Zero Trust Authorization can be applied to networks, resources, or an organization’s data itself. Whatever the context, Zero Trust Authorization means that any access to or use of a resource should be authenticated at the time of access or use, and the principle of least-privilege access should apply: only the minimal access and entitlements actually required are granted, which reduces the chances of unauthorized use or access.
By applying Zero Trust principles to resource access and use, Zero Trust Authorization works as a data-centric approach to protecting access to an organization’s resources. Instead of focusing on protecting access to a network or to physical resources, a data-centric security approach focuses on protecting access to the data itself. Therefore, data access and use policies are centered around what data is being accessed. The appropriate policy is applied based on attributes of the data being accessed, the user who is requesting access, and the environment (see our post on Attribute-Based Access Control, or ABAC, for more information on how this can be done). These policies remain in effect whenever and however the data is being accessed, whether it is at rest on a local system or in a database, or being shared and on the move. Zero Trust Data Security ensures that each time a user requests access to data and the request is authenticated, the entitlements granted are only the minimum required (e.g. not granting edit access if read-only access is sufficient).
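To make the decision logic above concrete, here is an added example (not code from the original post or from any product it describes) of a small attribute-based policy evaluator. The rule names, attribute keys, users, documents and environments are all constructed sample values. Each call to `authorize` re-evaluates the request at the time of access, the data's storage location is deliberately not part of any rule so the same policy applies whether the document is in a database or in a shared link, and the entitlements returned are the intersection of what was requested with what policy permits, so a request for edit access where only read is allowed yields read only.

```python
"""Minimal attribute-based access control (ABAC) evaluator for Zero Trust
Authorization. Constructed illustration: every rule, user, document and
environment below is an invented sample value, not a real product's policy.
"""
from dataclasses import dataclass

ALL_ACTIONS = frozenset({"read", "edit", "share"})


@dataclass(frozen=True)
class Rule:
    """If every attribute predicate matches, the listed actions are permitted."""
    name: str
    data: dict          # required data attributes, e.g. {"classification": "internal"}
    user: dict          # required user attributes
    env: dict           # required environment attributes
    actions: frozenset  # actions this rule grants when it matches


def _matches(required: dict, actual: dict) -> bool:
    """True when every required attribute is present in `actual` with an equal value."""
    return all(actual.get(key) == value for key, value in required.items())


def allowed_actions(rules, data_attrs, user_attrs, env_attrs) -> frozenset:
    """Union of the actions granted by every rule whose predicates all match.
    Rules never mention where the data lives, so the decision is the same for
    data at rest, in a database, or being shared."""
    granted = set()
    for rule in rules:
        if (_matches(rule.data, data_attrs)
                and _matches(rule.user, user_attrs)
                and _matches(rule.env, env_attrs)):
            granted |= rule.actions
    return frozenset(granted)


def authorize(rules, data_attrs, user_attrs, env_attrs, requested, authenticated: bool) -> frozenset:
    """Decide at the time of access. An unauthenticated request gets nothing;
    otherwise grant only those requested actions that policy permits, which is
    the least-privilege rule from the text (edit is not granted when only read
    is allowed, even if edit was asked for)."""
    if not authenticated:
        return frozenset()
    return allowed_actions(rules, data_attrs, user_attrs, env_attrs) & frozenset(requested)


# Constructed sample policy: any employee on the corporate network may read
# internal documents; only finance staff on a managed corporate device may edit
# finance documents.
POLICY = (
    Rule("internal-read",
         data={"classification": "internal"},
         user={"employee": True},
         env={"network": "corp"},
         actions=frozenset({"read"})),
    Rule("finance-edit",
         data={"classification": "internal", "department": "finance"},
         user={"employee": True, "department": "finance"},
         env={"network": "corp", "device_managed": True},
         actions=frozenset({"read", "edit"})),
)

# Constructed sample subjects, objects and environments.
DOC_IN_DB = {"classification": "internal", "department": "finance", "location": "database"}
DOC_SHARED = {"classification": "internal", "department": "finance", "location": "shared-link"}
ALICE = {"employee": True, "department": "finance"}
BOB = {"employee": True, "department": "engineering"}
ENV_OFFICE = {"network": "corp", "device_managed": True}
ENV_CAFE = {"network": "public", "device_managed": False}

if __name__ == "__main__":
    print(authorize(POLICY, DOC_IN_DB, ALICE, ENV_OFFICE, {"read", "edit"}, True))  # read and edit
    print(authorize(POLICY, DOC_IN_DB, BOB, ENV_OFFICE, {"read", "edit"}, True))    # read only
    print(authorize(POLICY, DOC_SHARED, ALICE, ENV_CAFE, {"read"}, True))          # nothing: off network
    print(authorize(POLICY, DOC_IN_DB, ALICE, ENV_OFFICE, {"read"}, False))        # nothing: not authenticated
```

Note that `allowed_actions` does not carry any notion of a session: a caller that wants the decision must call `authorize` again for each access, which is what keeps the check at the time of use rather than at the time of login.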