As agencies pursue a zero trust architecture for their networks, they also have the opportunity to equalize the user experience for those working in the traditional office setting and those working remotely or teleworking.
An internet and cybersecurity company has demonstrated for itself how this can happen. Akamai, known for its content delivery network, has been adding cybersecurity capabilities it acquired in buying other companies.
“We started our zero trust network access,” said Joe Henry, a senior solutions architect at Akamai. “And a little bit before the pandemic happened, and everybody was forced to work remotely, we implemented that on our systems. So within Akamai, globally, we have the same access, or the same way to access all corporate assets, either inside the Akamai network, or outside.”
The access design, Henry said, uses what he called a “central hotspot” for all employees that adjudicates network access according to each employee’s role and associated rights.
“The authentication piece of it was essential for us,” Henry said. “Myself, being a solutions engineer, I only have access to certain assets within the network. [Other parts of] engineering have a completely different access, and I don’t even see any of those assets [they] would see.”
Traditionally, people remotely logging on using a virtual private network (VPN) or virtual desktop infrastructure (VDI) have more hoops to jump through than people signing on directly to the network. The question becomes how to have zero trust for everyone without making the in-office experience as cumbersome as the remote.
Henry said the solution was a single sign-on (SSO) solution that’s fast identity online (FIDO) compliant. It sends a token to a user’s phone, asking if the user wishes to logon.
“I say ‘allow,’ and then I’m logged in and authenticated,” Henry said. “If I go to a separate system, depending on how our SSO is enabled for a particular application, I can take that same credential and use it for authenticating to, let’s say, my email.”
But access policy, as configured in Active Directory, might also cause the SSO system to challenge the user, Henry said.
He added that in implementing the more fine-grained access companywide, officials discovered so-called shadow IT, “some servers that were doing something that nobody really knew about, that some of the guys just set up,” he said. Shifting access from a geography basis to a role basis, though, more closely aligns people with their work needs and boosts security, partly by exposing hidden assets.
Segmentation and zero trust
Zero trust extends far beyond human users, Henry said. It must also cover non-human entities such as applications trying to access databases. Therefore, implementing zero trust requires a lot of detailed work up and down the network stack. Henry said his experience as a contractor on Defense Department projects showed him how network architectures must change for zero trust.
“My biggest problem was, if you start to segment your network through a firewall or through a router, there’s always the Layer 2 access.” That is, for databases and applications, “that Layer 2 access on the network plane would give them essentially back-to-back conversations,” Henry said. Access policies had to be placed at Layer 3, where traffic meets the network firewalls.
By contrast, Henry said, the emergence of micro segmentation places access policies on the server for each application and database. Essentially, “we’re loading endpoints into the servers themselves,” Henry said. “And we’re permitting what that server can talk to, on what port and what process.” That means much more granular control on what accesses what.
“That’s the point of micro segmentation,” Henry said. “You can go right down into the process and permit or deny what you want.”
Of course, with millions of microsegments constantly performing millions of processes on large, complex networks, Henry said network operators fundamentally need a map of their networks that covers both on-premises and commercial cloud assets.
Beyond a map, though, Henry said Akamai gives clients visualizations of network activity that flags anomalies.
“We’ll show our customers that, hey, this is the standard business of what your systems are doing,” he said. “If there’s any anomalies or any recommendations, we’re having our machine learning algorithms behind the scenes start to pump these out.”
He added that with digital services causing a rise in use of application programming interfaces (APIs), it’s important for zero trust plans to include APIs.
“On the [Akamai] content delivery network, we’re seeing about 85% of the hits are APIs. And that’s a huge vulnerability.”