Zero Trust in the Cloud: Best Practices and Potential Pitfalls – The New Stack

2022-08-01 15:04:18 | By: Ms. Joanna Lai

Architecturally speaking, cloud native applications are broken down into smaller components that are highly dynamic, distributed and ephemeral. Because each of these components is communicating with other components inside or outside the cluster, this architecture introduces new attack vectors that are difficult to protect against using a traditional perimeter-based approach.

A prudent way to secure cloud native applications is to find a way to reduce the number of attack vectors, and this is where the principles of zero trust come into play.

With today’s multicloud and hybrid-cloud environments, networks are no longer restricted to a clear perimeter with clearly defined borders to defend. And cyber criminals are taking advantage of this fact by tricking users and systems into providing unauthorized access.

While a lot of zero trust is focused on limiting access from users and devices, organizations are now also recognizing that in the world of distributed cloud native applications, workloads themselves are communicating with each other, and the same principles of zero trust need to be extended to cloud native applications.

Because traditional security methods such as network firewalls rely on fixed network addresses, which cloud native workloads do not have, they are insufficient to protect these workloads. Traditional methods simply cannot specify access controls at a granular workload level, which is essential for cloud native application security and compliance.

Zero trust is the better security posture here because the attack surface of cloud native applications is so large that it is difficult to secure with perimeter controls alone.

With this in mind, let’s look at some zero-trust implementation best practices and potential pitfalls.

While there are many ways to implement zero trust in the cloud, I see the following as top best practices for implementing zero trust for your workloads.

While there is a lot of focus on zero-trust network access (ZTNA), many organizations ultimately forget that the definition of a network itself has changed substantially in the world of cloud native architectures. In fact, I would go so far as to say that the traditional network no longer exists in the cloud.

So if you’re applying zero trust controls via network firewalls or network-based WAF, you are leaving a large portion of your workloads unsecured and vulnerable. That’s why zero trust needs to be extended all the way to individual workloads to protect against attacks.

But you shouldn’t stop at extending zero trust to workloads to control access for users and devices — applications themselves are also communicating with other applications. So unless you implement the same principles of zero trust at the application level (for instance, specify in your DNS policy that a particular microservice can communicate with a particular website or third-party API), your workloads could be compromised.

By using a workload’s identity to allow/deny communication, organizations can implement zero-trust security measures to secure communication between workloads.
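As an added illustration of the workload-identity and DNS-policy approach described above (not code from the article), the following Calico policy pair gives every pod in a namespace a default-deny egress stance and then lets only pods carrying one identity label reach a single external API over HTTPS. It assumes a Calico Enterprise/Cloud cluster with DNS policy enabled (the `destination.domains` field); the namespace, labels and domain name are constructed placeholders.

```yaml
# Added example, not from the article. Assumes Calico Enterprise/Cloud
# DNS policy (projectcalico.org/v3 NetworkPolicy with destination.domains).
# Namespace "checkout", label app=payment-svc and the domain are placeholders.
---
# 1. Default-deny egress for every workload in the namespace: no implicit trust.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: checkout
spec:
  order: 1000            # evaluated last; specific allow policies come first
  selector: all()
  types:
    - Egress
  egress:
    # DNS lookups must stay open, otherwise the domain rule below can never match.
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns'
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports: [53]
    - action: Deny       # everything else leaving the namespace is dropped
---
# 2. Identity-based allow: only pods whose identity is app=payment-svc may
#    reach the payment provider's API, and only on TCP/443.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: payment-svc-egress
  namespace: checkout
spec:
  order: 100             # lower order wins, so this is checked before the deny
  selector: app == 'payment-svc'
  types:
    - Egress
  egress:
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - 'api.payments.example'   # placeholder third-party API hostname
        ports: [443]
```

A pod in the namespace without the `app=payment-svc` label falls through the first policy without a match and hits the `Deny` in the second, so the allow is tied to workload identity rather than to a network address.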

Check out this free zero-trust maturity assessment tool to see how you’re doing with your zero-trust security posture for cloud native workloads.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Tigera.