Business Reporter

Dynamic authorisation: the key to zero trust


Dynamic authorisation, an advanced approach that grants fine-grained access to resources, is critical to successful zero trust, argues Gal Helemski at PlainID.

Zero trust is a key requirement for any business wishing to optimise its security infrastructure: whether we like it or not, trust introduces vulnerabilities, so the golden rule is trust no-one. The first priority of a zero trust architecture is, therefore, to decide which users should have access to an asset, and whether that access should be denied or revoked entirely.

There are numerous ways to introduce zero trust policies that make this possible – this handy framework, provided by the U.S. National Institute of Standards and Technology (NIST), is a good starting point. It also makes it clear that zero trust should never be confined to the network alone.

Rather, zero trust must be applied across three levels of access control if it is to be deployed in full. That means access to the network; application access; and access to intra-application assets. This holistic approach, with a view across all organisational resources, assets, applications and networks, makes genuine zero trust protection a reality.

The dynamic nature of risk

Risk is dynamic by nature – constantly changing to attack new vulnerabilities – which is why we need such a comprehensive approach as outlined above. In the modern world, businesses are built on a digital foundation, with complicated, highly distributed environments, and hundreds of applications and systems, as well as hybrid legacy and cloud infrastructures built on microservices. These provide the backbone for perhaps thousands of roles that change constantly – each time requiring the creation of a new access scenario.

Thankfully, there are plenty of well-tested technology solutions out there which can help security professionals deliver on the fundamental tenets of zero trust, particularly when it comes to network access control and advanced authentication.

Crucially, however, these solutions fail to cover the three levels of zero trust access outlined above. Instead, most of these zero trust offerings focus principally on the network, without sufficient consideration of, or support for, zero trust at the application level or within the application itself.

For example, the solutions most associated with a zero trust approach include secure SD-WAN, secure access service edge (SASE) and gateway integration and segregation. However, this is clearly a network-centric approach, vital in and of itself but lacking the ability to address the three access control levels we have identified above.

Introducing dynamic authorisation

Dynamic authorisation is a more technically advanced approach to zero trust, which permits real-time, fine-grained access to a variety of resources, such as applications and data as well as any other asset, based on the specific context of each individual session.

Two capabilities underpin dynamic authorisation and are critical to its complete and successful fulfilment: runtime authorisation enforcement and a high level of granularity.

Each time a user tries to access a network, application or assets within an application, dynamic authorisation will start an evaluation and approval process, focused on a wide variety of essential attributes and qualities. These could include:

  • user-level attributes, such as current certification status, role and responsibilities
  • whether the user is allowed to access confidential and personally identifiable information (PII)
  • asset qualities, including data classification, location assignments and any associated metadata
  • the user location, whether internal or external
  • the number of authentication factors involved: single, two-factor or multi-factor
  • the precise time and date when the user is initiating authentication
  • external attributes, such as the system risk level

The dynamic authorisation policy engine assesses each of these and any other associated attributes to arrive at a decision in real time as the access attempt takes place. A previous decision is never reused: every access attempt triggers a fresh evaluation.
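As an added illustration of the policy engine described above (example code written for this article, not PlainID's product or API), the following is a small policy decision point that evaluates the attribute categories listed above on every request. The role clearance map, the rule set, the business-hours window and the sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role-to-classification clearance map (constructed for this example).
ROLE_CLEARANCE = {
    "analyst": {"public", "internal"},
    "finance": {"public", "internal", "confidential"},
}

@dataclass
class AccessRequest:
    role: str                   # user-level attribute: role and responsibilities
    certification_current: bool # user-level attribute: certification status
    pii_cleared: bool           # is the user allowed to handle PII?
    asset_classification: str   # asset quality: "public" | "internal" | "confidential"
    asset_contains_pii: bool    # asset metadata
    user_location: str          # "internal" | "external"
    auth_factors: int           # 1 = single, 2 = two-factor, 3+ = multi-factor
    attempt_time: datetime      # time and date of the access attempt
    system_risk: str            # external attribute: "low" | "medium" | "high"

# Deny rules as (predicate that is True when the rule denies, reason); list order is priority.
DENY_RULES = [
    (lambda r: r.system_risk == "high", "system risk level is high"),
    (lambda r: not r.certification_current, "user certification has lapsed"),
    (lambda r: r.asset_classification not in ROLE_CLEARANCE.get(r.role, set()),
     "role not cleared for this data classification"),
    (lambda r: r.asset_contains_pii and not r.pii_cleared, "user not cleared for PII"),
    (lambda r: r.asset_classification == "confidential" and r.auth_factors < 2,
     "confidential assets require at least two authentication factors"),
    (lambda r: r.user_location == "external" and not 7 <= r.attempt_time.hour < 20,
     "external access outside the 07:00-20:00 window"),
]

def evaluate(req: AccessRequest) -> tuple:
    """Policy decision point: re-evaluates every attribute on each call, returning (decision, reason)."""
    for denies, reason in DENY_RULES:
        if denies(req):
            return "deny", reason
    return "allow", "all attributes satisfied"

if __name__ == "__main__":
    # Constructed sample: one finance user, two sessions that differ only in context.
    base = dict(role="finance", certification_current=True, pii_cleared=True,
                asset_classification="confidential", asset_contains_pii=True,
                user_location="internal", auth_factors=2, system_risk="low",
                attempt_time=datetime(2024, 3, 4, 10, 0))
    print(evaluate(AccessRequest(**base)))
    late_remote = {**base, "user_location": "external", "attempt_time": datetime(2024, 3, 4, 23, 0)}
    print(evaluate(AccessRequest(**late_remote)))
```

The same user and asset produce an allow in the first session and a deny in the second, because the decision is recomputed from the live context rather than from attributes fixed in advance by the application.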

These decisions are made at the highest level of granularity imaginable, examining every attribute as updated at that specific point in time, together with the real-time context. This compares favourably to a traditional approach, which relies on static attributes predefined by the application.

A more mature methodology

It is clear that we live in a time where the methods, technologies and tactics used by bad actors are evolving rapidly and becoming much more demanding to resolve using legacy security solutions. Zero trust, on the other hand, is a rigorous, tried and tested approach to minimising the potential for damaging security violations.

If an organisation’s security chiefs are to be totally confident in the comprehensive nature of their zero trust architecture, they must focus on each of the three levels of zero trust access control using dynamic authorisation: network access, application access and intra-application assets.
Gal Helemski is co-founder and CTO at PlainID

Main image courtesy of iStockPhoto.com

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543