
Jan 27, 2025
Editor’s note: The following is a guest contribution from Zscaler Security Architect Aoibh Wood.
Often overlooked by security professionals, app cloaking is a powerful technique for strengthening security posture by making high-value private applications go dark from the public internet. Fundamental to the Zscaler approach to zero trust architecture, app cloaking reduces an organization’s attack surface and prevents lateral movement by threat actors, safeguarding sensitive applications and the data they hold.
What is app cloaking?
App cloaking hides applications and their IP addresses from the public internet. By concealing private applications, CXOs can significantly reduce their exposure to malicious activities like vulnerability scanning, denial-of-service teardrop attacks, single-packet exploits (which enable secure access to a protected resource by requiring the sender to authenticate themselves through a single packet), PowerShell commands used in credential theft, and other zero-day attacks of the moment.
In broad strokes, the principle behind app cloaking can be likened to secure messaging services like Threema or WhatsApp, which provide end-to-end encryption for texts and calls and let you control who sees your information and who can call you. If you haven’t explicitly accepted an individual as a contact, they can’t communicate with you. Similarly, app cloaking only allows connectivity to authorized applications based on identity and context.
How does app cloaking work?
To better understand app cloaking, let’s consider a traditional network setup in which applications are directly exposed to the internet for access. This exposure makes them vulnerable to attacks such as scanning, probing, and exploitation—even if they sit behind a firewall. Attackers can always find ways to bypass the firewall by exploiting vulnerabilities or by using stolen login credentials to launch an attack, for example.
With app cloaking, the target application is isolated from the internet. Then the application is integrated with a zero trust access solution like Zscaler Private Access (ZPA). ZPA puts the application behind an app connector, which acts as a broker, routing traffic through the Zscaler Zero Trust Exchange platform. Next, a virtual IP address is assigned to the device, making the application inaccessible directly. The connection is inside-out, with no inbound internet connections permitted. The virtual IP is only exposed via the brokered application tunnel, not to the internet at large. This creates secure, identity-based access for authorized users.
Essentially, app cloaking removes any internet presence of an application in favor of a private network in a secure DMZ that’s still accessible to the user. You take applications that previously could have been accessed via a VPN or a wide area network (WAN) connection and remove those connections. Once you place a device behind ZPA, it works automatically, ensuring that the application and the device that is accessing it remain invisible to the outside world. Applications and IP addresses are never exposed to the internet, rendering them invisible to attackers. In other words, if an entity isn’t authorized to access an application, they shouldn’t know it exists, let alone be able to send a packet to it.
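The inside-out brokering described above can be modeled on loopback with three roles: a private app, a connector that only dials out, and a broker that checks identity before stitching a user to the app. This is an added example, not Zscaler code and not ZPA's protocol; the line protocol, the `POLICY` table, the tokens and all function names are constructed for illustration, and connector authentication and encryption are omitted.

```python
import socket, threading

POLICY = {"alice-token": {"hr-app"}}  # constructed: identity -> permitted apps

def app_server(s):  # private app; only the connector on its network reaches it
    while True:
        c, _ = s.accept()
        with c, c.makefile("rwb") as f:
            f.write(b"hr-app saw: " + f.readline()); f.flush()

def connector(broker_addr, app_addr, name):
    """Dials OUT to the broker and registers; it never listens for inbound."""
    bf = socket.create_connection(broker_addr).makefile("rwb")
    bf.write(f"CONNECTOR {name}\n".encode()); bf.flush()
    def pump():  # relay each brokered request to the app, return its reply
        for line in iter(bf.readline, b""):
            with socket.create_connection(app_addr) as a, a.makefile("rwb") as af:
                af.write(line); af.flush()
                bf.write(af.readline()); bf.flush()
    threading.Thread(target=pump, daemon=True).start()

def broker(s):
    """Stand-in for the broker: checks identity and policy, then stitches."""
    tunnels = {}  # app name -> tunnel opened by its connector (auth omitted)
    while True:
        c, _ = s.accept()
        f = c.makefile("rwb")
        p = f.readline().decode().split(maxsplit=3)
        if len(p) == 2 and p[0] == "CONNECTOR":
            tunnels[p[1]] = f  # hold the outbound tunnel open
            continue
        ok = len(p) == 4 and p[0] == "USER" and p[2] in POLICY.get(p[1], ())
        if ok and p[2] in tunnels:
            t = tunnels[p[2]]
            t.write(p[3].encode()); t.flush()
            f.write(t.readline()); f.flush()
        f.close(); c.close()  # denied and nonexistent apps look identical

def request(broker_addr, token, app, msg):
    with socket.create_connection(broker_addr, timeout=5) as c, c.makefile("rwb") as f:
        f.write(f"USER {token} {app} {msg}\n".encode()); f.flush()
        return f.readline().decode().strip()  # "" when the broker stays silent

def demo():
    app, brk = (socket.create_server(("127.0.0.1", 0)) for _ in range(2))
    for fn, s in ((app_server, app), (broker, brk)):
        threading.Thread(target=fn, args=(s,), daemon=True).start()
    connector(brk.getsockname(), app.getsockname(), "hr-app")
    cases = [("alice-token", "hr-app"), ("mallory-token", "hr-app"), ("alice-token", "payroll")]
    return [request(brk.getsockname(), tok, name, "ping") for tok, name in cases]
```

The user side is handed only the broker's address; an unauthorized identity and a request for an app that does not exist get the same silent close, so neither learns whether the app is there.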
App cloaking vs. VPN
App cloaking offers a critical advantage over traditional VPNs, which expose entire corporate networks to potential threats. App cloaking hides applications from the internet, making them invisible to malicious actors. Additionally, app cloaking enables granular access control, allowing you to limit access to specific applications and users. This level of precision is not possible with VPNs, which typically grant broad network access, thereby expanding the attack surface.
App cloaking aligns with zero trust principles by verifying every user and device before granting access. Access can also be continuously evaluated in an adaptive fashion, allowing for step-up authentication, remote browser interception, or even termination of access based on the user's and the device's risk profiles.
Finally, app cloaking offers a seamless user experience without the need for complex VPN configurations, which can be cumbersome and impact network performance.
OT devices are a great example of how app cloaking can provide more secure access while cutting costs and complexity. Often, OT devices are in remote locations and need to connect to the corporate data center to get updates or send telemetry. To enable this, a typical traditional solution involves an expensive VPN setup, so, in the end, there is still exposure to the internet. A far better solution we’ve seen is installing SIM cards in OT devices, which then use ZPA to directly access corporate resources.
Real-world use cases
Let’s look at some practical applications of app cloaking:
- Hospitals: Safeguarding sensitive patient records from data breaches and ransomware by isolating critical applications.
- Banks and other financial institutions: Shielding core banking systems from the internet to prevent the risk of fraud and cybercrime.
- Government agencies: Protecting sensitive government information and blocking cyberattacks that could disrupt essential services.
- Critical infrastructure and manufacturing organizations: Hiding the presence of OT devices from attackers so these devices are not exposed to vulnerability scanning and other exploits, thus minimizing the possibility of internet-based attacks and ensuring continuity of operations.
The benefits of app cloaking
App cloaking offers many benefits to organizations:
- Reduces attack surface: Hides applications from the internet to significantly reduce the attack surface, making it harder for attackers to identify and target vulnerabilities.
- Enhances security posture: Strengthens security posture by limiting application access to authorized users and devices.
- Improves compliance: Enforces strict access controls to comply with industry regulations like HIPAA, GDPR, and PCI DSS.
- Simplifies network management: Reduces network management complexity by decreasing the number of exposed endpoints and streamlining security policies.
- Protects legacy systems: Safeguards older systems that are critical to operations yet are too expensive to replace or may be difficult to patch because they are at end of life (EOL) or end of support (EOS).
- Frees up teams: Since devices with app cloaking are invisible to the internet, they have no exposed vulnerabilities, making them last on the patch list, enabling your security experts to focus on more urgent, higher-risk priorities.
- Enhances the user experience: Offers seamless access to applications, improving productivity and satisfaction by giving users a reliable, secure connection to the corporate resources that are relevant to their jobs.
Hide private applications, gain peace of mind
App cloaking can significantly improve your organization’s security posture. By understanding the underlying technology and its benefits, CXOs can make informed decisions to protect their organization’s sensitive data and applications. Choosing between security and productivity is impossible. But ZPA lets you adopt zero trust network access (ZTNA) that delivers fast and seamless user connectivity, minimizes risk, and mitigates lateral movement.