Zero Trust Security: Personalization of Data Access Control
Zero Trust architectures include a core capability for fine-grained data access control, which becomes fundamentally personalized because Zero Trust is oriented toward continually verifying and validating a person’s identity, access privileges and data access behavior.
Personalized by Identity: In Zero Trust, data access is fundamentally keyed off personal identity, which is continuously authenticated and profiled with regard to the user’s personal attributes.
Personalized by Attribute Dimensions: With identity as the foundation, a user’s profile can be richly personalized far beyond just their role or group membership. For example, attributes from authoritative systems can be gathered into a repository for the attributes of a user – their credentials for access to sensitive data or compartments of data, their location, and even attributes about their past data access behavior. This enables ‘attribute-based access control’ (ABAC) logic with the potential for much more granularity than simpler role-based access control (RBAC).
Rather than operating at the database or server level using a service ID that pools users, it is important for policy enforcement points (PEPs) to operate at the application level, where user identity can be specifically aligned with user attributes and each access request screened against the policy pertaining to that user’s personal access authorization.
Personalized by Personal Consent: Under current privacy regulations, users have gained the right to choose whether they exercise the ‘right to be forgotten’ or withhold consent for their personal data to be viewed.
Personalized by Behavior: Throughout a user’s data access activity, their personal behavior may be monitored and profiled, and norms for their typical usage derived. Should a user who typically consumes 50 rows on a typical workday suddenly come into the office on Sunday morning and request 5,000 rows, this anomalous behavior can be identified, with notice sent to security or the access even shut down automatically.
Adding these requirements up, a zero-trust data access control solution needs to be able to:
- incorporate rich granularity of multiple attributes for an individual’s profile beyond mere role
- regularly synchronize attribute information gathered from authoritative sources
- accommodate rich access logic, potentially involving complex access rules
- monitor user data usage, producing records of processing, and perform user behavior analytics.
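The four personalization dimensions above can be combined in a single application-level PEP decision. The sketch below is an added example, not code from the original page or from any product. The profile fields, the allowed-location set, the z-score limit and the audit record layout are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass
class UserProfile:             # hypothetical shape; attributes synced from authoritative sources
    user_id: str
    compartments: frozenset    # data compartments the user holds credentials for
    location: str
    daily_rows: tuple          # rows consumed on past workdays (behavior baseline)
    usual_weekdays: frozenset  # 0=Mon .. 6=Sun, days the user normally works

@dataclass
class Request:
    user: UserProfile
    compartment: str
    subject_consented: bool    # has the data subject consented to viewing?
    rows: int
    when: datetime

ALLOWED_LOCATIONS = {"HQ", "BRANCH"}   # constructed policy value
AUDIT_LOG = []                         # records of processing

def anomaly_reasons(req, z_limit=3.0):
    """Compare the request with this user's own norms, not a global threshold."""
    hist = req.user.daily_rows
    sigma = pstdev(hist) or 1.0        # avoid division by zero on a flat history
    reasons = []
    if (req.rows - mean(hist)) / sigma > z_limit:
        reasons.append("row volume far above personal norm")
    if req.when.weekday() not in req.user.usual_weekdays:
        reasons.append("access on an unusual day")
    return reasons

def decide(req):
    """PEP decision keyed on the individual user; returns (decision, reasons)."""
    u = req.user
    if req.compartment not in u.compartments:
        result = ("deny", ["no credential for compartment"])
    elif u.location not in ALLOWED_LOCATIONS:
        result = ("deny", ["location not permitted"])
    elif not req.subject_consented:
        result = ("deny", ["data subject withheld consent"])
    elif (why := anomaly_reasons(req)):
        result = ("deny_and_alert", why)   # notify security or shut the session down
    else:
        result = ("permit", [])
    AUDIT_LOG.append((req.when.isoformat(), u.user_id, req.compartment, req.rows, result[0]))
    return result
```

With a constructed history of roughly 50 rows per workday, a 5,000-row request on a Sunday is denied with both anomaly reasons, while the same user's normal weekday request is permitted.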