Akamai's John Summers, VP & CTO, spoke at the recent Evanta Global CIO Executive Summit, a gathering of 75 major organization CIOs. His session was titled, "Cloud Security - Adopt Zero Trust and Put Asset-Level Safeguards in Place." Here are some of the key questions he addressed.
How do you describe zero trust?
Zero trust is all about the disappearing distinction between inside and outside. You can't trust a communication based upon where it's coming from. So whether it's inside your network or outside, before that communication gets set up, it has to go through the same level of strong authentication and authorization checks. Simply approaching everything as untrusted goes a long way towards dealing with the transition state organizations are in, where an application that's in your data center this month will be in the cloud next month. And the user who is in your zone of control today is working from someplace else tomorrow. Trust nothing and verify everything - that's the essence of zero trust.
What does it take to implement?
Security policy and controls have to be applied where they work best, which is with the digital assets being protected - infrastructure, apps, data, and their users, including employees, customers, and third-party partners. Those assets have "jumped the moat" of perimeter security and are out in the cloud and no longer subject to traditional controls. Most security professionals have grown up in the network management world. They have to break the habit of trying to encode security primarily at the network level. The application level is where business-defined and risk-adjusted policy and control are best enforced. At that level, security controls are portable to wherever the assets are.
What does zero trust mean for the business?
Zero trust creates unprecedented visibility into what's happening with digital assets and users, not just what's happening in the network. That enables more comprehensive security - it's more consistently built in. It also enables better network performance by simplifying network management and letting the managers focus on performance of the digital experience being delivered. It provides more granular understanding of business processes and transactions operating online, which can yield improvements far beyond the realm of security. And it enables the business to be more agile, to proceed with greater speed and confidence in all of its digital initiatives.
Where should organizations get started?
Some of the best use cases arise when there's a need to reconfigure networks in a big way. A major restaurant chain needed to launch new business capabilities and better security controls across over 10,000 locations. A zero trust approach leveraging the cloud accelerated implementation while minimizing changes to the network. As another example, after a merger or acquisition, success often depends on the ability to merge technology and applications quickly. A zero trust architecture can overlay accessibility and controls without need to identify all the new assets to the old networks. Similarly, after a complete or partial divestiture, access to assets can be securely separated or selectively shared.
Why are you excited about zero trust?
At Akamai we're enthusiastic because we know it works and we have experience doing it. As the company was building out its highly distributed and Internet-based content delivery network, we had to assume that no transmission was to be trusted in order to guarantee performance to our customers. Nobody called it "zero trust" twenty years ago, but that's the approach we've been taking since day one. Now we're excited about helping our customers take security to that level.