Advancing Federal Cybersecurity With Zero Trust Principles

Zero Trust is a security framework that operates on the following principle: never trust, always verify. It calls for stricter security controls between users and systems and never allows access by default. By implementing this security strategy — one that addresses the complexities and challenges of modern threats — an organization can strengthen its security posture.

In a conversation with journalist Tom Temin on the Federal Drive podcast, Akamai senior solutions engineer Joe Henry explained that Zero Trust is not just a technology or a product. Instead, it requires a comprehensive approach to securing digital interactions. Read on to gain more insights from the conversation — and to learn strategies for defending against modern cyberthreats.

The shift from the traditional “castle-and-moat” security approach to a Zero Trust strategy marks a significant move for federal agencies. 

This new paradigm emphasizes continuous authentication for those requesting access to information systems and rejects the assumption of trust inside or outside the network. It’s a fundamental change necessary for the Department of Defense (DOD) and other federal agencies to ensure data protection and meet modern security demands posed by increasingly sophisticated cyberthreats, an evolving digital landscape, the migration to cloud services, and hybrid work environments. 

Federal agencies and their cybersecurity providers are at a crossroads, striving to balance the demand for rapid, convenient, and personalized services against legacy systems, budgetary constraints, and an escalating landscape of cyberthreats. The move toward Zero Trust is fraught with challenges, from modernizing outdated infrastructures to safeguarding against sophisticated cyberattacks while adhering to evolving architectural mandates.

So, where should federal agencies begin?

For agencies beginning their Zero Trust initiatives, a secure internet access management solution like Akamai Enterprise Application Access can help provide a first layer of protection and proactively block malicious requests and content by inspecting user web requests. 

According to Joe Henry, agencies must consider their expanding hybrid workforces and offer the same user experience for remote employees as those in the office. Under a Zero Trust security model, agencies continually verify each user access request, regardless of location or previous access decisions.  

This was one of the first steps Akamai took in its own Zero Trust journey. “We’re a security company,” Joe Henry remarked. ”We saw the need for something a little more stringent to confirm user identity before allowing access to assets within the network. So, we started our Zero Trust Network Access.” 

By implementing adaptive, identity-based access control, agencies can enforce least privilege access, meaning employees have secure access to only the resources necessary for their specific roles and responsibilities. This way, federal agencies can take a Zero Trust approach to access controls that match employee work needs.

To help organizations build a Zero Trust network security architecture, the Cybersecurity and Infrastructure Security Agency (CISA) created a roadmap known as CISA’s Zero Trust Maturity Model Version 2.0. The model calls for “distributed microperimeters with just-in-time and just-enough access controls” as an optimal capability for mature Zero Trust architectures. 

Akamai Guardicore Segmentation provides visibility into network behaviors, AI-recommended policy controls, and automated enforcement to help agencies navigate the complexities of implementing segmentation across distributed, dynamic environments.                

Software-defined microsegmentation establishes secure microperimeters within an agency’s environment. This reduces attack surfaces from expanding endpoints and creates a “ring-fence” to isolate sensitive mission apps and data and block attackers from moving around agency networks.

However, given the complexity and scale of agency environments, network operators first need visibility into their on-premises and cloud assets. Akamai’s comprehensive mapping provides just that and more, visualizing network activities and flagging anomalies so agencies can understand how their network behaves in real time. 

By using these insights and Akamai’s AI-recommended segmentation security policies, agencies can implement granular network controls much faster. “That’s the point of microsegmentation,” Henry pointed out. “You can go right down into the process and permit or deny what you want.”

By layering solutions like Akamai Guardicore Segmentation and Akamai Enterprise Application Access to secure individual workloads, agencies can create a solid foundation for a Zero Trust ecosystem — reducing attack surfaces and ensuring that only authorized employees and devices can access specific applications and data.

Since Zero Trust is a journey, Akamai continually builds new technologies that match evolving security needs. 

According to Joe Henry, one current focus area is apps and APIs. Up to 85% of the hits to Akamai’s global edge platform come from APIs, which can introduce new unseen vulnerabilities. Akamai App & API Protector provides a broad set of advanced protections that start with automated, Zero Trust discovery and inspection of all APIs to find and block vulnerabilities now buried in API calls.