
The Akamai Blog

Zero Trust Security Architectures

This introduction is Part 1 of a 5-part blog series.

Jump to Part 2: Network Micro-Segmentation

Jump to Part 3: Software Defined Perimeter

Jump to Part 4: Identity Aware Proxy

Jump to Part 5: Akamai's Approach to Zero Trust


Most enterprises today operate hundreds of applications that support core business practices. Many were developed years ago with the same assumption in mind - that anyone inside the perimeter gets single sign-on access to any application or resource, using legacy authentication schemes. The people who developed these applications could not foresee how quickly the access paradigm would shift, nor how diverse the user population would become, and therefore could not anticipate the requirements that later technology advancements would bring to market.

The modern workforce is often highly distributed and mobile. Users no longer sit only on the corporate network; they work from home, while travelling, basically from anywhere. And applications and data increasingly reside outside the corporate network, in the cloud.

With any location being valid for both users and resources, we must work to preserve a uniform user experience from anywhere to anywhere. Users should be able to access any type of application, whether hosted on-prem or in the cloud, seamlessly and securely. To address these access needs, organizations must look beyond the traditional perimeter and the VPN.

What is Zero Trust?

The term zero trust networking was first attributed to Forrester analyst John Kindervag back in 2010. While the concepts centering around zero trust security have been around in some form for decades - think network segmentation, firewalls, certificates, ACLs, corporate owned devices, and VPN - the paradigm for zero trust turns the traditional perimeter security model on its ear by focusing on the secure delivery of data to the right person instead of building and securing access to a network.

The main concept is that trust should never be assumed based on where a user is in a network. The idea that a user or device is trusted simply because it is inside the network goes away. Instead, every request to access a network resource must be authenticated and authorized.

There are various ways to achieve this. Google has been quite prominent in promoting awareness of zero trust concepts by publicly announcing their internal BeyondCorp security model, which has eliminated the use of VPNs for most of their employees, and essentially treats all networks (even their own corporate networks) as untrusted by default.
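As an added illustration (not code from this post, from Google or from Akamai) of the difference between perimeter trust and per-request authentication and authorization, the following constructed Python check ignores the source network entirely and decides each request on identity, MFA and device state. The address range, users, groups and application names are made up for the example.

```python
"""Constructed example: perimeter-style access check next to a
zero trust (identity-aware proxy style) check. Not vendor code."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed "corporate" address range used by the legacy check only.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed policy data: which groups may reach which app, and group membership.
APP_POLICY = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}


@dataclass
class Request:
    src_ip: str
    user: Optional[str] = None   # identity verified by SSO; None if unauthenticated
    mfa: bool = False            # multi-factor authentication completed
    device_managed: bool = False # device posture as reported by an endpoint agent
    app: str = ""                # application the request targets


def perimeter_allow(req: Request) -> bool:
    """Legacy model: anything originating inside the perimeter is trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_allow(req: Request) -> bool:
    """Zero trust: authenticate and authorize every request.
    The source address is deliberately never consulted."""
    if req.user is None or not req.mfa:      # authentication: identity plus MFA
        return False
    if not req.device_managed:               # device posture must be acceptable
        return False
    allowed = APP_POLICY.get(req.app, set()) # authorization: per-app group policy
    return bool(USER_GROUPS.get(req.user, set()) & allowed)
```

An unauthenticated request from an internal address passes the perimeter check and fails the zero trust check, while a fully authenticated request from a home network does the reverse.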

Architectures Overview

Google's Zero Trust architecture is an identity aware proxy (IAP) model. This model is also one part of the approach taken by Akamai for our own corporate security and with our Enterprise Application Access (EAA) cloud product. Akamai's zero trust architecture goes beyond just identity and application access to include:

- single sign-on with multi-factor authentication
- increasing application performance while keeping those apps hidden
- protecting end users against malware and phishing

All of this while also securing access to apps through inline data inspection, bot management, web application firewall (WAF), and advanced threat protection. You can learn more about Akamai's approach to Zero Trust Security.

Outside of the IAP model, there are two other major architectures being promoted by various vendors or developed by enterprises.

The first alternative approach to zero trust is micro-segmentation of the network. This model expands on the traditional firewall approach by using next generation firewalls (NGFWs) and slicing up the network into smaller and smaller segments, where access to applications and other resources can be controlled based on rules defined in the NGFW. Firewall vendors have tried to address micro-segmentation and Zero Trust by introducing segmentation gateways - hardware that performs various security functions within micro-perimeters.

The second alternative architecture for zero trust is the software defined perimeter (SDP). The SDP model borrows concepts from virtualization technology, and other software-defined architectures. A controller functions as a broker of trust between a client and a gateway, which can flexibly establish a transport layer security (TLS) tunnel terminating on the gateway inside the network perimeter, allowing access to applications.

An overview of each of these three architectures will be instructive to any organization working to map out their security roadmap. Stay tuned for the next three posts in this series to learn more.