Intelligent CIO Africa Issue 68 | Page 76

Richard Meeus – Director of Security, Technology and Strategy for Akamai
What are some of the key questions CISOs should consider while embarking on Zero Trust journeys?
The first key areas to understand are your assets: data, applications, platforms and users. It is essential to know exactly what you have and to put the tools in place to make sure that you know what your users are accessing, what applications they need and what data you are trying to control.
In addition, consider what you already have. Zero Trust is not about ripping everything out and replacing it with a shiny new toy. Many tools and controls currently in place can be used to achieve Zero Trust. The principle is ‘never trust, always verify’. For example, IdP, SSO and endpoint management may be able to address key requirements within Zero Trust and then provide a greater understanding of the impact and risk.
How can Akamai’s cloud security services be combined to build a comprehensive Zero Trust architecture?
Akamai has the tools to deliver the core components of Zero Trust and we’ve been using them for several years to help businesses either with application access or with internal requirements.
Initially the focus is on least privilege and how to reduce the risk of compromise by only allowing access to the application and not to the entire network. This is a fundamental first step that takes a lot of the risk out of your network and gets to one of the key elements of Zero Trust. This is done through an identity-aware proxy. Akamai has, for many years, been delivering Internet traffic through reverse proxies. As a result, we’re delivering nearly 30% of the web travel across our estate every day and we are very well versed in how to make this effective, fast, secure and reliable.
What would be your best practice advice on how organisations can transition to a Zero Trust architecture?
It is necessary to understand and map your assets. In advance of any major project, there are many tools that you can use to do this easily such as analysing traffic through Netflow or Span port traffic, or you can put agents onto devices, servers and cloud estates.
Once you have this visibility, you then correlate that with your CMDB or similar tool to make sure you have an accurate map of what is talking to what and where everything is. However, to do Zero Trust comprehensively, it’s going to be a long-term project. It’s important to show value at key stages to ensure that focus and funding are maintained.
How can CISOs effectively convey the benefits of this approach to the board to ensure buy-in and how can they demonstrate its success?
Security has historically been seen as a cost centre and it’s been challenging to present new projects to the board and obtain funding. However, it’s possible to present models where you can show a positive ROI. Such as, things like MFA don’t require a hard token. This can be done on a mobile phone, which means there will also be fewer support calls for lost tokens.
It’s very difficult to put a value on that, but anything that creates a happier workforce, that is more focused on doing what it needs to do without having to juggle a lot of the intrinsic security risks, is always going to be better.