A CONTEXT-AWARE APPROACH TO ORGANIZING NETWORK SECURITY POLICIES IN A ZERO TRUST ARCHITECTURE

DOI:

https://doi.org/10.28925/2663-4023.2025.31.1013

Keywords:

network access context, next-generation firewall, Zero Trust, user identity mapping, device/host security posture, dynamic address group.

Abstract

The relevance of introducing new approaches and practices for organizing and controlling access in network infrastructures is justified by the widening gap between the requirements of modern security standards and the capabilities of network security tools that operate at Layers 3–4 of the OSI model. The paper analyzes security models recommended by contemporary standards and industry best practices for information infrastructures, and explores ways to implement them using available market tools and network access control measures. The methodological basis of the proposed approach combines the Zero Trust principles outlined in NIST SP 800-207, capabilities found in the portfolios of next-generation firewall vendors, and the author’s methodologies and practices for integrating heterogeneous security systems to enrich firewall security policies with network-access context. The approach enables adherence to Zero Trust principles while maintaining operational quality and high performance of the network infrastructure, without exceeding acceptable total cost of operation and ownership of infrastructure resources. Key components and design patterns of the security infrastructure necessary to achieve these goals are identified. The scientific novelty of the approach lies in a paradigm shift in network access control—from a model centered on a corporate node’s address to a model centered on user access control coupled with verification of the security posture of the requesting device. The paper proposes contextual attributes for security policies and optimal methods for structuring host access levels within firewall configurations. The practice of collecting and enriching policy enforcement points with network context provides the flexibility and technical means required to uphold Zero Trust principles when building a corporate security model. 
The drawbacks of the method include operational complexity, increased cost, and dependencies on other systems that may affect network performance and expand the compromise surface of the security stack itself.
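As an added illustration of the enrichment the abstract describes (not code from the paper), the following Python sketch lets a policy enforcement point decide on identity-mapping and device-posture context instead of the source address, with a dynamic address group whose membership follows posture tags; all addresses, users, tags and rule names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample feeds, as a next-generation firewall would receive them:
# identity mapping (source IP -> user), user groups, and host posture tags.
USER_ID_MAP = {"10.1.1.20": "alice", "10.1.1.21": "bob"}
USER_GROUPS = {"alice": {"finance"}, "bob": {"contractors"}}
HOST_POSTURE = {"10.1.1.20": {"disk-encrypted", "edr-healthy"},
                "10.1.1.21": {"edr-healthy"}}  # bob's host: no disk encryption

def dynamic_group(required_tags: set) -> set:
    """Dynamic address group: members are derived from current posture tags,
    not from a static address list, so a posture change moves hosts in or out."""
    return {ip for ip, tags in HOST_POSTURE.items() if required_tags <= tags}

@dataclass
class Rule:
    name: str
    dst: str
    action: str                                # "allow" or "deny"
    src_ips: set = field(default_factory=set)  # legacy address-centric match
    groups: set = field(default_factory=set)   # user identity context
    posture: set = field(default_factory=set)  # required device posture tags

def matches(rule: Rule, src_ip: str, dst: str) -> bool:
    """Every populated attribute must match; empty attributes are wildcards."""
    if rule.dst != dst:
        return False
    if rule.src_ips and src_ip not in rule.src_ips:
        return False
    user = USER_ID_MAP.get(src_ip)  # unmapped addresses carry no identity
    if rule.groups and not (USER_GROUPS.get(user, set()) & rule.groups):
        return False
    if rule.posture and src_ip not in dynamic_group(rule.posture):
        return False
    return True

def evaluate(rules: list, src_ip: str, dst: str) -> tuple:
    """First-match evaluation; a flow matching no rule falls to implicit deny."""
    for rule in rules:
        if matches(rule, src_ip, dst):
            return rule.action, rule.name
    return "deny", "implicit-deny"

# Address-centric rule: whoever holds the address is allowed.
LEGACY = [Rule("erp-by-address", "erp", "allow", src_ips={"10.1.1.20", "10.1.1.21"})]
# Context-aware rule: finance users on healthy, encrypted devices only.
CONTEXT = [Rule("erp-by-context", "erp", "allow", groups={"finance"},
                posture={"disk-encrypted", "edr-healthy"})]
```

Under the legacy rule both hosts reach the ERP system; under the context-aware rule the contractor's unencrypted host is denied from the same address, and a later loss of the "edr-healthy" tag drops the finance host out of the dynamic group as well.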

Published

2025-12-16

How to Cite

Syrotynskyi, R. (2025). A CONTEXT-AWARE APPROACH TO ORGANIZING NETWORK SECURITY POLICIES IN A ZERO TRUST ARCHITECTURE. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 3(31), 198–216. https://doi.org/10.28925/2663-4023.2025.31.1013