The basic concepts of zero trust security are relatively simple: trust nothing, verify everything, and maintain consistent controls. But, for CISOs and CIOs charged with transforming their legacy moats and castles architecture to one that allows their enterprises to embrace all of the benefits of zero trust, this is not a simple forklift change. Many enterprises Akamai that consults on zero trust are on transformational journeys, resulting in multi-year projects that require various pieces of the zero trust jigsaw to be put in place.
One critical aspect of the transformation to a zero trust security model is ensuring users remain safe from the vast number of threats that lurk at every click - such as malware, ransomware, and phishing - when they connect to the Internet.
In the good old days when users were tied to the corporate network and used managed devices, this was as simple as rolling out endpoint antivirus, installing a stack of appliances in a data center, and then backhauling all of the traffic for inspection and control. But now, users have left the building, devices are unmanaged, and the Internet is quickly becoming the corporate network of choice. Direct to Internet (DIA) connectivity means central control and inspection security solutions can no longer protect users against these threats.
One approach to solving this problem is to replicate your security appliance stack at each location. I will leave you to calculate how many appliances that might be for your organization. For most large enterprises, it would run into hundreds. That's a lot of hardware to deploy, manage, and maintain. The added complexity of that approach is unlikely to deliver the security consistency that's a cornerstone of zero trust.
A Better and More Elegant Solution for DIA and Roaming User Security
Today, Akamai is announcing significant enhancements to its Enterprise Threat Protector service that delivers a simpler, faster, and more cost-effective approach to securing that DIA traffic instead of deploying multiple security appliances at each Internet breakout. Enterprise Threat Protector is a Secure Internet Gateway that proactively protects your users wherever they are against advanced threats and is their safe onramp to the Internet.
Additionally, Enterprise Threat Protector uses a very different approach than legacy security appliances, such as Secure Web Gateways (SWG), which can incur problems. Specifically, proxying all Internet traffic in a SWG is not always simple and straightforward; bigger, more complex web pages and increasing levels of HTTPS content can lead to deployment challenges, such as network latency and broken web pages and applications.
The Enterprise Threat Protector approach is to only proxy risky traffic for control and inspection. This is done by inspecting every DNS request users make, blocking requests to malicious domains, allowing requests to safe domains to proceed as normal, and forwarding requests for risky domains to an Akamai Cloud Proxy for further inspection. When the HTTP/S request is received by the proxy, the requested URL is inspected and compared to Akamai's proprietary threat intelligence and any malicious URLs are blocked.
For all other requested URLs in the risky domain, the proxy retrieves the web content and sends it to an inline payload analysis that uses multiple malware analysis engines. These engines use a range of detection techniques - signature, signature-less, and machine learning - to identify and block known threats and previously unknown "zero-day" threats. By having a range of detection methods, it means we are able to payload to the most suitable engine (or engines) depending on the content type, which ensures optimal detection rates and delivers a low rate of false positives.
The approach of using a smart selective proxy that uses DNS as the on-ramp to the Internet, and as a first layer of security defense enabling safe traffic to go straight to the Internet, blocking bad traffic, and only proxying risky traffic delivers:
- Simplified security
- Lower latency & better performance
- Fewer broken web pages and applications
What Customers Have Found
One enterprise who participated in our beta program had tried to secure DIA traffic using an endpoint AV and firewall security stack, but found that it was too complex, time consuming, and delivered inconsistent security. They deployed Enterprise Threat Protector in minutes, and now have cloud-based security that meets the cornerstone principles of zero trust, can be easily managed centrally, and delivers consistent protection globally across all locations.
Want to find out just how quick and effective Enterprise Threat Protector is and how it can help accelerate your zero trust security transformation? Sign up to receive a free 30-day trial.