Simplifying ZTA Adoption with a Log-Based Policy and Decision Engine
Abstract
The microservices architecture and the growing adoption of cloud service providers have introduced new cybersecurity challenges. Dynamic network perimeters, expanded attack surfaces, and complex communications invalidate traditional models based on static perimeters. This paper presents two access control approaches as starting points for adopting Zero Trust: one based on a policy engine with multifactor quotas and another leveraging log analysis and alerts to define penalties. Adding intelligence to standard proxies with the proposed architectures enables the Zero Trust adoption maturity level to be increased from base or intermediary to advanced in several aspects. They were also evaluated in simulated environments and the results demonstrate effectiveness in identifying irregularities and enhancing system security, blocking attacks in as little time as 4 seconds, as well as feasibility in terms of latency and ease of adoption.
Published
2025-09-01
How to Cite
FREITAS, Abraão; GUIMARÃES, Davi; BRITO, Andrey. Simplifying ZTA Adoption with a Log-Based Policy and Decision Engine. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 822-838. DOI: https://doi.org/10.5753/sbseg.2025.11482.
