A policy language for context-aware access control in zero-trust network
Abstract
Evolving computing technologies such as cloud, edge computing, and the Internet of
Things (IoT) are creating a more complex, dispersed, and dynamic enterprise
operational environment. New security enterprise architectures such as those based on
the concept of Zero Trust (ZT) are emerging to meet the challenges posed by these
changes. Context awareness is a notion from the field of ubiquitous computing that is
used to capture and react to the situation of an entity, based on the dynamics of a
particular application or system context. However, there is limited research and
discussion about the overlap between context awareness and Zero Trust, with existing
literature often treating them as separate entities, leading to potential inefficiencies.
One of the main challenges in merging the two concepts is the inflexibility of the
programming languages and systems used to craft access control policies, which
sometimes results in excessively rigid policies. This challenge could be addressed
through a new programming language specifically designed for greater flexibility and
a wider consideration of contextual factors, leading to more robust security measures
that align more effectively with the principles of Zero Trust.
This work conducts a systematic review of the previous research in context-aware
access control to identify the various ways to capture and express context across
different access control types and different application domains. Based on this review,
it identifies how context can help provide dynamic policy-based solutions for zero trust applications.
It extends previous work that designed a policy language for risk-based access
control in zero-trust networks. Specifically, this project extends the necessary
language constructs to include and handle dynamic contextual attributes.
Finally, it provides a proof of concept to demonstrate that the extended language can
give the correct access decisions based on the evaluation of contextual information in
a zero-trust network.