by Gal Helemski, co-founder and CTO, PlainID
In little more than a decade, ‘zero trust’ has gone from an industry buzzword to the cornerstone of every cybersecurity programme worth its salt. The concept is a simple but effective one – trust makes you vulnerable, so nobody/nothing should be automatically trusted – and in today’s fast-paced, highly data-driven business world, it makes a lot of sense. But like so many things in life, the true effectiveness of zero trust lies in its implementation, and it is here where there remains room for improvement.
Trust must be earned, not given
Security programmes based on zero trust are designed to remove some of the key assumptions that make alternative approaches weak by comparison. Perhaps the best and most common example of such an assumption is that if someone logs into a network with certified user credentials, they are indeed who they claim to be (and will therefore operate responsibly at all times). As many organisations find out to their detriment, user credentials are all too easy to steal and/or lose, meaning the longer a set is used unchallenged, the higher the chance that they may become compromised by someone with malicious intent.
Security should match the way we work today
With the rise of remote working over the last few years making modern workplaces more fragmented than ever before, zero trust has become increasingly important. This is because the ‘walled garden’ approach that traditional perimeter security programmes rely on is no longer applicable to most organisations, particularly those with large, highly dispersed workforces.
Instead, zero trust architecture focuses around one key decision – whether to grant, deny or revoke access to a resource, each and every time a user requests it. While there are a variety of ways to implement this, the U.S. National Institute of Standards and Technology (NIST) has set out a useful framework that emphasises zero trust should never be an exclusive agent of the network alone. Instead, for zero trust to be fully implemented, it must apply three levels of access control:
- Access to the network
- Access to applications
- Access to intra-application assets.
Without this kind of approach, true zero trust protection simply can’t be achieved. Why? Because of the dynamic nature of risk. Today’s digital enterprises are driven by intricate environments containing hundreds of applications, numerous different systems, hybrid legacy and “cloudified,” microservices-driven infrastructures. Such environments support hundreds — or even thousands — of continually evolving roles, which require the constant creation of new access scenarios.
Zero trust technology is still maturing
The good news for security professionals is that there’s an ever-growing range of powerful technologies now available that address some of the basic tenets of zero trust, particularly around advanced authentication and network access control.
However, these technologies still do not address each of the three critical levels of zero trust access control. In fact, the current focus of available zero trust offerings is primarily on the network and does not include adequate reference to, nor support for, zero trust at the application level, or within applications themselves.
For instance, the solutions that are most heavily touted as supporting zero trust include gateway integration and segregation, secure access service edge (SASE), and secure SD-WAN. The problem is, these are all focused on network-centric zero trust when what’s really needed is a solution that addresses each of the three access control levels in turn.
Dynamic authorisation holds the key
For many, the solution is dynamic authorisation – an advanced approach that grants fine-grained access to resources, including data assets, application resources, and any other asset based on the specific context of that session, in real-time.
Dynamic authorisation completes zero trust by powering two of the main processes that are vital to its full and complete realisation: runtime authorisation enforcement and high levels of granularity. When a user attempts to access a network, application or assets within an application, this initiates the evaluation and approval process that focuses on a range of key attributes, including:
- User level attributes – such as current certification level, role and responsibilities, and whether they can access confidential and personally identifiable information (PII)
- Asset attributes – such as data classification, location assignments and any relevant metadata
- The location that a user is authenticating from – including whether from an internal or an external system
- The number of authentication factors being used – i.e. with single, two factor or multifactor authentication
- Additional external attributes – such as the risk level of the system and more
The policy engine evaluates each of these and all other relevant attributes, before making a real-time decision on whether to grant access. Furthermore, each time access is attempted, a new decision is made. This process is designed to be extremely granular, evaluating all the attributes that are updated to that specific point in time, as well as the real-time context and environment, rather than attributes that were already predefined by the application.
The business landscape is rapidly evolving, which means cybersecurity must as well. Many organisations have already recognised the importance of a zero trust approach for keeping sensitive data safe in increasingly fragmented working environments. However, the way it is implemented is critical to overall effectiveness. By using dynamic authorisation to address each of the three levels of zero trust access control (access to the network, applications and intra-application assets) business leaders can be confident that users accessing sensitive data are not only who they claim to be, but that they also have the right to do so.
