Insight by Akamai

Zero Trust: Securing the new perimeter

The Zero-Trust Concept

Federal information technology professionals have been living with a failed cybersecurity model. It assumes that systems can be protected by firewalls, Virtual Private Networks (VPN), and Intrusion Detection Systems (IDS). Much of this concept rests on basing security on network “topology.” In other words, if someone is inside the network, they are trusted; if they are outside the network, they are not.

This is applying horse-and-buggy technology to the modern world. Patrick Sullivan, global director of security strategy at Akamai Technologies, believes this approach can leave networks vulnerable.

“Attackers have done a great job of abusing that trust that’s been granted on the network,” he said.

The volume and size of attacks have allowed current systems to be breached. According to an article published by the Association of the United States Army, Army Lt. Gen. Alan R. Lynn described 600-gigabyte attacks carried out in ways that had not been seen before.

When a system is attacked, the malicious actor may not announce himself. He may merely move laterally. This allows him to probe for vulnerabilities inside the wall and communicate out to command-and-control systems. Sullivan indicated that this trend has shown up in breach reports.

“If you look at some of the data breach reports, those results are often somewhat depressing,” he said.

When remote workers demanded access to this “wall and moat” system, the VPN was introduced. The cryptography was impressive, and it seemed to work. From a structural perspective, however, it merely replicated the vulnerabilities of the network: once the network is breached, even the highest-quality VPN is negated. Beyond the security concerns, many VPNs funnel traffic through a VPN concentrator, which degrades performance.

Building higher walls does nothing against a Distributed Denial of Service (DDoS) attack. Dr. Tom Leighton, chief executive officer of Akamai Technologies, said the size of attacks is doubling every two years. Dr. Leighton has seen 1.3 terabyte attacks. Defending against this from inside a wall makes no sense.

The answer is not a higher wall, as malicious actors are already inside the wall. The answer is not an encrypted tunnel to a remote user, since that is just secure access to a compromised system. The answer is not another box, because the scope and scale of the attacks will not diminish.

“You need an architectural change and that’s really sort of how we think about Zero Trust,” Sullivan said.

The correct response is an architectural one. Rather than giving carte blanche to anybody inside the wall, the Zero Trust approach denies permission by default. No matter how much trust a person, or someone using that person’s stolen identity, has earned on the network, Zero Trust will not grant access on that basis. The concept of Zero Trust originated at Forrester in 2012.

This is not a “lift and shift” approach. Zero Trust should be introduced gradually, on an app-by-app and user-by-user basis.
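As an added illustration, not code from the interview or from any Akamai product, the following Python contrasts the two models described above on constructed requests. The internal address range, identities, application names, and entitlement table are assumptions; the point is that the Zero Trust decision never consults network location, so an actor already inside the wall gains nothing from that position.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the "inside the wall" address space.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Zero Trust policy: explicit (identity, application) grants, added per app and per user.
# Anything not listed is denied, regardless of where the request comes from.
ENTITLEMENTS = {
    ("alice@example.gov", "payroll"),
    ("alice@example.gov", "email"),
    ("bob@example.gov", "email"),
}

@dataclass(frozen=True)
class Request:
    identity: str  # authenticated identity presented with the request
    src_ip: str    # source address the request arrives from
    app: str       # application being accessed

def perimeter_decision(req: Request) -> bool:
    """Topology-based model: being inside the network (or on the VPN) means trusted."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> bool:
    """Default deny: only an explicit per-user, per-app grant allows access.
    The source address is deliberately not part of the decision."""
    return (req.identity, req.app) in ENTITLEMENTS

# Constructed scenario: an attacker on an internal host tries lateral movement,
# first as an unentitled account, then with Bob's stolen identity; a remote
# worker connects from outside without a VPN.
SAMPLE_REQUESTS = [
    Request("alice@example.gov", "10.20.30.40", "payroll"),    # legitimate insider
    Request("mallory@example.gov", "10.20.30.41", "email"),    # inside, no grant
    Request("bob@example.gov", "10.20.30.41", "payroll"),      # stolen identity, lateral move
    Request("alice@example.gov", "198.51.100.7", "email"),     # remote worker, no VPN
]

def compare(requests):
    """Return (perimeter_allowed, zero_trust_allowed) for each request."""
    return [(perimeter_decision(r), zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    for r, (p, z) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"{r.identity:22} {r.src_ip:14} {r.app:8} perimeter={p!s:5} zero_trust={z}")
```

Note that the stolen identity still reaches the one app it was explicitly granted; Zero Trust limits the blast radius to that grant rather than the whole network.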

An additional benefit of a Zero Trust approach is a reduced number of attacks. Attackers are human. It is easier to change the target than to change the technical tool used in the attack. Some will argue that 80 percent of attacks are highly repetitive. Once they hit a Zero Trust system, they are blocked and they move on.
