Traditionally, a request for data access is originated by an endpoint device such as a mobile phone and access to the data is granted by a central server associated with the type of the data requested. As an example, a user using a mobile phone may activate a file sharing application. The user may input credentials such as a username and a password into the application and the application may transmit the credentials or information regarding the credentials to a file sharing server that verifies the credentials or information by comparing them to an existing validated list and grants the user and device access to a set of data and or services based on this comparison. If a match is found, the user is granted access. Generally the system does not require any further information or evaluate any further criteria to determine whether the user and/or the phone should be granted access to the data or services. Additionally, the central server can be limited to granting or denying access based only on the information contained within the central server, and is isolated from external knowledge to supplement the access decision.
Access decisions are generally based on predefined criteria which, once established, are deployed by a central server. As an example, a central server may require that a user input a username and password and may optionally input a company name, at a first time. An update to the security settings for the central server may be modified such that a username, password, and company name are be required to gain access to the central server. Traditionally, the change in security setting is implemented when a decision to implement the change is made and the code to execute the change is committed.