“This setup can validate access tokens that are sent with every request—with the API then deciding if or how to grant access to a requested action or resource,” said Yehuda Rosen, senior software engineer at nVisium, via email. However, this introduces new complexities and challenges, such as the need to build and maintain the new security service, as well as handling the access control lists across a potentially widespread number of components and applications within a microservices environment.
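As an added illustration of the setup Rosen describes (example code, not from the article or from nVisium): an auth service mints a signed token, the API validates it on every request, and only then consults its own per-resource ACL to decide whether the caller may perform the action. The token format, signing key and ACL entries are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads it from a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Auth service side: mint an HMAC-signed token (constructed format, not a standard)."""
    now = time.time() if now is None else now
    payload = b64u(json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """API side: check the signature first (constant time), then expiry; None means reject."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(b64u_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


# ACL owned by the API: resource -> action -> subjects allowed (constructed entries).
ACL = {"orders": {"read": {"svc-catalog", "svc-billing"}, "write": {"svc-billing"}}}


def authorize(token: str, resource: str, action: str, now: Optional[float] = None) -> bool:
    """Per-request decision: the token must validate AND the ACL must list the caller."""
    claims = validate_token(token, now)
    if claims is None:
        return False
    return claims["sub"] in ACL.get(resource, {}).get(action, set())
```

A tampered or expired token is rejected before the ACL is ever consulted, and a valid token still gets nothing the ACL does not grant.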

And, Rosen noted, zero-trust won’t work universally across APIs: the service that manages security for authentication cannot act alone as a fully zero-trust application.
