This is Part 5 of a 5 part blog series.
In the first part of this blog series, we covered an overview of zero trust security architecture concepts. The main concept is that trust should never be assumed based on where a user is in a network. The idea of a user or device being trusted simply because it is inside the network goes away. Instead, every request to access a network resource must be authenticated and authorized. For more information, please read the Part 1 Introduction post.
Parts 2 through 4 describe three architectural approaches to zero trust.
This post will explain Akamai's approach, which is based on an Identity Aware Proxy (IAP) architecture in the cloud.
When Akamai first moved toward a zero trust model, we began with a network micro-segmentation approach. However, we found it complex and difficult to manage, and quickly pivoted to the IAP model. We did so in part because we already had a proxy platform of over 240,000 servers, but also because we believe the IAP is the most extensible architecture, allowing us to insert additional services, whether that is application security today or data inspection and policy enforcement tomorrow.
Much like Google's BeyondCorp model, Akamai has adopted an IAP architecture for our own corporate security. Our Enterprise Application Access (EAA) cloud product makes this architecture available to our customers as well.
Akamai's zero trust architecture goes beyond just identity and application access to include Single Sign-On with multi-factor authentication within EAA. By leveraging other products on the Akamai Intelligent Platform, we can increase application performance and security for enterprise applications while keeping those apps hidden from unauthorized users. Enterprise Threat Protector (ETP) adds protection for end users against malware and phishing, rounding out our zero trust architecture.
Akamai's Approach to Zero Trust
Akamai's approach to zero trust is unique in breadth of scale and depth of capability. Akamai's platform provides a security framework that only delivers apps and data to authenticated and authorized users, allows inline inspection and logging of traffic, prevents malware and DNS-based breaches, protects end users from phishing attacks, can identify and block bot traffic, connects to modern SaaS applications as well as legacy data center apps, seamlessly integrates with a Web Application Firewall (WAF) for advanced threat protection, and provides clientless application access while ensuring those applications are fast and reliable.
Because of the application-layer and web-based capabilities of the IAP model that EAA employs, it is possible to use Akamai's cloud security solution set to layer services, creating a zero trust framework that fits any enterprise at any stage of its digital transformation.
- Enterprise Application Access - Provide simple and secure access to applications
- Enterprise Threat Protector - Block users from accessing malicious domains/IPs
- Ion for Web Performance - Accelerate delivery of websites and mobile apps
- Kona Site Defender - Protect websites/APIs against DDoS and web application attacks
- Web Application Protector - Safeguard web assets from web application and DDoS attacks
- Bot Manager - Flexibly manage bot traffic based on the needs of your business
Akamai Zero Trust Architecture
Provide Secure Access to Applications
EAA allows enterprises to provide access to private applications over the internet, whether hosted in the cloud or in a data center, and to enforce the "need to know" principles of least privilege and zero trust. Only authenticated users and devices have access to the internal applications they are authorized to access, and no inbound firewall ports need to be opened or maintained. EAA integrates data path protection, single sign-on, identity access, application security, and management visibility and control into a single cloud-based service backed by the Akamai Intelligent Platform. It ultimately secures private enterprise applications and creates an air gap between those applications and the Internet, thus minimizing the attack surface and making the enterprise infrastructure and data invisible to the public.
EAA provides enterprises with the benefits and scalability of an IAP and isn't tied to VPN-based clients (or any clients, for most apps) or to open holes in firewalls like SDPs. Because it's a cloud-based service, there is no hardware to install. As part of a layered security approach, a micro-segmentation strategy may also be employed alongside EAA, but it can be coarser than it would need to be if micro-segmentation alone were relied on to secure the network.
From an application level perspective, along with all the other benefits of IAPs, the EAA architecture allows for a few key advantages over other zero trust solutions:
- SaaS security service in the cloud based on a massive globally distributed platform
- SaaSification of legacy data center applications and access to modern web-based apps from a single pane of glass
- Service insertion that includes traditional Akamai services - advanced threat protection, web application firewall, web performance, bot management - as well as third party value-add security services
Unlike software-defined tunnels that use point-to-point VPNs, EAA is clientless for web-based applications. All that is required is an HTML5-compliant web browser, the Akamai Intelligent Platform and a reverse proxy component (the Akamai Enterprise Connector - AEC) in the data center or IaaS (virtual private cloud). The Enterprise Connector requires no local management and has no inbound open tunnels or ports to the enterprise. It is a pre-configured, hardened virtual machine supporting most hypervisors and containers. It mutually authenticates with the Akamai Platform over TLS. For identity management, EAA integrates with any identity store such as Active Directory or a SAML IdP.
The user authenticates, using Multi-Factor Authentication (MFA) if required, through the browser over TLS with the Akamai Platform and the enterprise's identity store. Once securely authenticated, Akamai simply stitches together the user's TLS session with the Enterprise Connector's over the Akamai Platform to provide access only to the authorized applications on the enterprise network, and nothing else. Single Sign-On may also be utilized to provide seamless app access.
Enterprise applications hosted behind the firewall are now accessible to verified remote users, without exposing the entire enterprise network. This mitigates the unrestricted lateral movement across applications on the network that tunnel-based access permits.
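To make the per-request decision described above concrete, here is a small added example (not EAA's code or configuration) of an identity-aware proxy's authorization check: a signed, expiring session stands in for the authenticated browser session, and each request is allowed only if the session is valid, the target is a published application, the identity's groups are authorized for that specific application, and MFA was completed where the application requires it. The token format, the secret, the group names and the application policy are all constructed for illustration.

```python
# Added illustration of an identity-aware proxy's per-request decision. Names,
# token format and policy values are constructed here and are NOT EAA's real API.
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed; a real IAP relies on IdP-issued assertions
# Constructed policy: which groups may reach which private app, and whether MFA is required.
APP_POLICY = {
    "hr.internal":   {"groups": {"hr"},        "mfa": True},
    "wiki.internal": {"groups": {"hr", "eng"}, "mfa": False},
}

def issue_session(user, groups, mfa_done, ttl=3600, now=None):
    """Build a signed, expiring session token standing in for the post-login browser session."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "groups": sorted(groups), "mfa": mfa_done, "exp": now + ttl}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_session(token, now=None):
    """Return the session claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, binascii.Error):
        return None  # malformed token: treated exactly like having no session at all
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None

def authorize(token, app, now=None):
    """Decide one request: it must be authenticated AND authorized for this specific app."""
    claims = verify_session(token, now)
    if claims is None:
        return "deny: unauthenticated"
    policy = APP_POLICY.get(app)
    if policy is None:
        return "deny: unknown application"  # nothing outside the published app list is reachable
    if not policy["groups"] & set(claims["groups"]):
        return "deny: not authorized for application"  # no lateral movement into other apps
    if policy["mfa"] and not claims["mfa"]:
        return "deny: mfa required"
    return "allow"
```

Every path other than the final one is a denial, so an authenticated user still cannot reach an application they are not entitled to, which is the property that distinguishes this model from a network-level tunnel.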
Beyond Identity and Access
One of our key differentiators is the strength of our platform, which allows us to take a very holistic approach to zero trust and expand beyond what our competitors can bring to the table.
Protect Users from Malware, Phishing, and Command & Control Domains
While EAA protects a company's assets in the data center or in the cloud, many threats come from how users and systems access resources on the Internet. The growth of advanced persistent, and sometimes targeted, threats to the enterprise from malware and phishing attacks has been explosive.
Enterprise Threat Protector (ETP) provides an additional layer of protection from these threats using the Domain Name System (DNS). Our Cloud Security Intelligence (CSI) is based on the trillions of DNS queries we process daily, as well as the threat traffic we see on our platform. A team of threat researchers and data scientists use big data tools to develop algorithms to detect malicious domains and IP addresses. By combining Akamai's carrier-grade recursive DNS service, and our CSI, ETP provides customers with a cloud-based policy system that can block users from accessing dangerous sites. Threats are stopped earlier in the "kill chain", offloading work from downstream security measures, and detecting new zero-day threats from known malicious domains that signature-based systems can't handle.
For more info on ETP, visit here.
EAA allows for secure, easy access to enterprise applications without the need for a VPN. And while as a standalone product EAA does not inherently protect against unusually heavy traffic, integrating EAA with Ion helps customers optimize performance for remote users with poor Internet connectivity back to the applications.
Protect and Perform on Top of EAA
Integrating EAA with Kona Site Defender (KSD), Web Application Protector (WAP), or Bot Manager extends the security products that our web customers know and love into the enterprise.
Many internal data center applications have not been architected with the security that public web application developers are accustomed to including. Providing additional protection for these applications can add a great deal of value. If the customer is already using our web security products, it may be a very easy fit.
As with most security architectures, there are plenty of choices and options available when designing a zero trust network; these options do not need to be mutually exclusive. A strategy built around defense in depth, along with a layered security approach, is key to architecting scalable and secure networks built around zero trust.
Akamai has built its cloud-based zero trust model around an IAP because of the security controls and reductions in attack surface, simplicity of deployment, the value of service insertion from an application-layer approach, ease of operations and maintenance, and identity-based security.
By taking an application-centric, cloud-native approach, Akamai is able to help enterprises with their digital transformation, legacy application modernization, and cloud migration initiatives - while implementing zero trust security in a meaningful and scalable way, without sacrificing user experience or application performance.
As noted, Akamai's vision for zero trust goes beyond application access and adds secure access to Internet resources, improved application performance, and enhanced security.