Why Dynamic Authorisation is Becoming Key to the Zero Trust Security Model

By Stuart Hodkinson, VP EMEA, PlainID.


For organisations everywhere, zero trust represents a paradigm shift in the way they approach security. Traditionally, networks have operated under the assumption that anything inside the perimeter is trusted until proven otherwise. Zero trust takes a different approach: it treats network location as no evidence of trust and requires every user and device to prove its identity on each request, including those already inside the network.

In practical terms, this means that any user who wants access to resources on the network must be verified by mechanisms such as multi-factor authentication or other strong security processes before they can proceed. Being listed in the organisation's directory establishes who a user is; it does not grant standing trust. A directory account is an identity to be verified, not an exception to the rule, and its access is still evaluated request by request for as long as the account exists.

The key role of a zero trust architecture is to make decisions about granting, denying, or revoking access to network resources. This approach to security is becoming increasingly important as digital enterprises face complex and dynamic risks in their highly distributed environments. To fully implement zero trust, access control must be applied on three levels: network access, application access, and intra-application asset access.

Among the various benefits this provides is that it removes some common trust assumptions that contribute to weaknesses of alternative approaches and makes it harder for attackers who have already gained a foothold to move laterally. In addition, by requiring strong authentication of internal users as well as external ones, organisations can apply the same authentication and device-posture requirements to everyone, instead of relying on employees to follow password, patching and other cyber-hygiene policies on their own.

In practical terms, the U.S. National Institute of Standards and Technology (NIST) has set out a framework, NIST Special Publication 800-207 (Zero Trust Architecture), that emphasises protecting resources rather than network segments and implementing zero trust across the entire enterprise, not just the network. This comprehensive approach is necessary to achieve true zero trust protection, as today's digital enterprises are driven by complex, dynamic, and distributed environments that support many roles that change constantly.

Each such change creates new access scenarios, and without a complete approach to zero trust it simply isn't possible to provide the necessary level of protection. To fully realise the benefits of zero trust, it must be implemented in a comprehensive and integrated manner, taking into account the many different elements of an enterprise's infrastructure, systems, and applications.

The State of Zero Trust Technologies

When considering the zero trust approach, security professionals can take confidence in the fact that mature technologies exist for addressing fundamental aspects of zero trust, particularly for network access control and enhanced authentication.

Crucially, however, these technologies do not provide coverage for all three levels of zero trust access control. Currently, many zero trust solutions concentrate primarily on network access, lacking adequate consideration or support for zero trust at the application or intra-application level.

For example, the most widely marketed zero trust technologies are gateway integration and network segmentation, secure SD-WAN and secure access service edge (SASE). These solutions provide network-focused zero trust: they decide whether a session may reach an application, but not what that session may do once inside it. What's also needed is a solution that addresses all three access control levels.

Dynamic Authorisation: A Breakthrough for Zero Trust

In contrast, dynamic authorisation is a method for granting precise access to resources, including applications, data, and other assets, based on the context of the session and evaluated in real time at the moment of each request rather than at the moment an entitlement was provisioned.

The approach rests on two properties needed for a full zero trust implementation: enforcement at runtime and fine granularity. More specifically, on each request for a network, application, or asset, the dynamic authorisation system evaluates the request and decides access based on a range of factors. These can include the user's certification level, role and responsibilities, the classification of the data being accessed, the user's location, the authentication method used for the session, the time of day, external risk signals and more.

With dynamic authorisation, zero trust becomes a reality as every session is evaluated and approved based on the current conditions and each user's attributes. The result is a more secure, efficient, and effective approach to access control that protects valuable assets while enabling secure access.

The policy engine of an effective dynamic authorisation system evaluates all relevant attributes at runtime and makes the decision at the point of access. The decision is based on the attributes as they are now and on the real-time context and environment, rather than on entitlements fixed at provisioning time. A role removed in the directory, a session that has not completed MFA, or a risk score that has just risen therefore changes the next decision immediately, with no re-provisioning step. This allows for the highest level of granularity and flexibility in security measures.
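As an added example of the runtime evaluation described in the two paragraphs above, here is a minimal policy decision point in Python. It is illustrative code written for this page, not PlainID's product or code. The attribute names, directory records, resources, rules and thresholds are assumptions chosen to cover the factors listed above (role, data classification, location, authentication method, time of day, external risk). The point it demonstrates is that attributes are read from the directory at decision time: removing a role or deactivating an account changes the very next decision without any re-provisioning.

```python
"""Minimal runtime policy decision point (PDP) for attribute-based, dynamic authorisation.

Illustrative example only; not PlainID code. Attribute names, rule thresholds and the
sample directory below are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

TRUSTED_LOCATIONS = frozenset({"office", "corp-vpn"})   # assumed network zones
BUSINESS_HOURS = range(7, 20)                            # 07:00-19:59 UTC (assumed)
RISK_DENY_THRESHOLD = 70                                 # assumed external risk cut-off


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int      # 0 public, 1 internal, 2 confidential, 3 restricted (assumed scale)
    owner_roles: frozenset   # roles allowed to modify the resource


@dataclass(frozen=True)
class Session:
    user: str
    mfa: bool                # whether this session completed multi-factor authentication
    location: str            # network zone the request arrives from
    now: datetime            # timezone-aware timestamp of the request
    risk_score: int          # 0-100 from an external risk feed (constructed value)


def decide(directory, session, resource, action):
    """Evaluate one access request against the attributes as they are right now.

    Deny-overrides: every failed rule appends a reason, and any reason denies.
    Returns (permit: bool, reasons: list[str]).
    """
    # Subject attributes come from the directory at decision time, not from an
    # entitlement computed when the user was provisioned.
    record = directory.get(session.user)
    if record is None or not record.get("active", False):
        return False, ["unknown or deactivated user"]
    roles = frozenset(record.get("roles", ()))
    clearance = record.get("clearance", 0)

    reasons = []
    if session.risk_score >= RISK_DENY_THRESHOLD:
        reasons.append("risk score %d at or above threshold" % session.risk_score)
    if clearance < resource.classification:
        reasons.append("clearance %d below classification %d"
                       % (clearance, resource.classification))
    if resource.classification >= 2 and not session.mfa:
        reasons.append("MFA required for classification >= 2")
    if resource.classification >= 3:
        if session.location not in TRUSTED_LOCATIONS:
            reasons.append("restricted data only from trusted locations")
        if session.now.astimezone(timezone.utc).hour not in BUSINESS_HOURS:
            reasons.append("restricted data only during business hours")
    if action == "write":
        if not (roles & resource.owner_roles):
            reasons.append("write requires one of roles %s" % sorted(resource.owner_roles))
    elif action != "read":
        reasons.append("unknown action %r" % action)
    return (not reasons), reasons


# Constructed sample directory and resources for the scenarios below.
DIRECTORY = {
    "alice": {"active": True, "roles": {"finance"}, "clearance": 3},
    "bob": {"active": True, "roles": {"engineering"}, "clearance": 1},
}
LEDGER = Resource("gl-ledger", classification=3, owner_roles=frozenset({"finance"}))
WIKI = Resource("eng-wiki", classification=1, owner_roles=frozenset({"engineering"}))


def run_scenarios():
    """Run a set of constructed requests; returns {label: (permit, reasons)}."""
    day = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    night = datetime(2024, 3, 4, 23, 0, tzinfo=timezone.utc)
    out = {}
    out["alice-write-ledger-ok"] = decide(
        DIRECTORY, Session("alice", True, "office", day, 10), LEDGER, "write")
    out["alice-no-mfa"] = decide(
        DIRECTORY, Session("alice", False, "office", day, 10), LEDGER, "write")
    out["alice-cafe-night"] = decide(
        DIRECTORY, Session("alice", True, "cafe-wifi", night, 10), LEDGER, "write")
    out["bob-read-wiki"] = decide(
        DIRECTORY, Session("bob", False, "office", day, 5), WIKI, "read")
    out["bob-read-ledger"] = decide(
        DIRECTORY, Session("bob", False, "office", day, 5), LEDGER, "read")
    # The directory changes; the next decision reflects it with no re-provisioning.
    revoked = {"alice": {"active": True, "roles": set(), "clearance": 3}}
    out["alice-role-removed"] = decide(
        revoked, Session("alice", True, "office", day, 10), LEDGER, "write")
    deactivated = {"bob": {"active": False, "roles": {"engineering"}, "clearance": 1}}
    out["bob-deactivated"] = decide(
        deactivated, Session("bob", True, "office", day, 5), WIKI, "read")
    return out


if __name__ == "__main__":
    for label, (permit, reasons) in run_scenarios().items():
        print("%-22s %s %s" % (label, "PERMIT" if permit else "DENY", reasons))
```

Each decision carries its reasons, which is what a policy enforcement point logs and what an operator needs when a legitimate request is denied. In a deployment the `directory` lookup would be a call to the identity store or an attribute service, and `risk_score` would come from a live feed; the evaluation logic itself stays the same.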

With dynamic authorisation at its core, zero trust can provide a robust method for reducing the risk of security breaches in an era of advanced security threats. Without it, organisations must continue to put faith in security technologies that are under greater strain than ever before.
