Updated August 2, 2023

What is Zero Trust Authorization?

Zero Trust Authorization applies the principles of Zero Trust to authorization, and to managing the access and privileges of users after that authorization has been granted. Zero Trust is a cybersecurity model that eliminates the concept of ‘trust’ present in traditional security models. Essentially, it means “Never Trust, Always Verify”. The idea is that an organization’s cybersecurity framework should never trust that a user or application is authorized to access a network, resources, or data, and that even when access to a resource is authorized, it should never be assumed that the user may do anything they want with it. Instead, a Zero Trust Authorization approach should re-authorize every request at the time of the request and enforce a model of least privileged access, providing only the minimum level of access that is required. This prevents a malicious actor from subverting one security measure and then leveraging that access to gain unauthorized access to other networks, resources, or data. It also limits the damage when a malicious actor compromises the credentials of a peripheral user of protected data: those credentials cannot be used to change, delete, or download that data when the user never required that level of access. The Zero Trust model can be applied to multiple domains, such as Zero Trust Architecture (ZTA) for internal networks, Zero Trust Network Access (ZTNA) for network access, Zero Trust Data Protection, which governs access to and use of protected data, and Zero Trust Authorization.

Zero Trust Authorization can be applied to networks, resources, or an organization’s data itself. Whatever the context, Zero Trust Authorization means that any access or use of resources should be authenticated at the time of access or use, and the principle of least privileged access should apply, allowing only the minimal access and entitlements that are required, to reduce the chances of unauthorized use or access.

By applying Zero Trust principles to resource access and use, Zero Trust Authorization works as a data-centric approach to protecting access to an organization’s resources. Instead of focusing on protecting access to a network or to physical resources, a data-centric security approach focuses on protecting access to the data itself. Therefore, data access and use policies are centered around what data is being accessed. Appropriate policies are applied based on attributes of the data being accessed, the user who is requesting access, and the environment (see our post on Attribute-Based Access Control, or ABAC, for more information on how this can be done). These policies remain in effect whenever and however the data is being accessed, whether it is at rest on a local system or in a database, or in motion while being shared. Zero Trust Data Security ensures that each time a user requests access to data and the request is authenticated, the entitlements granted are only the minimum required (e.g. not granting edit access if read-only access is sufficient).

How Can Organizations Implement Zero Trust Authorization?

Zero Trust Authorization requires that users are not authorized by default, and that access is only granted when sufficient conditions are met. The following principles should be followed when implementing Zero Trust Authorization:

  1. Apply Authorization Policies at the Granular Level – Define authorization policies that grant access at the most granular level possible, so that access can follow the principle of least privileged access, granting no more access or entitlements than are absolutely necessary.
  2. Enforce Authorization Policies Everywhere – Authorization policies should be defined to protect access and entitlements to all resources, regardless of whether those resources sit inside an organization’s network or outside it.
  3. Enforce Policies for All Access Types – Authorization requests can come from many sources, such as users who are accessing resources directly or applications that are requesting access. Authorization policies should be aware of the context around the origin of the access request, and grant access and entitlements accordingly. For instance, programmatic access to resources may be more limited than manual access to the same resources.
  4. Automate Policy Enforcement and Logging – Authorization policy evaluation and enforcement should be as automated as possible, and all access requests, whether granted or denied, should be logged for later auditing and analysis. This significantly reduces the time and cost of policy development and maintenance, as well as the effort needed to identify any potential malicious activity.
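The four principles above, worked through as an added example that is not part of the original post: a small attribute-based policy decision point in Python that denies by default, grants the narrowest action set per data classification, caps programmatic callers at read-only, and records every decision. The attribute names, departments and sample requests are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Literal

Channel = Literal["interactive", "programmatic"]
Classification = Literal["public", "internal", "restricted"]


@dataclass(frozen=True)
class Request:
    """One access request: subject, resource and environment attributes (ABAC)."""
    subject: str
    department: str
    channel: Channel           # how the request arrives (principle 3)
    mfa: bool                  # environment attribute: MFA satisfied for this session
    resource: str
    classification: Classification
    action: str                # e.g. "read", "edit", "download", "delete"


def permitted_actions(req: Request) -> set[str]:
    """Return the minimal entitlement set for this request.

    Nothing is permitted unless a rule grants it (default deny). Each rule
    grants only the actions that role needs on that classification (principle 1).
    """
    allowed: set[str] = set()
    if req.classification == "public":
        allowed.add("read")
    elif req.classification == "internal" and req.mfa:
        allowed |= {"read", "edit"}
    elif req.classification == "restricted" and req.department == "finance" and req.mfa:
        allowed |= {"read", "edit", "download"}
    # Principle 3: programmatic access is more limited than interactive access
    # to the same resource, so non-interactive callers are capped at read-only.
    if req.channel == "programmatic":
        allowed &= {"read"}
    return allowed


AUDIT_LOG: list[dict] = []  # principle 4: every decision, granted or denied, is kept


def authorize(req: Request) -> bool:
    """Evaluate the request at the time it is made (no cached grants) and log it."""
    granted = req.action in permitted_actions(req)
    AUDIT_LOG.append({**asdict(req), "granted": granted})
    return granted


if __name__ == "__main__":
    # Constructed sample: a finance analyst on a restricted spreadsheet.
    analyst = dict(subject="asha", department="finance",
                   resource="ledger.xlsx", classification="restricted")
    print(authorize(Request(**analyst, channel="interactive", mfa=True, action="edit")))    # True
    print(authorize(Request(**analyst, channel="programmatic", mfa=True, action="edit")))   # False
    print(authorize(Request(**analyst, channel="interactive", mfa=True, action="delete")))  # False
    print(len(AUDIT_LOG))                                                                   # 3
```

Note that "delete" is never granted by any rule, so it is denied for every caller without a dedicated deny rule: that is what default deny buys you.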