Zero Trust Architecture (ZTA)

What is Zero Trust Architecture?

The National Institute of Standards and Technology (NIST) has defined the Zero Trust Architecture (ZTA) model in cybersecurity as “an evolving set of security paradigms that narrows defenses from wide network perimeters to individual or small groups of resources.”

ZTA is based on the assumption that an attacker could be present in any environment, including those owned by enterprises. As such, the enterprise must enact protections to reduce the risks to its assets and business functions through constant monitoring and evaluation. ZTA comprises the following three core zero trust principles for planning industrial and enterprise infrastructure and workflows:

  1. Never trust, always verify: every time a user, device, or application attempts a new connection, that attempt is authenticated and authorized.
  2. Implement least privilege access: grant users and applications only the minimum access needed to perform their jobs effectively.
  3. Assume breach: prepare for worst-case scenarios and plan for when attacks do occur.

Instead of focusing on protecting access to a network by hardening the perimeter, a ZTA model prioritizes the protection of individual resources within an organization’s network and is an example of a data-centric approach to security. It assumes threats can originate from both inside and outside the network, and it continuously evaluates risks and enforces controls to mitigate them. The focus shifts downstream to user access to the specific resources and data that require protection.

Dynamic Authorization and ZTA

A core pillar of ZTA and a data-centric approach to security is dynamic authorization.  In contrast to traditional or static authorization models, in which authorization is granted before resources are accessed and is valid for subsequent access requests, dynamic authorization re-evaluates data access policies at the time of each access request, and either grants or denies access and entitlements to the requested resource based on the evaluation result at that specific point in time.  In addition to granting access, dynamic authorization can be used to implement the ZTA principle of “Least Privileged Access” to only provide the minimum level of access needed by the user at that specific time.

Dynamic Authorization can be used to extend role-based access control (RBAC), where access is granted based on a user’s role, or to apply attribute-based access control (ABAC), in which access rights and entitlements to an organization’s resources are based on attributes of the user, environment, and the data itself.  Whether in extending RBAC or in applying ABAC, dynamic authorization can be used to implement a data-centric approach to an organization’s security, dynamically evaluating access and entitlement policies for every access request to protect specific resources at the specific time they need to be protected.  This is the essence of the ZTA principle of ‘Never Trust, Always Verify’.
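As an added illustration (not NextLabs’ code), the following Python models a policy decision point that evaluates ABAC policies over user, environment, and data attributes at the time of each request, and contrasts it with a static model that caches the first grant. The attribute names, the three policies, and the corporate network range are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed: assumed corporate range


@dataclass(frozen=True)
class Request:
    user: str
    role: str            # user attribute
    clearance: int       # user attribute: 1=public, 2=confidential, 3=secret
    resource: str
    classification: int  # data attribute, same scale as clearance
    hour: int            # environment attribute: local hour, 0-23
    source_ip: str       # environment attribute


def evaluate(req: Request) -> tuple:
    """Evaluate ABAC policies against the attributes presented right now.
    Returns (decision, entitlements granted for this request only)."""
    # Policy 1: the user's clearance must dominate the data classification.
    if req.clearance < req.classification:
        return "Deny", frozenset()
    # Policy 2: confidential or higher data is reachable only in business hours.
    if req.classification >= 2 and not 8 <= req.hour < 18:
        return "Deny", frozenset()
    # Policy 3 (least privilege): "view" is the baseline; "edit" additionally
    # requires the engineer role AND a source address inside the corporate network.
    ents = {"view"}
    if req.role == "engineer" and ipaddress.ip_address(req.source_ip) in CORP_NET:
        ents.add("edit")
    return "Permit", frozenset(ents)


class StaticAuthorizer:
    """Traditional model: the first decision for (user, resource) is cached
    and reused for later requests even if attributes have changed."""
    def __init__(self):
        self._grants = {}

    def authorize(self, req: Request) -> tuple:
        key = (req.user, req.resource)
        if key not in self._grants:
            self._grants[key] = evaluate(req)
        return self._grants[key]


class DynamicAuthorizer:
    """ZTA model: nothing is remembered; every request is re-evaluated."""
    def authorize(self, req: Request) -> tuple:
        return evaluate(req)


def compare(first: Request, later: Request) -> tuple:
    """Feed the same two requests to both models; return (static, dynamic) answers for the later one."""
    static, dynamic = StaticAuthorizer(), DynamicAuthorizer()
    static.authorize(first)
    dynamic.authorize(first)
    return static.authorize(later), dynamic.authorize(later)
```

With the same user reaching the same resource first from the corporate network during business hours and later from an external address at night, the static model still answers with the cached Permit, while the dynamic model denies.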

Dynamic Authorization Components and Data Flow

NextLabs’ Zero Trust Data-Centric Security Suite

ZTA and dynamic authorization are the foundation upon which the NextLabs Data-Centric Security suite of products rests. NextLabs’ products allow our users to balance the need to share with the need to protect by allowing access to an organization’s data, network, applications, and other sensitive assets to be granted or denied dynamically in real time. This is done through the definition and enforcement of ABAC policies utilizing attribute values, such as the user’s clearance level and assigned role, the data type and classification, and environmental attributes such as time of day and IP address. By evaluating ABAC policies dynamically at the time of the access request, NextLabs allows organizations to grant fine-grained access and entitlements to resources, giving users access to only what they need and granting them the entitlements to do only what they should be authorized to do once they have that access.

NextLabs’ data-centric dynamic authorization system with ABAC significantly streamlines the management process. It removes the need to individually administer thousands or even hundreds of thousands of access-control lists and/or roles and role assignments on a daily basis. Additionally, organizations do not need to deploy expensive and complex identity governance solutions. With ABAC, hundreds of roles can be replaced by just a few policies. These policies are managed centrally across all sensitive applications and systems, providing a single pane of glass over the “who, what, where, when, and why.” Centralized management makes it easy to add or update policies and quickly deploy them across the enterprise.

Authorization policies are managed externally from the NextLabs Control Center (CloudAz), so they can be modified without requiring code changes or application downtime. This enables organizations to react quickly to changes in business or regulatory environments, greatly increasing agility and flexibility and enhancing overall data protection. Dynamic authorization with ABAC also provides central monitoring and tracking of user activity and data access, giving compliance and security officers insight into user behavior and suspicious activities.

NextLabs’ data-centric dynamic authorization allows organizations to implement the three principles of ZTA and is integrated into all NextLabs product lines, including:

  • CloudAz, a unified policy platform that centralizes administration and applies the “never trust, always verify” principle, ensuring data is protected at any access point.
  • Data Access Enforcer (DAE), which helps enterprises protect data access from anywhere by securing access to and protecting critical data stored in databases and data lakes.
  • SkyDRM, which ensures persistent protection of critical files and documents to protect data on the move and at rest.
  • Entitlement Management / Externalized Authorization Management, which can be used to secure applications, enforce data security controls, and simplify role management.