Download Publication

Who it's for:
- IAM Architects, Engineers, and Administrators
- Zero Trust Architects
- Security Operations Team
Context-Based Access Control for Zero Trust
Release Date: 01/15/2025
Traditional access decision-making is agnostic to both Zero Trust and context. Historically, security teams based access decisions on trust. The common access management formula was to entrust digital identities to a given entity, assign entitlements to that entity, and then check access requests only against those entitlements. Even with the improvements of Role-Based Access Control (RBAC), entitlements remained static and implicit trust remained.
Today, Zero Trust aims to remove all trust and assumptions from access decisions. To align with Zero Trust principles, teams should evaluate each access request based on risk and approve each request based on evidence. This is known as Context-Based Access Control (CBAC). CBAC enhances security by making real-time, risk-based access decisions using dynamic signals. These signals can include user behavior, device health, location, network conditions, and more.
This document provides guidance on implementing CBAC in Zero Trust architectures. It shows how CBAC improves security by assessing contextual factors for every access request, removing implicit trust. It also compares CBAC with other access control models and highlights CBAC’s stronger alignment with Zero Trust. Finally, the publication outlines a maturity model for CBAC, offers solutions for scaling and managing operational overhead, and explores various AI enhancements.
Key Takeaways:
- The failures of traditional access control
- What is Context-Based Access Control (CBAC)
- The key advantages of CBAC, including adaptability and intelligence
- How CBAC supports Zero Trust principles
Download this Resource
Related Resources
Acknowledgements

Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Michael Roza
Risk, Audit, Control and Compliance Professional at EVC
Since 2012, Michael Roza has been a pivotal member of the Cloud Security Alliance (CSA) family. He has contributed to over 125 projects, as a Lead Author or Author/Contributor and many more as a Reviewer/Editor.
Michael's extensive contributions encompass critical areas including Artificial Intelligence, Zero Trust/Software Defined Perimeter, Internet of Things, Top Threats, Cloud Control Matrix, DevSecOps, and Key Management. H...
Are you a research volunteer? Request to have your profile displayed on the website here.
Interested in helping develop research with CSA?
Related Certificates & Training

For those who want to learn from the industry's first benchmark for measuring Zero Trust skill sets, the CCZT includes foundational Zero Trust components released by CISA and NIST, innovative work in the Software-Defined Perimeter by CSA Research, and guidance from renowned Zero Trust experts such as John Kindervag, Founder of the Zero Trust philosophy.
Learn more
Learn more