Managing Application Security Risks with Zero Trust Network Access

Risk management is an essential component of any organization's cybersecurity strategy, and many organizations concentrate their risk-management effort on the resources that face the public Internet. Internal applications tend to receive far less scrutiny.

Once an attacker gains a foothold on the internal network, they often have free rein to reach internal web applications. Since these internal applications frequently contain exploitable vulnerabilities, this represents a significant security risk. A vulnerable application can let an attacker turn a compromised, low-privilege account into access to sensitive data.

Protecting against these types of threats requires a different approach to security. Instead of using a perimeter-focused security strategy, companies should implement zero-trust network access (ZTNA) or a software-defined perimeter (SDP). This restricts a user’s access to internal network resources, limiting the potential impact of an exploitable vulnerability in an internal web application.

Growing Numbers of Vulnerabilities Threaten Application Security

Vulnerabilities in web applications are not a new issue. Software is written by human beings who make mistakes, and some of those mistakes affect the application's security and become exploitable vulnerabilities.

The problem with web application vulnerabilities is that they are becoming increasingly common. Organizations depend on a growing amount of code, and since the rate of vulnerabilities per line of code has not significantly declined, the number of exploitable vulnerabilities grows with it. In 2019 alone, over 22,000 new vulnerabilities were discovered and publicly reported.

Organizations must also cope with exploitable vulnerabilities that come from third-party code. The majority of the code within a typical application comes from libraries and other third-party sources, so a single vulnerability in a widely used library appears in the applications of many different organizations at once. That makes such vulnerabilities a common target for cybercriminals who want to maximize the impact of their attacks.

Zero Trust Network Access Minimizes Application Security Risks

Web applications, both internal and public-facing, are a prime target for cybercriminals due to their access to sensitive information. In many cases, it is easier for an attacker to take advantage of a vulnerability in an internal web application to carry out a data breach than to attempt to gain access to the database directly.

An effective attack against an internal web application requires both a vulnerability and access to the application. Given the large number of vulnerabilities present in modern web applications and the difficulty of keeping up with patch management, organizations should also focus on restricting who can reach potentially vulnerable internal applications.

This is where ZTNA comes in. Under traditional perimeter-focused security models, anyone with access to the corporate network can reach everything inside it. ZTNA changes this by limiting each user's access to the resources required to fulfill their job duties, evaluated per request rather than granted once at the network edge. This means that, even if an application contains exploitable vulnerabilities, an attacker holding a compromised account may not be able to reach the application at all, let alone exploit it.
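The contrast described above, as an added example written for this article rather than code from any ZTNA or SASE product: a flat perimeter model that admits any source on the internal address range, beside a deny-by-default ZTNA policy evaluator that decides per request on identity, role, device posture and MFA. The address range, application names, roles, posture signals and the compromised-account scenario are all constructed for illustration.

```python
"""
Added example: perimeter-style access versus a deny-by-default ZTNA
policy evaluator. Illustrative code, not a product's implementation;
every identity, role, device state and application name is constructed.
"""
from dataclasses import dataclass
import ipaddress

# Assumed corporate address space used by the perimeter model.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_ip: str
    app: str
    device_managed: bool   # assumed posture signal from an endpoint agent
    mfa_verified: bool     # assumed signal from the identity provider


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: being on the internal network is the only check."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule for one application; anything unmatched is denied."""
    app: str
    roles: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True


# Constructed least-privilege policy: each application lists only the roles
# that need it. "legacy-reporting" stands in for the vulnerable internal app.
POLICY = [
    Rule("hr-portal", frozenset({"hr", "hr-admin"})),
    Rule("legacy-reporting", frozenset({"finance"})),
    Rule("wiki", frozenset({"hr", "finance", "engineering", "support"}),
         require_mfa=False),
]


def ztna_decision(req: Request, policy=POLICY) -> tuple:
    """Return (allowed, reason). Source address is never consulted:
    network location is not a trust signal under ZTNA."""
    matching = [r for r in policy if r.app == req.app]
    if not matching:
        return False, "no rule for application: default deny"
    for rule in matching:
        if req.role not in rule.roles:
            continue
        # First rule that names the role decides; posture failures deny
        # rather than falling through to a weaker rule.
        if rule.require_managed_device and not req.device_managed:
            return False, "role permitted but device posture failed"
        if rule.require_mfa and not req.mfa_verified:
            return False, "role permitted but MFA not verified"
        return True, f"allowed by rule for {rule.app}"
    return False, f"role '{req.role}' not authorized for {req.app}"


def compare(req: Request) -> dict:
    """Side-by-side verdict from both models for one request."""
    return {"perimeter": perimeter_allows(req), "ztna": ztna_decision(req)[0]}


if __name__ == "__main__":
    # Constructed scenario: a support engineer's account has been phished and
    # the attacker is on the corporate LAN via that user's managed laptop.
    compromised = Request("asmith", "support", "10.20.3.7",
                          "legacy-reporting", True, True)
    print(compare(compromised))
    print(ztna_decision(compromised)[1])
```

In the constructed scenario the perimeter model lets the phished support account reach the vulnerable reporting application simply because the request originates inside 10.0.0.0/8, while the ZTNA evaluator denies it because the support role is not listed for that application. The same evaluator admits a finance user from any source address, provided the device and MFA checks pass, which is the point: access follows identity and posture, not network position.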

Effective ZTNA Requires Enforcement

Zero trust has become a buzzword. Many organizations know that they want it, but implementing it is more difficult than adopting the term.

One of the primary reasons for this is that an effective ZTNA strategy requires security solutions capable of supporting and enforcing it. Traditional tools for building a secure corporate WAN, such as virtual private networks (VPNs), are not up to the task.

VPNs are designed to provide a secure connection to a corporate network, not to manage a user's access once inside it. Further access management can be layered on with standalone security solutions, but this increases management complexity and deepens reliance on the security stack in the main corporate network. To control access to cloud-based resources, which represent a rapidly growing share of most organizations' corporate networks, all traffic must either be backhauled through that security stack (adding latency and hurting network performance) or be governed by a separate, cloud-focused solution (increasing the complexity of security management and making consistent policy enforcement harder).

SASE Provides ZTNA Enforcement at Scale

The challenges associated with implementing and enforcing ZTNA policies are only one of many shortcomings of VPNs for implementing secure networks. Secure Access Service Edge (SASE) provides an alternative that addresses all of these challenges.

SASE implements networking and security functionality in an array of cloud-based points of presence (PoPs). All traffic passing through the corporate WAN enters and leaves through the PoPs closest to the point of origin and destination. Each PoP contains a fully-integrated networking and security stack, providing optimized routing through the corporate WAN and the ability to consistently perform security scanning and enforce security policies throughout the corporate WAN.

One of the security features that should be included in a SASE network is integrated ZTNA or SDP. By integrating this into the network infrastructure of the corporate WAN, an organization can strictly and consistently manage access to all of its network resources. This helps to minimize access to potentially vulnerable internal applications, making it more difficult for an attacker to exploit any vulnerabilities that they may contain.