Dynamic authorization – the key to solving zero trust
By Gal Helemski, Co-Founder and CTO, PlainID
Zero trust is no longer just another trendy technology catchphrase. Today it is a key requirement for any business that wants to improve its security posture. In this model, implicit trust is treated as a vulnerability, so everything rests on one rule applied consistently: no user, device or session is trusted by default, and every access is verified.
More specifically, it discards two assumptions that weaken the perimeter-based alternative: that user identities have not been compromised, and that anyone already inside the network is acting responsibly rather than as a threat actor or hostile insider.
What's more, in today's dispersed, work-from-anywhere workforce, zero trust matters even more, because the network perimeter has expanded to the point where, in practical terms, "inside the perimeter" no longer means anything.
The core job of a zero trust architecture is to decide whether to grant, deny or revoke access to a resource. There are many ways to implement zero trust, but the U.S. National Institute of Standards and Technology (NIST) has set out a useful framework (Special Publication 800-207, Zero Trust Architecture) that stresses that zero trust must never be the responsibility of the network layer alone.
Instead, for zero trust to be fully implemented, it must apply access control at three levels: access to the network, access to applications, and access to assets within an application. Without all three, true zero trust protection is not possible.
The reason comes down to the dynamic nature of risk. Today's digital enterprises run complex, highly distributed environments: hundreds of applications, many systems, and hybrid infrastructures that mix legacy systems with cloud-hosted, microservices-driven platforms. These support hundreds, sometimes thousands, of roles that change continually, and each change creates a new access scenario that must be authorized.
Zero trust technologies
The good news for security professionals is that there are mature technologies available today that address some of the basic tenets of zero trust, especially around network access control and advanced authentication.
On the flip side, these technologies do not address all three levels of zero trust access control. In fact, current zero trust offerings focus primarily on the network and give little attention to, or support for, zero trust at the application level or within the application itself.
To illustrate, the solutions that are most heavily promoted as supporting zero trust include gateway integration and segregation, secure SD-WAN, and secure access service edge (SASE). The problem is, these are focused on network-centric zero trust when what’s actually required is a solution that addresses each of the three access control levels.
Enter dynamic authorization: an approach that grants fine-grained access to resources, including application resources, data assets and any other asset, based on the specific context of the session, evaluated in real time at the moment of access.
Dynamic authorization completes zero trust by supplying two things essential to its full realization: runtime enforcement of authorization decisions and a high degree of granularity. When a user attempts to access a network, an application or an asset within an application, the attempt triggers an evaluation that weighs a range of attributes. User attributes include the user's current certification level, role and responsibilities, and whether they are cleared to access confidential data and personally identifiable information (PII). Asset attributes include data classification, location assignments and any other relevant metadata. Context attributes include the location the user is authenticating from (an internal or an external system), the number of authentication factors in use (single, two-factor or multifactor), the time of day and day of the week, and external signals such as the risk level of the system.
The policy engine evaluates these and any other relevant attributes and makes its decision at the point of access, during runtime. Each access attempt produces a fresh decision in real time. That decision is as granular as the available data allows: it considers every attribute as updated up to that moment, together with the real-time context and environment, rather than relying on attributes the application predefined at design time. One practical consequence is that revoking an entitlement or raising a risk score takes effect on the user's next access attempt, not at their next login or token refresh.
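The following is an added illustration of the runtime evaluation described above; it is example code written for this article and is not PlainID's product or code. It models an intra-application (level three) decision: a policy engine receives the user, asset and session attributes on every request and returns permit or deny together with the rules that failed. The classification labels, the rule thresholds (two factors for confidential data, business hours for restricted data, a numeric risk ceiling), the users, the assets and the sessions are all assumptions constructed for the example.

```python
"""Minimal dynamic-authorization policy engine (attribute-based).

Illustrative code added for this article, not PlainID's own implementation.
Every access attempt is re-evaluated against the attributes as they are now.
"""
from dataclasses import dataclass
from datetime import datetime

# Classification labels ordered by sensitivity (assumed labels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Request:
    """One access attempt: who, what, and the session context at that moment."""
    user: dict
    asset: dict
    context: dict


@dataclass(frozen=True)
class Decision:
    permit: bool
    reasons: tuple  # names of the rules that failed; empty when permitted


def required_factors(req):
    """Factors needed: 2 for confidential and above, and always 2 from outside."""
    needed = 2 if LEVELS[req.asset["classification"]] >= LEVELS["confidential"] else 1
    if req.context["source"] == "external":
        needed = max(needed, 2)
    return needed


def rule_clearance(req):
    return LEVELS[req.user["clearance"]] >= LEVELS[req.asset["classification"]]


def rule_pii(req):
    return not req.asset.get("contains_pii", False) or req.user.get("pii_certified", False)


def rule_mfa(req):
    return req.context["auth_factors"] >= required_factors(req)


def rule_hours(req):
    """Restricted assets are reachable only Mon-Fri 08:00-18:00 (assumed policy)."""
    if req.asset["classification"] != "restricted":
        return True
    t = req.context["time"]
    return t.weekday() < 5 and 8 <= t.hour < 18


def rule_risk(req):
    """Session risk score 0-100 from an external signal; stricter for sensitive data."""
    ceiling = 40 if LEVELS[req.asset["classification"]] >= LEVELS["confidential"] else 70
    return req.context["risk"] <= ceiling


POLICY = [
    ("clearance", rule_clearance),
    ("pii", rule_pii),
    ("mfa", rule_mfa),
    ("hours", rule_hours),
    ("risk", rule_risk),
]


def decide(req):
    """Evaluate every rule at the time of access; nothing is cached between calls."""
    failed = tuple(name for name, rule in POLICY if not rule(req))
    return Decision(permit=not failed, reasons=failed)


# Constructed sample principals, assets and sessions (not real data).
ALICE = {"role": "analyst", "clearance": "confidential", "pii_certified": True}
BOB = {"role": "dba", "clearance": "restricted", "pii_certified": False}
CUSTOMER_PII = {"classification": "confidential", "contains_pii": True}
KEY_VAULT = {"classification": "restricted", "contains_pii": False}
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
SATURDAY_3AM = datetime(2024, 3, 9, 3, 0)


def session(source="internal", auth_factors=2, time=TUESDAY_10AM, risk=10):
    """Context attributes captured for one access attempt."""
    return {"source": source, "auth_factors": auth_factors, "time": time, "risk": risk}


if __name__ == "__main__":
    # Same user, same asset: the decision changes with the session context.
    for ctx in (session(), session(auth_factors=1), session(source="external", auth_factors=1), session(risk=55)):
        print(ctx["source"], ctx["auth_factors"], ctx["risk"], decide(Request(ALICE, CUSTOMER_PII, ctx)))
    print("bob/key-vault on Saturday:", decide(Request(BOB, KEY_VAULT, session(time=SATURDAY_3AM))))
```

The point the example makes is that the same user requesting the same asset gets different answers depending on the session's factors, origin and risk score, and that a denial carries the failing rule names so the application can respond (for example, by stepping up authentication) instead of just returning an opaque error.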
In an era where the tactics and tools of bad actors are increasingly hard to counter with legacy security solutions, zero trust is a mature and robust approach to reducing both the likelihood and the damage of a breach. However, if an organization's security leaders are to be fully confident that their zero trust framework is complete, they must ensure that it addresses all three levels of zero trust access control, namely access to the network, to applications and to intra-application assets, with dynamic authorization.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.