Signal, Decision, Enforcement — The 3 steps in Zero Trust

I talked previously about the 6 foundational elements of a Zero Trust security model: identities, devices, applications, data, infrastructure, and network.

Each of these six foundational elements is a source of signal, a control plane for enforcement, and a critical resource to be defended.

Signal is the combination of the user information (ID, group, etc.) and the device it came from. The device’s IP address, health information, and application making the call are all useful information that is then passed to the policy engine. We can no longer rely on user information alone, as the Colonial Pipeline attack showed us. In fact, 20% of attacks in 2021 were a result of compromised credentials.

The important point here with a Zero Trust approach, the signal is the credentials PLUS the device, so a set of lost credentials used from an unknown device will be treated differently than the same credential from a managed, enterprise owned system, so the unknown device (even with good credentials) would be blocked.

The policy engine is the component in the decision layer that has the power to make a decision. It compares the request coming from the enforcement component against policy in order to determine whether the request is authorized or not. Once determined, the result is returned to the enforcement piece. It leverages multiple data sources in order to compute a risk score, similar to a credit score. This score can be used to protect against unknown unknowns, and helps keep policy strong and robust without complicating it with edge cases and signatures. It is used by the policy engine as an additional component by which an authorization decision can be made.

The enforcement component sits on the “front line” of the authorization flow and is responsible for carrying out decisions made by the rest of the authorization system. Enforcement can be broken down into two primary responsibilities. First, an interaction with the policy engine must occur. This is generally the authorization request itself (e.g., a load balancer has received a request and needs to know whether it is authorized or not). The second is the actual installation and ongoing enforcement of the decision. While these two responsibilities represent a single component in the Zero Trust authorization architecture, you can choose whether they are fulfilled together or separately.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dwaine Snow

Dwaine Snow


Helping understand how cyber resiliency and Zero Trust security solutions can keep their systems and data safe, and always available.