Securing applications according to the Zero Trust Framework

Dennis Vendel
20 Nov, 2023

A brief refresher

Time for a brief refresher. Securing according to the Zero Trust Framework means:

  1. trust must always be demonstrably earned (verify explicitly),
  2. access must be tailored so that a person can reach only what is currently needed (use least-privilege access),
  3. and reasoning must start from detecting, limiting and repairing damage, because intrusions can never be fully prevented (assume breach).

These principles for securing IT assets can be applied to all six underlying layers of the Zero Trust Framework. Dennis Vendel, Strategic Consultant in our Modern Work & Security team, shows how this is done for application security.

Put the three Zero Trust principles into practice to enhance application security

Simply put, applications are the tools people use to work with data. As a result, applications come in all shapes and sizes, and a single application can have several guises. Take Microsoft Teams, for example, which has not only a mobile app but also apps for desktops, web browsers, digital whiteboards and meeting-room devices. Almost all of those guises do have one thing in common: they ultimately connect to the same cloud service.

That shared connection point is also the direct opportunity to put the three Zero Trust principles into practice. Microsoft's toolbox includes Microsoft Defender for Cloud Apps (MDCA) for this, formerly known as Microsoft Cloud App Security (MCAS). With Defender for Cloud Apps, a sharper view of the application landscape emerges and context-aware rules of the game can be defined on top of it.

Two examples to make this concrete:

  • With Entra ID Conditional Access, you can set ground rules such as 'use a trusted device' or 'also complete MFA at sign-in'. MDCA can add other kinds of ground rules on top of that, such as 'documents with sensitive content can only be viewed online from an unmanaged device, not downloaded' or 'you seem to be downloading large quantities of documents, is that the intention?'
  • Cloud apps make it easier than ever for employees to make far-reaching changes themselves. In just two clicks, a user can activate an online Kanban board or arrange extra storage from another cloud service, including an add-on that requests permission to read their user profile. As a management organization you can't stop that, nor should you want to. What you do have to want is a clear understanding of it, so that the rules of the game can then be tightened where needed.
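The first Conditional Access ground rules named above ('use a trusted device' and 'also complete MFA at sign-in') can be expressed as a single policy. The script below is an added example, not code from the original post or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `New-MgIdentityConditionalAccessPolicy`) and assumes an account holding the `Policy.ReadWrite.ConditionalAccess` permission. The break-glass group id and the policy name are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): one Conditional Access policy that
# requires BOTH multifactor authentication and a compliant (managed, trusted)
# device for every user signing in to every cloud app integrated with Entra ID.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the emergency-access ("break-glass") group that must
# never be locked out by this policy. Replace before running.
$breakGlassGroupId = "<PLACEHOLDER-BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "ZT-App-01 Require MFA and compliant device for all cloud apps"
    # Report-only mode: sign-ins are evaluated and logged but not blocked yet,
    # so the impact can be reviewed in the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Apply to browser, desktop and mobile clients alike.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                       # both controls required
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy landed with the intended state and controls.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

Creating the policy in report-only state first is deliberate: the "Report-only" result in the Entra ID sign-in logs shows which users and apps would have been blocked, and the policy is switched to `enabled` only once that list is clean. The MDCA session rules in the second half of the bullet (online-only viewing of sensitive documents on unmanaged devices) are configured separately in the Defender for Cloud Apps portal and are not covered by this script.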

Microsoft's toolbox for application security includes other components, but the big picture deserves attention as well. The six layers of the Zero Trust Framework are: Identities, Endpoints, Applications, Network, Infrastructure and Data. Applications are not a separate puzzle piece among those six: the layers form one cohesive whole.


To get that whole right, these aspects matter:

  • All cloud apps must be linked to Entra ID, so that sign-in works with the same login accounts and the same access policies everywhere.
  • All other (older) applications must be linked to Entra ID as well, for example by placing an application proxy in front of them or by running them on a virtual desktop. The goal is the same in every case: unified and secure access management.
  • There must be a plan for the application landscape. Which applications are important to the organization? Which can be retired, and how? In short, know where to put your energy.
  • Cloud apps usually 'talk' through an app or a web browser, but other flavours obviously exist. Is it sufficiently clear which locally installed desktop apps are currently in circulation?
  • Finally, applications contain bugs and vulnerabilities, and attackers make good use of them. So stay on top of updating applications, because for applications that is still security measure number one.

Connect with our Security experts!

Want to know more about making applications more secure? Our teams are ready to help your organization take an active stance on IT security.

