How Zero Trust Architecture (ZTA) can be strengthened with ABAC
Zero trust has been gaining popularity within the cybersecurity space.
Research firm Markets and Markets projects that the global zero trust market will grow from USD 27.4 billion in 2022 to USD 60.7 billion by 2027. Zero trust architecture (ZTA) requires every user to be authenticated and authorized before access is granted. Attribute-Based Access Control (ABAC) grants access based on attributes of the user, the resource being requested and the context of the request, so it upholds the zero trust principle of "never trust, always verify."
Sowmya Narayanan Deenadayalan, a Senior Manager in Deloitte's Risk Advisory group, has 16 years of experience in risk, controls, cyber, and governance, risk and compliance (GRC) implementation and optimization programs. At Deloitte, he has led identity, access and process-control transformation roadmaps for multiple global Fortune 500 organizations. His focus has been predominantly on Identity and Access Management (IAM), application security, and authorization and access management.
In Episode 3 of NextLabs' Cybersecurity Expert Series, we sat down with Sowmya to gain insights on the recent paradigm shift to ZTA, how ZTA affects authentication and authorization, and how ABAC and dynamic authorization technologies can strengthen ZTA. Read his insights below or watch the full Q&A video on our YouTube channel.
Q1: Why do we have the recent paradigm shift to ZTA?
The paradigm shift we are seeing towards Zero Trust is caused by two factors. The first is that the interaction point with customers and the partner ecosystem has expanded dramatically. Of course, this has led to an increased threat landscape. Companies now need to re-evaluate their network access control models, and it is no longer sufficient to secure data in this dynamic environment.
The second factor is the migration to the cloud, resulting in the removal of the traditional network boundaries. This is coupled with an increased user population, number of devices, and need to access data from anywhere. All of these have led to the explosion of access points and cross-boundary traffic. The traditional network, as well as access control, is no longer sufficient. That is what we see in the recent paradigm shift to Zero Trust.
Q2: How does Zero Trust impact authentication and authorization?
The lack of a true security perimeter means that users cannot trust internal connections in their networks. Because of this, Zero Trust fundamentally requires each access request to be validated based on context, subject, as well as the resource being accessed.
Zero Trust simply will not work without a trustworthy identity. That means that authentication of the identity must always be on and reliable, and we need stronger authentication methods like multi-factor authentication. Furthermore, NIST recommends that each interaction be validated with risk-based authentication, so authentication becomes significant.
Going beyond risk-based authentication, Zero Trust also requires the authorization model to be real-time and dynamic. That takes us to the concept of Attribute-Based Access Control, or ABAC, which provides fine-grained access control models, coupled with dynamic authorization to evaluate access policy based on attributes and determine this access in real time. So, Zero Trust has actually significantly modified authentication and authorization from the way we perceive them in a traditional model.
Q3: How can ABAC and dynamic authorization technologies strengthen Zero Trust?
As opposed to a single validation to enter the network in the network-based access control model, Zero Trust requires each request to be validated. In order to be able to do this, we need an authorization engine that can operate dynamically based on attributes of the subject, as well as understand the attributes of the resource they are accessing. We should also consider the environmental factor.
Traditional access control models and technologies tend to be role-based, static in nature, and not able to scale to meet the demand for access and the pace of change. Organizations also face an explosion of access policies when they use this old role-based access model, as it becomes more complex to manage and is error prone when they try to utilize it.
However, with the Attribute-Based Access Control model, an enterprise's access policies are multi-dimensional in nature; this, coupled with a dynamic authorization policy engine, enforces access decisions based on policies driven by attributes of the subject, resource, action, as well as the environmental context. In simple terms, ABAC basically allows admins to implement granular, policy-based access control, using different combinations of attributes to create conditions of access that are as specific or broad as the situation calls for. It also mitigates a lot of role explosion, because a single access policy, or a few access policies, can replace the greater number of roles that would otherwise be needed to control or implement the same access.
Q4: Is ABAC going to replace Role-Based Access Control?
ABAC was around before Zero Trust. In fact, ABAC was introduced to supplement RBAC, or Role-Based Access Control. ABAC is no silver bullet — as a matter of fact, we have been advising our clients to apply ABAC in tandem with RBAC.
A key advantage of ABAC is that it can simplify the authorization management processes across a multitude of applications, primarily by externalizing the authorization policies of various applications into a centrally managed policy system.
In the past, we had applications built with their own individual access control models. With the advancement of Zero Trust, it becomes very costly for us to scale these applications to make them more granular. Hence, there is a need for ABAC to externalize authorization, which provides the ability to incorporate additional logic for fine-grained access control policies. By doing so, the applications will be able to perform just-in-time access evaluations that are managed centrally.
Eventually, the idea should be that you apply both ABAC and RBAC together, so that you can achieve a dynamic model and, at the same time, keep an effective existing access management model. I think that is going to be the solution for us to pass through Zero Trust and take on these complex challenges.
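As an added example (not code from the original page, nor from NextLabs, Deloitte or NIST), the following Python sketches the model described in Q3 and Q4: a small policy decision point that evaluates every request on subject, resource, action and environment attributes, with RBAC retained as a coarse entitlement gate in front of the attribute policies. The role table, policy names, attribute names and the sample requests are all constructed assumptions for illustration.

```python
"""ABAC policy decision point layered on an RBAC gate.

Added example for this article (not NextLabs, Deloitte or NIST code). Every
request is evaluated on subject, resource, action and environment attributes;
a static role check is kept as a first gate, as Q3 and Q4 describe. Policy
names, attribute names, the role table and the sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    """One access request: the four attribute sets a dynamic PDP evaluates."""
    subject: dict
    resource: dict
    action: str
    environment: dict


@dataclass
class Policy:
    name: str
    effect: str                           # "permit" or "deny"
    condition: Callable[[Request], bool]  # True when the policy applies


# RBAC kept as a coarse entitlement gate (constructed role table).
ROLE_ACTIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


def rbac_allows(req: Request) -> bool:
    """Static check: does any of the subject's roles entitle it to the action?"""
    return any(req.action in ROLE_ACTIONS.get(role, set())
               for role in req.subject.get("roles", ()))


# Attribute-driven policies: one policy covers every department, project and
# classification instead of a role per combination (constructed examples).
POLICIES = [
    Policy("export-control", "deny", lambda r:
           r.resource.get("classification") == "export-controlled"
           and r.subject.get("citizenship") not in r.resource.get("allowed_citizenships", ())),
    Policy("mfa-for-sensitive-data", "deny", lambda r:
           r.resource.get("classification") in ("confidential", "export-controlled")
           and r.environment.get("auth_level", 0) < 2),          # 2 = MFA completed
    Policy("managed-device-for-changes", "deny", lambda r:
           r.action in ("write", "delete") and not r.environment.get("device_managed", False)),
    Policy("same-department", "permit", lambda r:
           r.subject.get("department") == r.resource.get("owner_department")),
    Policy("project-member", "permit", lambda r:
           r.resource.get("project") in r.subject.get("projects", ())),
]


def decide(req: Request, policies=POLICIES) -> tuple[str, list[str]]:
    """Deny-overrides combination with default deny.

    Returns (decision, reasons): the RBAC gate runs first, any matching deny
    policy beats any permit, and a request that matches no permit is denied.
    """
    if not rbac_allows(req):
        return "deny", ["rbac: no role entitled to action"]
    matched = [p for p in policies if p.condition(req)]
    denies = [p.name for p in matched if p.effect == "deny"]
    if denies:
        return "deny", denies
    permits = [p.name for p in matched if p.effect == "permit"]
    if permits:
        return "permit", permits
    return "deny", ["default-deny"]


# Constructed sample requests against one export-controlled design document.
DOC = {"classification": "export-controlled", "allowed_citizenships": ("US",),
       "owner_department": "propulsion", "project": "falcon"}
MFA_MANAGED = {"auth_level": 2, "device_managed": True}

SAMPLES = {
    "engineer_in_department": Request(
        {"roles": ["engineer"], "department": "propulsion", "citizenship": "US", "projects": ["falcon"]},
        DOC, "write", MFA_MANAGED),
    "foreign_national_read": Request(
        {"roles": ["engineer"], "department": "propulsion", "citizenship": "DE", "projects": ["falcon"]},
        DOC, "read", MFA_MANAGED),
    "password_only_read": Request(
        {"roles": ["analyst"], "department": "propulsion", "citizenship": "US", "projects": []},
        DOC, "read", {"auth_level": 1, "device_managed": True}),
    "unmanaged_device_write": Request(
        {"roles": ["engineer"], "department": "propulsion", "citizenship": "US", "projects": []},
        DOC, "write", {"auth_level": 2, "device_managed": False}),
    "analyst_tries_write": Request(
        {"roles": ["analyst"], "department": "propulsion", "citizenship": "US", "projects": []},
        DOC, "write", MFA_MANAGED),
    "unrelated_admin": Request(
        {"roles": ["admin"], "department": "finance", "citizenship": "US", "projects": []},
        DOC, "read", MFA_MANAGED),
}


def evaluate_samples() -> dict[str, tuple[str, list[str]]]:
    """Run every constructed sample through the PDP."""
    return {name: decide(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in evaluate_samples().items():
        print(f"{name:24s} {decision:6s} {', '.join(reasons)}")
```

The five attribute policies apply unchanged however many departments, projects, classifications or device postures the organization has; a pure role model would need a distinct role for each combination to express the same decisions, which is the role explosion Q3 describes. The RBAC gate still rejects the analyst's write before any attribute is consulted, which is the "in tandem" arrangement Q4 recommends, and the default-deny branch is what makes the engine suitable for evaluating every request rather than only a perimeter check.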
This concludes Episode 3 of the Cybersecurity Expert Series with Sowmya on how ZTA can be strengthened with ABAC. Stay tuned for Episode 4, where we will cover how ABAC can enhance dynamic data protection. To learn more about why ZTA is important, watch our episode with Alper Kerman, a security engineer from NIST.
Discover more from NextLabs' Expert Series, featuring industry experts in educational and thought-provoking conversations on Data-Centric Security, Zero Trust Architecture, Safeguarding AI, and more.