Slide 1
Zero Trust Access Models
Patrick Sullivan, Sr. Director, Security Strategy, Akamai Technologies (@Akamai)
Slide 2
Agenda
Review of the perimeter security model
Zero Trust access architectures
Questions and answers
Slide 3
Zero Trust and the Cyber Attack Lifecycle / Kill Chain
>Even without device posture, why the EAA (Enterprise Application Access) client instead of a VPN?
>There are many different kill chains and attack lifecycles. Let's use Mandiant's as an example...
Slide 4
Bottom line: security perimeters belong in the past
>But at this point the industry agrees it's time to move on: security perimeters belong in the past...
Slide 5
What's Zero Trust? Key principles:
Assume a hostile environment
Don't distinguish between external and internal
Never trust; only deliver applications/data to authenticated and authorized users/devices
Always verify, with logging and behavioral analytics
>That's where zero trust comes in...
>ZT is all about removing trust from the network, embracing default deny and least privilege, while not distinguishing between internal and external
>It's all about dynamically assigning access to applications based on identity and various other factors
>And ensuring that you understand what is happening in your environment
Slide 6
There is no INSIDE
>End users and apps are moving outside the corporate security perimeter
>Apps are moving to the cloud
>All cloud app users are ultimately remote; combine that with the trend of working from anywhere and you can see why there is no inside
Slide 7
NO TRUSTED NETWORKS: Google BeyondCorp and moving beyond perimeter security
>Now let's look at some case studies of how companies are doing that today
>You saw how Netflix is getting rid of its corporate network
>Google came to a similar conclusion, but what they focused on was enabling employees to work from untrusted networks without a VPN
>[Tell BeyondCorp story based on slide...]
Source:
Slide 8
No Trust at Network Layer
Akamai Global Computing Platform: a "Zero Trust" network since 1998. Diagram labels: Users, Origin Server, Strong AuthN, Strong Encryption, Continuous Posture Assessment, No Trust at Network Layer.
Slide 9
IAP Zero Trust Architecture
WHY NOT ZERO TRUST FOR OUR IT? Diagram: Laptop, Identity Aware Proxy, Apps.
>It also assumes that the cloud stack is globally distributed, or at least able to service-chain different capabilities together in a coherent and performant fashion. Ideally it would be an integrated system that an enterprise can consume as a service without having to worry about the underlying infrastructure.
>The cloud perimeter uses the Internet as its core network. In fact, adopting a cloud perimeter is an essential step to leveraging the Internet as WAN. And, as enterprises leverage the Internet as WAN, application optimization also needs to evolve to overcome the inherent performance and reliability challenges of the Internet.
>In addition, the cloud perimeter architecture and approach allows abstraction of all the complexity enterprises deal with around appliance deployment, management, patching, license counts, and so on. A cloud perimeter embraces simplicity and an inherent focus on users/devices and applications/data.
>Verify and never trust is a core principle of the cloud perimeter. Are users across the digital ecosystem properly authenticated? And once the user is authenticated, do they have the authorization to access the various applications available to them? Does it make sense that this particular user is trying to log into this application at 3AM from Thailand? The cloud perimeter approach fully embraces the principle of least privilege.
>In addition, full visibility and logging enables enterprises to not only look at positive and negative security models, but also start to think about predictive analytics and behavioural analysis. For example, is that 3AM login really a person or is it a bot? What about traffic leaving the enterprise and connecting to a domain on the Internet: is it malware command-and-control communication, is it an IoT device phoning home, or is it just an employee trying to access a resource on the Internet?
>Full visibility is the first step to effectively apply policy, enforce compliance and reduce risk.
>It is also important to think about the ultimate end-user experience. The focus on reducing risk shouldn't impact it. The end-user experience should be easy, seamless and fast regardless of the security measures in place.
>For IT and security teams, a cloud perimeter is about abstracting complexity. A cloud perimeter enables enterprise IT and security teams to focus on what's important. They no longer need to worry about the underlying complex, and often brittle, systems that they deal with today.
>It is clear that moving from one architecture to another in the blink of an eye is unrealistic and will likely cause more harm than good. So integration with existing systems, whether that's an enterprise's identity provider or SIEM, is important. With SIEM integration and visibility, the cloud perimeter architecture also provides insight across applications and users independent of where they reside (whether that's in the cloud or on-premises).
>Finally, this integrated system in the cloud needs to support single sign-on across all apps (SaaS, on-prem and public cloud) to provide visibility, security and performance. Once a user is authenticated, traffic will pass through the cloud perimeter. In other words, the cloud perimeter is not only in the authentication path but also in the data path. Being in the data path becomes critical for adding additional security and performance capabilities, such as CASB or data loss prevention. Adding these capabilities does mean that some form of service chaining or integration is required.
Micro Perimeter
Slide 10
VISIBILITY & ADAPTIVE POLICY APPLICATION
DYNAMIC & CONTEXTUAL SECURITY: adaptive access and threat protection based on a multitude of signals:
Device posture
Passive bot detection
Malware C&C traffic
Request syntax
Time of day
Presence/validity of client cert
Authentication state
Reputation
Rate controls
Biometrics
Unsanctioned cloud storage usage
Geo
>That all sounds great, but how do I move from a theoretical model to reality?
>Let's start with one of the key components of dealing with today's complex and continuously evolving security landscape
>Time to add some context and start to make dynamic security decisions
>It's important to leverage a multitude of signals to make security decisions, and to adjust those decisions as signals change, in a continuous and adaptive policy application
>As an easy example: should I really allow access for this endpoint to this application based not only on its location, but on other signals such as malicious traffic originating from that device, or the fact that its behaviour corresponds to signals coming from a bot and not a person?
Transforms security architecture to enable today's business. Zero Trust:
Only authenticated users
Only authorized apps
Only trusted devices
Only non-malicious queries (KSD, WAP: Kona Site Defender, Web Application Protector)
Only humans (Bot Manager Premier)
All apps: on-prem, cloud or SaaS
Agile, cloud service
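The identity-aware-proxy notes on slide 9 and the signal list on slide 10 describe a policy decision point: every request arrives with an identity, an authentication state, device posture, geo and time, bot and malware-C&C indicators, and the proxy combines them into an allow, step-up or deny. The following is an added example written for this page, not Akamai's or any product's code. It is a toy decision point that defaults to deny, checks the signals in roughly the order the slides list them, and returns a reason with every decision so it can be logged to a SIEM for later behavioural analysis. The group table, thresholds, country list and the "3AM from Thailand" request are all constructed assumptions.

```python
"""Added example (not Akamai's code): a toy identity-aware-proxy policy
decision point that turns the slide's signals into allow / step-up / deny.

Default deny: a request must earn its allow. Every decision is returned
together with a reason so it can be logged for behavioural analysis.
All thresholds and the group table are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class RequestContext:
    """Signals the proxy has for one request (values are hypothetical)."""
    user: Optional[str]          # None when unauthenticated
    app: str
    mfa_verified: bool           # authentication state
    device_managed: bool         # device posture reported by the client agent
    client_cert_valid: bool      # presence/validity of an X.509 client cert
    country: str                 # geo derived from the source address
    hour_utc: int                # time of day
    bot_score: float             # 0.0 = human ... 1.0 = automated client
    c2_hits_24h: int             # malware C&C contacts seen from this device
    requests_last_minute: int    # input to rate controls


@dataclass
class AppPolicy:
    app: str
    allowed_groups: Set[str]
    require_managed_device: bool = True
    allowed_countries: Set[str] = field(default_factory=set)  # empty = any
    rate_limit_per_minute: int = 600


# Hypothetical group membership; in a real deployment this comes from the IdP.
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}


def evaluate(ctx: RequestContext, policy: AppPolicy) -> Tuple[str, str]:
    """Return (decision, reason) for one request against one app policy."""
    if ctx.user is None:
        return DENY, "unauthenticated"
    if not ctx.mfa_verified:
        return STEP_UP, "mfa_required"
    if not (GROUPS.get(ctx.user, set()) & policy.allowed_groups):
        return DENY, "not_authorized_for_app"       # least privilege, per app
    if ctx.c2_hits_24h > 0:
        return DENY, "device_contacted_c2"          # malware C&C signal
    if ctx.bot_score >= 0.8:
        return DENY, "automated_client"             # "only humans"
    if ctx.requests_last_minute > policy.rate_limit_per_minute:
        return DENY, "rate_limit"
    if policy.require_managed_device and not (ctx.device_managed and ctx.client_cert_valid):
        return DENY, "unmanaged_device"             # "only trusted devices"
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        return STEP_UP, "unusual_geo"               # the "3AM from Thailand" case
    if ctx.hour_utc < 5 or ctx.hour_utc > 22:
        return STEP_UP, "unusual_hour"
    return ALLOW, "ok"


def audit_record(ctx: RequestContext, decision: str, reason: str) -> dict:
    """Structured log record for the SIEM; feeds later behavioural analysis."""
    return {
        "user": ctx.user, "app": ctx.app, "country": ctx.country,
        "hour_utc": ctx.hour_utc, "bot_score": ctx.bot_score,
        "decision": decision, "reason": reason,
    }


if __name__ == "__main__":
    ledger = AppPolicy(app="finance-ledger", allowed_groups={"finance"},
                       allowed_countries={"US", "DE"})
    # Constructed requests: a normal one, the 3AM-from-Thailand one,
    # a user outside the app's group, and an automated client.
    base = dict(user="alice", app="finance-ledger", mfa_verified=True,
                device_managed=True, client_cert_valid=True, country="US",
                hour_utc=14, bot_score=0.05, c2_hits_24h=0, requests_last_minute=12)
    for variant in (base, {**base, "country": "TH", "hour_utc": 3},
                    {**base, "user": "bob"}, {**base, "bot_score": 0.95}):
        ctx = RequestContext(**variant)
        print(audit_record(ctx, *evaluate(ctx, ledger)))
```

Two design points are worth noting. Authorization is evaluated per application, not per network, so a valid user with no group for the app is denied even from a managed device; and the risk signals (C&C contact, bot score) are checked before the softer contextual ones, so a compromised device is denied outright rather than merely asked for step-up. Real deployments would re-evaluate on every request rather than once at login, since the slide's point is that decisions adjust as signals change.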
Slide 11
rDNS INSPECTION IS GREAT FOR CONTINUOUS MONITORING
SIMDA botnet: a family of backdoors capable of stealing information such as user names, passwords and certificates. It also executes backdoor commands, compromising the security of the infected systems.
Cryptojacking: high risk to system availability and potential risk to system confidentiality due to malicious cryptocurrency mining.
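The slide gives two things DNS inspection surfaces: botnet command-and-control lookups and cryptomining-pool lookups. The following added example (written for this page, not Akamai's code) shows the minimal detection logic behind that claim. It assumes "rDNS" here means the enterprise's recursive resolver query logs, parses a constructed log in a simple "timestamp client qname qtype" format, matches each query name and its parent domains against a small categorised threat list, and additionally flags a client as beaconing when its lookups of a listed domain arrive at near-constant intervals. The threat-list entries and log lines are constructed placeholders under the reserved .example TLD, not real SIMDA or mining infrastructure.

```python
"""Added example (not Akamai's code): inspecting recursive DNS query logs
for continuous monitoring.

Assumes rDNS refers to the recursive resolver's query log. The threat list
and the log lines below are constructed for illustration only.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed threat list: domain suffix -> category. The suffix match in
# categorize() also catches subdomains, which C2 and pool hosts use freely.
THREAT_LIST = {
    "c2-relay.example": "botnet_c2",       # placeholder for a SIMDA-style C&C
    "miner-pool.example": "cryptojacking", # placeholder for a mining pool
}

# Constructed resolver log: "ISO-timestamp client_ip qname qtype"
SAMPLE_LOG = """\
2019-03-01T09:00:00 10.1.4.22 www.intranet.example A
2019-03-01T09:00:02 10.1.4.22 cdn.intranet.example A
2019-03-01T09:00:05 10.1.4.37 u8x1.c2-relay.example A
2019-03-01T09:05:05 10.1.4.37 u8x1.c2-relay.example A
2019-03-01T09:10:05 10.1.4.37 u8x1.c2-relay.example A
2019-03-01T09:15:06 10.1.4.37 u8x1.c2-relay.example A
2019-03-01T09:02:11 10.1.4.51 stratum.miner-pool.example A
2019-03-01T09:03:40 10.1.4.22 mail.intranet.example MX
"""


def categorize(qname: str) -> Optional[str]:
    """Return the threat category for qname or any of its parent domains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = THREAT_LIST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (time, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname, qtype))
    return records


def inspect(text: str) -> List[Tuple[str, str, str, str]]:
    """Return findings as (client, qname, category, evidence), sorted."""
    findings = []
    by_pair = defaultdict(list)
    for ts, client, qname, _ in parse_log(text):
        cat = categorize(qname)
        if cat:
            by_pair[(client, qname, cat)].append(ts)
    for (client, qname, cat), times in by_pair.items():
        times.sort()
        evidence = f"{len(times)} lookup(s)"
        if len(times) >= 4:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            # Low jitter between lookups points at a scheduled beacon, not a person.
            if mean > 0 and statistics.pstdev(gaps) / mean < 0.2:
                evidence += f", periodic every ~{mean:.0f}s (beaconing)"
        findings.append((client, qname, cat, evidence))
    return sorted(findings)


if __name__ == "__main__":
    for client, qname, cat, evidence in inspect(SAMPLE_LOG):
        print(f"{client} -> {qname} [{cat}] {evidence}")
```

Running it flags 10.1.4.37 for four evenly spaced lookups of the placeholder C&C name (the beaconing pattern) and 10.1.4.51 for a single lookup of the placeholder mining pool; the intranet queries produce nothing. The beaconing check is the part that gives DNS inspection its "continuous" value: a blocklist alone only catches what is already known, while a periodicity check on resolver logs also surfaces scheduled call-outs to domains that are not yet listed if the same grouping is run over all query names.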
Slide 12
Every app seems like SaaS. Every office is a hotspot.
No Inside. No VPN. No Passwords.
>Now Akamai is just another global enterprise that is trying to move beyond perimeter-based security models
>Granted, it is easy for us as we have a lot of technology we can leverage to do this. Now, we are not alone; organizations like Google with BeyondCorp and Netflix, 21st Century Fox, Shopify and even the US government are all ditching perimeter-based security models for alternatives that work in today's environment and are based on a foundation of zero trust
>But we believe what makes Akamai unique is our approach, based on our heritage
>We are focused on treating all corporate users and applications as external (AuthZ/N, SSO, per-app vs network access, app security & acceleration, malware/phishing protection, etc.)
>We are also focused on getting rid of passwords (X.509 certs, MFA & Duo push)
>But let's not forget Akamai's DNA: better experiences on the Internet
>Security is important, but just as important is the end-user experience, particularly if you want adoption of your security best practices
>And I am not talking just about fast apps, but also about the experience of access and authentication, and building systems for inclusivity (reference MS guidelines for inclusivity: one-handed, etc.)
>At Akamai we are focused on redesigning security around users and applications, for an environment where everyone is remote, where your apps are everywhere, and where your operating environment is probably hostile
>The good news for you is we are sharing not only our lessons learned but also productizing our technology so you can join us on the journey towards no inside, no VPN and no passwords
Slide 13
Zero Trust Adoption Best Practices
1 Consider a Zero Trust Architecture Assessment
2 Stop accumulating technical debt
3 Begin migration of your Web apps
4 Migrate legacy apps
5 Decommission legacy access
>Conduct a Health Check to determine the exposure of devices to malware/phishing
>Stop accumulating technical debt by publishing new apps with a Zero Trust approach. This is easy, particularly for modern applications.
>Begin migration with your Web apps, since they are so easy to move to Zero Trust. Akamai IT moved >100 apps in <100 days.
>Consider an Akamai Zero Trust Architecture Assessment with Akamai's PS team to develop a comprehensive plan to migrate your organization from your current architecture to your goal Zero Trust architecture: profile users and apps, and develop a customized phasing plan
>Once you've addressed the low-hanging fruit with new apps and Web apps, work to migrate legacy apps to Zero Trust based on the plan you develop in consultation with Akamai's experts in our Professional Services organization.
>Work to decommission legacy access, including VPN and privileged corporate WiFi/Ethernet segments.