Dynamic authorisation: overcoming the limitations of zero trust technology

Dynamic authorisation: overcoming the limitations of zero trust technology

By Gal Helemski, co-founder and CTO, PlainID

Zero trust is no longer an optional extra for cyber security leaders – today it has become a fundamental way of working for modern businesses, especially in the financial services arena, where stakes are high. In enabling enterprises to optimise their cybersecurity posture, the zero trust model relies on the practical application of a golden rule: trust no-one.

With the challenges of shifting workforce dynamics, evolving business models and more complex tech environments that are increasingly vulnerable to security breaches, zero trust has gained in importance with the explosion of devices entering networks. The combination of more attack surfaces and increasingly borderless networks throws up weaknesses for organisations across all industries.

With more strategic targeting of critical infrastructure, attacks and risks are particularly increasing in IT, financial services, transportation and communication systems. Research by Sophos shows that ransomware attacks on financial services businesses have increased 34% between 2020 and 2021, with 55% of organisations hit in 2021.

While there are a variety of ways to implement a zero trust approach to security, existing solutions are focused on network-centric zero trust, and do not address the three critical access control levels – access to the network, access to applications and access to intra-application assets.

The limitations of zero trust technologies

The good news is that there are dedicated technologies to address the aspects of zero trust, especially around network access control and advanced authentication. Solutions that are most heavily promoted as supporting zero trust include gateway integration and segregation, secure SD-WAN, and secure access service edge (SASE).

But despite the protection features they provide, there are limitations of the technologies in focusing only on network-centric zero trust which means that without a comprehensive approach, true zero trust protection is simply not possible.

Today’s digital enterprises are driven by complex environments that are highly distributed with hundreds of applications, many systems, hybrid legacy and “cloudified,” microservices-driven infrastructures. This means that they support hundreds, perhaps thousands, of continually changing roles and each change requires the creation of a new access scenario.

Financial services’ approach to zero trust

The key role of a zero trust architecture is to make the critical decision about whether to grant or deny access to a resource by constantly verifying user identity, what the user is accessing and the context of the access against the access policies.

Preventing and detecting cyber threats is a central concern for financial services organisations. To have complete confidence in their zero trust framework, a financial services organisation must first understand their complex environment and vulnerabilities, as well as have a clear zero trust strategy that is widely shared throughout the organisation.

In the financial industry, zero trust eliminates some of the common assumptions made by alternative approaches, for instance, that user identities have not been compromised and that all users – once in the network – are operating responsibly. This ensures that they are not hostile insiders or threat actors.

Why dynamic authorisation matters

To this point specifically, thwarting the attempts made by increasingly intelligent hackers with a complex authorisation process – dynamic authorisation – has become the way forward to solve zero trust in financial services.

Dynamic authorisation is a superior approach that grants fine-grained access to resources, including application resources, data assets and any other asset in real time, precisely at the time of access.

It drives two processes that are essential to zero trust: runtime authorisation enforcement and high levels of granularity. For instance, when a user makes an attempt to access the network, application or assets within an application, this kick-starts the evaluation and approval process that covers key attributes. These include: User level (their current certification level, role and responsibilities) and whether they can access confidential and personally identifiable information (PII). It also includes asset attributes, such as data classification, location assignments and relevant metadata.

Also assessed is the location that the user is authenticating from, i.e. if it’s an internal or an external system. The number of authentication factors being used are also analysed, as is the time and date of authentication. There are even additional tech environment considerations, for instance the risk level of the system.

Taking into account all of these and all other relevant attributes, the policy engine makes the decision at that point of access during runtime. More than this, it makes a new decision each and every time access is attempted, – in real-time. This decision factors in all the attributes that are updated to that specific point in time with the highest levels of granularity, within the real-time context and environment, rather than judging using any attributes that were predefined by the application.

True zero trust is multi-level

In an era where the tactics and technologies employed by bad actors are becoming more challenging to address with legacy security solutions, zero trust is a mature and robust approach to reducing the risk and damage of a security breach.

However, taking the right approach to zero trust is critical. If a financial services organisation’s leaders are to have complete trust in their zero trust framework, it is essential to ensure that they are addressing each of the three levels of zero trust access control – access to the network, applications and intra-application assets with dynamic authorisation intrinsically featured as part of this process.