Applications Cannot Be Trusted

(SPONSORED ARTICLE)

By 2023, over 500 million apps will be developed using cloud native approaches (IDC FutureScape). These apps are built with newer technologies like containers and microservices, which allow organizations to deploy and iterate faster than ever before.

Securing cloud native applications surfaces new challenges vs. securing traditional applications. In cloud native environments, resources are continually shifting, services are in constant communication and hybrid architectures are difficult to map. This creates serious obstacles for risk identification and securing applications.

With more and more cloud native applications interacting with each other, at the request of countless users–any one of whom could be a malicious actor looking to exploit the application and steal data–a Zero trust strategy makes more sense in this context than ever before.

The State of Applications and Security

Over these years, the concept of zero trust – never trust, always verify – has largely stayed the same. But now cloud architects, devops and security teams face a bigger challenge in securing the content and data when securing the transactions between applications.

The move to the cloud creates more interconnectivity between applications. Modern apps are leveraging microservices and APIs for building scalable and resilient applications, but security teams should not assume all allowed traffic to and from apps contain safe and legitimate content.

According to Forrester, web application exploits, such as SQL injection, cross-site scripting (XSS), and remote file inclusion, are the most common forms of external attacks. And according to AV-Test, over 160 million new malware variants were detected in 2021. By applying Zero Trust principles to all communications and inspecting the contents of each transaction, organizations can identify and prevent unsafe content from reaching applications.

Applying Zero Trust to Transactions

Embedding Zero Trust in the cloud requires continuous validation at every stage of an application or API interaction. Once access to an application has been verified and granted, the content within the transaction must be inspected to determine it is free of any malicious activity, then only the transaction should be authorized.

The Zero-Trust approach is crucial when verifying the transaction, rather than implicitly trusting the content in the transaction. Adversaries use allowed communications to execute the most common web application attacks like SQL injection and cross-site scripting (XSS) as well as recent attacks including Apache log4j exploit and Cobalt Strike command-and-control (C2) framework. Organizations adopting a Zero Trust architecture should consider verifying every transaction to increase their defenses against malicious activity within content.

The Cloud Native Opportunity for Zero Trust

As the cloud becomes the most dominant compute model, it must be emphasized that Zero Trust is a strategic approach, not a one-stop solution. In simple words: applications cannot be trusted and continuous monitoring even at runtime is necessary to validate their behavior.

It begins with monitoring your cloud resources and configurations while enforcing compliance. This then leads to understanding the level of access each user has to cloud accounts. Up next, security teams must continuously assess their cloud environments in real-time to continuously monitor for threats and anomalies. It's important to secure cloud workloads — whether it's hosts, containers, or serverless functions — from vulnerabilities irrespective of the cloud environment it is on. Lastly, organizations need to secure access, applications, and data across different cloud environments. That’s why leveraging a Cloud Native Application Protection Platform (CNAPP) is the best way to deploy a Zero Trust strategy while remaining cost-efficient.

The future of cloud computing is both exciting and challenging to predict, but one thing is for sure: cloud native applications will continue to grow in both importance and complexity, and cloud native apps require comprehensive protection. As organizations increasingly move workloads, applications, and data to the cloud, and look to adopt DevOps, now is the time to architect your security right from the beginning– eliminate implicit trust and continuously validate every stage of a digital interaction.

Mohit Bhasin is a product marketer for Prisma Cloud at Palo Alto Networks. With a background in Computer Engineering and a Masters in Business Administration, he has a passion for understanding and solving customer problems.