Zero trust: there is more than one attack surface

A woman at a laptop with a floating image of zero-trust image profiles.
(Image credit: iStock)

The security of your home will improve significantly when you complement the lock on your front door with an alarm and video surveillance system that tracks everyone knocking at your door, passing through it, and moving around your house. But this will not stop criminals from breaking your windows and quickly grabbing everything within reach, trying to manipulate and deactivate your alarm system remotely, or watching your every move to gather sensitive information. Similarly, a zero-trust network architecture (ZTNA) is an important first step to enhance business security, but a comprehensive zero-trust strategy requires taking additional steps.

Perimeter 81 is a Forrester New Wave™ ZTNA Leader 

Perimeter 81 is a Forrester New Wave™ ZTNA Leader 

Ditch your legacy VPN hardware and automate your network security with ZTNA.  Secure remote access from anywhere with just a few clicks. Onboard your entire organization in minutes, not days. Learn why Perimeter 81 is one of TechRadar's choices for the best ZTNA security providers. Download the report.

About the author

Chris Mayers, Chief Security Architect at Citrix.

ZTNA closes the door on network-level attacks that would otherwise endanger business processes. It secures the access paths to critical business resources – on-premise or in the cloud – by employing multi-factor authentication, machine learning-based analysis, and continuous monitoring. However, in many companies, the network isn’t the weakest link: the vast majority of reported vulnerabilities are found in applications, not in the network. Some of these weaknesses are well known and have been around for years, others are a result of the new ways of work and of consumerization.

So, businesses must think beyond ZTNA and consider application security, too. A good start is fixing the most critical known application flaws. In a world that is gradually moving away from monolithic applications to cloud-based micro service architectures, it makes sense not only to focus on in-house applications, but also on the new public cloud- or hybrid cloud-based micro services. 

In securing apps and micro-services, artificial intelligence and machine learning are powerful tools to detect sophisticated attacks including zero-day attacks much faster than human intervention alone ever could. Another critical building block for application security is a web application firewall (WAF). In the age of the hybrid cloud, the WAF should be just as easily deployed on-premises as in the cloud – and it should provide low latency along with high performance, guaranteeing a frictionless user experience in spite of continuous security monitoring happening in the background.

Another increasingly critical attack surface is application programming interfaces (APIs). APIs are universally used to allow applications to communicate with each other and to automate cross-application workflows. Therefore, APIs provide access to a wealth of company data. Leaving them unprotected means putting critical data, and ultimately business itself, at risk – and without API monitoring, data exfiltration may even remain unnoticed. In addition to data theft, there is also the risk of API abuse: overloading APIs can bring business to a halt.

API security

For solid API security, the first step is an inventory to discover unknown (or ‘shadow’) APIs, and enforcing company-wide API access control using standardized authentication mechanisms. In a next step, APIs can be protected from abuse by setting API call thresholds. Additionally, continuous monitoring collects important information regarding API usage, performance, errors, authentication failures, etc. Here, too, machine learning provides a powerful mechanism to gain insights, protect APIs, and enforce their desired state. By protecting APIs, authorities, for example, can define rules to reject any requests that originate from other countries, reducing the potential for abuse. Companies and service providers across industries can prevent their applications being slowed down – or even taken down – by excessive API traffic.

After closing the doors on application and API-level attacks, another important measure is banning malicious bots from the property. Not all bots are bad – many enterprises, for example, utilize chat bots and voice bots to handle incoming customer messages and calls. But adversaries use bot technologies as well: within minutes of going online, a new business site will be scanned by malicious bots for weaknesses and information that can be harvested. According to security researchers, bots account for 38 percent of Internet traffic. This means that more than a third of the time, business applications are not serving customers.

To avoid this, the first step is to distinguish malicious bots from the harmless ones. This can be done by filtering out the bad bots based on reputation score, geolocation, or so-called bot fingerprinting – using multiple parameters to distinguish them from humans and check for anomalies in their behavior. Modern application delivery management (ADM) technologies help to do so, being able to identify even sophisticated bots. Therefore, bot mitigation technology is a critical component of online security. For example, it allows online retailers to be alerted whenever competitors are trying to automatically collect pricing information from their websites, while it improves the customer experience and cuts cost by minimizing unwanted bot traffic.


Zero trust is state-of-the-art in cybersecurity. But a zero-trust environment cannot be achieved by simply deploying a zero-trust network architecture: while ZTNA will fortify the front door to the company network, application security, API security, and bot mitigation will help to close windows of opportunity that may still be left open for attackers. Security is only as good as its weakest link, so companies need to employ a comprehensive zero-trust strategy to avoid putting their business at risk. Just like at home, the best approach is to be proactive – and not wait until a burglar is already in the house.

Chris Mayers, Chief Security Architect at Citrix.