How Akamai implemented a zero-trust model

A nation state-sponsored cyberattack on Akamai in 2010 triggered an initiative at the company that nine years later has resulted in an application access model very different from that employed by a majority of large organizations. At its core is a design that separates application access from network access. In the past, access to Akamai’s network, like at many organizations, pretty much provided a user with access to almost everything on it. These days there’s no network at all, at least in the conventional sense.

Users access applications and services at Akamai on a case-by-case basis via a web interface after they—and the devices used for access—have been fully authenticated and authorized. Broad network-level permissions have been replaced with a narrowly tailored zero-trust model where every application access request is verified and vetted. No applications are visible from the internet and therefore cannot be directly accessed from it. There is no VPN access either.

The model is designed to limit the damage that attackers can cause if they do manage to gain access to a user account at Akamai. In innumerable recent incidents at other organizations, threat actors using a single entry point have quickly broadened their presence on a compromised network by hopping from one system to another. In Akamai’s model, an attacker with access to a user’s account would only have access to the specific tools and services available to that particular user and nothing else.

Andy Ellis, Akamai’s CSO and one of the architects of the design describes the zero-trust access model as operating very differently from the usual approach of automatically trusting users on the corporate network or those coming in via VPN. “We no longer give someone access privilege because of location,” he says. Where you are has no impact on how you gain access to an application or service. For application access purposes, a user located in an Akamai facility is treated the same way as someone attempting to access an application or service from a remote location.

Cyberattack spurs change to zero-trust model

Akamai’s effort to implement a new application access model was spawned from an attack nine years ago in which a threat actor compromised a domain administrator account and used that to move laterally across the company’s network in search of a targeted system. The attack was later identified as being part of a broader cyber espionage campaign dubbed Operation Aurora that was sponsored by the Chinese government. Akamai was one of several major U.S. companies targeted in the campaign. Others included Google, Yahoo and Dow Chemical.

In Akamai’s case the attack did little damage, but it exposed what Ellis describes as the Twinkie-like nature of Akamai’s defenses—seemingly tough on the outside but soft and mushy on the inside.

In the immediate aftermath of the attack, the focus at Akamai was on securing domain administrator accounts and accounts of others with high privilege accounts to ensure they couldn’t be abused in the same manner.  Later, the focus shifted to applying Akamai’s content distribution network service to internal apps and using 802.1x certificates for authenticating users to them. The idea was to get rid of the corporate VPN and make internal apps available over the web from anywhere to those who could demonstrate they had the right credentials to access them.

The real breakthrough happened when Ellis and his team discovered technology from a company called SoHa that offered Akamai a way to let users securely access apps from anywhere via a browser and without a VPN. SoHa’s technology sat behind the firewall in front of application servers and acted as a secure connector between users and the apps they wanted to access. Initially, Akamai used the technology to connect outside contractors to internal apps without giving the contractors any sort of network access.

The technology worked so well that Akamai decided to apply the same approach for controlling app access enterprise wide. “It was the missing piece we needed,” Ellis says. “We loved the product so much we bought the company.”

A new application access model

SoHa’s technology is currently a central part of the Enterprise Application Access service that Akamai has deployed for app access. Users that need access to an application connect to the single sign-on (SSO) service on the company’s content delivery network via a URL, enter their access credentials and are authenticated.

Enterprise Application Access connectors based on SoHa’s technology sit behind Akamai’s firewalls, validate the credentials and serve as bridging proxies connecting users to the application they want to access. The application access service and connectors enforce role-based authorization policies when granting access to applications.

Users access applications via outbound only Transport Layer Security (TLS) connections from the application access connectors. Instead of directly making calls from the content delivery network (CDN) to an application, the application makes a call to the connector, thereby eliminating the need to poke a hole through the firewall for each application access, Ellis says.

“What it is doing is buying me two things,” Ellis says. Since everything comes in via the web, the new access model has effectively removed end user devices from the corporate network and made lateral movement much harder for attackers. “Now that I have kicked the users off, nobody is talking to apps on random ports anymore,” he says. “When we think about the overall zero-trust model, where the users are removed from the corporate network, you’re really eliminating all lateral movement between users and servers.”

Someone with authorized access to an app can potentially still infect it with malware, which is why it is necessary to embed a web application firewall into the access proxy, he says. “But malware isn’t going to be able to move across infrastructure ports from clients to servers.”

What zero trust really means

Akamai Executive Vice President Robert Blumofe, who has been associated with the enterprise access project from the beginning, says a zero-trust model is not about users being untrustworthy. Rather it is about strongly authenticating, authorizing and inspecting all traffic flow at all times to ensure malware and attacks don’t sneak in accidentally or maliciously. “The epiphany is, you don’t want anybody to have network access,” Blumofe notes.

Any human who can route network traffic to an application can cause damage, so the goal should be to eliminate that access. Keeping users off your network means they can’t route packets to your applications, they can’t ping them and can’t even see the apps in the first place. “You want to give them access to applications, but never to the network,” Blumofe says.

The effort now is to eventually get to a place where the corporate LAN becomes a thing of the past—or where its footprint is reduced substantially. Blumofe says the goal is at some point to get rid of the network perimeter entirely and make Akamai facilities sort of public access points that are cheaper and simpler to manage.

Moving to zero trust takes time

Implementing a zero-trust model can take time, Ellis says. At Akamai, it has taken nine years so far, and when the work began it wasn’t even about zero trust. Much of the early work was around stronger authentication in general and about how to deal with administrator passwords and accounts so a single error or misuse wouldn’t result in catastrophic consequences.

Akamai implemented some measures that helped enable today’s zero-trust model for application access. The decision to roll out an SSO platform, for instance, was a big one. Without that, Ellis believes it would have been really hard to gain any scalability with a zero-trust approach. The bridging proxy, too, was fundamental to Akamai’s ability to securely connect users to applications. The third factor was implementing ongoing monitoring of the proxy bridge.

The last and ongoing effort is a push for micro-segmentation to ensure that things that shouldn’t be communicating with each other or need not be communicating with each other are properly segregated. Akamai has already achieved a big part of it by ensuring that users communicate with apps only over the proxy bridge, thereby removing them from the network. The harder part is to see if it can do the same sort of segmentation with machine-to-machine communication.

Organizations looking to implement a similar approach must be prepared for a long-term effort and likely some mistakes along the way, Ellis says. For instance, Akamai’s decision to use 802.1x certificates on the corporate network was not the wisest move, he notes. “This is a transition that will provide benefits,” Ellis says. “But this is not a three-month transition. It really is a multi-year change.”