In 2010, Forrester Research analyst John Kindervag proposed a solution he termed “Zero Trust.” 

It was a shift from the strategy of “trust but verify” to “never trust, always verify.” In the Zero Trust model, no user or device is trusted to access a resource until their identity and authorization are verified. This process applies to those normally inside a private network, like an employee on a company computer working remotely from home or on their mobile device while at a conference across the world. It also applies to every person or device outside of that network. It makes no difference if you have accessed the network before or how many times — your identity is not trusted until verified again and again. The idea is that you should assume every machine, user, and server to be untrusted until proven otherwise.

Historically, a castle-and-moat approach to security seemed workable — the idea of a network perimeter where everyone outside the network — or moat — was “bad” and everyone inside was “good” once prevailed. But just as castles and moats are a thing of the past, so should be the castle-and-moat approach to security. Just think about the current state of remote work. Today’s workforce and workplace have changed — when, how, and where people do their work have moved beyond the four walls of an office. With the rise of the cloud, the network perimeter no longer exists in the way it used to. Users and applications are just as likely to be outside of the moat as they are inside. And that introduces weaknesses in the perimeter that malicious actors can exploit. Once inside the moat, they are free to move around, accessing resources and high-value assets, like customer data (or the crown jewels!) — or launching a ransomware attack.

Imagine the Zero Trust model like an extremely vigilant security guard — methodically and repeatedly checking your credentials before allowing you access to the office building where you work, even if they recognize you — then duplicating that process to verify your identity over and over. 

The Zero Trust model relies on strong authentication and authorization for every device and person before any access or data transfer takes place on a private network, no matter if they are inside or outside that network perimeter. The process also combines analytics, filtering, and logging to verify behavior and to continually watch for signals of compromise. If a user or device shows signs of acting differently than before, it is taken note of and monitored as a possible threat. For example, Marcus at Acme Co. typically logs in from Columbus, Ohio, in the United States, but today, he’s attempting to access Acme’s intranet from Berlin, Germany. Even though Marcus’ username and password were entered correctly, a Zero Trust approach would recognize the anomaly in Marcus’ behavior and take action, such as serving Marcus another authentication challenge to verify his identity. 

This basic shift in approach defeats many common security threats. Attackers can no longer spend time taking advantage of weaknesses in the perimeter, and then exploiting sensitive data and applications because they made it inside the moat. Now there is no moat. There are just applications and users, each of which must mutually authenticate, and verify authorization before access can occur. Mutual authentication takes place when two parties authenticate each other at the same time, such as a user with a login and password, and an application they are connecting with through a digital certificate.

The Zero Trust security model of today has expanded. There are many implementations of its principles, including Zero Trust architecture (ZTA), Zero Trust Network Access (ZTNA), and Zero Trust Edge (ZTE). Zero Trust security is also sometimes referred to as “perimeterless security.”

Don’t think of Zero Trust as one discrete technology. Rather, a Zero Trust architecture uses a variety of different technologies and principles to address common security challenges through preventive techniques. These components are designed to provide advanced threat protection as the boundaries between work and home disappear, and an increasingly distributed remote workforce becomes the norm.

• Control network flows between all assets
• Verify identity and grant access to the cloud
• Authentication and authorization, including multi-factor authentication (MFA)
• Application access vs. access to the entire network
• Least-privilege user access to all applications (IaaS, SaaS, and on-premises)
• VPN elimination
• Service insertion
• Security at the edge
• Improved application performance
• Improved security posture against advanced threats

A Zero Trust architecture works seamlessly for users, helps protect against cyberattacks, and simplifies infrastructure requirements. Different components of Zero Trust architecture can:

IT teams need to ensure that users and devices can safely connect to the internet, regardless of where they are connecting from, without the complexity associated with legacy approaches. They also need to proactively identify, block, and mitigate targeted threats such as malware, ransomware, phishing, DNS data exfiltration, and advanced zero-day attacks for users. Zero Trust security can improve security postures while reducing the risk of malware.

Traditional access technologies, like VPN, rely on antiquated trust principles, and are particularly vulnerable through compromised user credentials that have led to breaches. IT needs to rethink its access model and technologies to ensure the business is secure, while still enabling fast and simple access for all users, including third-party users. Zero Trust security can reduce risk and complexity, while delivering a consistent user experience.

Enterprise access and security is complex and constantly changing. Making changes with traditional enterprise technologies often takes days (and often across many hardware and software components) using valuable resources. A Zero Trust security model can reduce architectural complexity.

In summary, the modern workforce is becoming increasingly mobile, accessing applications from multiple devices outside of the business perimeter. In the past, many enterprises adopted a “verify, then trust” model — which meant if someone had the correct user credentials, they were admitted to whichever site, app, or device they were requesting. This resulted in an increased risk of exposure, dissolving what was once the trusted enterprise zone of control and leaving many organizations exposed to data breaches, malware, and ransomware attacks. Protection is now needed within specific digital infrastructures where applications and data, and users and devices, are located.

• Users, devices, applications, and data are moving outside of the enterprise perimeter and zone of control, away from traditional data centers
• New business requirements driven by digital transformation increase risk exposure
• “Trust but verify” is no longer an option, as targeted advanced threats are moving inside the corporate perimeter
• Traditional perimeters are complex, increase risk, and are no longer compatible with today’s business models
• To be competitive, businesses need a Zero Trust network architecture able to protect enterprise data, wherever users and devices are, while ensuring that applications work quickly and seamlessly

Akamai’s cloud security services can be combined to build a complete Zero Trust solution that best suits your specific business needs. By enabling safe application access in a cloud-native world, internal corporate networks can become a thing of the past.

Using our advanced distributed ZTNA solution, along with the power of the over 20-year-strong global Akamai Intelligent Edge Platform, you can easily move to a perimeterless world, phasing in applications, protecting your business, and enabling growth.

Akamai MFA prevents employee account takeover and data breaches, and provides unrivaled security. Security is provided by end-to-end cryptography and a sealed challenge/response flow. This method makes the authentication process unphishable and confidential.

A Blueprint for Zero Trust Security Architecture

How-To Guide: Zero Trust Security Transformation