- 1. Implement Centralized Identity, Access Authentication and Authorization
- 2. Implement Micro-Segmentation and Run-Time Threat Protection
- 3. Apply Application Security – Secure Design, Development, Build & Deployment of the Application
- 4. Integrate Continuous Security Monitoring
- 5. Secure Data Access
To fully understand the “application workload” pillar of zero trust architecture (ZTA) one must start by defining the term “workload.”
A workload is a tightly coupled group of resources that run and securely support an application or capability. This footprint of an application as it consumes computing resources in of the form of CPU, memory, I/O, and network is its “application workload.” An application’s workload encompasses CPU, memory, I/O, and network characteristics – all running through a group of virtual machines or containers that interface with network and storage infrastructures that allows the application to perform it functions or capabilities. Related, a cloud workload is an application, service, capability, or a specified amount of work that consumes cloud-based resources (such as computing or memory power).
So, when we look at securing software on a network, we must also look at securing the workload associated with it to protect the network and, by extension, the enterprise or agency itself.
And it stands to reason, right? Software vulnerabilities are on the rise. From the SolarWinds and Log4j exploits to data breaches at major retailers, bad actors are using increasingly sophisticated techniques – or leveraging zero-day vulnerabilities – to do harm. It’s therefore incumbent upon cybersecurity professionals to use every tool in our toolboxes as well.
Enter, zero trust for application workloads.
Zero trust is a security approach that requires that all users and services, whether they are inside or outside an organization’s network, must be continuously validated to access applications. Those looking to apply zero trust to application workloads can take five important steps to do so, and to improve the overall cybersecurity posture of their organizations at the same time.
The current reality for most federal agencies is that many legacy applications are not designed to take advantage of identity, credential and access management ( ICAM), even if it exists in the enterprise. Legacy applications typically assume identities are based on usernames and passwords. This is a major risk in the current cybersecurity environment where attackers can use multiple techniques to obtain the usernames and passwords of admin-level access staff. We recommend implementing centralized ICAM, a framework of policies built into an organization’s information technology infrastructure that allows system owners to have assurance that the right person is accessing the right information at the right time for the right reason from any device anywhere. Next, we counsel our customers to implement multi-factor authentication (MFA), assuring the credentialed identity of the individual seeking access. MFA is typically implemented by codes sent to users via email or text SMS messaging and is supported by many common software security libraries and frameworks. Finally, it’s important to also implement role-based access control (RBAC), which is focused on least-privileged access – only authorizing access to the data and applications required for a specific need or task.
Broadly, zero trust focuses on the concept of micro-segmentation – a virtual network security technique that enables security architects to logically divide a data center into distinct security segments – even down to the individual application workload level – and then define security controls and deliver services for each unique segment. Micro-segmentation can be used to protect every virtual machine (VM) in an enterprise network with policy-driven, application-level security controls. Because security policies are applied to separate application workloads, micro-segmentation software can significantly bolster a company’s resistance to attack. We recommend that our customers implement runtime application self-protection (RASP) which is used to protect applications from malicious attacks and unexpected deviations in their behavior. RASP tools can operate within the application’s runtime environment, allowing them to get visibility inside the application to detect and block any malicious attacks or any deviations in expected behavior.
During application design, we recommend focusing on security planning that considers all relevant security standards, including the Risk Management Framework and NIST 800-53 security controls. Emerging security products can help automate security control identification and compliance, threat modeling, and vulnerability management. For the development, build and deployment phases, teams should apply AppSec – to include defining agency secure coding practices and oversight, establishing secure artifact repositories, and shift-left security testing as part of continuous integration and delivery. This includes using trusted libraries and automated vulnerability scanning – this encompasses static, dynamic, and interactive application security testing, software composition analysis, container scanning, and secrets management. Finally, teams looking to apply zero trust to application workloads can implement policies designed to secure the software supply chain, in line with the 2021 Cyber Executive Order. Emerging software supply chain integrity frameworks enable agencies to create software bill of materials (SBOMs); to manage the use of open source and third-party software and components more proactively and efficiently; and help to establish “provenance” of all software components and libraries.
When it comes to security monitoring, we recommend that customers implement continuous application security monitoring for log management, container runtime behavior drift detection, and Kubernetes configuration change monitoring to ensure all workload elements are operating as defined by hardened configuration baselines. Cloud-native log aggregation, analysis, and auditing tools should also be incorporated, including centralized logging and telemetry that includes extract, transform, and load (ETL) capabilities to normalize log data.
Finally, zero trust includes a data security pillar – promoting the concept of an enterprise understanding of data and its categories. This data pillar is focused on protecting data at enterprise level – not the application level. Data access security is paramount, and data should be encrypted both in transit and at rest, and each data element should be managed by its access, view, and modification controls determined by the zero trust identity.
Application workloads, while sometimes overlooked, can be an essential part of an overall zero trust strategy that improves both cyber response and resilience. Amid increasing and increasingly sophisticated attacks, it’s more important than ever for organizations and agencies to protect their networks and assets at every possible juncture.