International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025
p-ISSN: 2395-0072
www.irjet.net
Policy-Based Access Control in Zero Trust Architecture (ZTA)

Baqi Bellah Usmani
Lecturer, Computer Science Faculty, Benawa University, Kandahar, Afghanistan

ABSTRACT - The Zero Trust Architecture (ZTA) is an important change in cybersecurity, based on the principle "never trust, always verify." The basis of ZTA is Policy-Based Access Control (PBAC), which makes dynamic, context-aware access decisions based on established security policies. This paper addresses the concept of PBAC within the Zero Trust framework, contrasting it with standard access control models, outlining its components and operational flow, and assessing its implementation problems and benefits. Real-world use cases and techniques are also presented, providing a thorough grasp of PBAC in modern network security. As organizations increasingly move to cloud and hybrid settings, PBAC offers a scalable and adaptive approach to access control that ensures security without sacrificing accessibility.

Key Words: Zero Trust Architecture (ZTA), Cybersecurity, Policy-Based Access Control (PBAC), Dynamic access, Framework, Security policies.

1. INTRODUCTION
In the modern digital era, the pervasive use of technology and the internet has greatly enhanced connectivity, communication, and data exchange across organizations. However, as interconnectivity increases, so does the complexity and sophistication of cyber threats. Traditional perimeter-based and host-based security models, which rely on the assumption that internal network entities are inherently trustworthy, have proven inadequate against today’s dynamic and evolving threat landscape. To address these limitations, the Zero Trust Architecture (ZTA) has emerged as a comprehensive security model built on the principle of “never trust, always verify.” Under this approach, no entity—whether inside or outside the network—is granted automatic trust. Instead, each access request is continuously authenticated, authorized, and validated according to contextual and behavioral factors. A critical enabler of this architecture is Policy-Based Access Control (PBAC), which replaces static, role-based access mechanisms with adaptive, policy-driven decision-making. PBAC evaluates access requests based on a combination of attributes, contextual information, and organizational policies, ensuring that access is granted only when the defined security conditions are met. The purpose of this study is to examine PBAC’s role and function within the Zero Trust framework, detailing its architecture, advantages, challenges, and potential areas for improvement. By integrating PBAC into enterprise networks, organizations can redefine access management strategies, achieving a more proactive, resilient, and adaptive security posture suitable for cloud-based and hybrid environments.

2. BACKGROUND AND RELATED WORK
Access control lies at the heart of information security, defining who can access certain resources and under what conditions. As organizations continue to grow and their digital systems expand, choosing the right access control model has become increasingly important. Over the years, several approaches have been developed, each addressing different security needs and operational environments. The most recognized models include: Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and the modern Policy-Based Access Control (PBAC).

• Mandatory Access Control (MAC): The Mandatory Access Control model is one of the oldest and most rigid forms of access management. In MAC, a central authority strictly defines how users or devices can interact with resources based on predefined security classifications or clearance levels. This model is commonly used in environments where information sensitivity is extremely high, such as military, intelligence, or nuclear sectors. Because users cannot change permissions on their own, MAC provides strong control and data protection—but at the cost of flexibility.

• Discretionary Access Control (DAC): In the Discretionary Access Control model, the owner or administrator of a resource decides who can access it and what actions they are allowed to perform. This approach offers flexibility and user autonomy, making it suitable for smaller or less sensitive systems. However, DAC’s decentralized nature can create security inconsistencies because every user can modify permissions. This lack of central oversight often leads to policy misconfigurations and unauthorized data sharing.

• Role-Based Access Control (RBAC): Role-Based Access Control assigns permissions to users based on their job roles or responsibilities within an organization. For example, a manager may have broader access rights than a general employee. RBAC simplifies management and improves efficiency, especially in large organizations. However, because it relies on predefined roles, it
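As an added illustration (not code from the paper), the following Python sketch places a static RBAC check, where the role alone decides, beside a minimal PBAC policy decision point that also weighs device compliance, MFA and network context, denying by default when no policy applies. The attribute names, roles and policies are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed example: a minimal policy decision point (PDP) in the PBAC style
# the paper describes, beside a static role-based check for comparison.
# Attribute names, roles and the three policies are illustrative assumptions.

@dataclass
class AccessRequest:
    subject: dict          # who asks, e.g. {"role": "manager", "mfa": True}
    resource: dict         # what is asked for, e.g. {"name": "payroll", "sensitivity": "high"}
    action: str            # e.g. "read"
    context: dict = field(default_factory=dict)   # device posture, network, session facts

@dataclass
class Policy:
    name: str
    effect: str                                   # "permit" or "deny"
    applies: Callable[[AccessRequest], bool]      # predicate over the whole request

POLICIES = [
    Policy("deny-noncompliant-device", "deny",
           lambda r: not r.context.get("device_compliant", False)),
    Policy("deny-high-sensitivity-without-mfa", "deny",
           lambda r: r.resource.get("sensitivity") == "high" and not r.subject.get("mfa")),
    Policy("permit-manager-read-finance", "permit",
           lambda r: r.subject.get("role") == "manager" and r.action == "read"
                     and r.resource.get("name") in {"payroll", "ledger"}
                     and r.context.get("network") == "corporate"),
]

# Static RBAC table: permissions hang off the role only (assumed roles).
ROLE_PERMISSIONS = {"manager": {("payroll", "read"), ("ledger", "read")},
                    "employee": {("ledger", "read")}}

def rbac_decision(req: AccessRequest) -> bool:
    """RBAC: the role decides; nothing about the device or session is examined."""
    allowed = ROLE_PERMISSIONS.get(req.subject.get("role"), set())
    return (req.resource["name"], req.action) in allowed

def pbac_decision(req: AccessRequest) -> tuple[bool, str]:
    """PBAC: deny-by-default, deny-overrides evaluation of every applicable policy."""
    matched = [p for p in POLICIES if p.applies(req)]
    for p in matched:                       # any applicable deny wins outright
        if p.effect == "deny":
            return False, p.name
    for p in matched:                       # otherwise an applicable permit grants
        if p.effect == "permit":
            return True, p.name
    return False, "no-matching-policy"      # nothing applied: never trust by default
```

The same manager with the same role is permitted by RBAC in every case, while the PBAC evaluation refuses the request as soon as the device falls out of compliance or MFA is missing on a high-sensitivity resource.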