Rethinking Defensive Strategy at the Edge, Part 1: A Changing Landscape for Securing Users

In recent years, new enterprise remote access architectures and frameworks have been introduced, such as Zero Trust Access (ZTA). Those concepts have driven changes in the way the network perimeter is defined: it is now drawn from the outside in, not the inside out. Access to applications and services usually starts from users and devices outside of traditional on-premises network perimeters.

This change has been driven by changing business models that require usable remote access for enterprises, by the adoption of distributed edge computing services, and by the response to an evolving threat landscape. It has become even more evident this year in the accelerated adoption of remote access architectures by enterprises as they react to COVID-19 workplace guidelines and execute adaptive access and business continuity plans to enable remote work.


As the boundaries of enterprise networks continue to change, and a new model of applied distributed remote connectivity architecture that enables intelligent access decisions takes its place, a new form of defensive strategy needs to be considered as well. This new approach needs to be easy to adopt and integrate, focus on the connected entity and its posture, take into consideration threat signals that enable risk-based actionable protection, and enable autonomous adaptive access capabilities.

This series of three blog posts will outline a new defensive strategy at the edge that enhances those already in place and introduces another layer of defense made up of the following five components: data and indicators, risk-based signals and entities, and protective actions. The first post discusses the gaps and challenges of protecting remotely connected users, the second moves to a suggested risk-based signals detection, and the third introduces a protection strategy.

Inherently, the goal in adopting this new architecture is to reduce security risk. One of the key principles in a defensive edge strategy is a continuous authentication mechanism (as opposed to one-time authentication). A defensive edge strategy will minimize the attack surface, since in this model the connectivity is to a specific enterprise application, and not the entire network. This is in contrast to traditional access solutions such as VPN, which allow the connected user access to the entire enterprise network, and thereby allow for the potential of lateral movement of an attack across the network.

According to Akamai’s research released in May 2020, the shift to working from home changed the habits of users connecting to internet services remotely. The root cause is a change in how the device is used. Previously the device was mostly connecting to corporate applications and services; now that it connects remotely from home more often, it is also used more frequently for consumer activities and apps such as streaming, gaming, and social networking.

The change in browsing habits also leaves the device exposed and vulnerable to more threats. The graph below, based on Akamai’s research, shows that the increase in connecting from home resulted in measurable changes to users’ browsing habits.

[Figure: Changes in internet consumption of enterprise users, March 9 – April 27]

The research shows that working from home leads to an increase of nearly four times more access to malware-associated websites and an increase in the risk of those connected devices becoming compromised.

While Zero Trust Access (in which no user is trusted by default and every connection is assumed to be untrusted) helps reduce remote access risk, it does not entirely eliminate the risk associated with compromised devices. A compromised device can still be used to exploit enterprise applications, which can lead to a data breach and access to sensitive and proprietary data.
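To make the contrast in the two paragraphs above concrete, here is an added illustration (not code from the original post or from Akamai) of one-time, network-wide authentication versus continuous, per-application evaluation; the device model, the "malware-associated site visits" signal and the application names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model: a device carries one posture signal, the count of recent
# visits to malware-associated sites (the finding cited in this post).
@dataclass
class Device:
    device_id: str
    malware_site_hits: int = 0

@dataclass
class Session:
    user: str
    device: Device
    app: str                     # the single application this session was granted

def device_risk(device: Device) -> str:
    """Posture signal: any recent malware-associated access marks the device high risk."""
    return "high" if device.malware_site_hits > 0 else "low"

def vpn_decision(authenticated_at_login: bool, target_app: str) -> str:
    """One-time authentication: once on the network, every app is reachable,
    so the target and the current device posture are never consulted again."""
    return "allow" if authenticated_at_login else "deny"

def edge_decision(session: Session, target_app: str) -> str:
    """Continuous authentication: re-check scope and posture on every request."""
    if target_app != session.app:
        return "deny"            # session is scoped to one app, no lateral movement
    if device_risk(session.device) == "high":
        return "deny"            # a device compromised mid-session loses access
    return "allow"

def simulate() -> dict:
    """A device passes login, later visits a malware-associated site, and
    requests its granted app and a second app before and after that event."""
    dev = Device("laptop-42")                    # constructed device id
    sess = Session("alice", dev, app="payroll")  # constructed user and app
    results = {"vpn": [], "edge": []}
    for phase in ("before", "after"):
        for target in ("payroll", "hr-db"):      # hr-db was never granted
            results["vpn"].append((phase, target, vpn_decision(True, target)))
            results["edge"].append((phase, target, edge_decision(sess, target)))
        dev.malware_site_hits += 1               # risk signal arrives after login

    return results

if __name__ == "__main__":
    for model, outcomes in simulate().items():
        print(model, outcomes)
```

The VPN-style model keeps allowing every request, while the edge model denies the ungranted application from the start and revokes the granted one once the device posture changes.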

One of the by-products of enabling remote connectivity in the past year is more access from new device types such as mobile phones and tablets. While this enablement is driven by workforce productivity, it also introduces more risk, as those devices are known to be less secure and more vulnerable.

Enterprises’ perimeters and connectivity locations are constantly changing, and as a result users’ hygiene and browsing habits are changing as well, so the defensive strategy also needs to change. Such a change needs to add a new layer of defense that puts more focus on the connected users and devices, evaluates the risk associated with their connectivity, and enables a flexible and adaptive defensive strategy.

The lack of clear network perimeters leads to the unavoidable conclusion that remotely connected entities must be at the center of the defensive strategy. These entities should include all connected device types from users, such as desktops, laptops, mobile phones, and tablets, as well as any connected applications, servers, and services.

As we continue to explore and rethink defensive strategy at the edge, our next blog post will discuss user entities in further detail, as well as the risk-based signals that can be leveraged to improve the suggested defensive strategy.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Or Katz. Read the original post at:

Or Katz

Or Katz is a Principal Lead Security Researcher at Akamai. Or is a frequent speaker at security conferences and has published numerous articles and white papers on threat intelligence and security defensive techniques. He began his research career in the early days of web application firewalls (WAFs) and was OWASP Israel chapter lead from 2017 to 2019.
