Cyber Security

What is the role of Policy Decision Points (PDP) in a Zero Trust Architecture framework?

BR Asked by Brandon Taylor · 10-11-2023
0 upvotes 8,979 views 0 comments
The question

I am studying for a cybersecurity certification and I keep coming across the terms Policy Decision Point (PDP) and Policy Enforcement Point (PEP). In a real-world Zero Trust implementation, how do these two components communicate to authorize a user request in real-time? Is the PDP usually a cloud-based service, and how does it handle the latency involved in checking a user's permissions every single time they try to access a new microservice or resource within the cloud?

 

3 answers

0
CY
Answered on 12-11-2023

In a Zero Trust model, the PDP is the "brain" that evaluates the access request based on pre-defined policies, user identity, and environmental context. The PEP is the "brawn" that actually blocks or allows the traffic. When a user tries to access a resource, the PEP intercepts the request and asks the PDP for a decision. To handle latency, modern architectures use "Distributed PDPs" or edge-based caching. This allows the system to make near-instantaneous decisions without a round-trip to a central server every time. This separation of concerns ensures that policies are consistent across the entire enterprise, regardless of where the resource is located. 

0
D
Answered on 14-11-2023

Does your current infrastructure support "Policy as Code" to help automate the updates to the PDP whenever a new employee joins or a role changes within the company? 

CH 15-11-2023

David, we’ve actually started using OPA (Open Policy Agent) for exactly that reason. By treating our access policies like code, we can version control them in Git and push updates to our PDPs across different regions automatically. This ensures that our "Access Control Lists" are never out of date. When the PDP receives a request, it evaluates the OPA logic against the current real-time data from our Identity Provider. It has greatly simplified our "Governance and Compliance" audits because we can show exactly what the policy was at any given point in time.

0
BA
Answered on 18-11-2023

Think of the PDP as the judge and the PEP as the security guard. The guard doesn't make the rules; he just checks with the judge to see if your name is on the list. 

BR 19-11-2023

Great analogy, Barbara. It really helps simplify the concept for stakeholders who aren't technical but need to understand why we are adding these verification layers to the system.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: Canada

Book Free Session