In 2020, millions of people around the world went to work remotely and, just like that, the structure of employment changed radically. Then, in 2021, cyberattacks also hit an inflection point, proving they are now a type of sophisticated, organized crime able to extort billions of dollars worldwide. These seismic shifts forced cybersecurity to adapt—quickly.
But not all companies have been able to adapt to the best-practice cybersecurity that is now required to remain secure. While many in our industry see Zero Trust as the best approach for both threat protection and mitigation, there has been no shortage of confusion about what Zero Trust is and what it requires. This confusion is also hindering the needed response to these shifts. Let’s start by clearing up that confusion.
What is Zero Trust?
If I could, I would rename Zero Trust. It sounds like a punishment, as if “we used to trust you, workers and customers, but now we don’t, and we never will.” What might actually be a more accurate name is One-to-One security access, because it requires an organization to move away from a network-based access model to an endpoint-based access model. This model enforces tight access control for all endpoints, whether it’s a human with a device, a nonhuman thing, or an application.
With One-to-One security (or Zero Trust, if you insist) “trust” actually plays no part. It’s not necessary. Like the movie Groundhog Day, every connection is a new connection. Each attempted access is tightly controlled against policies that grant the minimum access necessary (least privilege—also too punitive-sounding, but much better).
The result: Your workforce and your customers can work more securely from anywhere. They are much less likely to have their device infected with malware, and if that does happen, then the malware is much less likely to propagate to where it can do harm. Even better, they can work with the additional confidence of knowing that every access is protected, regardless of where they are located or where the requested application or device is located.
No such thing as a secure network, only secure connections
Talking about a secure network is like talking about a safe pool. No pool is intrinsically safe. And neither is any network. Like the water in a pool, the fabric that a company’s data travels in is only as safe as the policies and “lifeguards” that protect it. Think of it this way: You wouldn’t let a kid into a pool without supervision. Likewise, One-to-One or Zero Trust security supervises all connections based on knowing the identity of the endpoints and the policies that govern access. This one-to-one match is what ensures security for everyone.
Before I go on, I’d like to clarify a particularly confusing part of the Zero Trust conversation: Zero Trust Network Access, or ZTNA, an oxymoron that I’ve written about in detail. I’ve even seen ZTNA referred to as “extending the Zero Trust model beyond the network.” In my view, this is an impossible claim, because Zero Trust doesn’t work within a network whatsoever. The whole point of Zero Trust is that it ultimately replaces the network access approach altogether.
Of course, the network will still be operating. Connections will still travel on it, but they will have a strict route that takes them exactly to the applications they use. There is no way to wander off course. In fact, there is no way to even see the scenery along the way.
Apply Zero Trust to servers, too
One-to-One security must also be applied to servers and applications. Applying strict rules to communication between servers and applications effectively shuts down east-west movement that is not explicitly authorized, which stops cyberattacks from spreading and doing greater harm. We acquired Guardicore last year, with its award-winning microsegmentation solution, to complete our Zero Trust offering and create a powerful solution to protect against ransomware.
You’ll still have your network, the fabric you need to move data, but its vulnerability to breaches and to the movement of malware inside will be significantly reduced. Moreover, the evolution of this security posture is capable of incredibly granular rules, laying the groundwork for the further convergence of customer experiences and the data that creates them.
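To make the per-connection, default-deny model described above concrete, here is an added example (not Akamai's code or product behavior) that evaluates each connection on its own against an explicit allow list, covering both user-to-application access and server-to-server traffic. The identity names, ports, policy entries and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source: str          # authenticated identity (user or workload), not an IP range
    destination: str     # the one application or service this identity may reach
    port: int
    require_mfa: bool = False

@dataclass(frozen=True)
class Connection:
    source: str
    destination: str
    port: int
    mfa_verified: bool = False

# Constructed policy: every permitted pairing is listed explicitly.
POLICY = [
    Rule("user:alice", "app:payroll", 443, require_mfa=True),
    Rule("svc:web-frontend", "svc:order-api", 8443),
    Rule("svc:order-api", "svc:orders-db", 5432),
]

def evaluate(conn, policy=POLICY):
    """Decide one connection on its own; nothing is remembered between calls."""
    for rule in policy:
        if (rule.source, rule.destination, rule.port) != (
                conn.source, conn.destination, conn.port):
            continue
        if rule.require_mfa and not conn.mfa_verified:
            return False, "rule requires MFA"
        return True, "explicitly authorized"
    return False, "no explicit rule (default deny)"

def denied(flows, policy=POLICY):
    """Return (connection, reason) for every flow the policy refuses."""
    results = [(c, evaluate(c, policy)) for c in flows]
    return [(c, reason) for c, (ok, reason) in results if not ok]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Connection("user:alice", "app:payroll", 443, mfa_verified=True),
    Connection("user:alice", "app:payroll", 443),                # no MFA this time
    Connection("svc:web-frontend", "svc:order-api", 8443),
    Connection("svc:web-frontend", "svc:orders-db", 5432),       # east-west, not listed
    Connection("user:alice", "svc:orders-db", 5432, mfa_verified=True),
]

if __name__ == "__main__":
    for conn, reason in denied(SAMPLE_FLOWS):
        print(f"DENY {conn.source} -> {conn.destination}:{conn.port} ({reason})")
```

The web front end can reach the order API but not the database behind it, even though both sit on the same network, and an earlier approved connection gives the next attempt no standing.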
Five steps to a (much) stronger cybersecurity posture
Zero Trust—or One-to-One secure connectivity—doesn’t happen all at once, obviously. And many organizations don’t know where to start. Here’s one way: start with multi-factor authentication (MFA), ideally without passwords. If this is the first step your organization is looking to take, I have five tips for making this a very strong first step in your transformational journey to Zero Trust. (And if you happen to be a federal agency, taking these steps will satisfy the requirements of the Biden Administration’s Executive Order for improving the government’s cybersecurity posture.)
- Start with a quick win
Migrating all systems and applications to MFA immediately is, frankly, impractical. So begin your journey with a quick and impactful win, such as implementing MFA for your single sign-on (SSO). It’s likely you already have many applications behind the SSO, so this point of integration adds MFA to all of those applications in one step. Taking this action also allows your teams to get familiar with implementing your chosen MFA solution, and it allows your end users to get into the habit of using it.
- Prioritize other MFA integrations
Once you have a quick win under your belt, evaluate your environment and prioritize the remaining necessary MFA integrations by their level of impact – either by volume of applications and systems protected or by criticality to your organization. This prioritization exercise will help you break your migration into manageable increments and ensure your most valuable assets are protected first.
A strong contender for many organizations will be MFA integration for your virtual private network (VPN), since many attacks start by exploiting weak VPN authentication. Better yet, consider replacing your VPN with a Zero Trust Access solution, if possible.
- Leverage FIDO2 with mobile devices
If you can use mobile devices for MFA instead of physical tokens, MFA implementation and enrollment are greatly simplified. Everybody already has a mobile device, so by using these devices, you avoid the headache of rolling out and maintaining physical tokens. Moreover, push-based MFA for mobile devices is incredibly easy to use – your users will be delighted – and modern solutions make it very easy for users to enroll their devices, so almost no effort is needed from your help desk.
As long as your MFA solutions leverage the newer FIDO2 MFA security technology, you will both improve your security defenses and provide greater convenience to users with frictionless mobile push notifications. Of course, in some cases, physical tokens may be a necessity. In those cases, it’s important to have an MFA solution that is flexible enough to adapt to your organization’s requirements.
- Piggyback MFA on other cyber initiatives
As with any IT or security initiative, there is no success without end-user awareness and adoption. To help speed up adoption, we recommend combining an MFA rollout with other cybersecurity training or awareness campaigns whenever possible. By introducing (and then reminding) your employees about how to use MFA and explaining its role in a broader Zero Trust architecture as part of your regular cadence of training, you help prevent training fatigue and integrate MFA into the day-to-day technology landscape.
- Invest in a strong identity solution
I’d be remiss if I didn’t mention the importance of your other identity and access management (IAM) systems, such as identity management (IdM). These systems provide the framework to link authenticated users with the policies that control what they are able to access. Focus on your IdM solution, either in parallel with your MFA implementation or shortly thereafter. Why? Because strong identity and access management with FIDO2-based MFA is the foundational technology upon which additional security technologies can be most effective.
No matter your industry, these steps apply and move you significantly towards a true One-to-One, or Zero Trust, approach to security.
As Executive Vice President and Chief Technology Officer at Akamai, Dr. Robert Blumofe guides technology strategy and catalyzes innovation within the company. Previously, he led Akamai’s Platform Organization and Enterprise Division, overseeing the development and operation of the distributed system underlying all Akamai products and services as well as the creation of new solutions that secure and improve performance for major enterprises.