PR.AA-05.208

Does your authorization system consider contextual attributes such as geolocation, time of access, or device security posture when making access decisions?

Explanation

Context-aware authorization enhances security by evaluating not just who is requesting access, but also the circumstances of the request. For example, your system might deny access to sensitive data when requested from an unusual location, outside business hours, or from a device that doesn't meet security requirements. Evidence of implementation could include documentation of your authorization policy rules showing contextual factors, screenshots of configuration settings in your identity management system that enable attribute-based access control, or logs demonstrating access decisions that were influenced by contextual attributes.

Implementation Example

Take attributes of the requester and the requested resource into account for authorization decisions (e.g., geolocation, day/time, requester endpoint's cyber health)

ID: PR.AA-05.208

Context

Function: PR: PROTECT
Category: PR.AA: Identity Management, Authentication, and Access Control
Sub-Category: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub