Could the Zero Trust Model Have Mitigated the Drift Breach?

In May 2021, the U.S. federal government released an executive order aimed at improving the nation’s cybersecurity. The order directed federal agencies and contractors to strengthen their cybersecurity defenses by implementing a Zero Trust model and recommended that the private sector follow suit. Zero Trust has been a buzzword for a while, but why does it matter?

What is Zero Trust?

Zero Trust is a principle, as the name states. It’s a strategy that assumes no user, device, application, or service should be trusted by default. Created by John Kindervag, an industry analyst at Forrester, the concept centers on the belief that trust is a vulnerability, and that security frameworks must be designed around the strategy “Never trust, always verify,” the subject of a recent DigitSec blog. Zero Trust is an overarching cybersecurity framework built on the idea that every access is a potential breach. Zero Trust means no one in front of or behind the firewall is trusted.

Zero Trust assumes that every attempt to access your network is a threat until confirmed otherwise, adopting a “least privilege” access model and inspecting, logging, and auditing every network call, file access, and email. While traditional or perimeter network security focuses on building multiple layers of defenses to keep attackers out, Zero Trust calls for organizations to understand who every user is and what endpoint they’re coming from. Zero Trust draws on technologies such as multi-factor authentication, IAM, orchestration, analytics, encryption, scoring, and file system permissions.

Why does Zero Trust matter?

By adopting a Zero Trust mindset, businesses increase their capability to detect malicious threats and stop attackers before intrusion occurs. They also gain visibility into users, devices, and workloads across their environment, reducing the risk of cloud and container deployment and improving governance and compliance.

It also addresses more recent challenges, such as securing remote workers and hybrid cloud environments. One of the strategic goals of cybersecurity is to reduce the organization’s attack surface by allowing only authorized and authenticated users to access the network and its assets.

The Seven Pillars of Zero Trust

Application – The Forgotten Pillar?

Let’s focus on the Application pillar. A 2023 Forrester blog noted that many people treat appsec and Zero Trust as mutually exclusive. It went on to note that attackers often exploit applications, which are a top cause of breaches, and that DevSecOps is a necessity for the Zero Trust model. Although application security is part of the Zero Trust model, it has not been prioritized as highly as the other pillars within the framework.

The importance of application security, and the cost of not applying the Zero Trust model, were made public in March 2024 when HSE experienced a data breach on its COVID-19 vaccination portal built on Salesforce. According to HSE, development teams were under time pressure to get the portal up and running to meet the vaccination campaign timeline. If a Zero Trust model had been implemented, cybersecurity and development teams would have worked together to identify vulnerabilities and mitigate risk. This is a classic example of how threat actors exploit vulnerabilities to exfiltrate valuable PII and place users at risk.

Zero Trust and the Drift Breach

The Drift Breach shows why organizations must embrace Zero Trust Architecture (ZTA) to prevent advanced attacks that bypass traditional security.

First, let’s briefly summarize the Drift Breach for context:

  • The Attack: Attackers compromised a SaaS platform called Drift, which was used by an organization for internal employee communications.
  • The Technique: They stole the session cookies of Okta employees from the compromised Drift environment. These cookies were still valid and active.
  • The Breach: The attackers used these stolen cookies to impersonate the authenticated employees and gain access to the organization’s internal systems, including its customer support case management system. This led to a further breach of customer data.

This attack completely bypassed traditional perimeter-based security—not by stealing a password or exploiting a network vulnerability, but by leveraging valid, authenticated sessions. Zero Trust mitigates such threats by requiring ongoing validation of user identity and device health, limiting lateral movement, and ensuring that access to sensitive data is tightly controlled. This exposes a critical flaw in legacy security approaches and underscores why adopting Zero Trust is not just an option, but a necessity for organizations serious about protecting their assets.

The Drift Breach was a classic case of over-trusting an authenticated session. Zero Trust Architecture fundamentally solves this by:

  • Eliminating implicit trust based on network location.
  • Continuously validating every access request based on user identity, device health, and other contextual signals.
  • Enforcing least privilege to ensure that even if one credential is compromised, the attacker’s movement is severely restricted.

In a mature Zero Trust environment, the stolen cookies from the Drift breach would have been useless to the attackers, effectively neutralizing the attack.
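To make the three points above concrete, here is an added example (not code from this post or from DigitSec) of a session store that treats the cookie as only one input to each access decision: the session is bound to the device it was issued to, must pass a posture check, must be re-verified on a fixed interval, and carries only the scopes it was granted. The session lifetimes, the `device_id` fingerprint and the `support:read` scope are assumed values for illustration.

```python
import secrets
from dataclasses import dataclass

SESSION_TTL = 8 * 3600        # absolute session lifetime in seconds (assumed value)
REVERIFY_INTERVAL = 15 * 60   # identity must be re-proven this often (assumed value)


@dataclass
class Session:
    user: str
    device_id: str              # fingerprint of the device the session was issued to
    scopes: frozenset           # least privilege: the only resources this session may touch
    issued_at: float
    last_verified: float        # last time the user passed a fresh identity check


class ZeroTrustSessionStore:
    """Every request is re-evaluated; possessing the token alone never grants access."""

    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def issue(self, user, device_id, scopes, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, device_id, frozenset(scopes), now, now)
        return token

    def reverify(self, token, now):
        """Record that the user just passed a fresh MFA / identity check."""
        if token in self.sessions:
            self.sessions[token].last_verified = now

    def authorize(self, token, device_id, device_healthy, scope, now):
        """Decide one access request; returns (allowed, reason)."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown session"
        if now - s.issued_at > SESSION_TTL:
            self.sessions.pop(token)            # expired: revoke outright
            return False, "session expired"
        if not secrets.compare_digest(s.device_id, device_id):
            self.sessions.pop(token)            # presented from a different device: revoke
            return False, "device mismatch"
        if not device_healthy:
            return False, "device failed posture check"
        if now - s.last_verified > REVERIFY_INTERVAL:
            return False, "reverification required"
        if scope not in s.scopes:
            return False, "scope not granted"
        return True, "ok"
```

A token presented from any device other than the one it was issued to is rejected and revoked, which is the property that would have made a copied cookie worthless; in a real deployment the device fingerprint would come from an attested endpoint agent rather than a client-supplied string.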

How DigitSec Can Help Deliver Zero Trust to Salesforce Application Development

DigitSec is a comprehensive Salesforce code and config security scanning platform that is easy to use, delivers immediate value, and provides a positive business impact. DigitSec is an ideal solution for cybersecurity teams and developers to find security vulnerabilities, recommend corrective action before deployment, and enable faster delivery of secure applications. DigitSec is SOC 2 Type 2 compliant, following internal best practices of security controls, policies, and procedures.

To find out how organizations can secure the forgotten pillar and mitigate the risk of emerging threats in Salesforce application development, visit us at www.digitsec.com or email us at sales@digitsec.com.


Byron Rashed

Mr. Rashed has marketed products, solutions, and services for network hardware and software, SaaS, sustainability, application security, and Dark Web operatively sourced threat intelligence organizations. As Vice President of Product Marketing for DigitSec, he is responsible for GTM marketing and PR functions and is part of the senior management team.
