At the end of the day, the vast majority of our security decisions and models are based on defining, establishing, and validating trust. Obviously, trust has been getting a bit of coverage lately thanks to predictions from industry pundits that trust is really a vulnerability, which is why many follow the adage never trust and always verify. You gotta love Zero Trust security. We certainly do.

Recent events have highlighted how inherently assigning trust to entities in 'trusted' environments can lead to all sorts of trouble. But that leaves the question, how do we establish and validate trust? Maybe it's some sort of credential, although these days, I'm not sure that is a viable strategy anymore. Haven't we all asked haveibeenpwndand not gotten a great response? There's also plenty of Akamai threat research around credential stuffingthat requires us to take notice of how we establish and validate trust.

So how do we more successfully establish trust beyond what you know?

Security fundamentals dictate that we move to include additional signals to establish trust. The candidates usually are something you have and something you are. Both are staples for additional authentication factors to continuously evaluate and establish trust. While multi-factor authentication is a no-brainer--particularly in the context of user app access--establishing and validating trust requires a deeper look at another key dimension: context. Taking into account context--in addition to what you know, have, and are--to establish trust clearly makes sense.

For example: Is this request coming from a bot or a human? Is the request malformed, coming from an IP with a bad rep or hostile location, or is this particular entity making a lot of requests? Seems like basic info, but we all know how challenging it is to create effective automated positive security models for security controls like web app firewalls. But when this type of information is augmented with a broader view of other signals such as identity, or device signals such as the presence/validity of a client certificate, or even threat protection signals (think EDR or Akamai's Enterprise Threat Protector) the resulting context becomes incredibly powerful.

Context enables you to more effectively establish and continuously validate trust; particularly trust in entities and users making access requests outside the traditional sphere of enterprise control. Because, at this point we all know, there is no inside...

That's one of the reasons we are believers in starting out with never trust, but quickly moving into always verify, based on as many security signals as possible. And that couldn't be more applicable as you move workloads to the cloud.

As workloads move outside of the enterprise's traditional sphere of control, there are obviously risks to consider. Whether using a lift and shift approach to an infrastructure as a service (IaaS) environment, or the ability to consume the required functionality as software as a service (SaaS), the question remains the same. How should security and IT teams provide access to cloud workloads without losing control and exposing them to the dangers of the public Internet?

