Automating Trust: Implementing DAAS Access Policy with Software-Defined Storage (Zero Trust Activity 4.7.2)
We’ve been strategically aligning how access is governed for our critical digital resources (Data, Applications, Assets, and Services – DAAS) with the programmable capabilities of Software-Defined Storage (SDS). In Activity 4.7.1, “Integrate DAAS Access with SDS Policy Part 1,” we focused on the development of a DAAS access policy, ensuring its sufficiency for Zero Trust outcomes and its alignment with the enterprise SDS policy. That phase established the “what” and the “why” of our access rules, leveraging SDS attributes for granular decisions. Now, in Zero Trust Activity 4.7.2: Integrate DAAS Access with SDS Policy Part 2, we move from policy development to implementing that DAAS policy in a fully automated fashion.
This activity operationalizes dynamic, attribute-based access control over your most valuable digital assets. It ensures that the DAAS access policies developed in 4.7.1 are actively enforced by systems that leverage automation. The core mandate here is to put the policies into action programmatically, reducing manual intervention and increasing response speed.
This activity ensures that granular access policies for Data, Applications, Assets, and Services are consistently and rapidly enforced, minimizing human error and enabling near real-time adaptation to changes in risk or context.
The outcome for Activity 4.7.2 Part 2 highlights this shift to automation:
- Attribute-based fine-grained DAAS Policy implemented in an automated fashion.
The end state builds on the foundation of 4.7.1 and leverages capabilities such as SDS tools and DRM integration: a mature system in which DAAS access is managed through automated, attribute-driven policies, ensuring continuous and secure control over access to your digital resources.
Solutions for Achieving Integrate DAAS Access with SDS Policy Part 2 (Zero Trust Activity 4.7.2)
Implementing Activity 4.7.2 demands the deployment of intelligent policy enforcement engines and their deep integration with attribute sources and the programmable infrastructure:
- Implementing Centralized Authorization Platforms (PDPs/PEPs) for DAAS
  - Role: Deploy and configure Policy Decision Points (PDPs) that can interpret the attribute-based DAAS policies developed in 4.7.1. These PDPs evaluate attributes of the user, device, application, and crucially, the data/asset (leveraging SDS attributes) to make real-time access decisions. Policy Enforcement Points (PEPs) then execute these decisions.
  - Solutions: Centralized Authorization Platforms, ABAC (Attribute-Based Access Control) systems, or robust features within your Enterprise IdAM solution.
- Automating Policy Deployment via Policy as Code (PaC)
  - Role: Transform the DAAS access policies developed in 4.7.1 into Policy as Code (PaC). This allows policies to be version-controlled, tested, and automatically deployed to enforcement points within your CI/CD pipeline (from Activity 3.2.2).
  - Process: This ensures consistency and rapid updates to policies.
  - Solutions: Policy as Code (PaC) tools integrated with CI/CD Automation Servers/Platforms.
- Integrating with Attribute Sources for Real-time Decision-Making
  - Role: Automated policy enforcement requires real-time access to accurate attributes.
  - Process: Ensure seamless integration between your PDPs/PEPs and your various attribute sources:
    - Enterprise IdP/IdAM: For user and NPE identity attributes.
    - UEM/Device Posture/EDR: For device health and compliance attributes.
    - Software-Defined Storage (SDS) Platforms: For data attributes (classification, criticality, owner) and storage-related context, often exposed via SDS APIs.
    - Data Classification & Tagging Tools: For data-specific attributes.
- Leveraging Programmable Infrastructure for Enforcement
  - Role: Utilize the programmable nature of your network (SDN from 5.2.2) and SDS to enforce DAAS policies dynamically.
  - Process: For data stored on SDS, the SDS platform itself might act as a PEP, enforcing policies based on its own attributes or integrating with a separate PEP. DRM tools (from 4.5.1, 4.5.2) can enforce policies on data usage. Application Delivery Control Proxies (from 5.2.2) and Segmentation Gateways (from 5.2.2) can enforce policies for applications and network access to assets.
  - Solutions: The APIs of your SDS platforms, DRM tools, ZTNA solutions, NAC solutions, and Application Gateways are consumed by automation platforms to enforce policy.
- Establishing Automated Response Workflows
  - Role: Integrate policy violations or suspicious access attempts related to DAAS with your security operations for automated response.
  - Process: Alerts from enforcement points (such as a denial based on policy) are fed into your SIEM, which can trigger automated investigation or response workflows in your SOAR platform. These workflows can use APIs to dynamically restrict access, quarantine users/devices, or remediate non-compliant assets.
Key Items to Consider:
- Complexity of Automating Fine-Grained Policies: Implementing attribute-based, fine-grained policies automatically across DAAS elements is technically challenging. Rigorous testing of automated workflows is essential.
- Real-time Attribute Synchronization: The accuracy and timeliness of attributes from all sources directly impact the effectiveness and correctness of automated policy decisions.
- Policy Governance for Automation: Define clear processes for how DAAS policies are authored, approved, versioned, and automatically deployed through CI/CD.
- Performance Impact: Evaluate the potential latency introduced by real-time policy evaluation for every DAAS access attempt.
- Integration Scalability: Ensure your IdAM, SDS, and policy enforcement tools can scale to handle the volume of requests and data needed for enterprise-wide automation.
- Unified Visibility: All automated policy decisions, alerts, and actions must be logged and fed into a central SIEM for comprehensive monitoring and auditing.
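The PDP and Policy-as-Code mechanics described under the solutions above, together with the attribute-freshness and unified-logging considerations in the list just ended, as an added Python example (it is not code from the original page, from the DoD roadmap, or from any vendor product). It is a toy policy decision point that evaluates a version-controlled DAAS policy against user, device and data attributes, with the data attributes standing in for what an SDS API would return. The rule schema, the attribute names (`user.org`, `device.compliant`, `data.classification`, `data.owner_org`), the `MAX_ATTR_AGE` window, and all sample values are assumptions; a real deployment would put a PaC engine in front of the IdAM, UEM and SDS APIs instead.

```python
"""Toy attribute-based PDP for DAAS access (added example, constructed data).

The rule schema, attribute names and values are assumptions, not a product API.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any

# Policy as Code: the DAAS policy is plain data that can live in version control,
# be unit-tested, and be pushed to PDPs by a CI/CD pipeline. Deny overrides permit;
# anything unmatched falls to the default. Schema is hypothetical.
DAAS_POLICY: dict[str, Any] = {
    "version": "example-r1",  # constructed version tag
    "default": "deny",
    "rules": [
        {   # SDS classification tag + UEM posture: restricted data never reaches a non-compliant device
            "id": "deny-restricted-on-noncompliant-device",
            "effect": "deny",
            "when": [("data.classification", "in", ["restricted", "secret"]),
                     ("device.compliant", "eq", False)],
        },
        {   # The owning organisation may read its own data from a compliant device
            "id": "permit-owner-org-read",
            "effect": "permit",
            "when": [("action", "eq", "read"),
                     ("user.org", "eq_attr", "data.owner_org"),
                     ("device.compliant", "eq", True)],
        },
        {   # Public data is readable by any authenticated subject
            "id": "permit-public-read",
            "effect": "permit",
            "when": [("action", "eq", "read"), ("data.classification", "eq", "public")],
        },
    ],
}

# Attributes older than this are treated as unknown: the PDP fails closed instead
# of deciding on stale posture or classification data (assumed window).
MAX_ATTR_AGE = timedelta(minutes=5)


@dataclass(frozen=True)
class Attr:
    value: Any
    observed_at: datetime  # when the source (IdP, UEM, SDS API) last reported it
    source: str


class StaleAttribute(Exception):
    pass


def resolve(path: str, attrs: dict, request: dict, now: datetime) -> Any:
    """Look up 'namespace.name' in the attribute bag, or a bare request field like 'action'."""
    if "." not in path:
        return request[path]
    ns, name = path.split(".", 1)
    attr: Attr = attrs[ns][name]
    if now - attr.observed_at > MAX_ATTR_AGE:
        raise StaleAttribute(f"{path} from {attr.source} is {now - attr.observed_at} old")
    return attr.value


def condition_holds(cond: tuple, attrs: dict, request: dict, now: datetime) -> bool:
    path, op, operand = cond
    actual = resolve(path, attrs, request, now)
    if op == "eq":
        return actual == operand
    if op == "in":
        return actual in operand
    if op == "eq_attr":  # compare two attributes, e.g. user.org against data.owner_org
        return actual == resolve(operand, attrs, request, now)
    raise ValueError(f"unknown operator {op}")


def decide(request: dict, attrs: dict, now: datetime | None = None) -> dict[str, Any]:
    """Evaluate the policy: deny-overrides, default deny, fail closed on stale/missing attributes."""
    now = now or datetime.now(timezone.utc)
    try:
        matched = [r for r in DAAS_POLICY["rules"]
                   if all(condition_holds(c, attrs, request, now) for c in r["when"])]
        denies = [r["id"] for r in matched if r["effect"] == "deny"]
        permits = [r["id"] for r in matched if r["effect"] == "permit"]
        if denies:
            decision, reason = "deny", f"deny rule {denies[0]}"
        elif permits:
            decision, reason = "permit", f"permit rule {permits[0]}"
        else:
            decision, reason = DAAS_POLICY["default"], "no rule matched"
    except (StaleAttribute, KeyError) as exc:  # unknown attribute => indeterminate => deny
        decision, reason = "deny", f"indeterminate: {exc}"
    return {"decision": decision, "reason": reason,
            "policy_version": DAAS_POLICY["version"], "request": request}


def siem_record(decision: dict[str, Any], now: datetime) -> str:
    """One JSON line per decision, the shape a SIEM/SOAR pipeline would ingest (constructed)."""
    return json.dumps({"ts": now.isoformat(), **decision}, sort_keys=True)


def build_attrs(now: datetime, *, classification: str, owner_org: str,
                compliant: bool, posture_age: timedelta = timedelta(0)) -> dict:
    """Constructed attribute bag standing in for IdP, UEM and SDS API responses."""
    return {
        "user": {"org": Attr("finance", now, "idp")},
        "device": {"compliant": Attr(compliant, now - posture_age, "uem")},
        "data": {"classification": Attr(classification, now, "sds"),
                 "owner_org": Attr(owner_org, now, "sds")},
    }


if __name__ == "__main__":
    t = datetime.now(timezone.utc)
    req = {"subject": "alice", "action": "read", "resource": "vol-42/q3.xlsx"}  # constructed
    for label, attrs in [
        ("compliant device, owner org", build_attrs(t, classification="restricted", owner_org="finance", compliant=True)),
        ("non-compliant device", build_attrs(t, classification="restricted", owner_org="finance", compliant=False)),
        ("posture 10 min stale", build_attrs(t, classification="restricted", owner_org="finance",
                                             compliant=True, posture_age=timedelta(minutes=10))),
    ]:
        print(label, "->", siem_record(decide(req, attrs, t), t))
```

The stale-posture scenario is the one worth noticing: the device attribute is present but ten minutes old, so the PDP refuses to decide on it and denies, which is the "real-time attribute synchronization" point made above rendered as behaviour. Every decision, including the indeterminate ones, is emitted as a single JSON line so the SIEM sees the same record the PEP acted on.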
For the Technical Buyer:
Activity 4.7.2 is the realization of automated, fine-grained access control for your entire digital estate (Data, Applications, Assets, Services) within your Zero Trust architecture. It’s about taking the DAAS policies developed in 4.7.1 and implementing them in a fully automated fashion, leveraging the programmable capabilities of SDS and other infrastructure. For technical buyers, success here demands deploying robust centralized authorization platforms, embracing Policy as Code for your DAAS rules, and ensuring seamless integration between all your attribute sources (IdP, UEM, SDS, etc.) and policy enforcement points via automation tools like SOAR. This activity guarantees that your attribute-based fine-grained DAAS Policy is implemented in an automated fashion, providing continuous, secure, and incredibly responsive control over access to your most valuable digital resources.
Pillar: Data
Capability: 4.7 Data Access Control
Activity: 4.7.2 Integrate DAAS Access with SDS Policy Part 2
Phase: Target Level
Predecessor(s):
- 4.7.6 Implement SDS Tool and/or integrate with DRM Tool Part 1
- 4.7.1 Integrate DAAS Access with SDS Policy Part 1
Successor(s): 4.7.3 Integrate DAAS Access with SDS Policy Part 2