TL;DR: Static roles and broad post-login access continue to undermine Zero Trust in cloud-native environments, even where MFA and ZTNA are already deployed, according to Cerbos. Adaptive authentication helps at the gate, but continuous, context-aware authorization is what turns Zero Trust from a slogan into operational control.
NHIMG editorial — based on content published by Cerbos: the third part of its Zero Trust series on adaptive, context-aware access controls
By the numbers:
- 96% of orgs believed MFA could have prevented or minimized an identity-related breach.
Questions worth separating out
Q: How should security teams implement dynamic authorization in cloud-native environments?
A: Start by moving the decision point out of the application and into a policy layer that can inspect request context before allowing access.
Q: Why do static roles fail under Zero Trust Architecture?
A: Static roles assume that one assignment can safely govern many future requests, but Zero Trust requires trust to be re-evaluated continuously.
Q: What breaks when MFA is treated as the only Zero Trust control?
A: MFA improves confidence at login, but it does not control what happens after the session is established: a static role then grants the same access to every request, whatever the device, location, or action involved.
Practitioner guidance
- Replace coarse post-login trust with action-level policy checks: require sensitive applications to evaluate each request against context such as device posture, location, and resource sensitivity before granting access.
- Use adaptive MFA as an entry control, not a complete Zero Trust model: keep conditional access for risky logins, but do not stop there.
- Externalize policy logic across distributed systems: centralize authorization rules for microservices, SaaS apps, and legacy front ends so teams can change access behavior without rewriting every application.
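To make the guidance above concrete, here is an added example (not Cerbos' code or policy format) of a small policy decision point in Python. It places a static role check, which would allow every request once the session exists, beside a context-aware decision that re-evaluates each request against device posture, country, MFA freshness, business hours, and action sensitivity, and it records every decision for audit. The data model, rule set, thresholds, and sample principal and resource are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed data model for illustration; a real deployment would populate
# these from the identity provider, the device-management API and the request.
@dataclass(frozen=True)
class Principal:
    id: str
    roles: frozenset

@dataclass(frozen=True)
class Resource:
    kind: str
    id: str
    sensitivity: str  # "low" or "high"

@dataclass(frozen=True)
class Context:
    device_compliant: bool  # device posture reported by MDM/EDR
    country: str            # geolocation of the request
    mfa_age_seconds: int    # seconds since the last MFA challenge
    time: datetime          # request time (UTC)

# Static RBAC: one assignment governs every future request.
STATIC_ROLE_PERMISSIONS = {
    "finance-admin": {("invoice", "view"), ("invoice", "approve")},
    "finance-viewer": {("invoice", "view")},
}

def static_rbac(principal, resource, action):
    """Role-only check: ignores device, location, time and action sensitivity."""
    return any((resource.kind, action) in STATIC_ROLE_PERMISSIONS.get(role, set())
               for role in principal.roles)

# Assumed thresholds for the context-aware rules.
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
SENSITIVE_ACTIONS = {"approve", "delete", "export"}
MAX_MFA_AGE_SECONDS = 900

def in_business_hours(t):
    return t.weekday() < 5 and 8 <= t.hour < 18

def decide(principal, resource, action, ctx):
    """Context-aware decision: returns (effect, reason).
    The role check is necessary but not sufficient; every request is re-evaluated."""
    if not static_rbac(principal, resource, action):
        return "DENY", "role does not permit this action"
    if ctx.country not in ALLOWED_COUNTRIES:
        return "DENY", f"request from unapproved country {ctx.country}"
    # Step-up conditions apply only to sensitive actions or resources,
    # so low-risk requests are not burdened with extra friction.
    if action in SENSITIVE_ACTIONS or resource.sensitivity == "high":
        if not ctx.device_compliant:
            return "DENY", "sensitive action requires a compliant device"
        if ctx.mfa_age_seconds > MAX_MFA_AGE_SECONDS:
            return "DENY", "sensitive action requires a recent MFA challenge"
        if not in_business_hours(ctx.time):
            return "DENY", "sensitive action outside business hours"
    return "ALLOW", "all applicable rules satisfied"

AUDIT_LOG = []

def authorize(principal, resource, action, ctx):
    """Enforcement-side wrapper: records each decision with the context behind it."""
    effect, reason = decide(principal, resource, action, ctx)
    AUDIT_LOG.append({
        "principal": principal.id, "action": action,
        "resource": f"{resource.kind}/{resource.id}",
        "device_compliant": ctx.device_compliant, "country": ctx.country,
        "mfa_age_seconds": ctx.mfa_age_seconds, "effect": effect, "reason": reason,
    })
    return effect

def demo():
    """Same principal and role, several request contexts (constructed sample data)."""
    alice = Principal("alice", frozenset({"finance-admin"}))
    invoice = Resource("invoice", "INV-1042", "high")
    weekday = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)   # Tuesday 10:00 UTC
    weekend = datetime(2024, 3, 16, 10, 0, tzinfo=timezone.utc)   # Saturday 10:00 UTC
    trusted = Context(True, "GB", 120, weekday)
    bad_device = Context(False, "GB", 120, weekday)
    stale_mfa = Context(True, "GB", 3600, weekday)
    off_hours = Context(True, "GB", 120, weekend)
    return {
        "static_rbac": static_rbac(alice, invoice, "approve"),  # True regardless of context
        "approve_trusted": authorize(alice, invoice, "approve", trusted),
        "approve_bad_device": authorize(alice, invoice, "approve", bad_device),
        "approve_stale_mfa": authorize(alice, invoice, "approve", stale_mfa),
        "approve_off_hours": authorize(alice, invoice, "approve", off_hours),
        "view_low_bad_device": authorize(
            alice, Resource("invoice", "INV-1042", "low"), "view", bad_device),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    for entry in AUDIT_LOG:
        print(entry)
```

The point the example makes is in the first two dictionary entries: static_rbac() answers the same for every request, while decide() lets the low-risk view through and blocks the approve when the device, MFA age, or time of day is wrong. Because decide() is a pure function of principal, resource, action, and context, it can be unit-tested per rule and moved out of each application into a shared service without the calling code changing.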
What's in the full article
Cerbos' full article covers the operational detail this post intentionally leaves for the source:
- Examples of adaptive access policies for business-hours, location-based, and device-aware decisions
- Practical guidance on externalizing authorization into application architectures without a full re-platform
- Discussion of policy testing, audit logging, and rollout considerations for teams building policy-as-code
- Implementation trade-offs for legacy applications that cannot natively evaluate dynamic access context
👉 Read Cerbos' analysis of adaptive authorization for Zero Trust: "Dynamic authorization for zero trust: are your controls keeping up?" →