Zero Trust Security Model and the Slowly Boiled Frog

This month we are sharing a blog from our technology partner Akamai on the “Zero Trust” philosophy, a concept first coined by analysts at Forrester Research. Given the impact of several high-profile malware outbreaks, exploits and hacks over the past year, a key disruptor in 2018 is the re-emergence of the zero trust security model. With this approach, the IT team adopts a mindset of ‘we don’t trust anybody’: no user or device is trusted by default, and access is granted only where it has been explicitly allowed for a specific user to a specific system.

Disclaimer: No actual frogs were harmed in the writing of this blog post. We wouldn’t do that. We like frogs!

What is Zero Trust Networking?

The Zero Trust security model was proposed by John Kindervag of Forrester Research back in 2010. The concept is that the traditional trust model of “trust, but verify” is no longer valid; instead, we should “never trust, always verify”. In practice this means the network should not assume any user or device is trustworthy because of where it is connecting from. Whether “inside” or “outside” the network, users and devices must be authenticated and authorized every time they try to access any resource. Speaking of boiling, what’s with the “boiled frog”?

It’s a somewhat gruesome analogy. If you put a frog in a pot of cool water, and slowly raise the heat, it will not realize it is being boiled until it is too late.

We liken this to how management of the network perimeter slowly became more and more complex and is now increasingly ineffective. Fortunately, we are smarter than frogs. We can realize that we are in hot water and jump out of the pot!


New business initiatives and processes have created new attack surfaces, and a corporate security perimeter no longer makes sense. Applications, users, and devices are moving outside, dissolving what was once the trusted enterprise perimeter. Protection is now needed wherever the applications, data, users and devices actually are.

What’s wrong with the perimeter security model?

Once upon a time, we stored our crown jewels – the applications and data that run our businesses – in the datacenter. We surrounded our datacenter with a network for our users to access it and secured the perimeter of that network. All good.

Users wanted access to the Internet, so we added web proxy servers, but we could put security controls around those, so it was OK. We wanted to extend our perimeter to users outside the traditional network, so we created VPNs, but we could control those, so it was OK. Then we needed to sell stuff on the Internet, so we built the DMZ. More security controls were needed, but we could manage them, so that was OK. We added firewalls to provide isolation between networks, so only users on specific networks could access secured subnets. This required more and more complex firewall rules, but we could manage that too.

Users wanted to have their smartphones, so we allowed them to bring their devices to work and connect them to a guest WiFi or the corporate network. More controls were needed. Viruses and malware proliferated, so we needed anti-virus and anti-malware software, both on end-user devices and on servers. We started using the cloud (software and infrastructure and platform as a service, oh my!), and more security was required to protect our data.

We slowly poked more and more holes in our perimeter, and each time, we added more controls to keep it secure. Our beautiful, perfect network perimeter became filled with holes, complex, and ineffective at maintaining security.

We are the frog. We are in hot water. It’s time to jump out! Time to consider a Zero Trust network model.


Zero Trust in the Cloud

Akamai’s approach to Zero Trust is to expose only the applications a user is authorized to access; the user’s location is irrelevant. A user sitting at headquarters is no more trusted than one connecting from a coffee shop. The location of the application is also irrelevant: we manage access to both internal applications and cloud applications. In essence, there is no “inside” and “outside”. There are users and devices, which are not implicitly trusted. There are applications and data, which can reside anywhere.

We authenticate and authorize users in the cloud, integrating with directory services like Active Directory and LDAP and with cloud identity providers like PingOne and Okta. We reduce the attack surface of your applications: only authorized users will be able to even see them. We move access to the Akamai edge, so attacks hit our resilient cloud, not your infrastructure.
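To make the “no inside, no outside” rule concrete, here is a small policy evaluator in Python. It is an added example written for this page, not Akamai’s product code. The perimeter-style check trusts any request arriving from the corporate address range and only challenges outsiders; the Zero Trust check never looks at the source address and instead decides every request from the identity provider’s assertions (MFA, group membership), the device’s posture, and an explicit per-application allow policy, so an application a user is not authorized for is simply not visible. The address range, group names, application table and the two request scenarios are all constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed for this example: the "inside" address range that a
# perimeter model treats as trusted.
CORP_NET = ip_network("10.0.0.0/8")

# Hypothetical per-application policy: which groups may even see the app,
# and whether it demands a managed, patched device.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "managed_device": True},
    "wiki":      {"groups": {"staff"}, "managed_device": False},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset        # groups asserted by the identity provider
    mfa_verified: bool       # did the IdP complete MFA for this session?
    device_managed: bool     # enrolled in device management?
    device_patched: bool     # posture check passed?
    src_ip: str              # where the request came from
    app: str                 # application being requested


def perimeter_decision(req: AccessRequest) -> tuple[str, str]:
    """'Trust, but verify': anyone on the corporate network is trusted
    outright; only outsiders (e.g. VPN users) are challenged for MFA."""
    if ip_address(req.src_ip) in CORP_NET:
        return "allow", "source address is inside the perimeter"
    if req.mfa_verified:
        return "allow", "external user passed MFA"
    return "deny", "external user without MFA"


def zero_trust_decision(req: AccessRequest) -> tuple[str, str]:
    """'Never trust, always verify': evaluated on every request, and the
    source address is never consulted."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application: nothing is exposed by default"
    if not req.mfa_verified:
        return "deny", "identity not verified with MFA"
    if not (req.groups & policy["groups"]):
        return "deny", f"user is not authorized for {req.app}"
    if policy["managed_device"] and not (req.device_managed and req.device_patched):
        return "deny", "device posture does not meet policy"
    return "allow", "identity, authorization and device posture verified"


def visible_apps(req: AccessRequest) -> list[str]:
    """The only applications this user and device can even see."""
    return sorted(
        app for app in APP_POLICY
        if zero_trust_decision(replace(req, app=app))[0] == "allow"
    )


if __name__ == "__main__":
    # Constructed scenario 1: stolen credentials used from a desk on the LAN,
    # no MFA, and the account is not in HR. The perimeter model lets it in.
    insider = AccessRequest("mallory", frozenset({"staff"}), False,
                            True, True, "10.20.30.40", "hr-portal")
    # Constructed scenario 2: an HR employee on coffee-shop Wi-Fi with a
    # managed, patched laptop and a completed MFA challenge.
    remote_hr = AccessRequest("alice", frozenset({"staff", "hr"}), True,
                              True, True, "203.0.113.7", "hr-portal")
    for name, req in (("insider", insider), ("remote_hr", remote_hr)):
        print(name, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req))
        print(name, "can see:", visible_apps(req))
```

The point of the two scenarios is the inversion: the request the perimeter model is happiest with (on the LAN) is the one the Zero Trust check refuses, while the one it would have been nervous about (public Wi-Fi) is allowed because identity, authorization and device posture all check out. Dropping `src_ip` from the decision entirely is deliberate; if it still influenced the outcome, location would still be a proxy for trust.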

That covers access to your applications, but Akamai can also protect users who are accessing resources on the Internet. Our Cloud Security Intelligence (CSI) platform is constantly updated, tracking malicious domains, bad IP networks, and the DNS servers hosting those malicious domains. When one of your users tries to access a site that is malicious or does not meet your company’s acceptable use policy, we can block the request, alert administrators, or redirect the request to a “sinkhole” where data can be collected for further analysis.

Moving to a Zero Trust model can be intimidating, but you can phase in at the pace you want. Pick the user groups and applications you want to start with and go from there. You don’t have to rip out any infrastructure or install any new hardware. Start simply, but get started. Don’t wait in the pot; the water isn’t getting any cooler.

activereach provides a new, alternative approach to secure remote access and third-party application access. Give us a call on 0845 625 9025 to discuss how you can start your Zero Trust journey.