See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/335101542

Zero Trust Network Security Model

Experiment Findings · August 2019

1 author: Avvari Raviraja, Lovely Professional University

All content following this page was uploaded by Avvari Raviraja on 10 August 2019.


8 Steps To Zero Trust: A Comprehensive and Achievable Roadmap

As applications, users, and devices evolve, dissolving what was once the trusted
enterprise perimeter, many businesses are turning to a zero trust security model
to secure against attacks.

Use this step-by-step guide from Akamai’s CTO, Charlie Gero, to build an inclusive
and concrete zero trust architecture, intended to help enable safe application access
in a cloud-native world. Easily transition to a perimeter-less environment with this
prescriptive process, phasing applications in one at a time and
reducing your migration risk profile.

1. Application Precheck Stage

First, check to make sure the application meets the requirements of the
access proxy you have deployed. Read more about pre-staging assumptions
and necessary prerequisites in this white paper authored by Charlie Gero.

2. Access Proxy Preparation Stage

Next, configure your access proxy to be aware of the application as well as its
specific security and access rights. Consider the environment in which this will
be configured, cloud versus on-premises, and how it will be pushed to
your end users.

3. Test Lab Enrollment Stage

Now you can begin onboarding users. We recommend that a designated Test Lab
group be established beforehand; these users will be the first responsible
for verifying the functional integrity of the application. At this time, Test Lab
members should confirm that authentication is working correctly, multi-factor
authentication is appropriately configured, and single sign-on works across
all other previously onboarded applications. For more information about user
grouping methodology, see the white paper.

4. Security Upgrade Stage

Once Test Lab users are safely able to access the application, you should
consider enabling advanced security features that are hard to apply uniformly
in the traditional perimeter model, because every request now passes through
the access proxy. We recommend:
• Web application firewall (WAF) for SQL injection, cross-site scripting,
and common injection attacks
• Advanced threat protection
• Browser and operating system governance
• Restrictions for unmanaged versus managed devices
• Geoblocking and IP-based limitations
Regardless of the features you enable, Test Lab members should ensure that
the security options are not only working, but also are not inhibiting the
functional correctness of the application. Where a feature supports it, run it in
detect-only mode first and review what it would have blocked before switching
to enforcement, so that false positives surface in the Test Lab rather than in
production.

5. Performance Upgrade Stage

You should now examine performance, since routing every request through the
access proxy can add latency. In traditional access and security models,
enterprises are often limited in performance by the robustness of the
application server and the enterprise's associated links between branch
locations. Features we recommend to mitigate these issues include:
• Caching
• Utilizing a content delivery network (CDN)
• Route optimization
• Forward error correction (FEC)
• Packet replication
In any event, we recommend performance instrumentation at this phase as well
as prior to application enrollment, so that you have a baseline against which to
accurately assess the performance gains.

6. External User Enrollment Stage

Next, roll the application out to external users; for this group, moving to
proxy-based access means VPN removal. External users are also most often
affected by performance issues and are in the most hostile environments: their
very location puts your applications and data at risk. While the transition
should be nearly invisible, aside from increased performance, we recommend
advance notification to users so that they can keep a close eye on functional
correctness. For more information about user grouping methodology, read
the white paper.

7. Internal User Enrollment Stage

At this point, you can add the application's hostname as a CNAME (Canonical
Name) entry pointing at the access proxy in the common DNS view, the one all
users resolve against. All users should then immediately begin accessing this
application via the access proxy. Through the prior six stages, any errors or
misconfigurations should have been discovered and remedied; all users should
now be enjoying the benefits of easier, faster, and safer access. For more
information about user grouping methodology, see the white paper.

8. VLAN Migration Stage

After an appropriate amount of time has passed, you can shift the application
into the walled-off VLAN. Until this occurs, the application server itself is still
reachable directly through its IP address, and thus exposed to malware already
inside your network perimeter. This final stage removes all direct IP access,
effectively walling the application off from anything but the access proxy itself.
Verify the cut-over from a host outside the proxy's address range: a connection
attempt to the server's IP should now fail, while access through the proxy
continues to succeed. For a guide to post-staging operations, read the full
white paper, Moving Beyond Perimeter Security.
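The stages above describe a policy that the access proxy enforces and that changes as enrollment widens: only the Test Lab at stage 3, external users at stage 6, everyone at stage 7, with the stage-4 controls (MFA, managed-device restriction, geoblocking, source-IP limits) layered on, and the origin refusing anything but the proxy at stage 8. The following Python is an added example of such a policy evaluator and origin check; it is not Akamai's code and not the policy language of any product. The phase names, group names, country code, address ranges and sample requests are all assumptions constructed for the example.

```python
"""Illustrative access-proxy policy for the staged zero trust rollout above.

Added example, not Akamai's code. Phase names, group names, countries and
address ranges are assumptions; the sample requests are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Which user groups the proxy admits at each enrollment stage (assumed names):
# stage 3 = Test Lab only, stage 6 adds external users, stage 7 adds everyone.
PHASE_GROUPS = {
    "test_lab": {"test_lab"},
    "external": {"test_lab", "external"},
    "all": {"test_lab", "external", "internal"},
}


@dataclass
class AppPolicy:
    name: str
    phase: str                        # current enrollment stage of this app
    require_mfa: bool = True          # stage 3: MFA verified on every request
    managed_device_only: bool = False                          # stage 4
    blocked_countries: Set[str] = field(default_factory=set)   # stage 4
    allowed_source_nets: List[str] = field(default_factory=list)  # stage 4


@dataclass
class Request:
    user: str
    groups: Set[str]
    authenticated: bool
    mfa_passed: bool
    device_managed: bool
    country: str
    source_ip: str


def evaluate(policy: AppPolicy, req: Request) -> Tuple[bool, str]:
    """Decide whether the proxy forwards this request; returns (allowed, reason).

    Checks run in order and the first failure wins, so a denial names the
    control that fired, which is what the Test Lab needs when a newly enabled
    feature breaks access.
    """
    if not req.authenticated:
        return False, "unauthenticated"
    if policy.require_mfa and not req.mfa_passed:
        return False, "mfa_required"
    if not req.groups & PHASE_GROUPS[policy.phase]:
        return False, "not_enrolled_in_phase:" + policy.phase
    if policy.managed_device_only and not req.device_managed:
        return False, "unmanaged_device"
    if req.country in policy.blocked_countries:
        return False, "geoblocked:" + req.country
    if policy.allowed_source_nets:
        src = ip_address(req.source_ip)
        if not any(src in ip_network(n) for n in policy.allowed_source_nets):
            return False, "source_ip_not_allowed"
    return True, "ok"


def origin_accepts(proxy_nets: List[str], peer_ip: str) -> bool:
    """Stage 8 check: once the app sits in the walled-off VLAN, its host only
    accepts connections from the access proxy's address range. A peer on the
    ordinary corporate LAN (e.g. malware hitting the server's IP) is refused."""
    peer = ip_address(peer_ip)
    return any(peer in ip_network(n) for n in proxy_nets)


# Constructed sample data (assumed, not from the original page).
PROXY_NETS = ["10.200.0.0/24"]
HR_APP = AppPolicy(
    name="hr-portal",
    phase="external",            # stage 6: Test Lab and external users enrolled
    managed_device_only=True,
    blocked_countries={"XX"},
)


def sample_requests() -> List[Request]:
    # user, groups, authenticated, mfa_passed, device_managed, country, source_ip
    return [
        Request("alice", {"test_lab"}, True, True, True, "US", "203.0.113.10"),
        Request("bob", {"external"}, True, True, False, "US", "198.51.100.7"),
        Request("carol", {"internal"}, True, True, True, "US", "10.1.2.3"),
        Request("dave", {"external"}, True, False, True, "US", "198.51.100.9"),
        Request("erin", {"test_lab"}, True, True, True, "XX", "192.0.2.5"),
    ]


if __name__ == "__main__":
    for r in sample_requests():
        print(r.user, evaluate(HR_APP, r))
    print("LAN host direct to origin:", origin_accepts(PROXY_NETS, "10.1.2.3"))
    print("proxy to origin:", origin_accepts(PROXY_NETS, "10.200.0.15"))
```

Moving an application from one stage to the next is then a one-field change (`phase`) rather than a rewrite of the rules, and every denial carries the reason the Test Lab needs to tell a misconfigured control from a broken application. The `origin_accepts` check models the stage-8 firewall rule on the application host; in practice the same result is confirmed by attempting a direct connection from a host outside the proxy range and expecting it to fail.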

Review Akamai's zero trust reference architecture to visualize this
process or visit akamai.com/zerotrust to learn more about the
solutions that can assist you with the above implementation.

As the world’s largest and most trusted cloud delivery platform, Akamai makes it easier for its customers to provide the best and most secure digital
experiences on any device, anytime, anywhere. Akamai’s massively distributed platform is unparalleled in scale with over 200,000 servers across 130 countries,
giving customers superior performance and threat protection. Akamai’s portfolio of web and mobile performance, cloud security, enterprise access, and video
delivery solutions are supported by exceptional customer service and 24/7 monitoring. To learn why the top financial institutions, e-commerce leaders, media &
entertainment providers, and government organizations trust Akamai please visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our
global contact information at www.akamai.com/locations. Published 05/18.