Common Misconceptions About Zero Trust Security for Applications

When most people think of zero trust, they think of network security. All users and devices attempting to access the network are considered threats until their identity is verified and access rights validated. Access rights are strictly limited to what users need to do their jobs.

However, networks are not the only vulnerable elements of the IT environment. In fact, applications are typically the initial targets of attackers. Users normally access applications after they are authenticated, but authentication alone does not provide adequate protection against threats. Applications are still vulnerable to SQL injection, cross-site scripting and other attacks, as well as the lateral movement of hackers who have gained access to the network.

That’s why it’s critical for organizations to protect their applications as part of their zero trust strategy. Problems arise when organizations do this with a monolithic firewall.

Risks of a Monolithic Firewall

When building a zero trust environment, organizations typically want east-west traffic inspection. They’ll route all traffic through a monolithic firewall to each of their applications. One of the big myths is that this approach is more cost-efficient than a distributed architecture. In reality, it’s extremely difficult to manage and a disaster waiting to happen.

The monolithic firewall becomes a single point of failure that is highly complicated, with hundreds of thousands of rules about each application. If you get a rule wrong, you expose something you shouldn’t have.

The better way is to distribute your security appliances along with the applications. Each application gets its own account that serves as a virtual private cloud. That VPC has an edge, and only the edge is allowed to talk to the rest of the world. Each application also has a private section where all of its associated servers and apps exist. The only way to get from the edge to the private section is through the security appliance.

Benefits of a Distributed Approach

The distributed approach allows you to use smaller, more affordable security appliances, and much simpler rules that allow those appliances to operate more efficiently. More importantly, each appliance only needs to know the rules about its application, making it easier to maintain. You may spend a little more on compute in order to have multiple copies of a firewall, but you’ll be spending significantly less on manpower.

You’re also getting much stronger security. In the monolithic model, if an intruder gets into the environment, they can typically find ways to route directly between one application and another and bypass the monolithic firewall. If an admin makes a mistake and leaves such a route in place, you’ve broken your zero trust model. With the distributed approach, that can’t happen, because there is no path between the various application groups except through a firewall.

Enabling Greater Automation

Because you’re only dealing with the rules for a single application in a distributed model, you can automate much of the process. Developers can write a small JSON object that defines the applications that connect to their software and the ports their software uses. The developer doesn’t need to know any details about where the other applications exist. Automated tools go into the application’s firewall and insert the addresses of other applications that are allowed to connect to it, and keep everything updated on the fly.

This eliminates the need for the security team to do in-depth code reviews and enables much greater agility. It also provides stronger security because you’re only opening the gateway to the correct inbound objects. In addition, you get a detailed database of every connection that exists in the environment.
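The automation step described above, as an added illustration that is not DeSeMa's tooling: a developer-written JSON manifest names the applications allowed to call in and on which ports, a service registry (an assumption here, standing in for whatever inventory the automation consults) resolves those names to the private-section address ranges, and the output is an explicit allow list for that one application's firewall followed by a default deny. All names, addresses and the manifest schema are constructed for the example.

```python
import ipaddress
import json

# Constructed manifest: the developer of "billing" declares who may
# connect and on which ports, without knowing where those apps live.
# The schema is an assumption, not any vendor's format.
MANIFEST = json.loads("""
{
  "app": "billing",
  "inbound": [
    {"from": "web-frontend", "ports": [443]},
    {"from": "reporting", "ports": [5432]}
  ]
}
""")

# Constructed service registry: the private-section ranges of each
# application. Only the automation sees this, never the developer.
REGISTRY = {
    "web-frontend": ["10.1.0.0/24"],
    "reporting": ["10.2.0.0/24", "10.2.1.0/24"],
    "billing": ["10.3.0.0/24"],
}


def build_rules(manifest, registry):
    """Turn a manifest into this app's own firewall rules: one explicit
    allow per (source range, port), then a trailing default deny.
    An unknown source app is an error, never a silent 0.0.0.0/0 allow."""
    rules = []
    for entry in manifest["inbound"]:
        src = entry["from"]
        if src not in registry:
            raise ValueError(f"unknown application {src!r}; refusing to guess")
        for cidr in registry[src]:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects malformed CIDRs
            for port in entry["ports"]:
                if not 1 <= int(port) <= 65535:
                    raise ValueError(f"bad port {port!r} for {src}")
                rules.append({"action": "allow", "src": str(net),
                              "dst_app": manifest["app"], "port": int(port)})
    rules.append({"action": "deny", "src": "0.0.0.0/0",
                  "dst_app": manifest["app"], "port": "any"})
    return rules


if __name__ == "__main__":
    for rule in build_rules(MANIFEST, REGISTRY):
        print(rule)
```

Because every generated rule is scoped to one application, the same rule set is also the per-application slice of the connection database the text mentions; concatenating the outputs for all manifests gives the environment-wide view.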

A zero trust environment is critical to securing applications, but a monolithic firewall approach can actually weaken security while creating more management overhead. Let DeSeMa help you architect a distributed zero trust model that reduces complexity, increases agility and enables greater automation.