03 June 2024

Breaking Down the NSA’s Guidance on Zero Trust Implementations for the Applications and Workloads Pillar

A look at how the NSA’s guidance aims to simplify incorporating Zero Trust principles into enterprise networks

Mack Wartenberger, Security Architect
Eric Jackson, Principal Security Architect

For any organization looking to improve their Zero Trust maturity, prioritizing cybersecurity for both applications and workloads is one of the best places to start. But how do we prioritize those efforts? One of the biggest challenges we hear from cybersecurity practitioners looking to adopt Zero Trust best practices is a lack of clear guidance for driving their efforts. Luckily, the National Security Agency (NSA) posted exactly that this month, and it offers the kind of practical guidance we’re fans of here at Aquia.

The NSA’s cybersecurity information sheet (CSI), “Advancing Zero Trust Maturity Throughout the Application and Workload Pillar”, provides recommendations for achieving progressive levels of Application and Workload pillar capabilities within a comprehensive Zero Trust (ZT) framework. It guides National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) owners in maturing their application and workload security.

While more traditional approaches to application security are static in nature, the ZT model shifts to a “never trust, always verify” approach that hinges on dynamic updates and analysis to ensure security. This model supports hybrid clouds, edge locations, and container deployments, and it emphasizes an integrated security architecture focused on protecting data, applications, assets, and services (DAAS).

What is the Application and Workload Pillar, and Why is it Important?

There are several different ‘flavors’ of Zero Trust guidance available today. For example, the DoD has seven pillars, whereas CISA has five, each with its own slightly different points of emphasis. The Application and Workload pillar, however, is a stalwart in all Zero Trust models. This pillar focuses on securing applications and the computational tasks they perform. Granular access control, visibility, continuous monitoring (ConMon), and security across application layers and workloads are all emphasized in a ZT approach. By integrating capabilities from other pillars, it prevents unauthorized access and data tampering. Robust identity management and continuous automated monitoring provide full visibility and control over every transaction and workload.

Workloads encompass computational tasks performed by multiple programs or applications, often involving complex environments with cloud services and APIs connecting to third parties. These complexities are managed using advanced tools like backend APIs, workload automation software, AI predictive analytics, and cloud management platforms. While these tools enable interconnectedness, scalability, and usability, they also create opportunities for malicious actors to target business applications and workloads.

What is the NSA Saying?

The ZT Application and Workload pillar aims to secure and protect applications and workloads from adversarial abuse. The NSA CSI outlines the following recommendations to help cyber defenders achieve these goals:

  • Identify applications and workloads within or connecting to the environment.
  • Implement strong continuous authentication and granular access decisions based on contextual information.
  • Follow the principle of least privilege (PoLP), ensuring minimum necessary access.
  • Implement micro-segmentation to limit lateral movement.
  • Employ continuous monitoring and logging to track anomalous behavior.
  • Utilize strong encryption algorithms for data protection.
  • Conduct regular patch management and security assessments.
  • Ensure container security by scanning for vulnerabilities and implementing runtime controls.
  • Utilize static containers to run workloads, and replace the container rather than patching.
  • Secure APIs with authentication, authorization, and encryption.

Key Areas to Implement Zero Trust

NSA’s CSI really shines in how it breaks down its guidance across key “protect” areas of the Applications and Workloads pillar, offering granular insights into what defines the varying levels of maturity.

Application Inventory

“Organizations must identify and categorize applications needed for critical workflows.”

You can’t protect what you can’t see. Conducting a thorough inventory of applications and workloads is crucial for ZT implementation. This involves identifying and categorizing the criticality of the data and workload so that cybersecurity protection can be prioritized for critical assets. The NSA outlines that the maturity of application inventory practices progresses from establishing a basic inventory and mapping workflows to maintaining automated and comprehensive lists with detailed Software Bills of Materials (SBOMs). Robust systems should have a comprehensive inventory of applications and workloads with up-to-date SBOM documentation, direct component dependencies, and automated tools to track and verify remediation of identified vulnerabilities. This enables security teams to quickly and efficiently identify vulnerabilities and remediate them, effectively reducing the organization’s long-term attack surface.
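As an added example (not code from the NSA CSI or from Aquia), the snippet below shows the kind of automated inventory check the paragraph describes: it loads a CycloneDX-style SBOM, matches inventoried components against a vulnerability feed, and verifies that a rebuilt SBOM actually closed the findings. The package names, versions and vulnerability IDs are constructed sample data, and the feed format is an assumption.

```python
import json

# Constructed SBOM snapshot; the shape follows CycloneDX ("components" with
# name/version) but every value is invented for this example.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libexample", "version": "1.2.3"},
        {"name": "webfw", "version": "4.0.1"},
        {"name": "jsonparse", "version": "2.9.0"},
    ],
})

# Constructed vulnerability feed (assumed format): package, affected versions, fixed version.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "name": "libexample", "affected": ["1.2.2", "1.2.3"], "fixed": "1.2.4"},
    {"id": "EXAMPLE-0002", "name": "webfw", "affected": ["3.9.0", "4.0.0"], "fixed": "4.0.1"},
]

def load_components(sbom_json):
    """Return {name: version} for every component listed in the SBOM."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}

def find_exposures(components, feed):
    """List (vuln_id, name, version, fixed) for each inventoried component
    whose deployed version appears in a feed entry's affected list."""
    hits = []
    for v in feed:
        ver = components.get(v["name"])
        if ver is not None and ver in v["affected"]:
            hits.append((v["id"], v["name"], ver, v["fixed"]))
    return sorted(hits)

def rebuild_with(sbom_json, name, version):
    """Simulate a rebuild that bumps one component (replace, don't patch in place)."""
    doc = json.loads(sbom_json)
    for c in doc["components"]:
        if c["name"] == name:
            c["version"] = version
    return json.dumps(doc)

def verify_remediation(sbom_before, sbom_after, feed):
    """Compare two inventory snapshots: which findings the new SBOM closed,
    and which remain open (including any newly introduced by the rebuild)."""
    before = {h[0] for h in find_exposures(load_components(sbom_before), feed)}
    after = {h[0] for h in find_exposures(load_components(sbom_after), feed)}
    return {"closed": sorted(before - after), "open": sorted(after)}
```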

C-SCRM (Cybersecurity Supply Chain Risk Management)

Taking the concept of strong application inventory a step further, the CSI emphasizes the need for visibility into the supply chain that builds an application. When it comes to C-SCRM, the NSA advises that managing software risks includes evaluating and mitigating risks from third-party and open-source components. Organizations should implement a C-SCRM program, incorporating continuous monitoring and threat intelligence to manage and validate the security of software components throughout their lifecycle. Security teams can accomplish this by using tools or services to research multi-tier relationships and risk attributes of suppliers before purchasing, and then continuously monitoring that software (with integrated threat intelligence) for vulnerable configurations while in use. Compromises exposed through this approach can be mitigated before they impact business objectives. This effort should also include static application security testing (SAST) and software composition analysis (SCA) tools.

CI/CD and DevSecOps

Once you’ve decided how to securely build your applications, the NSA delves into specific guidance on how to develop and deploy them. Adopting continuous integration/continuous delivery (CI/CD) and DevSecOps best practices ensures that organizations can develop and deploy secure software. This emphasis on secure software deployment starts at inception, and includes integrating security controls throughout the development process, using strong encryption, and maintaining digital signatures for application integrity. This can be accomplished by ensuring that applications are digitally signed, integrating static and dynamic application security testing into CI/CD workflows, and deploying automated software analysis and identification of all software dependencies via SCA tooling.

Automated Risk-Based Authorization

Applications built with security in mind are less vulnerable, but they still need carefully managed access control. Secure access can be achieved by implementing automated, risk-based access controls. Allowing dynamic authorization decisions based on contextual information and real-time risk assessments is a cornerstone of Zero Trust. This shifts from static, manual authorizations to continuous, automated processes that profile access behaviors for human and non-human entities, in order to implement contextual access control. This approach enhances security and responsiveness. The NSA guidance strongly emphasizes the value of this context-based access control (CBAC) supporting applications and workflows. Once access is granted, robust enterprises should enforce time-based access, and integrate real-time risk analysis and behavioral analytics.

Continuous Monitoring and Ongoing Authorizations

Rounding out some of the NSA’s guidance on secure application deployment and use is continuous monitoring of applications and workloads. Continuous monitoring and ongoing authorizations are essential for maintaining security in dynamic environments. Automated tools and processes should monitor the health, status, and behavior of applications and workloads by providing real-time alerts and enabling rapid response to anomalies and threats. By implementing fully automated continuous authorizations, monitoring based on anomalous behavior detection and threat intel, and integrating real-time assessment of application risks, security teams can expand automated capabilities to revoke/limit access automatically.
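The following is an added example, not code from the NSA CSI or from Aquia, that ties together the two sections above: a context-based access decision that issues a time-bound grant, and an ongoing-authorization check that re-evaluates the grant against fresh monitoring signals and revokes it when risk rises. The context fields, weights, thresholds and grant lifetimes are assumptions chosen for illustration, not values from the guidance.

```python
from dataclasses import dataclass

@dataclass
class Context:
    mfa: bool               # strong authentication completed for this session
    device_compliant: bool  # endpoint posture check passed
    anomaly_score: float    # 0.0 (normal) .. 1.0 (highly anomalous), from behavioral analytics
    threat_intel_hit: bool  # request source matched a threat-intelligence indicator
    sensitivity: str        # classification of the workload's data: "low" or "high"

# Assumed grant lifetimes in seconds; high-sensitivity workloads expire sooner.
GRANT_TTL = {"low": 3600, "high": 900}

def risk_score(ctx):
    """Combine posture and behavioral signals into a 0..1 risk value (assumed weights)."""
    score = 0.0
    if not ctx.device_compliant:
        score += 0.4
    score += 0.6 * ctx.anomaly_score
    return min(score, 1.0)

def decide(ctx, now):
    """Return (decision, expires_at) where decision is allow, step_up or deny.
    Only an allow carries an expiry, enforcing time-based access."""
    if ctx.threat_intel_hit:
        return ("deny", None)
    if not ctx.mfa:
        return ("step_up", None)  # continuous authentication: demand stronger proof
    r = risk_score(ctx)
    limit = 0.3 if ctx.sensitivity == "high" else 0.6
    if r >= 0.8:
        return ("deny", None)
    if r > limit:
        return ("step_up", None)
    return ("allow", now + GRANT_TTL[ctx.sensitivity])

def reevaluate(grant_expires_at, ctx, now):
    """Ongoing authorization: keep the grant only while it is unexpired and
    the current context would still produce an allow; otherwise say why it is revoked."""
    if grant_expires_at is None or now >= grant_expires_at:
        return "revoke:expired"
    decision, _ = decide(ctx, now)
    return "keep" if decision == "allow" else "revoke:" + decision
```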

Securing Apps and Workflows to Enhance Zero Trust

By advancing ZT maturity in the Application and Workload pillar, organizations can better defend against sophisticated cyber threats and enhance their overall security posture. The NSA continues to assist NSS community members in piloting ZT capabilities, coordinating with NIST, CISA, and DoD, and developing additional ZT guidance to support system developers. This guidance aims to simplify incorporating ZT principles into enterprise networks, ensuring robust and comprehensive cybersecurity.

Through the recommendations and best practices outlined in the NSA’s guidance, organizations can create a resilient security framework that is adaptable to the evolving digital landscape. By implementing these strategies, organizations will not only meet federal mandates but also position themselves to effectively counter emerging threats and secure their critical applications and workloads.

Are you looking for support in creating and implementing a comprehensive Zero Trust strategy? Let us put our experience to work for you.

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.
