Partner Content: Why application security and zero trust go hand-in-hand
According to Salesforce's State of IT report, the estimated number of applications across a typical enterprise soared by 26% to 1061 in 2023.
Users now expect to have apps at their fingertips both in their working and personal lives. While this can contribute to positive user experiences, app sprawl can introduce new security vulnerabilities to organisations if not properly configured and protected.
Ravit Greitser, Senior Product Marketing Manager at Akamai, told CRN:
"As we get more connected, it increases the attack surface and makes the enterprise more vulnerable. Anything can be a vector of attack: partners, vendors, employees; everything can attack the applications.
"The playing field has completely changed over the past 15 years. We've seen the rise of cloud computing, and the internet of things has become part of our lives from connected cars to healthcare. Remote work has increased, and generative AI has also changed the way we work and the way we secure."
In this context, security must be baked into all stages of the application development lifecycle to ensure weaknesses are fixed before they are exploited, and the right security controls must be in place. Just one unsecured app among a thousand is enough for adversaries to gain unauthorised access.
The importance of APIs
A key building block of application security is APIs. APIs allow applications to communicate with each other, and have become a target for attackers as they enable access to sensitive data. Organisations must therefore regularly test for API vulnerabilities.
"API security is a subset of application security," explained Greitser. "They are the connectors that allow different software applications to communicate and share data. If an API is not secure, it can become an entry point for attackers to access the underlying systems and data. Overall, businesses rely more and more on APIs to enable digital transformation and to integrate various services. So API security is becoming even more important. When these APIs are poorly secured, they can lead to data leaks, unauthorised access and other security issues."
Akamai recently acquired top API security vendor Noname. The company hopes to accelerate its ability to meet growing customer demand and market requirements as the use of APIs continues to expand.
Never trust, always verify
Greitser champions the implementation of a zero trust security model for securing applications and other elements of an organisation's infrastructure.
Zero trust is based on three key tenets: distrusting all entities by default and verifying every access request, granting least-privilege access, and monitoring security continuously. This is in contrast to VPN or firewall security, which assumes that those within an organisation's perimeter can be trusted.
"We at Akamai have identified four reasons to go to zero trust," said Greitser. "The first one is an increase in ransomware attacks. Zero trust is the best approach to handling ransomware attacks because once we assume breach, even if an attacker has managed to breach your network, they won't be able to move laterally, because with zero trust we segment the network in a way that an attacker will not be allowed anywhere other than the specific point of entry. The second one is the move to a distributed workforce. Working from everywhere has required us to adapt to new ways of approaching access and securing these workers. We also have the move to cloud computing, which requires new ways of securing."
The zero trust model helps organisations ensure that apps and their data remain protected by taking a "never trust, always verify" approach to application access.
However, with IT teams already overstretched or lacking the relevant resources or expertise, implementing zero trust may appear out of reach for some.
"I have a few tips that can facilitate and simplify the move to zero trust," said Greitser. "First, the most important thing for us is that you adopt a phased approach. You don't say 'I'm going to do zero trust on my entire network'. You don't need to do this. You should do it in stages. You start with the most critical applications, the crown jewels, and then gradually you extend it to the rest of the network. We at Akamai say: focus on quick wins, things that don't take a long time and don't require reshuffling your entire workforce. Take those quick wins and go from there."
"Next is to align your zero trust investment with your most pressing business needs. This goes hand-in-hand with the gradual approach. If you identify those needs, usually you won't need to rip and replace everything you have. Our approach is we want to integrate with your security stack. There's no reason to start everything afresh."
This article is sponsored by Akamai