To operate in a digitally transformed ecosystem, CIOs and other business leaders have to navigate a constantly changing security threat landscape. Next Gen Security (NGS) solutions are security solutions optimized to work better with the massive scale and expansive coverage of the Third Platform. Although 7 out of 10 companies say they are in the process of implementing an additional next-generation security solution, 3 of those 7 will not succeed because of a lack of in-house expertise, which makes security more critical every day. Akamai delivers performance at scale with the largest and most trusted cloud delivery solution in the world. Its resources scale so that its customers do not have to. Akamai has unmatched visibility into the most attacked properties on the web and continuously gathers threat intelligence from advanced inspection of both good and bad traffic.
Cybersecurity Challenges in a Digitally Transformed Ecosystem
1. Zero Trust and the Evolution of Enterprise Cybersecurity
Raul Zachs
Regional Manager, LATAM
Akamai Technologies
raul.zachs@akamai.com
2. The Enterprise Attack Surface is Growing
[Diagram labels: APIs, distributed footprint, cloud provider, hosted applications, applications, data center(s), remote access]
3. What is Zero Trust?
Network architecture & security model pioneered by then Forrester analyst John Kindervag.
Zero Trust focuses on:
● No distinction between external & internal
● Never trust and only deliver applications/data to authenticated & authorized users/devices
● Always verify with logging & behavioral analytics
4. Why Do You Need Zero Trust Security?
• Legacy enterprise security is complex
• Apps & users are moving outside
• Threats are moving inside
• Legacy enterprise security isn’t effective
• Data is moving outside
6. Cloud Security Is Simple & Reduces Risk
One cloud platform to secure all enterprise apps and users
● Identity and app access
● Single sign-on with multi-factor authentication
● Advanced threat protection
● Inline data inspection
● App performance
[Diagram labels: Threats, C&C, AUP, Apps]
7. Cloud Security Also Enables Agile, Innovative & Lean IT
[Comparison chart: Traditional Perimeter vs. Cloud Security, across People, Process and Technology]
8. Why Zero Trust Security?
• Stop malware propagation & lateral movement
• Reduce complexity & streamline operations
• Reduces both capex & opex on security
• Greater visibility and faster time-to-breach detection
• Stops exfiltration of internal data
• Enables digital business transformation
9. Moving Toward Zero Trust
● Only deliver apps/data to authN & authZ users/devices
● Proactively prevent malware & exfiltration everywhere
● Never trust & always verify with full visibility
● Ensure app performance across the open Internet
12. “DMZs and legacy VPNs were designed for the networks of the 1990s and have become obsolete because they lack the agility needed to protect digital businesses.”
Excerpt from Gartner's It's Time to Isolate Your Services From the Internet Cesspool
13. Providing Secure App Access with EAA
● User has remote access to applications behind the firewall
● Applications can be hosted in Data Center or IaaS/PaaS provider
● No inbound holes in the firewall, no expensive perimeter
● Use Active Directory or IDP for authentication and authorization
[Diagram labels: SaaS, Data Center, IaaS, App #1, App #2, App #3, AD/LDAP, Identity & access]
14. Secure Application Access Capabilities
What to Look For:
Keep users off the corporate network
Lock down your firewall or security group to all inbound traffic while making your infrastructure invisible on the Internet.
Centralize security & access control
Determine access rights for users as well as the specific apps they are authorized to use, across cloud and on-prem.
Multi-factor auth for enterprise apps
Further minimize unauthorized access by authenticating users using MFA across email, SMS or TOTP.
Local server load balancing
Balance traffic across internal infrastructure using a variety of load balancing algorithms.
Single sign-on for all enterprise apps
Seamlessly access on-prem, IaaS and SaaS applications including Office 365 and salesforce.com.
Complete auditing of user activity
Log all users’ client information and actions taken, as well as geolocation to help ensure HIPAA and PCI compliance.
Dynamic Acceleration
Realize improvements through protocol optimizations, including modern web protocols like HTTP/2 and WebSockets.
Fast and reliable experiences
Automatically accelerate content with caching while routing around Internet congestion and outages by balancing traffic load globally with SureRoute.
16. Majority Of Advanced Threats Leverage DNS
[Figure: request timeline for malware.com. Phases labeled: DNS lookup, time to first byte, initial connection, content download. Values shown: 70 ms, 60 ms, 60 ms, 140 ms]
91.3% of known bad malware uses DNS
Source: Cisco 2016 Annual Security Report
17. Proactive Malware Protection Using DNS with ETP
[Diagram labels: clients (Mobile, IoT, Mac/PC, Branch; on-net); Akamai Recursive DNS; Akamai Cloud Security Intelligence; Root DNS, TLD DNS, Authoritative DNS; Security Connector; actions (Allow and/or alert, Redirect); Internet destinations (SaaS Apps, WWW, Mobile Apps, HD Video, Cloud); blocked categories (Command & Control Infrastructure, Advanced Threats, Unacceptable Content)]
18. Malware Protection Capabilities
What to Look For:
Proactive Blocking of Bad DNS Requests
Based on unique and up-to-date threat intelligence, proactively block all DNS requests to malware and ransomware drop sites, malware command and control (CnC) servers, and DNS data exfiltration and phishing domains.
Reduced Management Time
Administer security policies and updates from anywhere in seconds to protect all locations.
On & Off-Network Protection
Follow your users and devices for full protection, whether they’re on or off your network.
Protection without complexity or hardware
Cloud-based solution that can be configured and deployed in minutes with no disruption for users, and rapidly scaled.
Complete auditing of user activity
Log all DNS request information for easy export into CSV or your SIEM for analysis.
Ability to Enforce Compliance and Acceptable Use Policies (AUP)
Easily enforce policy and block access to objectionable or inappropriate domains and content categories.
20. Always Have the Whole Picture
Visibility
● Understand new threat vectors and DNS traffic patterns across the enterprise globally
Control
● Enforce acceptable Internet use policy across employees
Protection
● Prevent DNS based data exfiltration, command & control callbacks, and access to malicious malware and phishing domains
[Diagram labels: WWW, AUP, C&C, Threats]
21. Visibility Is a Core Component of Zero Trust
● Determines which users and requests should be approved or denied
● Logs all user activity and requests for reporting and analysis
● Enables the use of predictive analytics and behavioral analysis
● Effectively apply policy, enforce compliance and reduce risk
[Diagram labels: Security, Control, Visibility]
22. Visibility Capabilities
What to Look For:
Intelligence Capabilities
Big data analytics delivering real-time cloud-based threat intelligence that is continuously updated with analysis of enterprise & consumer traffic and augmented with third-party sources.
Data Scientists
Does the provider have Data Scientists to fuse, clean, and scour data for actionable threat intelligence to add to intelligence capabilities?
Ability to Integrate with Existing SIEM
Choose to export data into your own reports or integrate with existing SIEM tools through an API.
Size of the Platform
What data does the provider have access to? How have they built their data sources and analytical capabilities?
Complete auditing of user activity
Log all access and request information for compliance, reporting, or internal analysis.
Attack Reporting
Get full visibility into all external DNS requests and into potential application layer attacks and threat vectors (SQLI, etc.).
24. Do You Need to Improve Internal Application Delivery Performance?
• Latency from current architecture
• Diversity of devices and last-mile networks is increasing complexity and affecting performance
• Increased helpdesk tickets
• Securing data and access
• Highly distributed workforce
26. Provide Fast & Secure App Access
Akamai Platform
Performance & Availability SLA
> Caching
> IP Route Optimization
> TCP Optimizations
> Prefetching
> FEC / Packet Replication
Web Security
> WAF
> DDOS
> Bot Management
[Diagram labels: User, EAA Edge, Enterprise Connector, Apps, AD/LDAP, Enterprise, IaaS/PaaS (AWS, Azure, etc.)]
27. Application Delivery Capabilities to Look For:
Dynamic Acceleration
Realize improvements through protocol optimizations, including modern web protocols like HTTP/2 and WebSockets.
Fast and reliable user experience
Automatically accelerate content with caching while routing around Internet congestion and outages by balancing traffic load globally with SureRoute.
Offload WAN traffic
Reduce the amount of traffic traveling over WAN connections and need to backhaul traffic to the corporate network.
Operational Efficiencies
Leverage Akamai’s Intelligent Platform to deliver business applications over the Internet, helping to reduce support tickets and costs associated with poor performance.
Scalability
Scale for every situation or activity with the largest delivery platform available on the market.
Ability to Add Best-in-Class Security
Shield network infrastructure and protect applications. Lock down the network to all inbound traffic and make only authorized applications available behind the firewall.
28. Key Takeaways
• It’s time for a Zero Trust security model
• Zero Trust is a phased approach… think about where you can start that will have high impact
• Least privilege access
• Proactive malware protection
• Visibility into every action and request
• Utilizing the Internet’s capabilities
29. Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
QUESTIONS?