The proliferation of mobile devices (such as laptop computers and smartphones) that are able to access the computing infrastructure of an enterprise has increased productivity for remote workers. However, this increase in productivity also increases security risk for the enterprise. For example, the mobile device may be more difficult for computing infrastructure administrators to manage and may pose increased security risks, such as improperly configured or non-existent anti-virus software running on the mobile device. Furthermore, the network connection used by the mobile device may be less secure. Numerous other risks may also exist. Thus, remote and/or mobile access to computing infrastructures may present substantial security risk. In some instances, computing devices within the computing infrastructure may pose similar risks.
Existing systems may attempt to mitigate risk by using a layered (or contextual) security approach. For example, when a computing device attempts to access the computing infrastructure, existing systems may assess the security posture of the device when determining whether to grant access. The device may then be granted access only when the security posture of the device is deemed sufficiently secure. Elements within the computing infrastructure may have their own security layer, such as one that prompts the user for a username and password.
However, as the relationships among components of networks become increasingly complex, existing security systems that are layered and fragmented become increasingly difficult to manage. Furthermore, a layered approach fails to take advantage of security information from other layers. For example, suppose a sales executive is traveling and has just completed a customer visit. The sales executive wishes to place a large order using a personal digital assistant (PDA). Using the PDA, the sales executive uses a local coffee shop's wireless network to access the computing infrastructure of her company. Once access to the computing infrastructure is granted, the sales executive may access a purchasing application (an element within the computing infrastructure), which prompts the sales executive for a username and password for user authentication. Upon user authentication, the application enables the order to be placed. In this scenario, the coffee shop's wireless network may be unsecured. Although this may not have presented a sufficient security risk to deny access to the computing infrastructure generally, the purchasing application may have stricter requirements. Because the act of placing orders involves invoicing, customer data, or other sensitive data, it may be desirable to allow access only when all security contexts associated with the order are secure. In particular, it may be desirable that the purchasing application require purchases to be made only through secured networks. However, because information regarding the type of network used to access the computing infrastructure is not retained at the application level, the network security layer's information cannot be used there. Thus, because the application context is separate from the network context, the security information related to each is unavailable to the other in existing systems.
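As an added illustration (not part of the original text), the following Python models the scenario above: a layered check in which the purchasing application sees only its own username/password result, beside a contextual check that evaluates the network, device and user attributes retained from every layer together. The resource names, policy attributes and scenario values are assumed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Security attributes gathered at every layer of one access attempt.
    Field values are constructed for the illustration."""
    user: str
    user_authenticated: bool   # application layer: username/password check
    antivirus_current: bool    # device layer: posture assessment
    network_secured: bool      # network layer: enterprise network vs open Wi-Fi


# Per-resource policy: attributes that must hold before access is granted.
# Assumed policy values for the illustration.
POLICIES: Dict[str, Dict[str, bool]] = {
    # Entry to the infrastructure generally: device posture only.
    "infrastructure": {"antivirus_current": True},
    # Purchasing handles invoicing and customer data: every context must be secure.
    "purchasing": {"antivirus_current": True, "network_secured": True,
                   "user_authenticated": True},
}


def layered_decision(resource: str, ctx: AccessContext) -> bool:
    """Fragmented approach: each layer checks only the attribute it collected.
    The application layer sees only its own authentication result."""
    if resource == "infrastructure":
        return ctx.antivirus_current
    return ctx.user_authenticated


def contextual_decision(resource: str, ctx: AccessContext) -> Tuple[bool, List[str]]:
    """Unified approach: evaluate every required attribute against the retained
    context and report each one that fails, so the denial is explainable."""
    failures = [attr for attr, required in POLICIES[resource].items()
                if getattr(ctx, attr) != required]
    return (not failures, failures)


# Constructed scenario: authenticated user, healthy device, open coffee-shop Wi-Fi.
COFFEE_SHOP = AccessContext(user="sales_exec", user_authenticated=True,
                            antivirus_current=True, network_secured=False)

if __name__ == "__main__":
    for resource in POLICIES:
        granted, why = contextual_decision(resource, COFFEE_SHOP)
        print(f"{resource}: layered={layered_decision(resource, COFFEE_SHOP)} "
              f"contextual={granted} failing={why}")
```

The layered check grants the purchase because the application layer never sees the network attribute; the contextual check denies it and names the unsecured network as the reason.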