Zero Trust architecture has been gaining more traction in the wake of President Biden’s Executive Order 14028 in 2021 and the supporting strategy on Zero Trust Cybersecurity published by the Office of Management and Budget (OMB).
To implement a Zero Trust architecture, businesses often rely only on authenticating people or machines, neglecting other imperatives, as highlighted by Gal Helemski, CTO & Cofounder at PlainID, who discussed dynamically authorizing entities in a Zero Trust architecture during the European Identity and Cloud Conference.
What is a modern Zero Trust?
In a recent article, Forrester defined modern Zero Trust as: “An information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.”
Based on this definition, the fundamentals of Zero Trust can be summarized in the following three bullets:
- Default deny
- Access by policy only
- For data, workloads, users, devices
What is Dynamic Authorization?
A dynamic authorization defines the relationship between identities – human identities and machine identities – and the digital assets to be accessed. The basic principle behind authorization is that any identity, as secure it might be, is not to be trusted implicitly to access any digital asset.
Authentication only informs us that the identity is secure. But can we trust this identity to access our critical assets and data? This is where authorization comes in. Dynamic Authorization defines the trust to enable a connection between a known, secure identity and services, data, APIs, and enterprise resources.
Authorization is powered by policies
Authorization policies define the connection between identities and digital assets. To manage dynamic authorizations efficiently, you need to have Policy Based Access Controls (PBAC).
NIST defines PBAC as “A strategy for managing user access to one or more systems, where the business roles of users are combined with policies to determine what access privileges users of each role should have. Theoretical privileges are compared to actual privileges, and differences are automatically applied.”
The key elements of an authorization policy are:
- Identity: What is the identity? An employee, a partner, a consumer? What are the characteristics of the identity?
- Resource: What resources is the identity trying to access?
- Device: How is the identity accessing the resources? Mobile device, laptop?
- Environmental conditions: Time and date, location, etc.
- Business policies associated with the role of the identity
- Compliance requirements
All these elements inform the dynamic access decision to ensure that the right identity accesses the right resources.
The access flow
The objective of authorization is not just to access an application or any other resource. It is rather to enter this resource and use the services it offers. To achieve this objective, the identity has to move through devices, networks, API gateways and other controls.
The authorization journey is controlled by (1) who the identity is (2) what the identity can do.
Authentication and authorization together provide the framework and the controls required to secure the access to apps, data, and systems. And this is the real essence of a Zero Trust approach to security. Zero Trust is not just about authenticating and verifying identities. It is also about authorizing these identities to access the resources they are entitled to. A complete and robust Zero Trust framework enforces access and authorization controls in all layers of access – network, application, and data.
-- Zero Trust is not just about authenticating and verifying identities. It is also about authorizing these identities to access the resources they are entitled to. --
In this Zero Trust framework, a dynamic authorization decision can be either a yes/no question or a more elaborative answer to support the various deployments in the enterprise ecosystem.
Therefore, the questions can be:
- Can this identity access that resource?
- What can this identity do?
- Who can access this resource?
- What is the access policy for this identity?
How Venafi can help
As PlainID’s Gal Helemski mentioned in her presentation, centralized management of all identities – human and machine identities – with decentralized enforcement is the key for enabling a Zero Trust architecture.
Venafi PControl Plane for Machine Identities powers enterprise solutions that give you the visibility, intelligence and automation to protect machine identities throughout your organization. Plus, you can extend your protection through an ecosystem of hundreds of out-of-the-box integrated third-party applications and certificate authorities (CAs).
To learn more, you may talk to one of our experts.