chapter fifteen

15 Security, zero trust, and authorization


This chapter covers

  • Why Zero Trust shifts security focus from network boundaries to authorization
  • How PBAC enables continuous, context-aware access decisions
  • The roles of foundational, shared operational, and application policies in a zero-trust architecture
  • How policy engines evaluate these policies together to ensure consistent access control
  • Architectural and organizational metrics indicating progress toward Zero Trust

ACME’s Chief Information Security Officer, Sam, had grown weary of hearing the same refrain. Every conference keynote, board meeting, and analyst report seemed to boil modern security down to two words: Zero Trust. The phrase was everywhere—sometimes used thoughtfully, often as a slogan—but rarely with enough detail to help him lead meaningful change. After one particularly pointed board meeting, Sam went back to his security team and said, for what felt like the tenth time, “We need to get serious about Zero Trust. What does that actually mean for us?”

15.1 Rethinking security for the Zero Trust era

15.2 Authorization is the foundation of Zero Trust

15.3 Policies for zero trust

15.3.1 Foundational security policies

15.3.2 Shared operational policies

15.3.3 Application policies

15.3.4 Putting the layers together

15.4 Using policy to control access

15.5 Measuring progress toward zero trust

15.5.1 Policy coverage

15.5.2 Signal quality

15.5.3 Decision consistency

15.5.4 Reduced perimeter reliance

15.5.5 Decline in authorization exceptions

15.6 Beyond security: the organizational payoff

15.6.1 Better alignment between teams

15.6.2 Improved auditability and incident response

15.6.3 Greater agility for product development

15.6.4 Improved governance and transparency

15.6.5 A more resilient security posture

15.6.6 More reliable access for legitimate users

15.7 The full payoff

15.8 Summary