Dynamic Authorization Fulfills the Promise of Zero-Trust Architecture

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Gal Helemski of PlainID examines how Dynamic Authorization fulfills the promise initially made by zero-trust architecture.

Cybersecurity is a tough business for many reasons, foremost among them the fact that nine times out of ten, your most paranoid fears turn out not to be paranoid enough. Whatever worst-case scenario you might be worrying over, you can be sure a hacker is hard at work bringing something even worse to life.

It’s for this very reason that, for the last decade-plus, the reigning defensive philosophy of the cybersecurity world has been zero-trust architecture. Its guiding principle is that no one can be automatically trusted. Everyone is a potential bad actor until proven otherwise. The mass adoption of these principles over the last decade has been a highly positive development. The proliferation of network access control and advanced authentication tools has been hugely beneficial. But there are indications that most companies haven’t taken things far enough in securing their assets— especially when it comes to entry points that aren’t network-centric. In fact, 40 percent of respondents to a recent survey said they’re still using homegrown, customized solutions to authorize user identities, leaving perilous gaps in their security infrastructure.

The only response to our current threat environment — in which ransomware attacks are continually on the rise — is an unflagging investment in true zero-trust network architecture. Only dynamic, granular, ultra-responsive authorization can truly keep businesses and consumers safe.

Dynamic Authorization Fulfills the Promise of Zero-Trust Architecture

What Current Zero-Trust Gets Wrong 

Again, we should applaud businesses for their investments in zero-trust architecture. In general, authentication processes circa 2010 were unbelievably crude compared to the more sophisticated methods businesses are deploying today. But that doesn’t mean we can just rest on our laurels, especially when bad actors are waiting to take advantage of the slightest slip-up.

The fact is that zero-trust architecture, as currently practiced, has serious problems that put us all at risk. Per the National Institute of Standards and Technology (NIST) report on zero trust architecture, zero trust is not just about things like network access, assessing risk, detecting intrusions, etc. Current zero-access tools do a relatively good job of taking care of things like that, but they’re only part of the story. To meet the true definition of zero trust, per the NIST report, a given company’s architecture also requires dynamic decisions and authorization, the ability to grant access on a per-session basis, and the ability to strictly enforce these decisions before access is granted. And when it comes to those components of the zero-trust architecture, most businesses still have a long way to go.

In a nutshell, the reason the above-listed specifications matter is that—in the decade since zero trust thinking rose to prominence, and especially in the years since the pandemic—the digital enterprise has grown ever more complex. Peer into the inner workings of any organization, and you’ll find hundreds of interconnected applications, countless systems, on-premises and remote multi-cloud storage, and thousands of continually shifting roles belonging not just to employees but also to partners, contractors, customers, and more.

In an environment like this, every attempted interaction with your business, no matter how small, needs to be treated as its own potential threat event and evaluated accordingly in real-time. Static authorization approaches like role-based access control (RBAC) can only take you so far here— they’re a blunt hammer when what’s needed is something much more sophisticated.

Why Dynamic Authorization is the Answer

Suppose traditional RBAC functions much like an old-fashioned keycard. You plug in your user information, and if you’ve been preassigned access, you’re waved in. Dynamic authorization takes in a much more complex set of variables– not just for the network but also for application resources, data assets, and any other assets. Thus, for the first time making NIST’s definition of zero trust architecture an attainable reality for most businesses.

Where RBAC is 2D, dynamic authorization, like policy-based access control (PBAC), is 4D, considering not just who but also what and when before making an access decision. It evaluates not just the person making the request but also what that person is trying to access, what that access enables them to do within the system, and —taking a bird’s eye view— the established system-wide conditions for that access, and only then does it come to a final access decision. This hugely complex process—which, in practice, is completed in seconds—is repeated every single time someone attempts to make contact with your environment. The key word here is granularity: making a decision with the highest levels of granularity possible in order to keep your company (and your customers) safe.

Again, this technology exists right now, but far too few companies are taking advantage of it. According to the survey referenced earlier, only 31 percent of respondents said they have sufficient visibility and control over authorization policies intended to enforce appropriate data access. Dynamic authorization can provide that visibility and more— finally fulfilling the promise of zero trust architecture and keeping their assets out of the hands of bad actors.