Our customers are moving more workloads to the cloud. No surprise there. The siren song of agility, scale, and cost savings can't be resisted. But as we highlighted earlier, security fundamentals are key to a successful cloud migration. In fact, we also shared marketectures to successfully migrate apps to the cloud and the top best practices for securing cloud workloads. While there are plenty of areas to dive into across how temporary is the new permanent, why RTFM is always relevant, and why understanding the shared responsibility model is key to any eyes wide open cloud migration, today I am going to focus on my favorite: digital trust.
At the end of the day, the vast majority of our security decisions and models are based on defining, establishing, and validating trust. Obviously, trust has been getting a bit of coverage lately thanks to predictions from industry pundits that trust is really a vulnerability, which is why many follow the adage never trust and always verify. You gotta love Zero Trust security. We certainly do.
Recent events have highlighted how inherently assigning trust to entities in "trusted" environments can lead to all sorts of trouble. But that leaves the question, how do we establish and validate trust? Maybe it's some sort of credential, although these days, I'm not sure that is a viable strategy anymore. Haven't we all asked haveibeenpwnd and not gotten a great response? There's also plenty of Akamai threat research around credential stuffing that requires us to take notice of how we establish and validate trust.
So how do we more successfully establish trust beyond what you know?
Security fundamentals dictate that we move to include additional signals to establish trust. The candidates usually are something you have and something you are. Both are staples for additional authentication factors to continuously evaluate and establish trust. While multi-factor authentication is a no-brainer--particularly in the context of user app access--establishing and validating trust requires a deeper look at another key dimension: context. Taking into account context--in addition to what you know, have, and are--to establish trust clearly makes sense.
For example: Is this request coming from a bot or a human? Is the request malformed, coming from an IP with a bad rep or hostile location, or is this particular entity making a lot of requests? Seems like basic info, but we all know how challenging it is to create effective automated positive security models for security controls like web app firewalls. But when this type of information is augmented with a broader view of other signals such as identity, or device signals such as the presence/validity of a client certificate, or even threat protection signals (think EDR or Akamai's Enterprise Threat Protector) the resulting context becomes incredibly powerful.
Context enables you to more effectively establish and continuously validate trust; particularly trust in entities and users making access requests outside the traditional sphere of enterprise control. Because, at this point we all know, there is no inside...
That's one of the reasons we are believers in starting out with never trust, but quickly moving into always verify, based on as many security signals as possible. And that couldn't be more applicable as you move workloads to the cloud.
As workloads move outside of the enterprise's traditional sphere of control, there are obviously risks to consider. Whether using a lift and shift approach to an infrastructure as a service (IaaS) environment, or the ability to consume the required functionality as software as a service (SaaS), the question remains the same. How should security and IT teams provide access to cloud workloads without losing control and exposing them to the dangers of the public Internet?
Akamai's answer is architected to ensure that only authorized and trusted users and devices, based on a multitude of security signals, have access to cloud apps. No one can access applications directly because they are isolated from the Internet and public exposure. Our approach is designed to minimize risk and allow IT to scale finite resources to meet the demands of the business in any environment, enabling IT to stand up new apps and users in a matter of minutes. Our platform supports clientless and client-required apps, making access fast and intuitive for end users. And it reduces support calls for poor app performance, VPN connectivity issues and device incompatibilities.
To learn more about how to start out with never trust, but quickly move into always verify, based on as many security signals as possible, read our how to guide on how to secure enterprise app access in the cloud.