Disconnected apps challenge a zero trust (ZT) strategy, mainly because they fall outside centralized identity management systems like Okta and Entra ID. In the first blog of this two-part series, we explored the security risks that disconnected (nonfederated) apps introduce, from compliance gaps to security blind spots. Now, let’s look at how you can move your organization toward a more mature ZT posture in five steps.
Step 1: Discover and inventory disconnected apps
ZT requires complete visibility, yet disconnected apps are often hidden from centralized monitoring. According to Ponemon, 49% of organizations don’t track the number of disconnected apps they have, and among those that do, only 21% are confident they know all the apps in use. Identifying and inventorying disconnected apps across departments is the critical first step toward closing this visibility gap.
How do you do this? Typically, with a combination of tools like CASBs and your IdP, along with your procurement department, which can tell you what is being paid for, and old-fashioned conversations with line-of-business leaders in which you ask, “What are some of the critical apps your department uses to get their job done?” and “How is access managed to these applications?”
For organizations aiming to mature their ZT approach, this aligns with the Initial to Advanced stages of the Zero Trust Maturity Model (ZTMM), as visibility and analytics are foundational to progress in any ZT pillar. Regular scanning and recurring conversations with line-of-business leaders, run as part of an active governance program for disconnected apps, let IT and security teams shift from reactive to proactive, allowing governance and monitoring improvements across all applications.
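One practical way to run the inventory described above is to reconcile the three sources the text names: what the IdP federates, what procurement pays for, and what the CASB sees in traffic. The script below is an added example, not Cerby's code or any product's API; the three inventories, the vendor aliases and the field names are constructed sample data standing in for real CSV or API exports.

```python
"""Reconcile IdP, procurement and CASB inventories to surface disconnected apps.

Added example (not Cerby's code). All data below is constructed sample input;
real exports would be read from the IdP, the procurement/expense system and
the CASB, and the field names here are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import re

# Constructed: apps federated through the IdP (SAML/OIDC/SCIM integrations).
IDP_APPS = [
    {"name": "Salesforce", "protocols": ["SAML", "SCIM"]},
    {"name": "Slack", "protocols": ["SAML", "SCIM"]},
    {"name": "GitHub Enterprise", "protocols": ["SAML"]},
]

# Constructed: vendors with an active subscription according to procurement.
PROCUREMENT = [
    {"vendor": "Salesforce, Inc.", "owner": "sales", "annual_usd": 120000},
    {"vendor": "Slack Technologies", "owner": "it", "annual_usd": 40000},
    {"vendor": "Hootsuite", "owner": "marketing", "annual_usd": 9000},
    {"vendor": "QuickBooks Online", "owner": "finance", "annual_usd": 3000},
]

# Constructed: SaaS domains the CASB observed in proxy logs (session counts).
CASB_DOMAINS = {
    "salesforce.com": 8100,
    "slack.com": 22000,
    "hootsuite.com": 640,
    "canva.com": 310,
    "github.com": 5400,
}

# Assumed alias table mapping vendor spellings and domains to one app name.
# In practice this normalization is the messy part of the exercise.
ALIASES = {
    "salesforce": "Salesforce", "salesforce.com": "Salesforce",
    "slack": "Slack", "slack technologies": "Slack", "slack.com": "Slack",
    "github": "GitHub Enterprise", "github.com": "GitHub Enterprise",
    "hootsuite": "Hootsuite", "hootsuite.com": "Hootsuite",
    "quickbooks online": "QuickBooks Online",
    "canva.com": "Canva",
}


def canonical(raw: str) -> str:
    """Normalize a vendor name or domain to a canonical app name."""
    key = raw.strip().lower()
    key = re.sub(r"[,.]?\s*(inc|llc|ltd)\.?$", "", key).strip()
    return ALIASES.get(key, raw.strip())


@dataclass
class AppRecord:
    name: str
    federated: bool = False
    protocols: list[str] = field(default_factory=list)
    paid_by: str | None = None
    observed_sessions: int = 0
    sources: set[str] = field(default_factory=set)


def build_inventory(idp_apps, procurement, casb_domains) -> dict[str, AppRecord]:
    """Merge the three views into one record per canonical app name."""
    inv: dict[str, AppRecord] = {}

    def rec(name: str) -> AppRecord:
        return inv.setdefault(name, AppRecord(name))

    for app in idp_apps:
        r = rec(canonical(app["name"]))
        r.federated = True
        r.protocols = list(app["protocols"])
        r.sources.add("idp")
    for row in procurement:
        r = rec(canonical(row["vendor"]))
        r.paid_by = row["owner"]
        r.sources.add("procurement")
    for domain, sessions in casb_domains.items():
        r = rec(canonical(domain))
        r.observed_sessions += sessions
        r.sources.add("casb")
    return inv


def disconnected_apps(inv: dict[str, AppRecord]) -> list[AppRecord]:
    """Apps with evidence of spend or use but no IdP integration."""
    return sorted((r for r in inv.values() if not r.federated), key=lambda r: r.name)


def shadow_apps(inv: dict[str, AppRecord]) -> list[AppRecord]:
    """Seen in traffic only: neither federated nor on a procurement record.
    These are the first candidates for the line-of-business conversation."""
    return [r for r in inv.values() if r.sources == {"casb"}]


if __name__ == "__main__":
    inventory = build_inventory(IDP_APPS, PROCUREMENT, CASB_DOMAINS)
    for r in disconnected_apps(inventory):
        print(f"{r.name:18} paid_by={r.paid_by!s:10} sessions={r.observed_sessions:6} "
              f"sources={sorted(r.sources)}")
```

The output is the starting list for the governance program: each disconnected app comes with who pays for it and how heavily it is used, which tells you whom to ask the "how is access managed" question and in what order.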
Figure 1: CISA’s Zero Trust Maturity Model
Step 2: Extend identity management and enforce access controls
Once identified, bringing disconnected apps into your identity infrastructure is essential. This is where platforms like Cerby come in. Extending identity management enables ZT’s “never trust, always verify” principle by enforcing strict identity and access controls. According to the Ponemon Report, over half of disconnected apps don’t support SSO (Single Sign-On), increasing the risk of untracked access to critical business applications. By bridging disconnected apps into your identity perimeter, you can:
- Centralize access control for all applications, including those not built with standards like SAML or SCIM.
- Enforce consistent policies across applications, ensuring disconnected apps meet the same security standards as ones built with full support for modern IAM standards.
Centralized identity integration also facilitates movement from Initial to Advanced maturity on the ZTMM, primarily through automating authentication and dynamically managing access based on real-time risk factors.
Figure 2: CISA’s Zero Trust Maturity Model Pillars
Step 3: Implement least-privilege access and automation
Zero trust relies heavily on the least-privilege principle, ensuring users have only the access they need. Disconnected apps, however, typically require manual access control, which slows operations and increases security risk. Ponemon found that provisioning access to a standard app takes 7 hours on average, and deprovisioning takes longer because admins must manually track down the access that has accumulated through role creep. For disconnected apps, this is often a labor-intensive process prone to delays and errors. Addressing these issues through automated, least-privilege access involves:
- Defining clear access levels and roles based on job functions and specific permissions.
- Automating provisioning and deprovisioning to reduce human error and administrative workload.
This improves security and aligns with the Advanced maturity stage on the ZTMM, where access controls adapt to risk levels dynamically.
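The two bullets above are one loop in practice: derive the entitlements each person should have from their job function, compare with what each app actually grants, and turn the difference into provision, downgrade and revoke actions. The script below is an added example, not Cerby's code; the role map, HR feed and app entitlement exports are constructed sample data, and in a real deployment they would come from HR or the IdP and from each app's admin export.

```python
"""Role-based desired state vs. actual app entitlements, as reconcile actions.

Added example (not Cerby's code). Roles, users and current entitlements are
constructed sample data; the shape of each record is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed role-to-entitlement map: role -> {(app, permission level)}.
ROLE_ENTITLEMENTS = {
    "marketing": {("Hootsuite", "editor"), ("Canva", "editor")},
    "marketing_lead": {("Hootsuite", "admin"), ("Canva", "editor")},
    "finance": {("QuickBooks Online", "accountant")},
}

# Constructed HR feed: user -> (role, is_active).
USERS = {
    "alice": ("marketing_lead", True),
    "bob": ("marketing", True),
    "carol": ("finance", True),
    "dave": ("marketing", False),   # offboarded but still present in an app
}

# Constructed current state, as exported from each app's admin console.
ACTUAL = {
    "Hootsuite": {"alice": "admin", "bob": "admin", "dave": "editor"},
    "Canva": {"alice": "editor", "bob": "editor", "carol": "editor"},
    "QuickBooks Online": {"carol": "accountant"},
}


@dataclass(frozen=True)
class Action:
    kind: str        # "grant", "adjust" or "revoke"
    user: str
    app: str
    permission: str  # the level to end up with (for revoke: the level removed)
    reason: str


def desired_state(users, role_map) -> dict[str, dict[str, str]]:
    """app -> {user: permission}, derived only from active users' roles."""
    desired: dict[str, dict[str, str]] = {}
    for user, (role, active) in users.items():
        if not active:
            continue  # offboarded users get no entitlements at all
        for app, perm in role_map.get(role, set()):
            desired.setdefault(app, {})[user] = perm
    return desired


def reconcile(desired, actual, users) -> list[Action]:
    """Diff desired against actual and emit the actions that close the gap."""
    actions: list[Action] = []
    for app in sorted(set(desired) | set(actual)):
        want = desired.get(app, {})
        have = actual.get(app, {})
        for user, perm in sorted(want.items()):
            if user not in have:
                actions.append(Action("grant", user, app, perm, "required by role"))
            elif have[user] != perm:
                actions.append(Action("adjust", user, app, perm,
                                      f"role grants {perm}, currently {have[user]}"))
        for user, perm in sorted(have.items()):
            if user in want:
                continue
            if user in users and not users[user][1]:
                reason = "user offboarded"
            else:
                reason = "no active role requires it"
            actions.append(Action("revoke", user, app, perm, reason))
    return actions


def run(users=USERS, role_map=ROLE_ENTITLEMENTS, actual=ACTUAL) -> list[Action]:
    return reconcile(desired_state(users, role_map), actual, users)


if __name__ == "__main__":
    for a in run():
        print(f"{a.kind:7} {a.user:6} {a.app:18} {a.permission:10} ({a.reason})")
```

Running the reconciliation on a schedule is what turns the 7-hour manual task into a diff: bob's admin level on Hootsuite is an example of role creep the loop catches, and dave's leftover editor access is the deprovisioning gap. For a disconnected app with no API, the action list is still useful as the admin's work queue and audit trail.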
Step 4: Monitor and continuously evaluate risk
ZT isn’t static; it requires continuous monitoring and risk assessment to stay effective. This is especially true for disconnected apps, which often fall outside traditional security monitoring frameworks. With 52% of organizations reporting a cybersecurity incident due to insecure, disconnected apps (Ponemon), monitoring disconnected apps is essential to mitigate threats as they arise.
Achieving Optimal maturity in the ZTMM entails comprehensive, automated monitoring across all applications, including disconnected ones, to secure every part of your environment in real time.
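Disconnected apps usually offer at least an activity or audit export even when they offer no SSO, and that export can be evaluated against the identity directory on a schedule. The script below is an added example, not Cerby's code: it parses constructed audit lines from a disconnected app and flags three conditions a defender cares about, namely use of an account that is not in the directory, use after the owner was offboarded, and one account used from many source IPs, which is the typical signature of a shared credential. The log format, directory shape and threshold are assumptions.

```python
"""Evaluate a disconnected app's audit export against the identity directory.

Added example (not Cerby's code). The log lines and directory below are
constructed; the key=value log format and the IP threshold are assumptions.
"""
from __future__ import annotations

# Constructed directory snapshot: who should exist and whether they still do.
DIRECTORY = {
    "alice@example.com": {"status": "active"},
    "dave@example.com": {"status": "offboarded", "offboarded_on": "2024-06-01"},
}

# Constructed audit export from a disconnected app (one event per line).
AUDIT_LINES = """\
2024-06-03T08:12:44Z app=Hootsuite user=alice@example.com event=login ip=198.51.100.10
2024-06-03T08:15:02Z app=Hootsuite user=dave@example.com event=login ip=203.0.113.7
2024-06-03T09:01:10Z app=Hootsuite user=social@example.com event=login ip=198.51.100.10
2024-06-03T09:03:55Z app=Hootsuite user=social@example.com event=login ip=203.0.113.22
2024-06-03T09:10:31Z app=Hootsuite user=social@example.com event=login ip=192.0.2.45
2024-06-03T10:22:09Z app=Hootsuite user=alice@example.com event=post ip=198.51.100.10
""".splitlines()


def parse_line(line: str) -> dict[str, str]:
    """'<ts> k=v k=v ...' -> dict with the timestamp under 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["ts"] = ts
    return fields


def evaluate(lines, directory, shared_ip_threshold: int = 3) -> list[tuple[str, str, str]]:
    """Return (account, finding, detail) tuples for the risky conditions."""
    findings: list[tuple[str, str, str]] = []
    ips_by_user: dict[str, set[str]] = {}
    reported_unknown: set[str] = set()

    for e in (parse_line(l) for l in lines if l.strip()):
        user = e["user"]
        entry = directory.get(user)
        if entry is None:
            # Account exists only inside the app: a local or shared login the
            # identity system has never seen. Report once per account.
            if user not in reported_unknown:
                reported_unknown.add(user)
                findings.append((user, "account not in directory", e["ts"]))
        elif entry["status"] == "offboarded" and e["ts"][:10] > entry["offboarded_on"]:
            # ISO dates compare correctly as strings.
            findings.append((user, "access after offboarding", e["ts"]))
        ips_by_user.setdefault(user, set()).add(e["ip"])

    for user, ips in sorted(ips_by_user.items()):
        if len(ips) >= shared_ip_threshold:
            findings.append((user, "possible shared credential", f"{len(ips)} source IPs"))
    return findings


if __name__ == "__main__":
    for account, finding, detail in evaluate(AUDIT_LINES, DIRECTORY):
        print(f"{finding:28} {account:22} {detail}")
```

Each finding maps back to an earlier step: the offboarded user is a deprovisioning failure, and the unknown and shared accounts are exactly the access paths that bringing the app into the identity perimeter would remove. Running this per app on a schedule is the minimum form of the continuous monitoring the text calls for.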
Step 5: Achieve compliance and security across the app ecosystem
Disconnected apps often handle sensitive data, making compliance a significant concern. Whether your organization is subject to SOX, HIPAA, or GDPR, ensuring all apps meet regulatory standards is essential to avoid penalties. According to Ponemon, 47% of organizations fail to meet regulatory requirements due to the inability to secure these applications. With centralized oversight and consistent policies, compliance teams can:
- Streamline audits with a unified view of all application access and activity.
- Automate reporting and access tracking to reduce compliance overhead and ensure no app falls outside audit standards.
Building compliance into your app ecosystem helps push your organization toward the Advanced and Optimal stages on the ZTMM, where policies are automated and visibility is continuous, reducing risk across the board.
Bringing it all together
Disconnected apps don’t have to be the barrier to your zero trust maturity. By integrating them into your identity infrastructure and applying zero trust principles, you create a unified perimeter that covers all apps—whether SaaS, legacy, IT, OT, or on-premises. This holistic approach helps you progress through the Zero Trust Maturity Model journey, elevating your organization’s security posture. Taking these five steps today leaves your organization better protected and more resilient against emerging cyber threats tomorrow.
Ready to discover how Cerby can help you secure any app in your organization, no matter how disconnected? Book a demo with us today.