The majority of organizations are on the road to implementing a zero trust framework to increase their overall security risk posture, according to PlainID.
However, only 50% said that authorization makes up their zero trust program – potentially exposing their infrastructure to threat actors.
Zero trust framework challenges
Historically, a zero trust framework was focused on solving the challenges associated with authentication, end point and network access security. However, identity related breaches have increased exponentially, and the convergence of identity and access management with traditional security has accelerated the need for new technical capabilities for enterprise authorization and access controls.
Authorization is a broad and complex challenge requiring a solution that can provide a multitude of capabilities such as policy management, governance, control and policy enforcement across a disparate computing environment.
Ultimately, to provide the most secure digital end user experience, authorization policies must allow for risk based decision making in real time. This extends the zero trust philosophy from time of authentication through to the final access point and target data set.
Following survey outreach, the results reflected how only 31% of respondents said they have sufficient visibility and control over authorization policies intended to enforce appropriate data access. Additionally, 45% of respondents indicated a lack of sufficient technical resources as a challenge in optimizing enterprise authorization and access control.
Essentially, organizations may have implemented a form of zero trust but they do not have the complete tool set or the on staff expertise and knowledge to have true visibility and control of their network.
Homegrown solutions under threat
Organizations are finding themselves building their own homegrown solutions which can appear cost effective. However, this leaves gaps within the overall security posture if not developed, deployed, and maintained properly – resulting in higher operational costs and enterprise risk over time.
In response to the survey, 41% of respondents said they use homegrown solutions (OPA-based) to authorize identities. Moreover, 40% of respondents also said they use a homegrown solution (fully custom) to authorize identities. Without true zero trust, organizations run the risk of leaving gaps in their security infrastructure. Security has to remain a fluid and ever evolving technology as cyber adversaries will repeatedly re-strategize and evolve to breach organizations and when there is a will, there is a way.
Next generation authorization can be the differentiator between a headache for security teams and a full blown breach. It is never a discussion of if but when hence why having homegrown solutions that are not built with the evolved threat landscape in mind and without the technical staff capable of maintaining, there may be a false layer of confidence that could lead to a betrayal of trust from partners and customers when their data is stolen.
As the demand for risk based authorization and identity aware security rises, the deficiencies of legacy home grown authorization engines are exposed. The demands from business stakeholders to keep pace with digital initiatives, while ensuring the highest levels of security and user experience, is driving change to adopt next generation enterprise authorization solutions.
Security threats are constantly evolving
Implementing an end to end zero trust architecture is a strategy that requires building a reference architecture that seeks to harden every threat vector possible. The next frontier is addressing the portion of the user journey post authentication, and beyond the borders of network access security.
Next generation authorization is poised to provide identity aware security at every layer of an enterprise computing infrastructure, while also providing central policy visibility, manageability, and policy governance.
“Zero trust must treat all identities as potential threats. While zero trust boosts higher levels of confidence, it’s imperative to pair it with a comprehensive authorization framework,” said Oren Ohayon Harel, CEO of PlainID. “Enterprises today need continuous evaluation and validation across all tech stack interaction to mitigate data breach impacts”.