Untangling zero trust with dynamic authorization
Everyone is talking about Zero Trust and with good reason.
With the proliferation of remote and hybrid workforces and people accessing corporate networks from a diverse number of endpoints, ensuring critical data and assets are protected is critically important.
Recently, I joined analyst John Tolbert of KuppingerCole, Ericom Chief Strategy Officer Dr. Chase Cunningham and my colleague, Axiomatics President and CCO Jim Barkdoll to discuss Zero Trust and, specifically, why dynamic authorization is at the heart of a strong, enterprise Zero Trust strategy.
As Dr. Cunningham – or “Dr. Zero Trust,” as he’s affectionately known – often says, at the heart of the Zero Trust methodology is the mantra “Never Trust, Always Verify.”
While that seems incredibly straightforward, it can be challenging to not only put into practice, but also to maintain on a continuous basis.
Continuity is key, as “always verify” must address an ever-increasing number of users and devices requesting access to networks, assets (like applications and APIs) and data on a constant basis.
This begs the question: How does an enterprise continuously verify to ensure a strong, consistent Zero Trust strategy?
Though no one solution can address a complete Zero Trust strategy, implementing dynamic authorization is a good start to ensure consistent and continuous Zero Trust for enterprises.
Moving away from traditional authorization
For years, when enterprises implemented authorization policies, they looked at a single point in time.
A good example is when an employee arrived at his or her office and logged on to the corporate network.
Traditionally, that single point in time determined which access rights were approved or denied for the rest of the day (or longer).
With a workforce no longer confined to a brick-and-mortar office and the globalization of both production and development (requiring integration of both suppliers and partners), that method of authorization puts corporate data at incredible risk.
With a recent study indicating only three percent of IT workers plan to go back to the office on a full-time basis, enterprises need to consider authorization differently, adding a critical element to the mix – context.
A colleague of mine had an analogy about context and authorization that illustrates its criticality.
Authorization is a bit like an online picture. When you first see it, it can be incredibly pixelated, making it difficult to know what you’re seeing.
Adding context to authorization is much like sharpening the picture. As pixels become clearer, you understand what it is you see. The ability to see who is trying to access enterprise resources and data now requires context to be effective.
As part of a Zero Trust strategy, authorization with context is paramount, as it gives you the confidence necessary to know your ability to “always verify” is reliable.
Time. Regulation. Device State. Location.
All of this context is essential to dynamic authorization and to Zero Trust. Dynamic authorization evaluates these types of attributes on each request to ensure an appropriate level of access.
As pointed out in the NIST Zero Trust Architecture document: “To lessen uncertainties…the focus is on authentication, authorization, and shrinking implicit trust zones while maintaining availability and minimizing temporal delays in authentication mechanisms. Access rules are made as granular as possible to enforce least privileges needed to perform the action in the request.”
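As an added illustration (not code from this post or from Axiomatics' products), here is a small policy decision point in Python that checks the four context attributes named above on every request, contrasted with a login-time decision that is reused for the whole session. The attribute names, the EU country set, the working-hours window and the sample session are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed, non-exhaustive set of EU country codes; stands in for a
# regulation attribute source such as a data-residency registry.
EU_COUNTRIES = {"DE", "FR", "NL", "SE"}

@dataclass(frozen=True)
class AccessRequest:
    subject: str           # hypothetical user id
    action: str            # "read" or "write"
    resource: str
    resource_region: str   # regulatory tag on the data, e.g. "EU"
    device_state: str      # "compliant" or "noncompliant", from endpoint posture
    location: str          # ISO country code the request originates from
    time_utc: datetime

def decide(req: AccessRequest) -> tuple[str, str]:
    """Policy decision point, externalized from the application: every call
    re-checks device state, regulation, time and least privilege."""
    if req.device_state != "compliant":
        return "DENY", "device state: endpoint is not compliant"
    if req.resource_region == "EU" and req.location not in EU_COUNTRIES:
        return "DENY", "regulation: EU-resident data requested from outside the EU"
    if not 6 <= req.time_utc.hour < 20:
        return "DENY", "time: outside the permitted access window"
    if req.action == "write" and not req.subject.endswith("@corp.example"):
        return "DENY", "least privilege: only employees may write"
    return "PERMIT", "all context checks passed"

def login_time_authorization(session: list[AccessRequest]) -> list[str]:
    """Traditional model: the decision taken at login is reused for the session."""
    verdict, _ = decide(session[0])
    return [verdict for _ in session]

def dynamic_authorization(session: list[AccessRequest]) -> list[str]:
    """Zero Trust model ('always verify'): every request is re-evaluated."""
    return [decide(r)[0] for r in session]

def at_hour(hour: int) -> datetime:
    return datetime(2024, 5, 6, hour, 0, tzinfo=timezone.utc)

# Constructed session: same user all day; device posture drifts at midday and a
# later request arrives from outside the EU, outside working hours.
SESSION = [
    AccessRequest("alice@corp.example", "read", "/eu/hr/payroll", "EU", "compliant", "DE", at_hour(9)),
    AccessRequest("alice@corp.example", "read", "/eu/hr/payroll", "EU", "noncompliant", "DE", at_hour(13)),
    AccessRequest("alice@corp.example", "read", "/eu/hr/payroll", "EU", "compliant", "US", at_hour(21)),
]
```

Running `dynamic_authorization(SESSION)` returns PERMIT, DENY, DENY, while `login_time_authorization(SESSION)` keeps granting access after the device falls out of compliance.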
Embarking on a Zero Trust journey
The most common question I get from enterprises around Zero Trust is, “how do I start?”
So much has been written about Zero Trust as a methodology, it can feel overwhelming.
Thankfully, dynamic authorization offers a targeted, tangible way to embark on a Zero Trust strategy.
Here are a few things to keep in mind:
Know where to begin
Many enterprises are simply unsure how to begin a Zero Trust implementation, or are worried that adhering to Zero Trust would mean a massive step change and an overhaul of their existing security infrastructure.
The key to Zero Trust is to understand it is simply a way to focus your security investments to ensure you’re minimizing risk to a level that is acceptable for your organization.
So, choose one area to focus on (for instance, authorization) and build the essential guardrails from there.
Centralization is key
Ensure authentication and authorization are managed and controlled centrally across heterogeneous IT systems. This will ensure full visibility and allow for quick response, prediction, monitoring and standardization.
Critically, this will also mean improved auditability, as policies are uniformly defined for both business and IT.
It’s not about the perimeter
Even in a pre-pandemic reality, the idea of a ‘perimeter’ was waning.
Now, as organizations migrate all manner of assets – critical or otherwise – to the cloud, or at least outside of the tightly-controlled enterprise network, there are fewer perimeters and more access points.
There’s no such thing as ‘absolute’ security
The idea of “success” as it relates to enterprise security will continue to evolve to address the rapid evolution of threats, breaches and bad actors.
“Full” or “absolute” security should give way to quantifying and measuring security in terms of risk.
The goal becomes understanding the organizational appetite for risk and how Zero Trust can be implemented to effectively minimize risk to the level that’s acceptable to the organization.
Axiomatics’ dynamic authorization solution can be a great starting point for a Zero Trust implementation.
It offers a way to ensure your organization’s most critical assets are only accessed by the right people, in the right way, at the right time, which is the essence of the Zero Trust methodology.
In addition, we offer a central control plane to ensure better visibility and improved auditability, as policies and authorization rules are externalized from the application or the dataset and can be centrally monitored, enabling fast decision making.
By externalizing authorization code from the application layer and handling it centrally, our solution allows for an extensible, open, and intuitive approach to creating and enforcing rules while delivering greater visibility and control.
All of these pieces are critical, and the growing interest among enterprises in pursuing Zero Trust is the right way forward.
As the way in which we work continues to evolve, it will be more critical than ever to make certain that convenient access for employees is delivered safely, with minimal risk.
By Dr. Srijith Nair