Context, it’s always about context (or the lack thereof)

I received a call recently that most people have probably received: our banking institution just wanted to verify that yes, that was Don or I making purchases at midnight in Wisconsin and then later in Indiana and yet again that afternoon in Ohio. That’s a good thing, I’m sure, as they’re just trying to watch our back. But later in the day I tried to make a purchase and was, horror of horrors, denied. The bank, when called, seemed matter-of-fact about the situation. The security flag hadn’t been cleared after the morning discussion, but certainly they could do that now and oh, by the way, how long – and where – would we be traveling. Worse, I was then informed that I needed to inform the bank every time one of us travels.

Hogwash. Horse puckey! Inconceivable!

I straightened that out – despite the warnings and ominous portents of disaster the representative foisted upon my obviously ignorant and uncaring ears. I’d have to actually watch my account to make sure someone on that big bad Internet didn’t abscond with my credit card and use it willy-nilly to purchase God only knows what. This simply proved that neither the bank’s fraud systems – nor the bank – really knows anything about its customers.

The reason I mention this is so I can mention something else: the importance of context.




The problem with my bank is that, like all financial institutions, they use a fraud detection system that triggers security alerts whenever there is a pattern of purchasing that seems out of character. That’s usually good, except apparently these systems are generic and don’t learn from past behavior. I infer this because otherwise the system would know damn well that Don and I (1) share an account, (2) often travel separately, and (3) visit Ohio at least twice a year. None of the behavior that triggered the security alert was out of character for us except that purchases occurred in the middle of the night. I might be willing to cut them some slack because of that, but I absolutely refuse to cut them slack on the requirement that we call someone every time we travel. Why can’t we set up a travel profile – you know, cities we frequent and the airports that get us there so if we show up at one the system doesn’t freak out? Something, for crying out loud, has to help here!

Technology doesn’t need to be this inflexible. It really doesn’t. Take mobile access to corporate resources via a secure remote access technology (SSL VPN, for example). These flexible little solutions not only make it possible – and simple – for me to be a teleworker, but also mean I can travel without concern and always have access to corporate resources like Microsoft Outlook, SharePoint, and the all-important index of all things corporate: the intranet.

My secure remote access solution doesn’t care whether I’m accessing the corporate network from Green Bay or Cincinnati or San Francisco or Seattle. My location is irrelevant because it expects me to be remote and one location is just as good as the other. So why is my SSL VPN location-agnostic while the bank’s fraud detection systems aren’t?

Context. It’s all about context and the lack thereof in the case of the bank’s systems. The secure remote access system knows more about me than I’m guessing the bank does, and my access to corporate resources is based on that information, the context around the usage, rather than simply on location or time of day. If my bank’s systems were as smart as my secure remote access system then it would ignore the location and focus more on the actual request (or in the case of the bank the purchase being made). After all, it’s not out of character for Don or me to purchase gas, or electronics or books. But it would be out of character for one of us to suddenly be purchasing major appliances or cars or eating at a restaurant at 10pm.
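The contrast drawn above between a location-triggered alert and a context-aware one, as an added sketch that is not from the original post or any bank's system. The home state, purchase history, weights and threshold are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Purchase:
    state: str      # where the card was used
    category: str   # merchant category
    amount: float
    hour: int       # local hour, 0-23

HOME_STATE = "WI"  # assumption for this sketch
# Constructed history (not real data): spending at home plus earlier Ohio trips.
HISTORY = [Purchase("WI", "gas", 42.0, 8), Purchase("WI", "books", 30.0, 13),
           Purchase("WI", "electronics", 250.0, 17), Purchase("WI", "gas", 38.0, 18),
           Purchase("IN", "gas", 45.0, 10), Purchase("IN", "gas", 40.0, 16),
           Purchase("OH", "gas", 41.0, 12), Purchase("OH", "books", 22.0, 15)]
# Constructed purchases to score: the trip from the post, then an outlier.
TRIP = [Purchase("WI", "gas", 44.0, 0), Purchase("IN", "gas", 39.0, 9),
        Purchase("OH", "gas", 43.0, 14), Purchase("WI", "appliances", 1800.0, 14)]

def location_only_rule(p):
    """Generic rule: any purchase away from the home state raises an alert."""
    return p.state != HOME_STATE

def build_profile(history):
    """Learn the account's usual states, hours and per-category spend."""
    seen = Counter(p.state for p in history)
    max_spend = {}
    for p in history:
        max_spend[p.category] = max(max_spend.get(p.category, 0.0), p.amount)
    hours = [p.hour for p in history]
    return {"states": {s for s, n in seen.items() if n >= 2},
            "max_spend": max_spend, "hours": range(min(hours), max(hours) + 1)}

def context_score(p, profile):
    """Weigh what is being bought above where and when it is bought."""
    score = 0
    usual_max = profile["max_spend"].get(p.category)
    if usual_max is None or p.amount > 3 * usual_max:
        score += 2   # unfamiliar category or unusually large purchase
    if p.state not in profile["states"]:
        score += 1   # an unfamiliar place is only a weak signal
    if p.hour not in profile["hours"]:
        score += 1   # an unusual hour is only a weak signal
    return score

def context_rule(p, profile, threshold=2):
    return context_score(p, profile) >= threshold
```

Scored against the learned profile, the three gas purchases on the trip stay below the threshold (the midnight one scores 1), while the location-only rule alerts on Indiana and Ohio and misses the appliance purchase made at home.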

Context, it’s all about context and without it, systems just aren’t as flexible as they could be; they aren’t dynamic and agile. They don’t adapt well at all to changing conditions. My secure remote access solution is smart enough to worry about what I’m doing with my secured connection rather than from where I’m doing it and uses the request and device and my identity and role to determine what I can and cannot do. My username and password identify me like my PIN identifies me to the bank, and yet the bank still relies on manual processes to set the “traveling” flag while secure remote access solutions simply expect that to be the norm and concentrate on what rather than where.

It’s all well and good for security systems to protect us – even from ourselves – but when they start hampering the ability to do anything without first getting a note from our mother then there need to be some changes in how the technology works. Context matters, and it’s not just in the demesne of cloud or application delivery or virtualization in which context needs to apply.