Achieving zero trust security – The key role of dynamic authorization
By Lani Leuthvilay, Senior Director of Product Marketing, PlainID
The zero-trust security model is based on the simple premise that no one interacting with a network is assumed to be trustworthy. This works in sharp contrast to the traditional model of network security where a perimeter is established and everyone inside it is assumed to be trusted. In the face of growing cybersecurity risks and breaches, however, zero trust is no longer an emerging industry trend but has become a key requirement for any organization focused on optimizing its security posture.
In recent years, the approach has become even more important. For instance, in our digitally dispersed working cultures, the concept of “inside” vs. “outside” – the traditional basis for establishing trust relationships – is no longer relevant. In particular, traditional boundaries have eroded and more people, devices, and applications are operating with enterprise resources than ever before, bringing significant additional risks.
In practical terms, the most important function of zero-trust cybersecurity is to determine whether to allow, deny or remove access to a technology resource. To achieve this objective, there is a range of approaches that can be adopted, perhaps most notably, the framework published by the U.S. National Institute of Standards and Technology (NIST), which is predicated on the principle of “never trust, always verify”.
To fully implement zero trust, organizations should focus on applying three levels of access control: access to the network, access to applications, and access to intra-application assets. Without this holistic approach, effective zero trust protection cannot be achieved, primarily because the nature of risk is continuously changing.
For example, today’s digital-centric organizations typically operate increasingly complex tech environments that are also highly distributed and decentralized. Running hundreds if not thousands of applications, microservices-driven infrastructures, and diverse systems, they support a multitude of roles and business processes that are continually evolving. As these environments and requirements change, cybersecurity teams must minimize risk across new scenarios for internal workforce access and external access for customer-facing interactions.
Dynamic environments need dynamic authorization
So where does that leave us? On the one hand, there is a range of proven technologies in widespread use today that can be implemented to address zero trust at a foundational level. In doing so, they allow security teams to focus on important issues such as network access control and advanced authentication.
On the other hand, however, these technologies are not designed to address the seven tenets of zero trust access control. What’s more, many contemporary zero trust solutions focus primarily on the network and, as a result, do not effectively deliver zero trust at the application level, or at the data level for that matter.
This is where the concept of dynamic authorization is playing an increasingly valuable role. It is an advanced approach designed to grant fine-grained access to enterprise resources, from applications and data assets to any other asset, based on the specific context of the user session. It does so in real time, at the moment access is requested.
Dynamic authorization enables organizations to fully implement zero trust by focusing on two vital processes: delivering runtime authorization enforcement and high levels of granularity. For instance, when a user attempts to access a network, application, or assets within an application, dynamic authorization initiates an evaluation and approval process that focuses on a range of critical attributes. These include:
- User-level attributes, i.e. the user’s current certification level, role and responsibilities, and whether they may access confidential and personally identifiable information (PII). This also includes the location the user is authenticating from, whether an internal or an external system, and extends to the number of authentication factors being used (single, two-factor or multifactor authentication) and the time of day and day of the week at which the user is authenticating, among other important factors.
- Asset attributes, including data classification, location assignments, and any relevant metadata.
At the core of an effective dynamic authorization platform is a component that evaluates each of these attributes, and others, to make an authorization decision at each point of access during runtime. Every time access is requested, the decision-making process is repeated in real time, driven by the highest level of granularity available on that occasion. In doing so, it delivers on a zero trust approach by evaluating all relevant attributes, from multiple sources, rather than a potentially narrower set of attributes.
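The evaluation described above, as an added example that is not part of the original article or of PlainID’s product: a small attribute-based decision function that re-reads user, asset and session attributes on every request. The attribute names, the certification-level scale and the policy rules are assumptions chosen to mirror the attributes listed in the text.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple

@dataclass
class UserContext:             # attributes of the requesting user and session
    role: str
    certification_level: int   # 0 = unvetted ... 3 = highest clearance (assumed scale)
    pii_cleared: bool          # may the user see personally identifiable information?
    auth_factors: int          # 1 = password only, 2 = two-factor, 3+ = multifactor
    network: str               # "internal" or "external" origin of the session

@dataclass
class AssetContext:            # attributes of the resource being requested
    classification: str        # "public" | "internal" | "confidential" | "restricted"
    contains_pii: bool
    region: str                # location assignment of the data
    metadata: dict = field(default_factory=dict)

# Minimum certification level per classification: an assumed policy, not PlainID's.
LEVEL_REQUIRED = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

def authorize(user: UserContext, asset: AssetContext, when_iso: str) -> Tuple[bool, List[str]]:
    # Every attribute is re-read on every call; nothing is cached between requests.
    when = datetime.fromisoformat(when_iso)
    denials: List[str] = []
    if user.certification_level < LEVEL_REQUIRED[asset.classification]:
        denials.append("certification level below asset classification")
    if asset.contains_pii and not user.pii_cleared:
        denials.append("user not cleared for PII")
    if asset.classification in ("confidential", "restricted") and user.auth_factors < 2:
        denials.append("confidential data requires at least two authentication factors")
    if asset.classification == "restricted" and user.network != "internal":
        denials.append("restricted data is only served to internal sessions")
    if asset.classification == "restricted" and not (when.weekday() < 5 and 8 <= when.hour < 18):
        denials.append("restricted data is only served during business hours")
    allowed_roles = asset.metadata.get("allowed_roles")
    if allowed_roles is not None and user.role not in allowed_roles:
        denials.append("role not listed in asset metadata")
    return (not denials, denials)   # deny by default: any failed check blocks access

def demo() -> dict:
    # Constructed sample requests: same user and asset, different session context.
    payroll = AssetContext("restricted", True, "eu", {"allowed_roles": ["analyst", "hr"]})
    office = UserContext("analyst", 3, True, 2, "internal")
    vpn = UserContext("analyst", 3, True, 1, "external")
    return {"office_daytime": authorize(office, payroll, "2024-03-05T10:00"),
            "vpn_night": authorize(vpn, payroll, "2024-03-05T23:00"),
            "office_weekend": authorize(office, payroll, "2024-03-09T10:00")}
```

The same analyst is allowed from the office on a weekday morning and denied, with three separate reasons, when connecting externally at night with only a password; the denial list is what a security team would log for audit.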
Given the increasingly complex technology environments that sit at the heart of organizations around the world, these are now crucial security capabilities. And by delivering a true zero-trust approach to network security, organizations can be confident that they are fully addressing the three key layers that are fundamental to meeting cybersecurity threats head-on.