Best Practices for Application Security in a Zero Trust Environment

Best Practices for Application Security in a Zero Trust Environment

By Dr. Edward Amoroso

CEO, TAG Cyber

This is the third of a series of five blog posts by analysts from TAG Cyber, a trusted cybersecurity research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. This chapter discusses the best practices and procedures for securing user access to important business applications hosted locally on premises or across multi-cloud infrastructures. 

Total Access Control (TAC) allows users to reach applications and workloads safely and securely without compromising the need for single sign-on (SSO), role-based access control (RBAC), multi-factor authentication (MFA), or even a virtual desktop.

Modern enterprise users tend to define their work by the applications and workloads they access both locally and in the cloud. In this sense, applications have become the new day-to-day interface for most employees, contractors and suppliers in a typical business environment.

While this access might have been secured previously by a traditional perimeter, with users visiting applications across a flat enterprise local area network, today, this access must be secured in the context of a Zero Trust architecture. This implies the need for a fundamentally different approach to application security.

Next-Generation Secure Reverse Proxy

The good news is that despite the changes inherent in the modern shift from a perimeter-based security philosophy to Zero Trust, many of the best security methods to provide secure access are based on familiar techniques. This is beneficial for enterprise security teams trying to develop a protection architecture without having to completely modify their approach. One aspect of this familiar toolset is the reverse proxy, which is commonly applied across existing enterprise architectures.

The use of reverse proxy methods to service applications in a Zero Trust scheme remains relevant—albeit implemented in a way that is consistent with digital transformation and cloud hosting.

PortSys Total Access Control (TAC)

One commercial implementation of next-generation reverse proxy for application access comes from PortSys. The solution, called Total Access Control (TAC), allows users to reach applications and workloads safely and securely without compromising the need for single sign-on, role-based access control (RBAC), multifactor authentication (MFA) or even a virtual desktop. 

PortSys does this with a reverse proxy that supports browser-agnostic application delivery across any multi-cloud-based hybrid infrastructure. An advantage of TAC is that is consolidates many existing or planned secure access solutions into one common Zero Trust platform, which helps reduce cost and complexity. In addition, legacy applications are handled in a more flexible and secure manner with a browser-agnostic solution.

Application Security Architecture

The most common architectural deployment for TAC starts with applications hosted either on premise, in the cloud, or in a SaaS-based infrastructure (as shown in the graphic above). Laptops, mobile phones or other devices can then locally or remotely access these applications using the TAC solution, which offers local support for authentication and SSO, as well as cloud/SaaS support via SAML/OAuth.

TAC includes cloud identity integration with major commercial identity and access management (IAM) providers such as Okta, Ping and OneLogin. The platform also supports secure access to IaaS/PaaS workloads hosted in the cloud, such as Azure and AWS. These include secure access via RDP or VPN gateways, along with integrated support for Active Directory (AD). The entire capability is governed by security policy definition.

Action Plan for Secure Application Access

Enterprise teams are advised to review their existing secure access implementation to determine whether Zero Trust principles are being properly addressed. Too many enterprise security teams remain solely dependent on local protections based on perimeter controls from the public Internet.

From a TAG Cyber perspective, we believe that secure access via next-generation reverse proxies as implemented by PortSys TAC is a promising option. Enterprise security and network security experts should take the time to review the platform and consider potential integration into their evolving architecture.