The fine-grained nature of cloud native deployments requires fine-grained authorizations at each component. However, this may require security policies to be defined centrally while the configurations reflecting them are defined in each microservice, so that enforcement is uniform and consistent across the entire system; such a setup is hard to model and maintain.
Next-Generation Access Control (NGAC), developed by the U.S. National Institute of Standards and Technology (NIST), enables a systematic, policy-consistent approach to access control, granting or denying users administrative capabilities with a high level of granularity. It is based on the assumption that you can model the system you want to protect as a graph that represents the resources and your organizational structure, in a way that has meaning to you and that adheres to your organization's semantics. On top of this model you can overlay fine-grained policies and audit access decisions effectively.
This talk will offer an overview of NGAC and its advantages over more traditional RBAC and ABAC (such as mitigating role explosion and indeterminate or surprising access verdicts) in the context of Zero Trust, as well as practical examples of how to use it to rationalize enterprise access control in ways that are easy to reason about, author, enforce and audit.
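As an added illustration of the graph model described above (this is not code from the talk or from NIST's reference implementation), the following Python builds a small NGAC graph from constructed entity names and computes decisions the NGAC way: an operation is permitted only when every policy class that contains the object grants it, and each verdict is recorded for audit.

```python
from collections import defaultdict

class NGACGraph:
    """Minimal NGAC graph: assignments (child -> parents) and associations."""
    def __init__(self):
        self.assignments = defaultdict(set)   # user/object/attribute -> parents
        self.policy_classes = set()           # roots of the graph
        self.associations = defaultdict(set)  # (user attr, object attr) -> ops
        self.audit_log = []                   # one tuple per access decision

    def assign(self, child, parent):
        self.assignments[child].add(parent)

    def associate(self, ua, ops, oa):
        self.associations[(ua, oa)].update(ops)

    def containers(self, node):
        """Every node reachable upward from node, node itself included."""
        seen, stack = set(), [node]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.assignments[n])
        return seen

    def decide(self, user, op, obj):
        """NGAC verdict: every policy class that contains obj must grant op."""
        u_conts, o_conts = self.containers(user), self.containers(obj)
        required = o_conts & self.policy_classes
        granted = set()
        for (ua, oa), ops in self.associations.items():
            if ua in u_conts and oa in o_conts and op in ops:
                granted |= self.containers(oa) & self.policy_classes
        allowed = bool(required) and required <= granted
        self.audit_log.append((user, op, obj, allowed, sorted(granted)))
        return allowed

def build_sample():
    """Constructed sample: a role-style policy class and a project policy class."""
    g = NGACGraph()
    g.policy_classes.update({"RBAC", "Project"})
    for child, parent in [("Doctors", "RBAC"), ("Records", "RBAC"),
                          ("Cardiology", "Project"), ("CardioRecords", "Project"),
                          ("alice", "Doctors"), ("alice", "Cardiology"), ("bob", "Doctors"),
                          ("rec1", "Records"), ("rec1", "CardioRecords")]:
        g.assign(child, parent)
    g.associate("Doctors", {"read"}, "Records")                    # any doctor reads
    g.associate("Cardiology", {"read", "write"}, "CardioRecords")  # project members write
    return g
```

With this sample, alice (a doctor on the cardiology project) may read rec1 but not write it, because the RBAC policy class grants only read; bob (a doctor outside the project) is denied read entirely, and the audit log shows which policy classes granted each request.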