Free CSA CCZT Exam Actual Questions

The questions for CCZT were last updated on Dec 16, 2024

Question No. 1

In SaaS and PaaS, which access control method will ZT help define for access to the features within a service?

Correct Answer: B

ABAC is an access control method that uses attributes of the requester, the resource, the environment, and the action to evaluate and enforce policies. ABAC allows for fine-grained and dynamic access control based on the context of the request, rather than predefined roles or privileges. ABAC is suitable for SaaS and PaaS, where the features within a service may vary depending on the customer's needs, preferences, and subscription level. ABAC can help implement ZT by enforcing the principle of least privilege and verifying every request based on multiple factors.

Reference = Attribute-Based Access Control (ABAC) Definition; General Access Control Guidance for Cloud Systems; A Guide to Secure SaaS Access Control Within an Organization


Question No. 2

SDP incorporates single-packet authorization (SPA). After successful authentication and authorization, what does the client usually do next? Select the best answer.

Correct Answer: B

After successful authentication and authorization, the client typically sends an SPA packet to the controller, which acts as an intermediary in authenticating the client's request before access to the accepting host is granted.

Reference = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 9: Risk Management


Question No. 4

Of the following options, which risk/threat does SDP mitigate by mandating micro-segmentation and implementing least privilege?

Correct Answer: D

SDP mitigates the risk of broken access control by mandating micro-segmentation and implementing least privilege. Micro-segmentation divides the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. Least privilege grants the minimum necessary access to users and devices for specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents attackers from exploiting weak or misconfigured access controls.


Question No. 5

Which architectural consideration needs to be taken into account while deploying SDP? Select the best answer.

Correct Answer: A

A key architectural consideration that needs to be taken into account while deploying SDP is how SDP deployment fits into existing network topologies and technologies. This is because SDP deployment may require changes or adaptations to the existing network infrastructure, such as routers, switches, firewalls, VPNs, etc. SDP deployment may also affect the network performance, availability, scalability, and resilience. Therefore, it is important to assess the impact and compatibility of SDP deployment with the existing network topologies and technologies, and to plan and design the SDP deployment accordingly.

Reference = Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 7: Network Infrastructure and SDP