Introducing Zero Trust Posture Management (ZTPM): Extending Zero Trust Beyond Network Access

Building a Zero Trust architecture requires more than just ZTNA

By Brian Soby, CTO and Co-Founder, AppOmni

As traditional network boundaries no longer define the limits of security, Zero Trust (ZT) now serves as the overarching framework that guides enterprise security strategies. 

Zero Trust Network Access (ZTNA)—a vital component of the Zero Trust framework—implements the Zero Trust principle of “never trust, always verify.” ZTNA rigorously authenticates and authorizes each user and device before it grants them access to applications and services, irrespective of their location. 

While ZTNA plays a crucial role in establishing secure access channels to applications, organizations cannot rely on ZTNA alone to establish their Zero Trust architecture. Instead, organizations must implement an extended security approach within their applications and SaaS environments by adopting Zero Trust Posture Management (ZTPM). 

ZTPM complements ZTNA and ensures that security principles are not only applied to access, but are also intricately woven within the fabric of the applications themselves. With this approach, ZTPM reinforces Zero Trust principles and provides a more comprehensive and robust security posture.

To learn more about ZTPM, read on or watch this explainer video:

Limitations of ZTNA in SaaS Application Security

Zero Trust Network Access significantly enhances the security perimeter by authenticating and authorizing every access request. But its primary focus on securing the pathways to applications introduces certain limitations, particularly in the domain of application security. ZTNA’s core limitations include: 

Limited Scope Within Applications

ZTNA secures access to applications rather than the activities and configurations within applications. This focus on application access leaves a critical gap in security because it does not secure the interactions and transactions that occur inside the application, where sensitive data is processed and stored.

Many ZTNA implementations incorporate proxies such as Secure Web Gateways (SWGs) and Cloud Access Security Brokers (CASBs). These proxies can provide additional services, such as web content or malware filtering in the case of SWGs. Similarly, CASBs can provide inline data scanning against known patterns for Data Loss Protection (DLP) and rudimentary blocking of specific application capabilities, such as downloading reports.

However, these approaches still face the classic limitations of inline corporate proxies when it comes to securing SaaS applications. Proxies can scan web traffic for malware and can scan against a list of DLP regular expressions in an application-agnostic way, but the proxies usually do not have visibility into the functionality of those applications. 

Modern SaaS applications such as Salesforce, ServiceNow, Workday, M365, and other major platforms are both extremely broad and deep in functionality. The vast majority of this functionality is delivered to the users’ browsers using undocumented communications that are constantly in flux by the application vendors. 

In fact, many of these SaaS applications have several generations of technologies, integrations of acquired products, or other layered interfaces working in parallel to deliver functionality to users. While an external CASB vendor may be able to reverse engineer limited portions of a few selected SaaS applications, this approach will always be unsupported and at odds with the application, resulting in superficial and fragile security capabilities.

ZTNA and inline proxy solutions were never intended to provide coverage or protections within these SaaS applications to any entities beyond corporate users. As large and flexible platforms, SaaS applications are very often collaboration points between companies and their customers, partners, and prospects. These applications can have thousands or even millions of external users accessing data and other resources directly within the SaaS platform, and all of those external users are invisible to the ZTNA implementations.

In addition to external users, other risks left unaddressed by ZTNA include: 

• Data exposures directly from the SaaS applications
• Hijacked or stolen sessions of corporate users reused outside of the ZTNA stack
• Cloud-to-cloud and non-human integrations. 

SaaS Applications and Bypassing ZTNA 

Unlike on-premises applications, where access through a ZTNA stack is required for basic network transport between users and privately hosted applications, SaaS applications live on the internet and have public connectivity. SaaS applications also have independently configured and varying support for authentication capabilities, source IP address restrictions, session termination, and other application-specific configurations that are relevant to the integrity of the ZTNA implementation.

The misconfiguration of any of these options within an application undermines the integrity of a ZTNA implementation. Misconfigurations allow corporate users to simply sidestep the ZTNA proxy so they can access the SaaS application and data directly. Oftentimes, these misconfigurations can also bypass checks and enforcement around corporate or managed devices.

For example, in Salesforce, users are assigned one of many “profiles” in which IP restrictions can be defined. To maintain the integrity of ZTNA, each profile assigned to corporate users would need to be separately configured to list only the egress IPs of the ZTNA solution. Additionally, there are global settings that determine the enforcement behavior of any IP restrictions that are defined with default values that would allow ZTNA bypass after the initial login—or leave an organization susceptible to post-authentication session hijacking. IP restrictions and ZTNA can also be bypassed by using OAuth.

Beyond IP restrictions, making Single Sign-On (SSO) mandatory for Salesforce users is equally error-prone. Outside of a scenario in which unmanaged users are created in these applications without being noticed, the default configuration for SSO is as an optional and supplemental login capability. To force users through SSO—which is generally required for managed device enforcement—each profile or user must be individually opted-in to an SSO-only configuration. 

Similar patterns exist for other enterprise SaaS applications such as ServiceNow, where any user with a password value set can generally use an application component called “side_door.do” to bypass SSO and log in to the application directly.

Addressing ZTNA’s SaaS Security Limitations

ZTNA’s limitations highlight the critical need for an extended layer of protection that can secure not just the access to, but also the interactions within, applications. Zero Trust Posture Management (ZTPM) emerges as a complementary solution that addresses these gaps by extending the Zero Trust principles deeper into the application layer to ensure a comprehensive security posture that encompasses every facet of application interaction and data processing.

Bridging the Gap With Zero Trust Posture Management (ZTPM)

Zero Trust Architectures can achieve an end-to-end solution by combining Zero Trust Posture Management with Zero Trust Network Access. This combination extends the Zero Trust principles into the very fabric of applications and SaaS environments. 

ZTPM significantly enhances the overall security posture by ensuring that applications are configured and used in a manner that aligns with Zero Trust principles. ZTPM bridges the SaaS security gap because it:

Prevents Unauthorized ZTNA Bypass 

Through its comprehensive monitoring and configuration management capabilities, ZTPM protects applications against unauthorized bypasses of ZTNA. ZTPM provides visibility around mandatory SSO, multi-factor authentication (MFA), and proper access controls to identify bypasses, side-loaded accounts, and other backdoors that can compromise the security posture.

Ensures Secure Configuration Posture and Compliance 

ZTPM plays a crucial role in continuously monitoring and assessing the configuration of SaaS applications to ensure that they comply with Zero Trust principles. By detecting misconfigurations such as data exposures, misconfigured security controls, and unwanted user access entitlements, ZTPM ensures that access within the application is as rigorously controlled as the access to the application.

Dynamic Policy Enforcement and Adaptability

ZTPM leverages real-time analysis and continuous feedback to other components of the Zero Trust Architecture to enable continuous authorization decisions and dynamic enforcement of security policies. 

By adapting to changes in user behavior, application usage, and the evolving threat landscape, ZTPM ensures that security measures are always aligned with the current risk context. This adaptability is key in maintaining an effective Zero Trust posture in the face of sophisticated cyber threats.

Extends Zero Trust to Third-Party Integrations and Cloud Connections

ZTPM helps organizations extend Zero Trust principles to third-party services, non-human identities, and cloud-to-cloud integrations. By scrutinizing these connections and enforcing consistent security policies, ZTPM closes security gaps that can arise from external integrations. With ZTPM, organizations can build a comprehensive Zero Trust ecosystem.

The Future of Zero Trust

ZTPM addresses the limitations of ZTNA in application security and significantly enhances the efficacy of Zero Trust architectures. It ensures that Zero Trust security principles are not only applied at the perimeter, but are also deeply integrated into the applications and data.

In essence, ZTPM is not just an extension of ZTNA—ZTPM is a critical element that organizations need to adopt the necessary depth and breadth of security controls to protect against sophisticated cyber threats and realize the full potential of a Zero Trust architecture.

Related Resources