I am studying for a cybersecurity certification and I keep coming across the terms Policy Decision Point (PDP) and Policy Enforcement Point (PEP). In a real-world Zero Trust implementation, how do these two components communicate to authorize a user request in real-time? Is the PDP usually a cloud-based service, and how does it handle the latency involved in checking a user's permissions every single time they try to access a new microservice or resource within the cloud?
3 answers
In a Zero Trust model, the PDP is the "brain" that evaluates the access request based on pre-defined policies, user identity, and environmental context. The PEP is the "brawn" that actually blocks or allows the traffic. When a user tries to access a resource, the PEP intercepts the request and asks the PDP for a decision. To handle latency, modern architectures use "Distributed PDPs" or edge-based caching. This allows the system to make near-instantaneous decisions without a round-trip to a central server every time. This separation of concerns ensures that policies are consistent across the entire enterprise, regardless of where the resource is located.
Does your current infrastructure support "Policy as Code" to help automate the updates to the PDP whenever a new employee joins or a role changes within the company?
Think of the PDP as the judge and the PEP as the security guard. The guard doesn't make the rules; he just checks with the judge to see if your name is on the list.
Great analogy, Barbara. It really helps simplify the concept for stakeholders who aren't technical but need to understand why we are adding these verification layers to the system.
David, we’ve actually started using OPA (Open Policy Agent) for exactly that reason. By treating our access policies like code, we can version control them in Git and push updates to our PDPs across different regions automatically. This ensures that our "Access Control Lists" are never out of date. When the PDP receives a request, it evaluates the OPA logic against the current real-time data from our Identity Provider. It has greatly simplified our "Governance and Compliance" audits because we can show exactly what the policy was at any given point in time.