CISA Zero Trust Maturity Model for the applications and workloads pillar

This section has Microsoft guidance and recommendations for CISA Zero Trust Maturity Model in the applications and workloads pillar.

4 Applications and workloads

According to the CISA definition, applications and workloads include enterprise systems, computer programs, and services that execute on-premises, on mobile devices, and in cloud environments.


4.1 Function: Application access

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise begins to implement authorizing access capabilities to applications that incorporate contextual information (e.g., identity, device compliance, and/or other attributes) per request with expiration.
Microsoft Entra ID applications
Adopt Microsoft Entra ID as the enterprise identity provider (IdP). Establish policy to use Microsoft Entra ID for new applications. Authorize application access with user and group assignment to applications. Microsoft Entra ID implements industry-standard protocols; combined with Microsoft Entra Conditional Access, it incorporates contextual information per request with an expiration.
- Integrate Microsoft Entra ID and apps
- Tokens and claims
- Assign users and groups to an app

Conditional Access
Use device signals such as location in Conditional Access policies for security decisions. Use filters based on device attributes to include devices in, or exclude them from, policies.
- Conditions
- Filter for devices

Advanced Maturity Status

Enterprise automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles.
Conditional Access
Automate application access decisions with Conditional Access policies that meet enterprise requirements. Conditional Access is the policy decision point (PDP) for application or resource access. Expand the contextual information about devices used in access decisions. Require compliant devices or Microsoft Entra hybrid joined devices. Use grant controls to ensure access is only from known or compliant devices.
- Conditional Access
- Device-based policy
- Microsoft Entra hybrid join

Increase automated application access decisions with expanded contextual information. Configure Conditional Access policies for applications, protected actions, and authentication. Customize expiration conditions with sign-in frequency session control.
- Protected actions
- Authentication developer guide
- Conditional Access: Session

Microsoft Intune
Register devices with Microsoft Entra ID and manage configuration with Intune. Assess device compliance with Intune policies.
- Registered devices
- Device policy compliance

Microsoft Defender for Cloud Apps
Monitor and control sessions to cloud applications with Defender for Cloud Apps.
- Protect apps
- Session policy
- Risky action authentication

Configure policy for app hygiene: unused apps, unused credentials, and expiring credentials.
App governance features

Microsoft Entra app roles
Design app authorization and permissions models with app roles. To delegate app management, assign owners who manage app configuration, register apps, and assign app roles.
Application roles

Optimal Maturity Status

Enterprise continuously authorizes application access, incorporating real-time risk analytics and factors such as behavior or usage patterns.
Microsoft Entra ID Protection
ID Protection assesses user and sign-in risk level. In the Microsoft Defender XDR suite, real-time and offline detections determine aggregate risk level. To enforce risk-based adaptive access policies, use risk conditions in Conditional Access policies.
- ID Protection
- Risk in ID Protection

Continuous access evaluation
The continuous access evaluation (CAE) mechanism enables applications to respond to policy violations in near-real-time without a wait for token expiration. Applications that support CAE respond to critical events, including a user flagged for high user risk in ID Protection.
CAE overview

Global Secure Access
To reduce the risk of token theft and replay attacks, configure compliant network enforcement that works with services supporting CAE. In near-real-time the app rejects stolen access tokens replayed outside the tenant compliant network. 
- Global Secure Access
- Microsoft Entra Internet Access
- Compliant network check
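
The Conditional Access guidance for the three application-access stages above, expressed as the Microsoft Graph v1.0 conditionalAccessPolicy request bodies an administrator would POST to /identity/conditionalAccess/policies, with a pre-flight lint for the mistakes that lock a tenant out. This is an added example in Python, not Microsoft's code; the break-glass account and named-location GUIDs are constructed placeholders, and the policy names and lint rules are the example's own.

```python
"""Microsoft Graph conditionalAccessPolicy bodies for the application-access stages.

Added example, not Microsoft's code. Bodies follow the Graph v1.0
conditionalAccessPolicy resource and are POSTed to
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
All GUIDs below are constructed placeholders.
"""
import json

# Constructed placeholders: replace with object IDs from your own tenant.
BREAK_GLASS_ACCOUNTS = ["11111111-1111-1111-1111-111111111111"]
TRUSTED_LOCATION_ID = "22222222-2222-2222-2222-222222222222"


def base_policy(display_name):
    """Skeleton shared by every policy: all users and apps, break-glass accounts
    excluded, and report-only state so the impact can be reviewed before enforcement."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_ACCOUNTS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": []},
    }


def sign_in_frequency(hours):
    """Session control that forces re-authentication after the given number of hours."""
    return {"signInFrequency": {"value": hours, "type": "hours",
                                "frequencyInterval": "timeBased", "isEnabled": True}}


def initial_stage_policy():
    """Initial: per-request context (location, device attributes) with an expiry.
    MFA outside the trusted location; compliant devices are filtered out of scope."""
    p = base_policy("ZT 4.1 Initial - MFA outside trusted network")
    p["conditions"]["locations"] = {"includeLocations": ["All"],
                                    "excludeLocations": [TRUSTED_LOCATION_ID]}
    p["conditions"]["devices"] = {
        "deviceFilter": {"mode": "exclude", "rule": "device.isCompliant -eq True"}}
    p["grantControls"]["builtInControls"] = ["mfa"]
    p["sessionControls"] = sign_in_frequency(12)
    return p


def advanced_stage_policy():
    """Advanced: require a compliant or Microsoft Entra hybrid joined device
    (operator OR means either control satisfies the policy) and a 1-hour session."""
    p = base_policy("ZT 4.1 Advanced - Require compliant or hybrid joined device")
    p["grantControls"] = {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]}
    p["sessionControls"] = sign_in_frequency(1)
    return p


def optimal_stage_policies():
    """Optimal: risk-based adaptive access from ID Protection signals.
    Two policies, because sign-in risk and user risk are separate conditions."""
    sign_in = base_policy("ZT 4.1 Optimal - Block high sign-in risk")
    sign_in["conditions"]["signInRiskLevels"] = ["high"]
    sign_in["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}

    user = base_policy("ZT 4.1 Optimal - High user risk requires password change")
    user["conditions"]["userRiskLevels"] = ["high"]
    # passwordChange is only valid together with mfa under operator AND.
    user["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return [sign_in, user]


def lint_policy(policy):
    """Pre-flight checks that catch common lockout and validity mistakes."""
    issues = []
    users = policy["conditions"]["users"]
    if "All" in users.get("includeUsers", []) and \
            not set(BREAK_GLASS_ACCOUNTS) <= set(users.get("excludeUsers", [])):
        issues.append("targets all users without excluding break-glass accounts")
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "block" in controls and len(controls) > 1:
        issues.append("'block' cannot be combined with other grant controls")
    if "passwordChange" in controls and ("mfa" not in controls or grant.get("operator") != "AND"):
        issues.append("passwordChange requires mfa with operator AND")
    if not controls and not policy.get("sessionControls"):
        issues.append("policy has neither grant nor session controls")
    return issues


def request_body(policy):
    """Serialize the policy for Graph; raises if the lint finds a problem."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for pol in [initial_stage_policy(), advanced_stage_policy(), *optimal_stage_policies()]:
        print(request_body(pol))
```

Every policy starts in the report-only state (enabledForReportingButNotEnforced); move it to enabled only after reviewing the report-only results in the sign-in logs. The OR operator in the advanced policy is what lets either a compliant device or a hybrid joined device satisfy the grant control, matching the "compliant devices or Microsoft Entra hybrid joined devices" guidance above.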

4.2 Function: Application threat protections

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise integrates threat protections into mission critical application workflows, applying protections against known threats and some application-specific threats.
Microsoft Entra ID
Put Microsoft Entra ID in the path of every access request. Implement policy that mandates mission critical applications are integrated with Microsoft Entra ID. Ensure threat protection is part of application workflows.
- Application management
- Add enterprise apps
- Migrate apps and authentication

Microsoft Defender for Cloud Apps
Configure Defender for Cloud Apps to detect and alert for risky OAuth apps. Investigate and monitor app permissions that users granted.
Risky OAuth apps

Azure Application Gateway
Deploy Azure apps and APIs behind Azure Application Gateway with Azure Web Application Firewall in prevention mode. Enable Open Web Application Security Project (OWASP) Core Rule Set (CRS).
Web Application Firewall

Microsoft Defender XDR
Defender XDR is an integrated pre- and post-breach defense suite that coordinates detection, prevention, investigation, and response actions across endpoints, identities, email, and applications.
- Defender XDR
- Set up XDR tools

Advanced Maturity Status

Enterprise integrates threat protections into all application workflows, protecting against some application-specific and targeted threats.
Microsoft Entra ID
Put Microsoft Entra ID in the path of access requests. Implement policy dictating apps are integrated with Microsoft Entra ID. Ensure threat protection is applied for all apps.
- Application management
- Add enterprise apps
- Migrate apps and authentication

Microsoft Entra Conditional Access, token protection
Enable token protection (token binding) in Conditional Access policy. Token protection reduces token theft attacks by ensuring tokens are usable only on the device they were issued to.
Token protection

Microsoft Entra application proxy
Use application proxy and Microsoft Entra ID for private apps using legacy authentication protocols. Deploy application proxy or integrate secure hybrid access (SHA) partner solutions. To extend protections, configure session policies in Microsoft Defender for Cloud Apps.
- Protect legacy apps
- Application proxy security considerations
- Create session policy

Microsoft Defender Vulnerability Management
Defender Vulnerability Management agentless scanners continuously monitor and detect risk. Consolidated inventories are a real-time view of software vulnerabilities, digital certificates using weak cryptographic algorithms, hardware and firmware weaknesses, and risky browser extensions on endpoints.
Defender Vulnerability Management

Defender for Cloud
Enable workload protections for application workloads. Use Defender for Servers P2 to onboard servers to Microsoft Defender for Endpoint and Defender Vulnerability Management for servers.
- Defender for App Service
- Defender for APIs
- Defender for Containers
- Defender for Servers

Microsoft Entra Workload ID Premium
To integrate threat protection into application workflows, configure identity protection for workload identities.
Secure workload identities

Optimal Maturity Status

Enterprise integrates advanced threat protections into all application workflows, offering real-time visibility, and content-aware protections against sophisticated attacks tailored to applications.
Microsoft Defender for Cloud Apps
Configure session control policies in Defender for Cloud Apps for real-time visibility and controls. Use file policies to scan content in real-time, apply labels, and restrict file actions.
- Cloud app visibility and control
- File policy

Defender XDR, Microsoft Sentinel
Integrate Defender XDR and Sentinel.
- Defender XDR
- Sentinel and Defender XDR for Zero Trust

Fusion in Sentinel
Fusion is a multistage attack detection analytics rule in Sentinel. Fusion has a machine-learning correlation engine that detects multistage attacks, or advanced persistent threats (APTs). It identifies anomalous behaviors and suspicious activities. Incidents are low-volume, high-fidelity, and high-severity.
- Multistage attack detection
- Customize anomalies
- Anomaly detection analytics rules

Global Secure Access
Ensure secure access to applications and resources, while continuously monitoring and managing user access in real-time. Integrate with Defender for Cloud Apps for visibility and control of software usage and security. Prevent sophisticated attacks such as stolen replayed tokens with the compliant network check for a tenant in Conditional Access. Support productivity and achieve location-based security checks. Prevent Security Service Edge (SSE) bypass for software as a service (SaaS) apps.
- Global Secure Access
- Compliant network check

4.3 Function: Accessible applications

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise makes some of their applicable mission critical applications available over open public networks to authorized users with need via brokered connections.
Microsoft Entra ID
Put Microsoft Entra ID in the path of access requests. Implement policy that mandates mission-critical apps are integrated with Microsoft Entra ID.
- Application management
- Add enterprise apps
- Migrate apps and authentication

Microsoft Azure
Migrate and modernize applications by bringing them into Azure.
- App migration
- Modernize apps and framework
- Build a migration plan

Microsoft Entra application proxy
Configure application proxy to publish internal mission-critical web applications, accessed over public network connections, by users authorized by Microsoft Entra ID.
- Application proxy
- Configure single sign-on (SSO) for apps

Microsoft Defender for Cloud Apps
To monitor and restrict sessions, use session policies to broker app connections with Defender for Cloud Apps.
- Defender for Cloud Apps
- Connect apps to Defender
- Create session policy

Microsoft Entra Conditional Access
Configure policy to authorize access to apps integrated with Microsoft Entra ID. Configure Conditional Access app control to require use of cloud access security brokers (CASBs) in Defender for Cloud Apps.
- Conditional Access
- Application control

Advanced Maturity Status

Enterprise makes most of their applicable mission critical applications available over open public network connections to authorized users, as needed.

Use the guidance in the Initial Maturity Status, and include the most mission-critical applications.

Optimal Maturity Status

Enterprise makes all applicable applications available over open public networks to authorized users and devices, where appropriate, as needed.
Use the guidance in the Initial Maturity Status, and include all applications.

Conditional Access
Configure Conditional Access policy that requires compliant devices for applications. Access for noncompliant devices is blocked.
Require compliant devices

4.4 Function: Secure application development and deployment workflow

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise provides infrastructure for development, testing, and production environments (including automation) with formal code deployment mechanisms through CI/CD pipelines and requisite access controls in support of least privilege principles.
Azure landing zones
Establish environments for development and enforce resource configuration policies with Azure Policy.
- Landing zones
- Azure Policy

Establish a formalized code deployment mechanism with continuous integration and continuous delivery (CI/CD) pipelines such as GitHub or Azure DevOps.

GitHub Enterprise
GitHub Enterprise tools support collaboration, security, and administration. Use features like unlimited repositories, project management capabilities, issue tracking, and security alerts. Control repository and project information while enhancing collaboration among teams. Streamline security policies and simplify administration with flexible deployment options.
GitHub Enterprise Cloud

Connect GitHub to Microsoft Entra ID for single sign-on (SSO) and user provisioning. To ensure least privilege principles, disable personal access tokens.
- Enterprise managed users
- Single sign-on (SSO) integration for GitHub Enterprise
- Enforce personal access token policy

Azure DevOps
Azure DevOps brings people, processes, and technology together to automate software delivery. It supports collaboration and processes to create and improve products faster than traditional development approaches. Use features like Azure Boards, Repos, Pipelines, Test Plans, and Artifacts. Streamline project management, version control, CI/CD, testing, and package management.
Azure DevOps

Connect an Azure DevOps organization to Microsoft Entra ID and ensure least privilege principles. Disable personal access tokens.
- Connect an organization to Microsoft Entra ID
- Manage personal access tokens with policy

Advanced Maturity Status

Enterprise uses distinct and coordinated teams for development, security, and operations while removing developer access to production environment for code deployment.
Microsoft Entra ID Governance
If your development and production subscriptions use the same Microsoft Entra tenant, assign role eligibility using access packages in entitlement management. Enable separation-of-duties checks so that a user can't hold access to both the development and the production environment.
Separation of duties

Access reviews
To remove developer access to a production environment, create an access review of the Azure roles assigned in the production subscription.
Create an access review

Optimal Maturity Status

Enterprise leverages immutable workloads where feasible, only allowing changes to take effect through redeployment, and removes administrator access to deployment environments in favor of automated processes for code deployment.
Azure DevOps release gates, approvals
Use release pipelines to continuously deploy applications across different stages, with lower risk and a faster pace. Automate deployment stages with jobs and tasks.
Release gates, checks, and approvals

Azure resource locks
To protect Azure resources from accidental deletion and modification, apply CanNotDelete and ReadOnly resource locks to subscriptions, resource groups, and individual resources.
Protect infrastructure with locked resources

GitHub Actions
With GitHub Actions, assign Azure roles to managed identities for continuous integration and continuous delivery (CI/CD). Configure jobs that reference an environment with required reviewers. Ensure jobs wait for approval before they start.
- Deploy with GitHub Actions
- Review deployments

Microsoft Entra Privileged Identity Management
Use PIM Discovery and Insights to identify privileged roles and groups. Manage discovered privileges and convert user assignments from permanent to eligible.
PIM Discovery and Insights

Access reviews
To reduce eligible administrators in a production environment, create an access review using Azure roles.
Azure resource-role access reviews

4.5 Function: Application security testing

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise begins to use static and dynamic (i.e., application is executing) testing methods to perform security testing, including manual expert analysis, prior to application deployment.
Microsoft Threat Modeling Tool
The Threat Modeling Tool is part of the Microsoft Security Development Lifecycle (SDL). Software architects use it to identify and mitigate security issues early, which reduces development costs. Find guidance to create and analyze threat models. The tool facilitates security design communication, analyzes potential security issues, and suggests mitigations.
- Threat Modeling Tool
- Getting started

Azure Marketplace developer tools
Follow secure application development practices. Use tools from the Azure Marketplace to assist with code analysis.
- Develop secure apps
- Azure Marketplace

GitHub Actions, Azure DevOps Actions
Use the CodeQL analysis engine to automate security checks in your continuous integration and continuous delivery (CI/CD) pipeline. GitHub Advanced Security for Azure DevOps is an application security testing service native to developer workflows.
- CodeQL scanning
- GitHub Advanced Security for Azure DevOps

Advanced Maturity Status

Enterprise integrates application security testing into the application development and deployment process, including the use of periodic dynamic testing methods.
GitHub Advanced Security
To enhance code security and development processes, use code scanning in Advanced Security and Azure DevOps.
- Advanced Security
- Advanced Security for Azure DevOps
- Code scanning

Microsoft Defender for Cloud
Enable workload protections for subscriptions with application workloads.
- Defender for Cloud
- Defender for Containers
- Defender for App Service

Defender for Cloud DevOps security
Use cloud security posture management (CSPM) features to protect applications and code in multi-pipeline environments. Connect organizations and assess your DevOps environment security configurations.
- Defender for Cloud DevOps security
- Connect Azure DevOps environments to Defender for Cloud

Optimal Maturity Status

Enterprise integrates application security testing throughout the software development lifecycle across the enterprise with routine automated testing of deployed applications.
Defender for Cloud DevOps security
Use cloud security posture management (CSPM) features to protect applications and code in multi-pipeline environments. Assess your DevOps environment security configurations.
- Defender for Cloud DevOps security
- Map container images
- Manage attack paths

4.6 Function: Visibility and analytics

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise begins to automate application profile (e.g., state, health, and performance) and security monitoring for improved log collection, aggregation, and analytics.
Azure Monitor
Configure Azure Policy to enable diagnostics and use Azure Monitor for application workloads deployed in Azure.
- Azure Monitor
- Azure Policy definitions

Azure Monitor Application Insights
Enable Application Insights to investigate application health, analyze logs, and view Azure app usage patterns.
Application Insights

Microsoft Defender for Cloud
Enable Defender for Cloud for Azure and multicloud environments. Use Microsoft Secure Score to identify gaps and improve the security posture.
- Defender for Cloud
- Secure score

Advanced Maturity Status

Enterprise automates profile and security monitoring for most applications with heuristics to identify application-specific and enterprise-wide trends and refines processes over time to address gaps in visibility.
Defender for Cloud
Use Microsoft Secure Score to assess and improve your cloud security posture. Use risk prioritization to remediate important security issues. Deploy monitoring components to collect data from Azure workloads and monitor vulnerabilities and threats.
- Defender for Cloud
- Data collection from workloads
- Secure score
- Risk prioritization

Microsoft Sentinel
Connect Defender for Cloud to Sentinel.
Ingest alerts to Sentinel

Optimal Maturity Status

Enterprise performs continuous and dynamic monitoring across all applications to maintain enterprise-wide comprehensive visibility.
Defender for Cloud
Integrate infrastructure and platform workloads with Defender for Cloud, including resources in non-Microsoft cloud and on-premises. Maintain comprehensive enterprise-wide visibility.
- Connect on-premises servers
- Connect Amazon Web Services (AWS) Accounts
- Connect Google Cloud Platform (GCP) Projects

Defender for Cloud workload protections
Enable workload protections for your application workloads.
- Defender for App Service
- Defender for APIs
- Defender for Containers
- Defender for Servers

4.7 Function: Automation and orchestration

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise periodically modifies application configurations, including location and access, to meet relevant security and performance goals.
Azure Resource Manager
Azure Resource Manager (ARM) is the deployment and management service for Azure. Automate configuration changes using ARM templates and Azure Bicep.
- ARM overview
- ARM templates
- Bicep

Advanced Maturity Status

Enterprise automates application configurations to respond to operational and environmental changes.
Azure App Configuration
Manage application settings and feature flags from a central location.
Azure App Configuration

Azure App Service
Use deployment slots to test deployed apps in production and to respond to operational and environmental changes.
Stage environments

Microsoft Defender for Cloud
Use Microsoft Secure Score to assess and improve your cloud security posture. Use Defender for Cloud remediation capabilities.
Remediate recommendations

Optimal Maturity Status

Enterprise automates application configurations to continuously optimize for security and performance.
Azure Chaos Studio
Use Azure Chaos Studio for chaos engineering to help measure, understand, and improve cloud application and service resilience. Integrate Azure Load Testing and Azure Chaos Studio into workload development cycles.
- Azure Chaos Studio
- Continuous validation

4.8 Function: Governance

CISA ZTMM stage | Description | Microsoft guidance and recommendations
Initial Maturity Status

Enterprise begins to automate policy enforcement for application development (including access to development infrastructure), deployment, software asset management, ST&E at technology insertion, patching, and tracking software dependencies based upon mission needs (for example, with Software Bill of Materials).
GitHub Actions
Standardize DevSecOps processes for a software bill of materials (SBOM) with a continuous integration and continuous delivery (CI/CD) pipeline.
- GitHub Actions
- Generate SBOMs

Use GitHub Dependabot and CodeQL to automate security checks and scan for dependency vulnerabilities.
- Code scanning
- Secure supply chain

GitHub Actions, Azure DevOps Actions
Use CodeQL to automate security checks with your CI/CD pipeline. GitHub Advanced Security for Azure DevOps is an application security testing service native to developer workflows.
- Code scanning
- GitHub Advanced Security for Azure DevOps

Software bill of materials generation tool
Use the build-time SBOM generator that works across operating systems: Windows, Linux, and macOS. It uses the standard Software Package Data Exchange (SPDX) format.
- Open sourced SBOM generation tool
- SBOM tool on GitHub
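
To show what "tracking software dependencies" with an SBOM looks like in practice, here is an added Python example, not Microsoft's or the SBOM tool's code. It reads an SPDX 2.2 JSON document of the shape a build-time generator produces, walks its DEPENDS_ON relationships from the described root package, and reports every package whose purl matches an advisory, together with the dependency chain that introduced it. The SBOM document, the package names and the advisory entries are constructed for illustration; a real pipeline would read the generated SPDX file and query a vulnerability feed such as OSV or the GitHub Advisory Database.

```python
"""Read an SPDX 2.2 JSON SBOM and report dependencies that match an advisory list,
with the dependency chain that pulled each one in.

Added example, not Microsoft's or the SBOM tool's code. The SBOM document,
the package names and the advisories are all constructed for illustration.
"""
import json
from collections import deque

# Constructed SBOM in SPDX 2.2 JSON shape: one root package, three dependencies.
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "contoso-web 1.4.0",
  "documentNamespace": "https://sbom.example.test/contoso-web/1.4.0",
  "packages": [
    {"name": "contoso-web", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.4.0",
     "externalRefs": []},
    {"name": "acme-http", "SPDXID": "SPDXRef-Package-acme-http", "versionInfo": "3.0.2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/acme-http@3.0.2"}]},
    {"name": "acme-json", "SPDXID": "SPDXRef-Package-acme-json", "versionInfo": "1.2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/acme-json@1.2.0"}]},
    {"name": "acme-log", "SPDXID": "SPDXRef-Package-acme-log", "versionInfo": "2.1.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/acme-log@2.1.0"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-RootPackage",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-acme-http",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-acme-log",
     "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-Package-acme-http", "relatedSpdxElement": "SPDXRef-Package-acme-json",
     "relationshipType": "DEPENDS_ON"}
  ]
}"""

# Constructed advisories; a real feed (OSV, GitHub Advisory Database) supplies these.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_type": "npm", "name": "acme-json", "affected": "<1.2.5"},
    {"id": "ADV-EXAMPLE-0002", "purl_type": "npm", "name": "acme-log", "affected": ">=1.0.0 <2.0.0"},
]


def load_sbom(text):
    return json.loads(text)


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def version_matches(version, spec):
    """True when version satisfies every clause of a space-separated range like '>=1.0.0 <2.0.0'."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
           ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}
    v = version_tuple(version)
    for clause in spec.split():
        op = clause[:2] if clause[:2] in ops else clause[:1]
        if not ops[op](v, version_tuple(clause[len(op):])):
            return False
    return True


def parse_purl(locator):
    """Split 'pkg:npm/name@version' into (type, name, version)."""
    ptype, rest = locator[len("pkg:"):].split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ptype, name, version


def dependency_paths(sbom):
    """BFS over DEPENDS_ON from the DESCRIBES root; returns {SPDXID: [names along the chain]}."""
    names = {p["SPDXID"]: p["name"] for p in sbom["packages"]}
    children, root = {}, None
    for rel in sbom["relationships"]:
        if rel["relationshipType"] == "DESCRIBES":
            root = rel["relatedSpdxElement"]
        elif rel["relationshipType"] == "DEPENDS_ON":
            children.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    paths, queue = {root: [names[root]]}, deque([root])
    while queue:
        node = queue.popleft()
        for child in children.get(node, []):
            if child not in paths:  # first visit is the shortest chain
                paths[child] = paths[node] + [names[child]]
                queue.append(child)
    return paths


def find_affected(sbom, advisories):
    """One finding per (package, advisory) match, with the chain that introduced the package."""
    paths, findings = dependency_paths(sbom), []
    for pkg in sbom["packages"]:
        for ref in pkg.get("externalRefs", []):
            if ref["referenceType"] != "purl":
                continue
            ptype, name, version = parse_purl(ref["referenceLocator"])
            for adv in advisories:
                if adv["purl_type"] == ptype and adv["name"] == name \
                        and version_matches(version, adv["affected"]):
                    findings.append({"advisory": adv["id"], "package": f"{name}@{version}",
                                     "path": paths.get(pkg["SPDXID"], [pkg["name"]])})
    return findings


if __name__ == "__main__":
    for f in find_affected(load_sbom(SBOM_JSON), ADVISORIES):
        print(f"{f['advisory']}: {f['package']} via {' -> '.join(f['path'])}")
```

The chain in each finding is what makes the result actionable: acme-json is not a direct dependency of contoso-web, so the fix is to update acme-http (or override the transitive version), which the flat package list alone would not tell you.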

Advanced Maturity Status

Enterprise implements tiered, tailored policies enterprise wide for applications and all aspects of the application development and deployment lifecycles and leverages automation, where possible, to support enforcement.
Azure Policy
Help enforce standards and assess compliance. See the compliance dashboard for an aggregated view of the environment.
Azure Policy

Microsoft Defender for Cloud
Protect Azure and non-Azure workloads with Defender for Cloud. Use regulatory compliance and Azure Policy to assess infrastructure continuously against configuration standards. Prevent configuration drift.
- Assign security standards
- Multicloud environments

Management groups
Use management groups to help enforce access policies and compliance for Azure subscriptions.
Subscriptions and management groups

Optimal Maturity Status

Enterprise fully automates policies governing applications development and deployment, including incorporating dynamic updates for applications through the CI/CD pipeline.
Defender for Cloud
Deploy monitoring components to collect data from Azure workloads and monitor vulnerabilities and threats.
- Defender for Cloud
- Data collection from workloads

Policy in Defender for Cloud consists of standards and recommendations to help improve your cloud security posture. Standards define rules, compliance conditions for those rules, and actions when conditions aren't met.
Security policy

Infrastructure as Code
Use continuous integration and continuous delivery (CI/CD) to deploy IaC with GitHub Actions.
Azure infrastructure with GitHub Actions

Azure Policy
To deploy Azure Policy as code, define, test, and deploy policy definitions through a pipeline.
Policy as code workflows
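
One way to "define, test, and deploy" a policy definition in a pipeline is to evaluate it locally against representative resource records before it is assigned. The following is an added example in Python, not Microsoft's code or the Azure Policy engine: it implements a subset of the policyRule condition language (field, equals, notEquals, in, notIn, exists, like, allOf, anyOf, not) and applies a constructed deny definition to constructed resources. Alias resolution is simplified to a flat dictionary lookup, so this is a unit test of rule logic, not a substitute for a compliance scan.

```python
"""Unit-test an Azure Policy definition locally before it is assigned.

Added example, not Microsoft's code or the Azure Policy engine. It evaluates a
subset of the policyRule condition language against constructed resource
records. String comparison is case-insensitive, as in the service; aliases are
looked up as flat keys instead of being resolved against the ARM resource model.
"""
import fnmatch

# Constructed policy definition in the Azure Policy definition JSON shape.
DENY_INSECURE_WORKLOADS = {
    "properties": {
        "displayName": "Deny insecure storage, disallowed regions and untagged resources",
        "mode": "Indexed",
        "parameters": {
            "allowedLocations": {"type": "Array", "defaultValue": ["eastus", "westeurope"]}
        },
        "policyRule": {
            "if": {"anyOf": [
                {"allOf": [
                    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                    {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                     "notEquals": "true"},
                ]},
                {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                {"field": "tags['owner']", "exists": "false"},
            ]},
            "then": {"effect": "deny"},
        },
    }
}


def _norm(value):
    """Azure Policy compares values as case-insensitive strings; booleans become 'true'/'false'."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def _resolve(value, params):
    """Expand the [parameters('name')] template expression; other values pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _field(resource, name):
    """Resolve a field or alias: tags['x'] reads the tag map, everything else is a flat key."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def evaluate_condition(cond, resource, params):
    """Recursively evaluate one condition object from a policyRule."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = _norm(_field(resource, cond["field"]))
    if "exists" in cond:
        return (actual is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in _resolve(cond["notIn"], params)]
    if "like" in cond:
        return actual is not None and fnmatch.fnmatchcase(actual, _norm(cond["like"]))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource):
    """Effect that would apply to the resource, or 'compliant' when the rule does not match."""
    props = definition["properties"]
    params = {k: v.get("defaultValue") for k, v in props.get("parameters", {}).items()}
    rule = props["policyRule"]
    if evaluate_condition(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return "compliant"


def evaluate_all(definition, resources):
    return {name: evaluate(definition, res) for name, res in resources.items()}


# Constructed resource records, flattened the way the evaluator expects them.
SAMPLE_RESOURCES = {
    "stgood": {"type": "Microsoft.Storage/storageAccounts", "location": "EastUS",
               "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True,
               "tags": {"owner": "appteam"}},
    "sthttp": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
               "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False,
               "tags": {"owner": "appteam"}},
    "vmfar": {"type": "Microsoft.Compute/virtualMachines", "location": "centralus",
              "tags": {"owner": "appteam"}},
    "vmnotag": {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {}},
}


if __name__ == "__main__":
    for name, effect in evaluate_all(DENY_INSECURE_WORKLOADS, SAMPLE_RESOURCES).items():
        print(f"{name}: {effect}")
```

Run as a pipeline step, a table like SAMPLE_RESOURCES becomes the regression suite for the definition: a change to the rule that starts denying the known-good record or stops denying the known-bad ones fails the build before the definition reaches a management group.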

Next steps

Configure Microsoft Cloud Services for the CISA Zero Trust Maturity Model.