Children’s Guide to Context-Aware Access

By Colin Mo
January 11, 2023
four round white and brown ornaments

This guide gives a children’s-level overview of leveraging external data sources in Section 3 Logical Components of NIST SP 800-207 Zero Trust Architecture.

Click here for part 1: Children’s Introduction Guide to Zero Trust

Context-Aware Access (Leveraging External Data Sources)

Alice made many friends while sailing the Wild Wild Web and came to know many people. Sometimes, she would even invite her new friends into her container ship, allowing them to enter. After all, she knew them and trusted them, right?

The day came when Alice made a video-call to DevMom, crying.

“Wendy stole all of my favorite chocolate mint ice cream!” Alice sobbed in front of the screen. “She even took a bite out of the cookie dough. She doesn’t even like cookie dough!”

“Oh honey.” DevMom’s voice crackled through the screen before the connection stabilized. “I am really sorry to hear that. I know ice cream’s your favorite. Can you tell me what happened?”

“I recently got into an argument with Wendy over which ice cream flavor is best. Obviously, chocolate mint ice cream, right? Wendy disagreed, and that’s fine. But when I was gone, Wendy entered my ship and replaced my favorite ice cream with their own. I hate pistachio ice cream!”

“Did you tell DevDad?”

“I did, but all he talks about is changing ‘identity-aware access’ to ‘context-aware access.’ He’s not listening to my problem at all. It’s like he doesn’t care that my favorite ice cream is stolen!”

“DevDad tends to jump to solutions first,” DevMom soothed Alice. “But I hear you. It is a shame when ice cream gets stolen — I am sure you were looking to savor that ice cream. You bought it while visiting the Castle in the Clouds, yes?”

“Yes! Thank you for understanding. But DevDad wasn’t listening at all.’” Alice’s voice turned suspicious. “All he wanted to talk about was how to fix it.”

“Your DevDad can be silly like that, but he means well.” DevMom laughed over the phone. “But, context is very important when we make decisions. DevDad taught you about zero trust before letting you leave the SandCastle, hopefully?”

“He did.” Alice repeated what she learned about Users, Devices, and Requests. “But,” Alice added, “I don’t know how this could have prevented Wendy from stealing my ice cream. Was I just … stupid for giving Wendy the keys to my freezer while I was gone?”

“First: It’s never your fault that others were not brought up to keep their hands to their own ice cream.” DevMom’s voice was firm. “Never blame yourself for others acting like Badhats. Do you understand, Alice?”

“Okay.”

“Good. Now, this doesn’t mean that we should forget the Wild Wild Web is full of Badhats. The only thing we can do when sailing the Wild Wild Web is protect ourselves, and learn from our mistakes. That’s where context, or using all of what we know, comes into play. Does that make sense?“

Alice shook her head. “Why do you think I’m not using what I know?”

“Oh that happens more than we like to admit.” DevMom’s face scrunched up as she came up with an example. “Remember that time you let Chuck come to the Sand Castle to play, then some things in your room went missing? And you said it must have been Chuck, because Chuck likes to take things from school? And I asked you why you didn’t think Chuck would take from your room too?”

Alice seemed miffed. “Okay, are you still angry about that?”

“I’m not angry, just pointing out times where we know something but forget to use it.”

“But how does this help me stop people like Chuck or Wendy from doing what they shouldn’t be doing?”

“When DevDad talks about context-aware access, it’s exactly that. Using everything you know to make a decision, especially if it’s new information.” DevMom explained gently. “For example, at one point you trusted Wendy enough to let her go to your freezer, yes?”

“Yes.”

“But then you had the ice cream fight with Wendy. Why didn’t you let your ship know that?”

Alice stared at DevMom’s image on the screen. “I don’t understand why that’s important.”

“It is, because that disagreement should be considered when your ship decides if it’s safe to let Wendy in. None of us are happy after a fight — Wendy might decide to do something mean or dangerous, and your ship’s job is to protect you. How can it do so when you don’t tell it new information, such as a recent fight?”

“Uh,” Alice said defensively, “Because I was too angry after the fight?”

“And I completely understand that,” DevMom mollified Alice. “But that’s why it’s important to set it up so your ship receives this sort of information immediately, so it can act upon it. This can make the difference between your ship being able to protect you in time or failing to do so. Without being able to consider other sources of information, your ship is forced to rely on Wendy’s identity alone to decide if it should let Wendy in. I’ve personally encountered this before at work, where someone who left my team tried to come back in and make a mess.”

Immediately curious, Alice asked, “What happened? Did they ruin your day?”

“The hard part about betrayal is it can only come from someone you used to trust — but no, our day was saved. Our Sand Castle was told the moment they were no longer part of the team, so they couldn’t get in.” DevMom brought the camera closer to her face, her expression gentle. “Did that make sense?”

Tilting her head, Alice seemed deep in thought. “Can I have another example?”

“Hmmm. Think of this then: you’re on a call with me right now, right? But say someone knocked on your ship container and you peeked out to see ‘me’ standing there — but not on a call. What would you think?”

“If I’m seeing two of you…” Alice blinked twice, looking from the screen to her ship’s door. “I would think something is wrong.”

“Yes, exactly. I am either on the call with you, here, in my room, or I am not on the call and in front of your ship. Both can’t be true at the same time. Even if the version of me in front of your ship seems real, should you just let that person in when you think I should be at home?”

“No. That would be…” Alice struggled to find the right words, trying to think of seeing two of the exact same DevMoms at the same time. “That would be weird.”

“Exactly. So even if the version of me at your door looks and feels real, you know that I should be on a call with you, so you don’t let them in. Using everything you know when making a decision, that’s context.”

“I think I understand,” Alice said slowly. “So…what now?”

“Now, you do what DevDad wanted. To improve your ship and make sure it can use context, make sure the reverse proxy DevDad installed can receive and use any extra information you give it. Can you do that?”

“I think so!” Alice said, “Or at least, I’ll give it a try!”

“Good. And when you get it done, I’ll send you a pint of ice cream.”

“Chocolate mint?” Alice asked, excited.

“And some pistachio for your friend, when you two make up.”

Alice made a face. “Eww.”

“Let me know when you’ve got it done!” DevMom laughed, and they ended the call.

Want to understand how Pomerium leverages external data sources to enable zero trust access control?

Sign up to receive an illustrated digital copy of our Children’s Guides!

Name(Required)

social-media-facebook social-media-twitter professional-network-linkedin
More in Children's Guide

Announcing Pomerium v0.25

January 10, 2024

Children’s Guide to Deperimeterization

December 13, 2023

Children’s Guide to the Perimeter Problem

December 13, 2023
View all 69 posts
Announcements, January 10, 2024

Announcing Pomerium v0.25

Pomerium’s v0.24 update drastically improves performance at scale and adds certificate matching as a policy condition!

Read More

Revolutionize Your Security: Achieve Compliance Hassle-Free!

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Download Now
Download Now