the early 2000s?
Context changes the situation.

Traditionally, cybersecurity has taken an over-simplistic view.
Take controlling access.
Are you this type of person?
Doing this type of role?
Well, you can have access.
This is Role-Based Access Control.

But life - and business - is more complex than this.

There are levels of nuance.

  • Where are you working from?
  • What time of day is it?
  • Is this typical behaviour?
    • For the business in general? Or just for you?

What's your situation?
What's your context?

If we can capture this nuance in access decisions, we can:

  • Remove friction: If the situation and context make it 99% certain that the access is trustworthy - why interfere and ask for another multi-factor authentication?
  • Position our staff where they need to be: Sales staff meeting with customers and prospects - away from the office.
  • Remove unnecessary IT tools and costs: There should be no need to load up a VPN to access data from a known - albeit remote - location.
  • Create flexible working practices: In a power outage or winter storm, create resilient access at the drop of a hat.
  • Enforce business policies: Embed decisions on which risks are unacceptable in day-to-day business operations.
  • Be more secure: When something doesn't look right - challenge it. And keep challenging it until we can be confident that nothing is untoward.
  • Maintain vigilance: The perfect security tool - works as needed, when needed - but disappears when it's not and stays out of the way.

So, how do we achieve this?
Conditional Access and Context-Aware Access.

Conditional Access and Context-Aware Access

Conditional Access and Context-Aware Access are Microsoft and Google Workspace technologies at the heart of the new wave of "zero-trust architectures".
They are the engines deciding who to let in and keep out.

Using signals (about where you're connecting from, what device you're using, etc.), the engines make policy-based decisions that can be enforced as we see fit.

And so, as a business, we can work through scenarios - and decide what should happen in each situation and context.

Each policy and scenario layers on top of each other - sieving out unwanted and erroneous access.
All while letting business activities progress without compromise.

And therein lies the challenge. The fly in this ointment.

How do you manage all of the policies working together?
How do you ensure that all scenarios are addressed? And conflicts haven't occurred.

The current industry's best practice is to just ask an expert for their opinion.

But - at Fresh Security - we believe there's a different way.

A way to prove how effective your Conditional Access Policy is.
And have confidence that there aren't unforeseen gaps.

I'll share more in the coming weeks.

January 16, 2024
2 Minutes Read

Related Reads

salt marsh

Fresh Thoughts #96: Robust or Resilient?

Robust. Resilient. Words sprinkled into IT presentations and marketing, but what do they actually mean?

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868