<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Eunjee Choi</title>
    <description>The latest articles on DEV Community by Eunjee Choi (@ec_pomerium).</description>
    <link>https://dev.to/ec_pomerium</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2831436%2F569501d8-ab3a-471b-b434-db6b86f8c26c.png</url>
      <title>DEV Community: Eunjee Choi</title>
      <link>https://dev.to/ec_pomerium</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ec_pomerium"/>
    <language>en</language>
    <item>
      <title>Context-Based Access Control and Zero Trust: Key Insights from the CSA White Paper</title>
      <dc:creator>Eunjee Choi</dc:creator>
      <pubDate>Thu, 13 Mar 2025 01:35:06 +0000</pubDate>
      <link>https://dev.to/pomerium/context-based-access-control-and-zero-trust-key-insights-from-the-csa-white-paper-4he2</link>
      <guid>https://dev.to/pomerium/context-based-access-control-and-zero-trust-key-insights-from-the-csa-white-paper-4he2</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://cloudsecurityalliance.org/" rel="noopener noreferrer"&gt;Cloud Security Alliance (CSA)&lt;/a&gt; released a &lt;a href="https://cloudsecurityalliance.org/artifacts/context-based-access-control-for-zero-trust" rel="noopener noreferrer"&gt;white paper&lt;/a&gt; on Context-Based Access Control (CBAC) and its role in advancing Zero Trust security models. The paper underscores the necessity of shifting from static, trust-based access control to real-time, adaptive authentication that evaluates risk dynamically, and Pomerium was highlighted as a key player in the CBAC space.&lt;br&gt;
We’ll break down the white paper’s key findings and explore how Pomerium aligns with this modern security framework.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Traditional Access Controls Fall Short
&lt;/h2&gt;

&lt;p&gt;Historically, access control has been based on predefined roles and entitlements. The &lt;strong&gt;Role-Based Access Control (RBAC)&lt;/strong&gt; model assigns permissions to roles rather than individual users, simplifying management but failing to adapt to real-time threats. &lt;strong&gt;Attribute-Based Access Control (ABAC)&lt;/strong&gt; improves on RBAC by considering user attributes, but it still lacks dynamic risk assessment and real-time adaptability.&lt;br&gt;
The CSA paper highlights how modern identity-based attacks, such as credential theft and lateral movement, exploit these traditional models. Attackers can obtain valid credentials and operate within an organization undetected, as access decisions are based on static rules rather than continuous evaluation.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Context-Based Access Control (CBAC)?
&lt;/h2&gt;

&lt;p&gt;CBAC represents a paradigm shift in access control. Instead of granting access solely based on identity or static attributes, CBAC evaluates &lt;strong&gt;real-time contextual signals&lt;/strong&gt; to determine whether a request should be approved. These signals can include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;User behavior&lt;/strong&gt;: Is the user accessing resources in a typical pattern?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Device health&lt;/strong&gt;: Is the device compliant with security policies?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Location &amp;amp; network conditions&lt;/strong&gt;: Is the request coming from a familiar or risky location?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Time &amp;amp; frequency&lt;/strong&gt;: Is access being requested at an unusual time or with an abnormal frequency?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By continuously analyzing these factors, CBAC minimizes implicit trust and ensures that every access request is assessed based on current risk factors rather than static policies.&lt;/p&gt;

&lt;p&gt;Read more about CBAC vs. RBAC vs. ABAC, the CBAC Maturity Model, and Pomerium's role as a zero trust, context-aware access solution on our &lt;a href="https://www.pomerium.com/blog/context-based-access-control-and-zero-trust-key-insights-from-the-csa-white-paper" rel="noopener noreferrer"&gt;blog&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>zerotrust</category>
      <category>cybersecurity</category>
      <category>accesscontrol</category>
      <category>securityframework</category>
    </item>
    <item>
      <title>What You Need to Know From the 2024 ITRC Data Breach Report</title>
      <dc:creator>Eunjee Choi</dc:creator>
      <pubDate>Thu, 27 Feb 2025 00:34:43 +0000</pubDate>
      <link>https://dev.to/pomerium/what-you-need-to-know-from-the-2024-itrc-data-breach-report-5hb6</link>
      <guid>https://dev.to/pomerium/what-you-need-to-know-from-the-2024-itrc-data-breach-report-5hb6</guid>
      <description>&lt;p&gt;Every year, the Identity Theft Resource Center (ITRC) publishes its Data Breach Report, and every year, the numbers tell a familiar story: breaches are still rampant and personal data is still getting exposed. &lt;/p&gt;

&lt;p&gt;The statistics and trends revealed in the ITRC’s 2024 Data Breach Report help us understand where we are, where things are headed, and—most importantly—what we can do about it.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;The Big Picture: 2024 Was a Year of Massive Exposure&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If there’s one number you take away from the report, it’s &lt;strong&gt;3,158&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;3,158 data compromises were recorded in 2024, just 44 short of the all-time high set in 2023. While the total number of breaches did not increase, the number of victim notices skyrocketed by 312%—meaning the scale of each breach is growing.&lt;br&gt;
In fact, six “mega-breaches” accounted for 85% of all victim notices in 2024.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Biggest Data Breaches of 2024&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Ticketmaster – 560 million victim notices&lt;/li&gt;
&lt;li&gt;Advance Auto Parts – 380 million victim notices&lt;/li&gt;
&lt;li&gt;Change Healthcare – 190 million victim notices&lt;/li&gt;
&lt;li&gt;DemandScience – 121 million victim notices&lt;/li&gt;
&lt;li&gt;AT&amp;amp;T – 110 million victim notices&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Although these massive incidents were the stars of the show last year, the reality is that thousands of smaller breaches are happening constantly, many of which go unnoticed by the public.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;What’s Changing? Key Trends from the Report&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Companies Won’t Tell Us How They Got Hacked&lt;/strong&gt;&lt;br&gt;
70% of cyberattack-related breach notices in 2024 failed to disclose how the attack happened—a significant jump from 58% in 2023. This lack of transparency makes it more difficult for other companies to learn and strengthen defenses.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Financial Services Overtakes Healthcare as the #1 Target&lt;/strong&gt;&lt;br&gt;
For the first time since 2018, the Financial Services sector suffered more breaches than Healthcare. Although this could indicate improvements in healthcare security, it’s more likely that there’s been a shift in attacker focus. Banks, insurance providers, and payment processors hold valuable data and may be more vulnerable than the healthcare sector, which has endured innumerable attacks in past years.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Credential-Based Attacks Are Still the Top Problem&lt;/strong&gt;&lt;br&gt;
Four of the six biggest breaches in 2024 were caused by stolen credentials—something that could have been prevented through Multi-Factor Authentication (MFA) and passkeys. According to the report, 94% of all devices now support passkeys, but adoption is slow, and companies continue to rely on passwords that attackers can guess or steal.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. AI is Helping Hackers—But Also Defenders&lt;/strong&gt;&lt;br&gt;
While no breaches were officially attributed to AI-powered attacks, it’s clear that AI is being used to enhance phishing attempts, automate attacks, and find vulnerabilities faster than ever. At the same time, AI-powered security tools are improving at detecting threats, creating an ongoing arms race between attackers and defenders.&lt;/p&gt;

&lt;p&gt;Read more on the historical context, what needs to change, and the importance of Zero Trust security models on &lt;a href="https://www.pomerium.com/blog/2024-itrc-data-breach-report" rel="noopener noreferrer"&gt;our blog&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>databreach</category>
      <category>identitytheft</category>
      <category>zerotrust</category>
    </item>
  </channel>
</rss>
