Thursday, June 30, 2022

Akamai CTO: Biggest Zero-Trust Misconceptions

Zero trust has become one of cybersecurity’s biggest and favorite buzzwords, but there are still some myths around the term. Akamai Technologies’ CTO and EVP Robert Blumofe listed three of the most common misconceptions surrounding zero trust.

First misconception: zero trust means that your company doesn’t trust you.

The term “zero trust” can stir up some negative feelings, and Blumofe has never been very fond of it. The term itself means “you don’t trust anything,” and employees may wonder whether adopting the zero-trust model means the company doesn’t trust them anymore.

“I don’t think of it that way at all,” Blumofe told SDxCentral. “It simply means that the company is trying to apply protections to protect me and protect the company and protect the company’s data, mostly from innocent errors” which can cause serious harm to the company.

And it also means people should recognize “there’s no such thing as a secure network, so all enterprise traffic has to be inspected and controlled,” he added. “What you need to do is to identify all of the endpoints and then control all of the communication between your endpoints.”

Second misconception: zero trust is complex.

Blumofe explained that zero trust is a simple protection model based on two key fundamentals — focusing on the principle of least privilege and strongly identifying all users and devices. To accelerate the path to a zero-trust security posture, security and accessibility are both priorities, he added. Organizations can start their zero-trust journey with “two cornerstone technologies” — zero-trust network access (ZTNA) and microsegmentation.
“The zero-trust network access is what controls your north-south traffic, and the microsegmentation is what controls your east-west traffic, and it’s my view that you need to control all traffic,” he said.

Plus, they also need other components such as identifying endpoints, single sign-on (SSO), multi-factor authentication (MFA), and identity and access management, which will help organizations to make a policy decision on whether or not the access is allowed, Blumofe added.

Third misconception: zero trust is only necessary for remote access and the traditional corporate network is still secure.

All access should be treated as remote access including the ones in the office, Blumofe argues. “It’s my belief that employees [and/or] users should never ever be on the same network as your applications. There should not be a corporate network.”

“The office really should be thought of as a private coffee shop with great WiFi,” he added. “I’m never on the same network as the applications so I can only ever access the applications through the remote-access mechanism.”

In this model, zero-trust access architecture can help ensure all access is managed and secured.

“Zero-trust network access is an oxymoron,” Blumofe said. “The whole point of zero trust is don’t access the network – because networks are inherently unsafe, instead, access applications.”

Palo Alto Networks recently called on the cybersecurity industry to make the shift to next-generation ZTNA, claiming that traditional ZTNA products have “critical limitations” including providing too much access, “allow and ignore,” and little to no visibility or control over data, according to its founder and CTO Nir Zuk.
“It’s a fair criticism because I think there are vendors out there that are selling the 1.0 version because they don’t have those critical capabilities,” Blumofe said, adding that Akamai’s zero-trust access service offers those capabilities “from very early on.”

There has been a lot of buzz around the term zero trust and it’s “nebulous,” Blumofe pointed out. “Just by its nature, it doesn’t really tell you what it is, so I do think there has been a fair amount of confusion and maybe concern that it’s just a lot of hype.”

However, this might be because the zero-trust model is not well-implemented. If organizations adopt all the components mentioned above, zero trust “is your best defense against ransomware.”

“Ransomware is the face of cybercrime going forward. It’s not one of many different types of attacks,” Blumofe argues. It will be the dominant model for cybercrime going forward because it’s repeatable and cybercriminals run it “as a scalable, profitable criminal business enterprise.”
