Hi, I'm Gal, co-founder of PlainID, the authorization company. Today I'm going to discuss dynamic authorization in a zero trust architecture. I bet you have heard a lot about zero trust, and you're going to continue hearing about zero trust, because zero trust is one of the main initiatives today in the identity and access management space and in cybersecurity.
So, first of all, to understand what the topic is about, I want to talk about what dynamic authorization is, what zero trust is, and how they fit together. Then we'll go over architecture patterns where those two support each other. So, zero trust. This is taken from Forrester, early this year; they published an updated description of zero trust. Please note, they mention, first of all, deny access by policy only. We'll talk about the policy concept for everything: for data, for workloads, for users, for devices, and some others listed here.
Those are the fundamentals of zero trust. It's important to understand that in order to achieve an efficient security architecture, we need to follow those fundamentals, and the core component of those fundamentals is the policy. Now, you have heard about policy also in previous sessions, and policy is widely used in our space. I'm talking specifically about authorization policies, and we'll see what I mean in a second. Let's talk about dynamic authorizations. What are dynamic authorizations?
Dynamic authorizations are what defines the connections between an identity and the digital assets. Those are dynamic authorizations. Okay. So to begin with, an identity, secure as it might be, has no trust. Think about an identity that has gone through the authentication process, has gone through multi-factor, whatever strong authentication process we had in place. We want this identity to be able to access data, to access services, to access applications.
What defines the connection is authorization, and more specifically dynamic authorization. Dynamic authorization defines the trust: the trust between the secured identity and what that identity can access. Okay, so you can start seeing why dynamic authorizations are so crucial for the zero trust initiative.
Now, I mentioned policies, and again, policies are widely used in our industry. I'm specifically talking about authorization policies, policies that are used to define the connection between identities and those digital assets.
Now, I mentioned that those are dynamic authorizations. In order to manage dynamic authorizations efficiently, you need policies, more specifically policy-based access control, also known as PBAC, which is today the most efficient method to manage the connectivity between identities and what identities can access. So what is a policy, an authorization policy? The authorization policy, first of all, looks at the identity. Who is the identity? Is it an employee? Is it an external user? Is it a consumer, a partner? What do we know about the identity?
We know the identity has a specific certification level. We know the identity is from a specific department or company. Whatever we know about the identity can be part of our policy. Next, what is the identity trying to access? The identity is trying to access medical records.
The identity is trying to access financial data. What is the resource the identity is trying to access?
This would also be part of our policy. On top of that, we can add from where the identity is accessing, what device the identity is using, and any environmental conditions, like what time of the day it is, what date it is, location, and so on. All those together would build our policies, in addition to compliance data. So authorization policies eventually would define, for example: doctors can access their medical records; account managers can access their accounts. Those are business policies that support your dynamic authorization.
So we have the fundamentals: we know the fundamentals of zero trust, the fundamentals of dynamic authorization, and the authorization policies that support them. How are we going to use that? Let's look at the flow. On one side, we have our identity, which is, like I said, our employee, our partner, our consumer. Eventually this identity needs to access resources, whether those are application objects, data, services, whatever. The objective is not just accessing the application. It's not just opening the door. It's also entering the application and using whatever the application has to offer. In order to do that, the identity needs to go through whatever device, maybe some network access, the application, and additional controls. There is a journey, okay? And that journey needs to be controlled by who the identity is and what the identity can see and do. Together, they would provide the full set of controls required to secure that access. This is the full zero trust path. Okay.
Up until now, we have heard in the market many vendors which have been speaking about zero trust, and they have been doing really great jobs, but they have stopped at the gate. They have stopped maybe at the network gate or the application gate. What I'm arguing is that zero trust needs to be all the way in. If you really want to implement zero trust, you need your data asset to understand who the identity is, and then, based on that, grant the relevant access. It needs to be supported all the way in, with authentication and authorization working together.
We'll see how. And that's just what I was saying: in order to complete the zero trust framework, to provide something complete and robust, you need to enforce access in all layers, in the network layer, in the application layer, and in the services layer as well.
How would you do that? You would do that by incorporating an authorization solution as part of your security or IAM stack, the same way as you have your IdP there, right? The majority of organizations today have a well-defined authentication solution.
You have a solution that authenticates the users, a solution that creates those tokens, OpenID Connect or whatever, and basically opens the door to the application. But then what happens afterwards? That's the responsibility of the authorization solution. An authorization solution would continue that security into the application, and it can be implemented at the different levels of the technology stack.
It can be implemented on the application level, on the API level, the microservice level, and obviously the data level. There are different deployment patterns today supported by authorization solutions, for example PlainID, in order to make that process efficient and scalable.
But the main point here is that authorization should be implemented all the way in. Another topic I'd like to touch on: when I say authorization, let's say the common notion is that authorization is a yes/no answer. Okay, I'm asking, can I do that? And the answer would be yes or no. So that's not true.
Authorizations are much, much more than just a yes/no answer. It's important to understand there are many patterns for authorization. Actually, not many: four. I'm saying that, and you can read it also in different publications: there are four patterns for authorizations. Why? Because they need to support the different use cases, sorry, the different deployment patterns I was sharing before. An authorization decision can be very precise, yes or no, or an authorization decision can be more elaborate to support the relevant use cases.
I'm showing you that to emphasize how authorizations, specifically dynamic authorizations, have evolved over the years. It started as a yes/no question, very basic, very static. Today, we are speaking of dynamic authorizations that can support your data access, microservices, APIs, and much more. And there are options here to make the development process and implementation process much, much simpler. I want to move on to a sample use case. I think that would really emphasize how authorizations fit into that architecture and why they're so important. So let's look at a sample case study: how to implement API access control with dynamic authorization to enable zero trust.
Typically, and this is just a sample, right, a typical architecture pattern would have an application layer. Then the application might call APIs, whether through an API gateway; maybe there are some microservices down below, right? So we also have service-to-service communication. The majority of implementations have authentication in place. We know who the identity is.
The identity is authenticating to the application at the entry point, but then what happens when the application wants to use services? When the application wants to use data, it uses a very general account.
We lose the identity. We do not know who the identity is. Whether we go through the API gateway or between the services in a microservices setup, we don't know who the identity is. And if we don't know who the identity is, who are we trusting? We can't implement zero trust if we don't know who the identity is at that level. Eventually, that microservice down below is the one accessing the data, is the one granting access. We need to know who the identity is at that level, by implementing an authorization solution, the right authorization solution.
You can use the identity context all the way through. The identity is known at the start, at the entry point. The identity is known all the way through the services and the microservices, and authorization is enforced correctly. Security is enforced in the right way, the way it should be. Okay.
And again, this is just one pattern to emphasize why authorization is so important, where authentication ends and where authorization takes the lead. Zero trust is enabled only by dynamic authorizations. So, some key takeaways for this session. First of all, dynamic authorization is a crucial part of zero trust. In order to really implement zero trust all the way through, it's not enough just to implement it at the network level or the application level. It has to go up to the data, services, resources level. That's one.
And in order to achieve that in an efficient way, the most efficient method is by managing those decisions in a central way with decentralized enforcement. Why is that? Because, if you remember the previous slide, authorizations are enforced in different patterns. The way in which you enforce authorizations for APIs, for data, for microservices, for applications is not the same; they are different technologies. So the objective of a good authorization solution is to provide that one central management layer with the decentralized enforcement capabilities that can speak to all those levels.
This is the only way you can really achieve zero trust all the way through. Thank you.
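The following is an added example, not part of the talk and not PlainID's code. It puts two of the talk's points into running code: an attribute-based (PBAC-style) policy evaluated over identity, resource and environment, deny by default, in the spirit of "doctors can access their medical records", and the API-gateway case study, where the downstream service decides with the caller's identity rather than the generic service account that loses it. All policies, attribute names, identities, records and the token-to-claims lookup are constructed for illustration; a real deployment would get the subject claims from a validated IdP token and the decision from a policy engine.

```python
"""Policy-based access control with identity context propagated through an
API/microservice call chain. Added example; every policy, attribute name,
identity, resource and "token" below is constructed, not production data."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    """The full context a dynamic authorization decision is made on."""
    subject: dict      # who: claims about the authenticated identity
    action: str        # what they want to do
    resource: dict     # what they want to do it to
    environment: dict  # from where, on what device, at what time


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[Request], bool]


def decide(policies: list[Policy], req: Request) -> tuple[bool, Optional[str]]:
    """Deny by default: grant only when some policy explicitly permits, and
    report which policy did so (the name is what you want in the audit log)."""
    for policy in policies:
        if policy.condition(req):
            return True, policy.name
    return False, None


# Constructed business policies combining identity, resource and environment.
POLICIES = [
    Policy(
        "doctor-reads-record-of-own-patient",
        lambda r: r.subject.get("role") == "doctor"
        and r.action == "read"
        and r.resource.get("type") == "medical_record"
        and r.subject.get("id") in r.resource.get("care_team", ())
        and r.environment.get("device_managed") is True,
    ),
    Policy(
        "account-manager-reads-own-account",
        lambda r: r.subject.get("role") == "account_manager"
        and r.action == "read"
        and r.resource.get("type") == "account"
        and r.resource.get("owner") == r.subject.get("id"),
    ),
]

# Constructed backing data for the "records" microservice.
RECORDS = {
    "rec-1": {"type": "medical_record", "care_team": ("dr-ada",), "body": "..."},
}

# Constructed stand-in for the claims the entry point extracted from a
# validated IdP token (a real gateway would verify a JWT here).
TOKENS = {
    "tok-ada": {"id": "dr-ada", "role": "doctor", "department": "cardiology"},
}


def records_service(subject: dict, record_id: str, environment: dict) -> Optional[dict]:
    """The service that actually touches the data decides with the *caller's*
    identity, not its own. Returns the record, or None when denied/missing."""
    record = RECORDS.get(record_id)
    if record is None:
        return None
    allowed, _policy = decide(POLICIES, Request(subject, "read", record, environment))
    return record if allowed else None


def api_gateway_propagating(token: str, record_id: str, environment: dict) -> Optional[dict]:
    """Entry point: authenticates, then forwards the subject context downstream
    so the identity is known all the way to the data."""
    subject = TOKENS.get(token)
    if subject is None:
        return None
    return records_service(subject, record_id, environment)


def api_gateway_service_account(token: str, record_id: str, environment: dict) -> Optional[dict]:
    """The anti-pattern from the talk: the gateway authenticates the user, then
    calls the service as a generic account, so the service never learns who
    asked and no identity-aware policy can match."""
    if token not in TOKENS:
        return None
    generic_account = {"id": "svc-gateway", "role": "service"}
    return records_service(generic_account, record_id, environment)


if __name__ == "__main__":
    managed = {"device_managed": True}
    print(api_gateway_propagating("tok-ada", "rec-1", managed))                  # the record
    print(api_gateway_propagating("tok-ada", "rec-1", {"device_managed": False}))  # None: unmanaged device
    print(api_gateway_service_account("tok-ada", "rec-1", managed))              # None: identity lost
```

The point of the two gateway functions is the contrast: with the same authenticated user, the same record and the same policy set, the propagating path is allowed and the service-account path is denied, because the deny-by-default policy has nothing to say about "svc-gateway". In a real system the propagated context would be a signed token or a verified header, never a trusted plain dict from the caller, since a downstream service that accepts unverified claims is just a different way of losing the identity.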