Session origination also plays a role. For example, network sessions originating outside the local network could be considered higher risk. Sessions originating over the Internet would be considered riskier than those that come over dial-up connections, and so on. Companies with a demonstrated history of exploitation from certain foreign countries could classify data from those nations as an elevated risk.
The idea is to take all of these considerations and the security assurance provided by these three factors, then compare them to the data, service, or application being accessed. From there, a trust decision can be made. Situations where a weakly assured combination of factors is trying to access highly valuable data might result in a denial of access or at least stricter controls or greater logging and review.
For example, at Microsoft, we might allow employees with fully managed Windows 8 computers running Secure Boot, BitLocker, Direct Access, group policy, and smartcards to have full access to anything the user's permissions allow. But users accessing the corporate network over a traditional VPN on devices not capable of being managed or using encryption might be less trusted. Who knows? We might give less trust to a finger-swipe authenticator than to a smartcard authentication, even on the same device. Microsoft hasn't made every trust decision yet. But we have our factors and our framework, and we're building from an agreed-upon base. Your company should do the same.
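To make that comparison concrete, here is a small policy engine added as an illustration; it is not Microsoft's framework and not code from this column. The three-level assurance scale, the data classification scale, the labels for authenticators and session origins, and the rule that the weakest factor bounds the whole session are all assumptions chosen for the example. It goes slightly beyond the text by returning the factors that fell short, so the outcome can be logged and reviewed as the column suggests.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """How much confidence a factor gives us; higher is stronger (constructed scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Sensitivity(IntEnum):
    """Classification of the data or service being accessed (constructed scale)."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class SessionContext:
    """The three factors under discussion: device, identity, session origination."""
    device_managed: bool       # under group policy, Secure Boot, BitLocker and so on
    device_encrypted: bool     # disk encryption present
    authenticator: str         # hypothetical labels: "smartcard", "fingerprint", "password"
    origin: str                # hypothetical labels: "lan", "vpn", "internet"


@dataclass
class Decision:
    action: str                # "allow", "restrict" or "deny"
    weakest: Assurance
    factors: dict
    reasons: list = field(default_factory=list)


def device_assurance(ctx: SessionContext) -> Assurance:
    # A fully managed, encrypted device is the strongest case; encryption alone
    # is better than nothing; an unmanaged, unencrypted device is the weakest.
    if ctx.device_managed and ctx.device_encrypted:
        return Assurance.HIGH
    if ctx.device_encrypted:
        return Assurance.MEDIUM
    return Assurance.LOW


def identity_assurance(ctx: SessionContext) -> Assurance:
    # Smartcard above a finger-swipe, finger-swipe above a password; any
    # authenticator type the policy does not recognise defaults to LOW.
    table = {"smartcard": Assurance.HIGH, "fingerprint": Assurance.MEDIUM,
             "password": Assurance.LOW}
    return table.get(ctx.authenticator, Assurance.LOW)


def origin_assurance(ctx: SessionContext) -> Assurance:
    # Local network above VPN, VPN above a raw Internet session; unknown
    # origins default to LOW rather than to something permissive.
    table = {"lan": Assurance.HIGH, "vpn": Assurance.MEDIUM, "internet": Assurance.LOW}
    return table.get(ctx.origin, Assurance.LOW)


def decide(ctx: SessionContext, data: Sensitivity) -> Decision:
    """Compare the session's assurance against the sensitivity of what it wants."""
    factors = {
        "device": device_assurance(ctx),
        "identity": identity_assurance(ctx),
        "origin": origin_assurance(ctx),
    }
    # Assumption made for this example: the weakest factor bounds the whole
    # session, since only one of the three has to fail for the access to be abused.
    weakest = min(factors.values())
    gap = int(data) - int(weakest)
    if gap <= 0:
        action = "allow"
    elif gap == 1:
        action = "restrict"   # stricter controls plus extra logging and review
    else:
        action = "deny"
    # Record which factors fell short of the data's sensitivity, for the audit log.
    reasons = [f"{name} assurance {level.name}"
               for name, level in factors.items() if int(level) < int(data)]
    return Decision(action, weakest, factors, reasons)


if __name__ == "__main__":
    managed = SessionContext(True, True, "smartcard", "lan")
    byod = SessionContext(False, False, "password", "internet")
    for label, ctx in (("managed", managed), ("byod", byod)):
        d = decide(ctx, Sensitivity.CONFIDENTIAL)
        print(label, d.action, d.reasons)
```

The same unmanaged device that is denied confidential data is still allowed public data, which is the point of the framework: the decision is about the pairing of session assurance and data value, not about the device alone.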
That is, unless your company has decided to allow every device and identity equal access. It's an option, but I wouldn't want to try and prove the risk analysis to the board of directors.
Longtime readers will recognize this BYOD framework as a practical implementation of what I've been proposing for over five years in my "Fixing the Internet" whitepaper. Both the more sweeping Internet solution and the BYOD solution allow for different types of sessions. We're just saying they shouldn't be treated the same. The BYOD framework presented here simply takes the one-dimensional trust decision -- conventionally based on one identity authenticator -- and moves it into the more realistic multidimensional world we should've been using all along.
Computer malfeasance has always relied on the protection that distance and the attacker's device afford. We've always accounted for identity. Now let's start accounting for the other two.
This story, "How to have BYOD and security, too," was originally published at InfoWorld.com. Read more of Roger Grimes' Security Adviser blog at InfoWorld.com.