Leo Taddeo|April 22, 2022

The CISA Zero Trust Maturity Model Series – Part 4: Application Workload

This is part four of a five-part series on the Cybersecurity and Infrastructure Agency’s (CISA) Zero Trust Maturity Model. The previous blogs covered the first three pillars (Identity, Device, and Network). This blog delves into pillar #4: Application Workload. And you can finish the series by reading the fifth blog installment on Data.

The recent warning issued by the National Security Agency (NSA), Department of Energy, CISA and the Federal Bureau of Investigation (FBI) about the discovery of a system designed to attack industrial facilities in the U.S. highlights the urgent need for organizations to move toward a Zero Trust security model to protect our nation’s most vital systems.

Last year, CISA released its Zero Trust Maturity Model, which reinforces the guidelines set forth by the U.S. Office of Management and Budget (OMB) in its final strategy for federal agencies to move toward a Zero Trust security architecture by the end of fiscal year 2024.

The maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload and Data) with each pillar having three stages of maturity (traditional, advanced and optimal). Today, we cover pillar #4: Application Workload.

Application security starts further down the stack

At a high level, agencies will have achieved the following in each stage of the Application Workload pillar:

  • Traditional: access based on local authorization; minimal integration with workflow; some cloud accessibility
  • Advanced: access based on centralized authentication; basic integration with application workflow
  • Optimal: access is authorized continuously; strong integration into application workflow

As agencies progress through the levels of maturity, we see a focus on the following areas:

  • What kind of access authorization is given at the application layer?
  • What kind of threat does that access create? How can agencies mitigate the threat against certain types of workloads?
  • How are applications accessed? Are they available via the internet (the optimal stage goal)?
  • How can agencies generate better analytics and reporting to help support improved protection and decision making?

As we look at these characteristics of advancing security in the Application Workload pillar, it’s important to remember that application security really starts further down the stack. And that tight integration with layers 3 and 4—Network and Transport, respectively, in the Open Systems Interconnection (OSI) stack—will help advance Zero Trust maturity. Put simply: you need to protect Layers 3 and 4 to protect layer 7 (the application layer).

Integration is key

In a Zero Trust model, if an organization only addresses layer 7 and not layers 3 and 4, it leaves common attack planes, such as the console, open to attack. And if it is using an older technology like a virtual private network (VPN) that doesn’t cloak the access—leaving the console exposed and vulnerable—or integrate into the total security profile, then an attacker does not need to get to the data layer to wreak havoc. They can seek the most open and exposed places, take over and blackmail the organization for access.

Integration between the application layer and network layer is critical. As organizations advance on their Zero Trust journeys, they should choose solutions that work together across these layers—because application security is not just about the application, it’s about what gets you to the application.

This is where Appgate SDP works exceptionally well. It enables secure access across any network including the common internet, which is considered a critical part of the Application Workload pillar. It obscures infrastructure, making the network invisible to attackers. It microsegments the network so users and devices only have access to the resources they are authorized to see.

Appgate SDP enables flexible, dynamic policy enforcement, allowing organizations to assess security posture throughout an interaction to continuously authorize access—an important feature of the optimal maturity level of this pillar. It enables organizations to tie all this functionality together so when they authorize access at the application layer, they can be confident they’re enabling a secure connection all the way up the stack.

Improved analytics spurs better decision making

Tight integration between the application and network layers also helps generate more useful threat data. If a user does something wrong at the application layer and your security tool there identifies the risk, should the connection at the network layer still exist? Probably not. If your Zero Trust technologies are connected across these layers, your threat vector intelligence becomes much stronger and you have a unified view that enables more automated protection.

Secure access via the public internet

At the optimal maturity level in this pillar, all agency applications should be directly accessible to users over the internet. This aligns with the Department of Defense’s (DoD) approved Cloud-Native Access Point (CNAP) architecture, which is designed to provide secure, authorized access to DoD resources in a commercial cloud environment, from anywhere on any device, by leveraging a Zero Trust approach to security. This reduces latency and provides a much better user experience.

In operating over the public internet, ensuring communication paths are not compromised is critical. To ensure that communications are safe from prying eyes, Appgate SDP leverages Mutual Transport Layer Security (mTLS) to confirm that the parties at the end of a network connection are who they claim to be—preventing man-in-the-middle attacks and enabling secure connections over the public internet.

Application security throughout the lifecycle

This pillar also notes that agencies should integrate application security testing throughout the development and deployment process, with regular automated testing of deployed applications.

As organizations are building more and more cloud-native applications, the development process can move very quickly, and security is often an afterthought. This pillar underscores the importance of baking security into the development process. If an organization is using tools for Zero Trust that can be deployed as code, as Appgate SDP can, then they can bake security more easily into their development and deployment processes, tearing down siloes that previously had a negative impact on application security.

As we’ve seen throughout this blog series, none of the pillars in the CISA Zero Trust Maturity Model stand alone. To advance on the maturity curve, agencies must choose security solutions that integrate across each layer to improve visibility, intelligence and their cybersecurity posture.

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit

Additional resources:

Blog: The CISA Zero Trust Maturity Model Series—Part 1: Start with Identity
Blog: The CISA Zero Trust Maturity Model Series—Part 2: Devices
Blog: The CISA Zero Trust Maturity Model Series—Part 3: Network
Blog: Federal march to Zero Trust security
Ebook: Zero Trust Network Access: Everything you need to know
Blog and Podcast: Zero Trust for critical infrastructure

Receive News and Updates From Appgate