Zero Trust Score-based Network-level Access Control in Enterprise Networks

Leonard Bradatsch, Oleksandr Miroshkin, Natasa Trkulja, Frank Kargl

TL;DR

This paper tackles the gap in enterprise Zero Trust implementations by defining a comprehensive 29-attribute trust framework and a mathematical weighting model to quantify attribute impact. It introduces a dynamic risk-level threshold, RL, and compares a straightforward additive trust algorithm with a Subjective Logic–based approach that yields per-entity trust scores for user, device, and communication channel. The SL-based method offers finer-grained decision capabilities and prevents cross-entity trust compensation, while the dynamic risk level aligns access control with evolving threat conditions. Performance results from a proof-of-concept show the SL approach and dynamic threshold incur only modest overhead relative to the additive baseline, supporting practical deployment in enterprise networks.

Abstract

Zero Trust security has recently gained attention in enterprise network security. One of its key ideas is making network-level access decisions based on trust scores. However, score-based access control in the enterprise domain still lacks essential elements in our understanding, and in this paper, we contribute with respect to three crucial aspects. First, we provide a comprehensive list of 29 trust attributes that can be used to calculate a trust score. By introducing a novel mathematical approach, we demonstrate how to quantify these attributes. Second, we describe a dynamic risk-based method to calculate the trust threshold the trust score must meet for permitted access. Third, we introduce a novel trust algorithm based on Subjective Logic that incorporates the first two contributions and offers fine-grained decision possibilities. We discuss how this algorithm shows a higher expressiveness compared to a lightweight additive trust algorithm. Performance-wise, a prototype of the Subjective Logic-based approach showed calculation times for making an access decision similar to those of the additive approach. In addition, the dynamic threshold calculation showed only 7% increased decision-making times compared to a static threshold.
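To make the cross-entity compensation point concrete, the following is an added example written for this page, not the authors' code or the paper's algorithm: it contrasts a pooled additive score with per-entity fusion of Subjective Logic opinions using Jøsang's cumulative fusion operator, and checks each against a risk-dependent threshold. The attribute opinions, the equal attribute weights, the 0.6 base threshold and the risk-to-threshold mapping in `dynamic_threshold` are constructed assumptions; the paper's own attribute weighting and threshold derivation are not reproduced here.

```python
from dataclasses import dataclass
from functools import reduce


@dataclass(frozen=True)
class Opinion:
    """Binomial Subjective Logic opinion: belief, disbelief, uncertainty, base rate."""
    b: float
    d: float
    u: float
    a: float = 0.5

    def projected(self) -> float:
        """Projected probability P = b + a*u, used here as the scalar trust value."""
        return self.b + self.a * self.u


def cumulative_fusion(x: Opinion, y: Opinion) -> Opinion:
    """Jøsang's cumulative fusion of two independent opinions about one entity."""
    k = x.u + y.u - x.u * y.u
    if k == 0:  # both dogmatic (u == 0): equal-weight limit case
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, (x.a + y.a) / 2)
    if x.u == 1 and y.u == 1:  # both vacuous: base rates are simply averaged
        a = (x.a + y.a) / 2
    else:
        a = (x.a * y.u + y.a * x.u - (x.a + y.a) * x.u * y.u) / (x.u + y.u - 2 * x.u * y.u)
    return Opinion((x.b * y.u + y.b * x.u) / k, (x.d * y.u + y.d * x.u) / k, x.u * y.u / k, a)


def dynamic_threshold(base: float, risk_level: float) -> float:
    """Assumed mapping (not the paper's): push the threshold toward 1.0 as risk rises."""
    return base + (1.0 - base) * risk_level


def additive_decision(attrs: dict, threshold: float) -> tuple[bool, float]:
    """Additive baseline: one pooled mean over all attributes, whatever the entity."""
    values = [op.projected() for ops in attrs.values() for op in ops]
    score = sum(values) / len(values)
    return score >= threshold, score


def sl_decision(attrs: dict, threshold: float) -> tuple[bool, dict]:
    """SL approach: fuse evidence per entity; every entity must clear the threshold."""
    scores = {e: reduce(cumulative_fusion, ops).projected() for e, ops in attrs.items()}
    return all(s >= threshold for s in scores.values()), scores


# Constructed evidence: MFA passed and usual location (user), an unpatched but
# EDR-healthy device, and a strong TLS channel. The device evidence is the weak link.
SAMPLE = {
    "user": [Opinion(0.9, 0.0, 0.1), Opinion(0.7, 0.1, 0.2)],
    "device": [Opinion(0.1, 0.8, 0.1), Opinion(0.8, 0.1, 0.1)],
    "channel": [Opinion(0.9, 0.0, 0.1)],
}
```

With a 0.7 threshold the additive mean (0.74) permits access because the strong user and channel evidence masks the unpatched device, whereas the per-entity SL scores leave the device at 0.5 and deny the request.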


Paper Structure

This paper contains 21 sections, 5 equations, 3 figures.

Figures (3)

  • Figure 1: Decision-making process in a ZT network, adapted from NIST RoBo20
  • Figure 2: Decision-making time in the case the PIP queries all attributes from the database. For the measured times, the quartiles are presented.
  • Figure 3: Decision-making time in the case the PIP holds all attributes in the cache. For the measured times, the quartiles are presented.