How Akamai implemented a zero-trust model

An effort that was triggered by a nation-state attack nine years ago has fundamentally transformed how people and devices access apps and services, limiting damage from lateral movement.

A nation-state-sponsored cyberattack on Akamai in 2010 triggered an initiative at the company that nine years later has resulted in an application access model very different from that employed by a majority of large organizations. At its core is a design that separates application access from network access. In the past, access to Akamai's network, like at many organizations, pretty much provided a user with access to almost everything on it. These days there's no network at all, at least in the conventional sense.

Users access applications and services at Akamai on a case-by-case basis via a web interface after they—and the devices used for access—have been fully authenticated and authorized. Broad network-level permissions have been replaced with a narrowly tailored zero-trust model where every application access request is verified and vetted. No applications are visible from the internet and therefore cannot be directly accessed from it. There is no VPN access either.

The model is designed to limit the damage that attackers can cause if they do manage to gain access to a user account at Akamai. In innumerable recent incidents at other organizations, threat actors using a single entry point have quickly broadened their presence on a compromised network by hopping from one system to another. In Akamai's model, an attacker with access to a user's account would only have access to the specific tools and services available to that particular user and nothing else.

Andy Ellis, Akamai's CSO and one of the architects of the design, describes the zero-trust access model as operating very differently from the usual approach of automatically trusting users on the corporate network or those coming in via VPN. "We no longer give someone access privilege because of location," he says. Where you are has no impact on how you gain access to an application or service. For application access purposes, a user located in an Akamai facility is treated the same way as someone attempting to access an application or service from a remote location.
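The access model described above, contrasted with the location-based perimeter model it replaced, as an added illustration that is not Akamai's code or any real product: a per-request gate that requires an authenticated user, an authenticated device and an explicit entitlement to the specific application, and that deliberately ignores where the request comes from. The directory data, device list and application names are constructed for the example.

```python
"""Illustrative zero-trust application access gate (constructed example)."""
from dataclasses import dataclass

# Constructed directory data: per-user application entitlements and the set
# of devices that have passed device authentication. None of this is real.
ENTITLEMENTS = {
    "alice": {"wiki", "ticketing"},
    "bob": {"wiki"},
}
AUTHENTICATED_DEVICES = {"laptop-alice-01", "laptop-bob-07"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_authenticated: bool   # strong user authentication succeeded
    device_id: str
    app: str
    source_network: str        # recorded for audit only; never a policy input


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anyone already on the corporate LAN or VPN is trusted."""
    return req.source_network in {"corp-lan", "vpn"}


def zero_trust_decision(req: AccessRequest) -> bool:
    """Per-request check: authenticated user, authenticated device and an
    explicit entitlement to this one app. Location is intentionally unused."""
    if not req.user_authenticated:
        return False
    if req.device_id not in AUTHENTICATED_DEVICES:
        return False
    return req.app in ENTITLEMENTS.get(req.user, set())


def reachable_apps(user: str, device_id: str) -> set:
    """Upper bound on what a compromised account on this device can reach:
    only the apps that user is entitled to, regardless of network position."""
    return {
        app for app in ENTITLEMENTS.get(user, set())
        if zero_trust_decision(AccessRequest(user, True, device_id, app, "internet"))
    }
```

The perimeter model admits an on-network user to an app they were never entitled to, while the zero-trust gate admits an authenticated user on an authenticated device from the internet and still confines a stolen account to its own entitlements.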

Cyberattack spurs change to zero-trust model
