Unlocking Continuous Zero Trust Authorization with Strong Policy Engine

Trust can be broken at any moment. That means your approach to Zero Trust must be dynamic and flexible enough to find and account for broken trust in real-time. 

We are thrilled to announce an exciting new addition to the StrongDM Zero Trust Privileged Access Management (PAM) platform: Continuous Zero Trust Authorization. This powerful capability can help organizations leap forward in the Zero Trust journey by enabling continuous, contextual, and granular authorization and control over resources and data.

What is Continuous Zero Trust Authorization?

Continuous Zero Trust Authorization is the real-time monitoring of access and operations across your infrastructure and the ability to enforce contextual access policies in real time.

Continuous Zero Trust Authorization requires:

• Visibility into the access and operations being taken in your infrastructure and the context surrounding them.
• Flexible access controls that can consider any context in authentication decisions–whether that’s from devices, roles, attributes, or anything.
• Distributed policies that can be enforced in real time anywhere on your network, regardless of the system, tool, or location where an activity is taking place.
• Dynamic & real-time monitoring of risk and enforcement of policies in the case of something being deemed a risk.

At StrongDM, we understand the evolving needs of modern organizations, where security and access control are paramount concerns. With Continuous Zero Trust Authorization, we are taking access control to the next level, providing you with unprecedented capabilities to ensure the right individuals have the appropriate access to your critical assets.

Key Features of Continuous Zero Trust Authorization

Continuous Zero Trust Authorization builds on top of StrongDM’s already robust capabilities for delivering dynamic access to infrastructure and tools with a new policy engine, centralized policy management, and the ability to add nearly any context to real-time policy enforcement.

Strong Policy Engine

The robust Strong Policy Engine, powered by the Cedar Policy Language, enables distributed enforcement of centralized policies, creating a secure and unified access control framework across your infrastructure. The engine allows for policy evaluation with sub-millisecond response times, aligning with the high-performance standards that StrongDM users have come to expect.

Centralized Policy Management

Writing policies once and enforcing them everywhere is the dream. StrongDM simplifies policy management by extending your existing RBAC and ABAC policies with new signals and controls. This centralized approach streamlines administration, reducing the complexity of access control. With StrongDM, you can establish security measures that are uniformly enforced across all your diverse applications and infrastructure components. It builds upon the natural strengths of these resources by adding layers of security policies, thereby improving the existing controls and safeguards.

Attribute-based Authorization Models for Zero Trust

StrongDM supports various authorization models, including *BAC (Anything-based Access Control), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). You have the flexibility to choose the model or blend of models that best suits your needs.

Context-based Signals for Granular Control 

Adding context-based signals like geography, device, IP, requestor data, or resource tags to access decisions provides additional information about the requester, the resource being accessed, and the environment. Coupled with continuous trust assessment, this allows organizations to roll out an adaptive security strategy that responds to changes in real-time. 

New Context-based Signal: Device Trust

A critical context signal for determining the risk associated with access is device posture. Today, we are introducing Device Trust, which adds even more control to authorization decisions. This allows you to incorporate device posture from security solutions like CrowdStrike or SentinelOne as part of the continuous trust assessment for authorization. This enhances your security by considering the health and security status of devices when granting access.

Why Continuous Zero Trust Authorization Matters

In today's rapidly changing threat landscape, traditional access control mechanisms are no longer sufficient. Where traditional least privilege has been primarily focused on minimizing access to systems, that approach suffers the same flaw as perimeter-based access–once access has been approved, that person can do whatever they want, provided they have the associated role. 

The goal of least privilege is to reduce access to the minimum necessary for each person to perform their job effectively. While the concept is straightforward, it is frequently still overly permissive in practice. This is because, for most enterprises, access grants are static and long-lived, so the path to least privilege usually involves removing access. 

✨ Another way to think about contextual trust assessment: If privileged access management is like a security guard in an office building giving someone access to the 12th floor; then, Zero Trust PAM would be like having an escort by your side the entire visit making sure you didn’t go into an office you shouldn’t, talk to someone you shouldn’t, or write something on the white boards that was inappropriate.

The rapid evolution of cloud resources presents a significant challenge in implementing Zero Trust access across a wide variety of infrastructure. Today, organizations deal with an unprecedented number of systems, each with its own unique configuration and access requirements. The complexity doesn't end with granting initial access; it's also about continuously assessing whether that access remains appropriate.

“Software teams are building new applications for different use cases, and their security tooling must keep pace with them. They need ways to evaluate access continuously, not just at the point of entry. This includes robust security policies that are enforced in real time, all the time, and policy decisions that are informed by knowledge of the context on the ground. AWS created the Cedar policy language as a building block so that companies like StrongDM can build provable security into a new class of tools that are both easy and reliable. This next step in Zero Trust authorization has been a long time coming, and we're incredibly excited for this launch.” 

 

- Sarah Cecchetti, Head of Product, Cedar, AWS

Continuous authorization enables you to include operations executed in your environment as part of your Zero Trust initiatives. This approach ensures that access is continuously assessed and granted based on contextual factors, allowing you to make real-time access decisions that enhance security while preserving productivity.

By leveraging StrongDM's powerful capabilities, you can:

• Minimize the risk of unauthorized access and data breaches.
• Achieve granular control over resource access, reducing the potential for misuse.
• Simplify policy management and enforcement across the entire infrastructure.
• Incorporate device posture into access decisions for enhanced security. 

With Continuous Zero Trust Authorization, StrongDM empowers you to take a proactive and dynamic approach to access control, aligning with the principles of Zero Trust.

Get Started with StrongDM Today

StrongDM enables continuous, context-based authorization, and today, device posture is now available as a context signal that can be included in your authorization decisions. The new Strong Policy Engine – which will enable write once, enforce everywhere policies – is now in Beta and will be released in Q1 2024. 

Stay tuned for more updates and enhancements as we continue to evolve the StrongDM platform to meet your organization's Zero Trust PAM needs. Thank you for choosing StrongDM as your trusted partner in access control and security.

Want to see StrongDM in action? Book a demo.