SC: If Zero Trust means you only allow data to go to authorised devices, apps and users, does that not mean doing away with BYOD and introducing whitelisting of all Apps?
PS: "Not at all. Zero Trust really runs counter to a classic network perimeter strategy, where trust is a binary decision based on location in the network topology. In that model, internal network users are given private IP addresses and are ‘trusted'. Remote users leverage VPN technology to be granted a private IP address on the corporate network and achieve the same, dangerous, binary level of trust at the network layer. The network perimeter was created at a time when corporate computers were used within an office, and apps, data and email servers were housed within the trusted four walls of that corporate network as well.
"BYOD, flexible working, cloud and SaaS, are all trends which drive enterprises to look away from that classic network perimeter security model of ‘Castle and Moats', and to consider Zero Trust. In a Zero Trust model, a request from a remote user leveraging a personal device can be given a much more nuanced and dynamic level of trust. Zero Trust allows device posture to be part of the granular trust and access decision. Perhaps a developer on a BYOD would be granted access to email and HR applications, but not source code repositories. The same developer could power up her company-issued laptop that is fully patched and running the expected endpoint protection, and based on the posture of that device, perhaps she would then be granted access to code repositories."
SC: A zero trust model might work for the police in relation to suspects, but if that's how we treat our staff, do we not risk alienating them - especially if we increase friction and reduce ease of use? Is that not a recipe for encouraging shadow IT and 'work-arounds' by people in a hurry to get their job done?
PS: "A properly implemented Zero Trust architecture really shouldn't alienate people or increase user friction. While optional, we do recommend multifactor authentication, implemented as part of a Zero Trust implementation. Multifactor authentication is a security and user convenience decision that the security team must make, and it does generate some friction. At its core, Zero Trust is based on one of the primary cornerstones of security, known as least privilege. Least privilege calls for security to grant users access to things they need to complete their job, but only those things. If a user needs read access, don't give them read, write and admin access. Or, as in our previous example, if your developer needs access to a code repository then give it to her, but don't give her access to sensitive financial reporting data required by accounting. No one expects to be able walk into the HR director's office and read through everyone's compensation details – that's not alienating, it's simply about giving employees what they need –
"This type of granular access is granted in the Zero Trust architecture at the application layer; by contrast a VPN would give a user binary access to the entire network and allow easy lateral movement to data and applications that specific users groups don't require. That network layer access violates security best-practice least privilege that everyone in InfoSec learned. This violation of sensible security philosophy is repeatedly exploited by attackers and red-teamers alike as nearly all attacks include “lateral movement” as a predictable phase of the attack methodology.
"Akamai's Zero Trust architecture does come with some nice performance boosts for end-users, in fact that is often a primary reason customers are adopting this model. In 2017 many users work outside of corporate HQ and the corporate applications they leveraged have long since left the corporate data center in favour of cloud hosting, SaaS, or other models.
"The classic VPN model forces the end-user's traffic back to corporate HQ to hit a VPN concentrator and a series of appliances comprising the ‘security stack'. From there, the traffic exits the corporate HQ network back out to the public internet and onto its destination at a cloud datacentre. That is a highly inefficient path, further burdened by the encapsulation of VPN traffic with overhead generating wrappers. Akamai offers customers a cloud perimeter where remote user traffic can be inspected milliseconds from any internet connection in the world, and then routing optimisations are applied as the traffic is routed to the nearest cloud datacentre.
"There are other cases where Zero Trust reduces user friction. In order to grant a contractor or 3rd party to corporate applications, many organisations procure a corporate laptop running VPN software to allow the contractor access. In a Zero Trust solution, that contractor could use their own machine with no need for client software and be granted application access to the handful of corporate apps they need."
SC: So, does this approach mean that access control becomes the primary means of ensuring information security?
PS: "I don't think it changes the overall role of access control, but it does allow IT teams to more effectively control their access control policy."
SC: Is zero trust a new concept, or simply articulating what the CISOs currently practice - but usually without being so explicit?
PS: "Zero Trust isn't a new concept and it's grounded in old-fashion security best practice policy of least privilege. On the other hand, Zero Trust is a disruptive concept as most organisations still operate with the castle and moat inspired network security perimeter where Firewalls and VPN's separate trusted networks from untrusted public internet. Zero Trust challenges the assumption that the internal network behind the Firewall/VPN is ‘trusted'. Zero Trust philosophy assumes every network segment is hostile, that attackers have compromised a user in that ‘trusted' network already and are working hard to move laterally and leverage that trust to pivot to apps and servers on the trusted network. In a Zero Trust architecture, apps and data would be in their own micro-perimeter with a proxy evaluating each request for access at the application layer and considering a wealth of data as part of the security policy it enforces."
SC: Is it a model that will be harder to introduce in some environments that others? I am thinking of the difference between say a defence establishment and a hospital.
PS: "There are differences, but these don't exist between different verticals, they are manifest between companies of different sizes and maturity. We expect it would be easier for a new start-up to implement Zero Trust, as they are more likely to design for current trends like cloud and BYOD from the start, and there tends to be less ‘Castle and Moat' legacy architecture and philosophy. Getting started with Zero Trust access is easy, but we envision organisations migrating to this architecture over time. For example, it took Google several years to implement its ‘BeyondCorp' Zero Trust implementation for its internal IT, following the Aurora attacks that targeted them. Akamai's IT migrated more than a hundred apps to this architecture in a quarter, but we have more work to do to get to our goal architecture.
"We usually work with enterprises to develop a roadmap, often starting with web applications and higher risk populations, such as 3rd parties and contractors."
SC: Can you explain what Akamai means by a cloud perimeter?
"Akamai's Cloud Perimeter is built upon our massively distributed deployment of over 240k Servers in 1000+ ISPs located in more than 100 countries. We think that this platform offers the most efficient architecture for security inspection given that so many applications, including internal apps moving to Office 365 and external applications moving to CSPs, have migrated from the corporate datacentre and into cloud. Additionally, so many employees work remotely. The Akamai Cloud perimeter can inspect end-user traffic in the cloud very close to the end user rather than backhauling it to corporate HQ for security inspection by the stack of hardware security appliances. In addition to the performance and cost advantages, Akamai gains tremendous threat intelligence based on over two trillion web deliveries per day and more DNS requests than any other provider. That intelligence helps better security decisions than isolated hardware appliances that don't have access to this intelligence.
"Akamai's Cloud Perimeter is an integrated suite of services including:
- Web Application Firewall
- DDoS Mitigation
- Managed Security Services
- Bot Management(anti-automation Fraud mitigation),
- Zero Trust Access and Identity
- DNS Firewall services that evaluates recursive DNS requests for signs of communication with C&C or domains serving malware/phishing. Command and control."
Patrick Sullivan is Akamai's global director of security strategy. In his 12 years at Akamai, he has held a number of leadership positions including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and designs security architectures to protect them from threats. He holds a variety of security certifications including CISSP, GSLC, GCIH, and GWAPT plus an Electrical Engineering degree from Virginia Tech and a graduate degree from George Mason University and a Graduate Certificate from Stanford University. Prior to Akamai, Patrick held various leadership positions at AT&T, Savvis, and Cable and Wireless.