
I recognise that context-sensitive authorisation to applications is a good security control; however, I can currently only think of location being an example of a sensitive context.

I don't consider time being a sensitive context, so are there any other examples?

ellefc
  • Time can be: "employees can only access content during their scheduled shifts" is a perfectly valid access control. – Mike Ounsworth Oct 31 '18 at 11:50
  • Agree of course! I think it would be classified as non-sensitive though so just context authorisation rather than context-sensitive authorisation? No? – ellefc Oct 31 '18 at 11:54
  • .... hmm, I don't think I know the difference between the buzz-words "context authorization" vs "context-sensitive authorization". – Mike Ounsworth Oct 31 '18 at 11:58

1 Answer


Context-sensitive in this case just means that the context is taken into account. It has nothing to do with location being a "sensitive" or "secret" attribute.

There are a lot of potential contexts which can be used to aid in authorization.

Location and time are by far the most common.

E.g.

  • Is the request coming from the corporate network?

  • Is the user VPNed in?

  • What is the GPS location of the user?

  • Is this normal business hours?

  • How many of these requests have been made in the last N hours?

Context authorization usually also includes roles, which can be implemented using RBAC.

Daisetsu
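
The context checks listed in the answer above (source network, VPN, business hours, request rate) layered on top of an RBAC check, as an added example that is not part of the original answer. The networks, thresholds, role names and the "step_up" outcome are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values for illustration only (assumptions, not from the post).
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
VPN_NETS = [ip_network("172.16.50.0/24")]
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
MAX_REQUESTS = 100                     # allowed per WINDOW
WINDOW = timedelta(hours=1)            # the "last N hours"
ROLE_PERMISSIONS = {"hr": {"read_payroll"}, "engineer": {"read_source"}}

@dataclass
class Request:
    user: str
    role: str
    action: str
    source_ip: str
    when: datetime

def authorize(req, history):
    """Return (decision, reasons); history holds earlier request times for req.user."""
    # RBAC comes first: context can narrow a role's access, never widen it.
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny", ["role lacks permission"]
    # Request volume in the window is a hard limit regardless of other context.
    recent = [t for t in history if timedelta(0) <= req.when - t <= WINDOW]
    if len(recent) >= MAX_REQUESTS:
        return "deny", ["request rate exceeded"]
    reasons = []
    ip = ip_address(req.source_ip)
    if not any(ip in net for net in CORPORATE_NETS + VPN_NETS):
        reasons.append("not on corporate network or VPN")
    if req.when.weekday() >= 5 or req.when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if not reasons:
        return "allow", []
    # Assumed policy: one unusual signal asks for re-authentication, two or more deny.
    return ("step_up" if len(reasons) == 1 else "deny"), reasons
```

Returning the reasons alongside the decision lets the caller log which context signal drove each outcome.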