The National Security Agency (NSA) is providing guidance on deploying a comprehensive zero-trust framework that focuses on the application and workload pillar of the Zero Trust Maturity Model introduced by the Cybersecurity and Infrastructure Security Agency.
The NSA explained in its Cybersecurity Information Sheet (CSI), “Advancing Zero Trust Maturity Throughout the Application and Workload Pillar" (PDF document):
"The application and workload pillar focuses on securing access at the application layer by integrating capabilities from the user, device, and network and environment pillars to prevent data collection, unauthorized access, or tampering with critical processes or services."
Here's what your application security (AppSec) team needs to know about the new NSA zero trust for AppSec initiative — along with key insights from top subject-matter experts.
[ Get up to speed fast: Complete Guide: Federal Software Supply Chain Security Initiatives ]
How NSA is advancing zero trust
The NSA's framework includes continually authenticating, assessing, and monitoring user activity patterns; understanding the health and status of devices; enabling data transparency and visibility; segmenting, isolating, and controlling the network environment with granular policy and access controls; automating security responses; and analyzing events, activities, and behaviors to derive context.
Five key areas are covered in the agency's guidance: application inventory, secure software development and integration, software risk management, resource authorization and integration, and continuous monitoring and ongoing authorizations. Within each area, the guidance recommends steps to advance from the preparation stage through the basic, intermediate, and advanced stages.
The guidance also offers detailed instructions for securing the application and workload pillar against adversarial abuse of applications and workloads:
- Identify applications/workloads within or connecting to the environment.
- Ensure that applications implement strong, continuous authentication and granular access, preferably leveraging available contextual information, as a precondition for the use of the applications and workloads.
- Follow principles of least privilege, ensuring that users and applications receive only the minimum level of access required to perform their jobs.
- Implement micro-segmentation to limit lateral movement from applications and workloads.
- Employ continuous monitoring and logging to track anomalous and suspicious behavior.
- Use strong encryption algorithms to encrypt data in transit and at rest to ensure data integrity and confidentiality.
- Implement regular patch management for all applications and workloads.
- Ensure container security for containerized workloads by scanning container images for vulnerabilities, limiting container privileges, protecting container secrets, and implementing runtime security controls.
- Secure APIs by implementing authentication, authorization, and encryption mechanisms.
- Conduct regular security assessments, including penetration testing and vulnerability scanning, to identify and remediate security weaknesses proactively.
- Ensure application development and implementation compliance with relevant mandatory regulations and standards.
- Exercise due diligence and research to determine whether IT solutions are fit for purpose, including security features and capabilities meeting quality and resiliency expectations.
The zero-trust security gap: Software
The NSA's report acknowledges the close relationship between applications and workloads in a zero-trust architecture and offers valuable guidance on enhancing security capabilities, said Eric Schwake, director of cybersecurity strategy at the API security firm Salt Security. "It emphasizes the dynamic nature of workloads and the variety of tools used to manage them."
Brian Soby, co-founder and CTO and of the security firm AppOmni, said the guidance calls out a major gap in the zero-trust approach.
"It's clear that the NSA is responding to the near-continuous stream of reported data breaches targeting SaaS and other applications that contain the crown jewels of organizations' data. The NSA correctly calls out the need for granular access controls and continuous authorization applied within these applications and workloads in order to stop this trend of breaches."
—Brian Soby
Tamir Passi, senior product director at the security firm DoControl, said the report correctly underscores the importance of shifting to a zero-trust model, moving from a network-centric to a data-centric security approach. "This shift is crucial for modern environments, which are increasingly hybrid and complex," he said. "Additionally, it highlights the need for using advanced tools such as AI predictive analytics, workload automation software, and cloud management platforms to manage and secure workloads across diverse environments."
More importantly, the NSA guidance provides a much-needed road map for achieving progressive levels of maturity in application and workload security — along with actionable steps for organizations at different stages of zero-trust implementation.
"Emphasizing continuous monitoring and ongoing authorization aligns well with the need for real-time threat detection and response, ensuring that security measures evolve with emerging threats."
—Tamir Passi
A good first pass, but there's room for improvement
While the guidance is good, it's not a complete package, said Salt Security's Schwake.
"The report could provide a more in-depth exploration of the specific challenges and security requirements of APIs, which are critical components in modern interconnected systems. While the report does mention APIs, a more thorough discussion of API security within the zero-trust framework would be helpful."
—Eric Schwake
Passi said that while the new NSA guidance provides comprehensive guidelines, it is somewhat generalized. He recommended providing more detailed information in a number of areas. For instance, practitioners would benefit from more insights into the practical challenges organizations face when implementing these recommendations. "Transitioning legacy systems to a [zero-trust] model or integrating various advanced tools cohesively can be daunting tasks," he explained.
The guidance could also include more industry-specific examples and customizations to help organizations understand how to tailor zero-trust principles to their specific operational contexts, Passi said. "Another significant omission is the discussion on extending the zero-trust model to software-as-a-service (SaaS) solutions," he said. "Given the rise in SaaS applications, it’s critical for organizations to incorporate these into their zero-trust frameworks to ensure comprehensive security."
Greater discussion of the human element of cybersecurity would be valuable, Passi added. Training and awareness programs for employees are crucial for the successful adoption of zero-trust principles and for minimizing human errors that could lead to security breaches, he said.
Zero-trust challenges continue
While guidance can be a helping hand for organizations following zero-trust principles, the process remains difficult, said Patrick Tiquet, vice president for security and architecture at Keeper Security. There are significant challenges to adopting zero trust in an organization, including knowing where to begin and having the correct personnel to implement the changes, he said. "Zero trust has many moving parts, and there are no universal implementation standards."
A Keeper Security census found that 32% of IT leaders plan to invest in zero trust, a trend that Tiquet said was growing. However, there are clear gaps when it comes to understanding the concepts and implementation — both among IT teams and the wider business, he said. "Zero-trust implementation requires buy-in from everyone in the organization, highlighting the need for cybersecurity professionals who are up to date with the latest industry standards and threat landscape," Tiquet said.
"Organizations lacking this expertise will increase their likelihood of ineffective design and implementation, leading to potential misconfigurations and security gaps in access controls and network segmentation. This can create vulnerabilities that malicious actors may exploit, compromising the organization's overall security."
—Patrick Tiquet
Expanding the scope of zero trust to software is key
Organizations need to be aware that zero trust isn't a panacea, said Dan Petrillo, vice president of product marketing at ReversingLabs. Even the most robust zero trust architectures can fall prey to supply chain attacks because while trust is explicitly granted at every step of the way, malware still makes its way to the target, Petrillo said.
Businesses pursuing zero trust need to consider this type of attack, or even modify their definition of zero trust to include the removal of implicit trust of any file or software package. Petrillo said that required security teams to shift to modern tooling such as complex binary analysis.
"Supply chain attacks have long been the Achilles' heel of zero trust because a trusted user such as a developer downloads a trusted file from a trusted source that ends up being malicious."
—Dan Petrillo
Image: universalist/Flicker
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.