# Acting on NSA Zero Trust Guidance for Applications and Workloads

By [Jason Williams](https://www.paloaltonetworks.com/blog/author/jason-williams/?ts=markdown "Posts by Jason Williams"), Jun 05, 2024, 5 minutes

Categories: [Cloud Native Application Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-native-application-platform/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/category/zero-trust-security/?ts=markdown). Tags: [Code to Cloud](https://www.paloaltonetworks.com/blog/tag/code-to-cloud/?ts=markdown), [NSA](https://www.paloaltonetworks.com/blog/tag/nsa/?ts=markdown)

![The seven pillars of Zero Trust (source: National Security Agency)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322425-1.png)

Figure 1: The seven pillars of Zero Trust (source: [National Security Agency](https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3791171/nsa-releases-guidance-on-the-visibility-and-analytics-pillar-of-zero-trust/))

The U.S. National Security Agency (NSA) recently published the cybersecurity information sheet [*Advancing Zero Trust Maturity Throughout the Application and Workload Pillar*](https://media.defense.gov/2024/May/22/2003470825/-1/-1/0/CSI-APPLICATION-AND-WORKLOAD-PILLAR.PDF). For many years, the cybersecurity industry has made advancements in securing networks, users and data with the "never trust, always verify" process. What I find interesting about this document is that the NSA acknowledges the need to expand beyond traditional Zero Trust pillars and shift toward securing cloud-native applications.

[Seventy-one percent of organizations acknowledge that rushed application deployments introduce security vulnerabilities](https://www.paloaltonetworks.com/state-of-cloud-native-security?ts=markdown). It's essential to design a Zero Trust architecture that secures applications from the first line of code to runtime in the cloud. Furthermore, 84% say that security processes cause delays in software development. With this in mind, security must protect applications without hindering developer productivity.

Here are some key takeaways from the NSA's guidance and what you can do to apply its recommendations without slowing down development.

## Secure by Design

At Palo Alto Networks, we recognize the importance of [securing applications by design](https://www.paloaltonetworks.com/blog/prisma-cloud/vulnerability-management-innovation/?ts=markdown). We're thrilled to see that the NSA considers this important too. But what does *secure by design* really mean?

Traditionally, securing applications only meant protecting the digital assets that run in the cloud, such as compute, data, networks and identities.
Meanwhile, the application lifecycle begins with code written by developers, which means that security risks can be introduced before applications ever run. According to the guidance document, "Most organizations rely on software and code from sources that could contain vulnerabilities or malicious injected functionality. Having secure software that can be relied on to perform its intended functions and not be exploited to perform malicious operations is just as important, if not more important, as securing the provided software." The NSA goes on to say, "The ZT model recommends adopting the DevSecOps framework and utilizing the continuous integration/continuous delivery (CI/CD) approach for organizations that develop applications to ensure secure development and deployment."

Palo Alto Networks believes a series of controls help secure applications by design:

* **Secure the code:** Enable developers to fix flaws in code repos, such as [infrastructure as code (IaC)](https://www.paloaltonetworks.com/cyberpedia/what-is-iac?ts=markdown) misconfigurations, open-source vulnerabilities and exposed secrets.
* **Secure the pipeline:** Protect the pipeline that delivers the software by mitigating the [OWASP Top 10 CI/CD Security Risks](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown) and remediating hidden attack paths.
* **Secure the supply chain:** Govern the entire engineering ecosystem, from coding languages to CI/CD platforms, and generate [software bills of materials (SBOMs)](https://www.paloaltonetworks.com/cyberpedia/what-is-software-bill-materials-sbom?ts=markdown).

![Secure applications by design from code to pipeline to the supply chain.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322425-2.png)

Figure 2: Secure applications by design from code to pipeline to the supply chain.
## Principle of Least Privilege

Nearly all cyber breaches have one thing in common: adversaries taking advantage of excessive privileges for lateral movement. Perhaps that's why applying the [principle of least privilege (PoLP)](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access?ts=markdown) is essential to any [Zero Trust](https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture?ts=markdown) strategy. According to the recommendations outlined in the NSA guidance, "Follow PoLP, ensuring users and applications receive only the minimum level of access required to perform their jobs."

Applying least-privileged access isn't always an easy task. Security teams need to understand how users and applications actually behave before enforcing policies; otherwise, they risk disrupting applications or hindering productivity. [Identity and access management (IAM)](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown) complexity grows by an order of magnitude in the cloud, because workloads (or machines) have identities of their own and cloud infrastructure changes constantly.

[Cloud infrastructure entitlement management (CIEM)](https://www.paloaltonetworks.com/cyberpedia/what-is-ciem?ts=markdown) technologies emerged to help security teams apply PoLP across multicloud infrastructure. CIEM tools provide visibility into identities and access, recommend narrower privileges based on learned access behavior, and remediate excessive permissions.
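The core CIEM step described above, compare what an identity has been granted with what it actually used during an observation window and recommend the minimum set, as an added example that is not Palo Alto Networks, Prisma Cloud or NSA code. The IAM action catalog, the attached policy, the role ARN and the CloudTrail-style event records are all constructed, and the mapping from event source and name to an IAM action is simplified (real CloudTrail event names do not always correspond 1:1 to action names).

```python
"""Rightsize a workload identity's permissions from observed access.

Added example (not Palo Alto Networks, Prisma Cloud or NSA code). All inputs
below are constructed: a subset of an IAM-style action catalog, a deliberately
broad policy attached to an application role, and CloudTrail-style events
collected over the observation window.
"""
import fnmatch
import json
from collections import Counter

# Constructed subset of an action catalog (a real tool loads the provider's full list).
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
]

# Unused grants of these actions are the ones to remediate first (constructed list).
HIGH_RISK = {"iam:CreateUser", "iam:AttachUserPolicy", "s3:PutBucketPolicy",
             "ec2:RunInstances", "ec2:TerminateInstances"}

APP_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/app-role/pod-1"  # constructed

# Policy currently attached to the workload role (constructed, deliberately broad).
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "ec2:Describe*", "iam:PassRole", "iam:CreateUser"],
        "Resource": "*",
    }],
}

# Constructed CloudTrail-style records from the observation window.
OBSERVED_EVENTS = [
    '{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/pod-1"}}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/pod-1"}}',
    '{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/pod-1"}}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/pod-1"}}',
    # A different principal: must not count toward the app role's usage.
    '{"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}',
]


def expand_actions(patterns, catalog=ACTION_CATALOG):
    """Expand wildcard grants such as 's3:*' or 'ec2:Describe*' into concrete actions."""
    expanded = set()
    for pattern in patterns:
        expanded.update(a for a in catalog if fnmatch.fnmatchcase(a, pattern))
    return expanded


def granted_actions(policy):
    """Collect every concrete action an Allow statement in the policy grants."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        actions |= expand_actions([acts] if isinstance(acts, str) else acts)
    return actions


def used_actions(events, identity_arn):
    """Count the actions the given identity actually performed (simplified mapping)."""
    counts = Counter()
    for line in events:
        rec = json.loads(line)
        if rec["userIdentity"]["arn"] != identity_arn:
            continue
        service = rec["eventSource"].split(".")[0]  # 's3.amazonaws.com' -> 's3'
        counts[f"{service}:{rec['eventName']}"] += 1
    return counts


def rightsize(policy, events, identity_arn):
    """Compare granted vs. used actions and build a least-privilege recommendation."""
    granted = granted_actions(policy)
    used = used_actions(events, identity_arn)
    unused = granted - set(used)
    recommended = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}],
    }
    return {
        "granted": sorted(granted),
        "used": dict(used),
        "unused": sorted(unused),
        "unused_high_risk": sorted(unused & HIGH_RISK),
        "recommended_policy": recommended,
    }


if __name__ == "__main__":
    print(json.dumps(rightsize(GRANTED_POLICY, OBSERVED_EVENTS, APP_ROLE_ARN), indent=2))
```

The recommendation keeps only actions the role demonstrably used, and the `unused_high_risk` list is where the text's warning about disruption matters: removing an unused `iam:CreateUser` grant is low-risk, whereas an action that is legitimately needed but simply not exercised during the observation window (a quarterly job, for example) would be cut too, so the window must cover the application's full behaviour before the policy is enforced.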
![Example of CIEM tool illustrating user and workload identities, permissions and access in a graph](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322425-3.png)

Figure 3: Example of a CIEM tool illustrating user and workload identities, permissions and access in a graph

## Container Protection

As organizations modernize applications, they're not just moving them to the cloud; they're refactoring workloads through [containerization](https://www.paloaltonetworks.com/cyberpedia/containerization?ts=markdown). "By 2025, enterprises will have adopted multiple public cloud infrastructure as a service (IaaS) offerings --- including multiple K8s offerings," according to [Gartner](https://start.paloaltonetworks.com/gartner-market-guide-cnapp).

Like applications, containers need [security across the full lifecycle](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown). As advised by the NSA, "When working with containerized workloads, ensure their security by regularly scanning container images for vulnerabilities, limiting container privileges, protecting container secrets, and implementing [runtime security](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown) controls."

![Security controls across the container lifecycle](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322425-4.png)

Figure 4: Security controls across the container lifecycle

To take things a step further, a modern approach would visualize and manage risk from the lens of the software development lifecycle. This means detecting application vulnerabilities across clouds, container images, repos and software packages, and then automatically correlating them to understand the root cause of critical issues. By fixing issues at the source, in code, security teams can prevent the same mistakes from recurring at runtime.
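Three of the four NSA container controls quoted above (limiting container privileges, protecting container secrets, and keeping images scannable by pinning them to a digest) can be checked before a workload is admitted, which is also where the "fix it in code" point lands. The audit below is an added example, not Palo Alto Networks, Prisma Cloud or NSA code; both pod specs are constructed (plain dicts in the shape of a Kubernetes Pod manifest, so no YAML library is needed), the image digest in the hardened spec is a placeholder, and the secret-name heuristic and capability list are assumptions.

```python
"""Audit a Pod spec for the container controls the NSA guidance lists.

Added example (not Palo Alto Networks, Prisma Cloud or NSA code). WEAK_POD
shows the misconfigurations, HARDENED_POD the corrected form; both are
constructed. Run stand-alone to print the findings for each.
"""
import re

# Heuristic for env var names that look like credentials (constructed list).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
# Capabilities whose addition warrants a finding (constructed list).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW"}


def audit_pod(pod):
    """Return a list of findings for the Pod; an empty list means every check passed."""
    findings = []
    spec = pod["spec"]
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath mount of {vol['hostPath']['path']}")
    for c in spec.get("containers", []):
        name, sc, image = c["name"], c.get("securityContext", {}), c.get("image", "")
        # Image scanning only proves something about the image that actually runs
        # if the reference is immutable, i.e. pinned by digest rather than a tag.
        if "@sha256:" not in image:
            findings.append(f"{name}: image not pinned by digest ({image})")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        for cap in caps.get("add", []):
            if cap in DANGEROUS_CAPS:
                findings.append(f"{name}: adds high-risk capability {cap}")
        for env in c.get("env", []):
            # Secrets should arrive via valueFrom.secretKeyRef, never as a literal value.
            if "value" in env and SECRET_NAME.search(env["name"]):
                findings.append(f"{name}: {env['name']} holds a plaintext literal")
    return findings


# Constructed "before": the kind of manifest a quick deployment produces.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/billing-api:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        }],
    },
}

# Constructed "after": the same workload with the controls applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
    "spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "api",
            # Placeholder digest; a real one comes from the registry after scanning.
            "image": "registry.example.internal/billing-api@sha256:" + "0" * 64,
            "securityContext": {
                "privileged": False, "allowPrivilegeEscalation": False,
                "runAsNonRoot": True, "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "billing-db", "key": "password"}}}],
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for f in audit_pod(pod):
            print("  -", f)
```

Running the same checks in the repository (against the manifest or Helm output) and again at admission time is what ties the "fix at the source" idea to runtime: the finding is raised once, in code, instead of resurfacing with every deployment. The fourth control in the NSA list, runtime security, is out of scope for a static audit like this one.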
![Tracing a vulnerability (e.g., Log4j) from runtime back to images and code](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/a-screenshot-of-a-computer-description-automatica.png)

Figure 5: Tracing a vulnerability (e.g., Log4j) from runtime back to images and code

## Acting on Guidance with Prisma Cloud

[Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown), a Palo Alto Networks platform, protects applications and workloads from code to cloud. The platform enables security and DevOps teams to collaborate better, ensuring that protections keep pace with the speed of software development. Offering full security coverage, Prisma Cloud protects code, pipelines, cloud infrastructure, workloads, data, web applications and APIs against modern threats.

To identify potential risks in your cloud, request a free [cloud security health check](https://www.paloaltonetworks.com/prisma/cloud/free-cloud-security-risk-assessment?ts=markdown). Alternatively, if you'd like to see Prisma Cloud address NSA guidance, [book a personalized demo](https://www.paloaltonetworks.com/prisma/cloud/request-a-prisma-cloud-demo?ts=markdown).