Making your architecture zero trust

by Black Hat Middle East and Africa

WHY YOU NEED ZERO TRUST ARCHITECTURE & HOW TO BUILD IT

Zero Trust security has grown in popularity since the shift to remote work in 2020, which called for more comprehensive security that can cater to distributed environments. This need, along with the significant rise in cybercrime, encouraged businesses to replace their traditional perimeter security with a better-suited Zero Trust security model. 41% of organisations had deployed Zero Trust in 2022, up from 35% in 2021. Meanwhile, organisations that did not deploy Zero Trust security incurred an average of USD 1 million more in breach costs than those that did. In fact, the average cost of a data breach globally hit an all-time high of $4.35 million, a 2.6% increase from the previous year, according to IBM's latest Cost of a Data Breach report. Despite that, Zero Trust is still not universal, and companies find themselves at different stages of adoption. So here's what you need to know to build your Zero Trust architecture.

BUILD A ZERO TRUST ARCHITECTURE IN 6 STEPS

Zero trust is a tried-and-true method of preventing cyberattacks. However, some companies are still hesitant to begin their Zero Trust journey because they're wary of traditional security models and the "all or nothing" approach to cybersecurity. Fortunately, building a Zero Trust architecture is easier than it seems. This is because Zero Trust is an addition to your existing infrastructure and does not necessitate a complete technology overhaul. Instead, you can deploy a Zero Trust architecture iteratively while you utilise the tools and technologies that are already available to you.

Use these steps to implement and maintain a Zero Trust architecture, which will help you understand where you stand in the implementation process and what to do next.

1. Segment your network: Effective network segmentation is at the heart of Zero Trust architecture. Systems and equipment must be divided within organisations based on the types of access they permit and the categories of information they handle. Then, these network segments can be used as trust boundaries that enable other security controls to apply Zero Trust security.

2. Define your protect surface: In today's dynamic threat environment, working ceaselessly to decrease the attack surface is not practical. Since the attack surface is constantly expanding, it becomes more difficult to define, shrink, or defend. Zero Trust security, however, lets you determine your protect surface rather than focus on the macro level of the attack surface. The protect surface consists of the data, applications, assets and services (DAAS) that are most critical for your company to protect. Examples of DAAS that can be included in your protect surface:

Data: This includes credit card information (PCI), intellectual property (IP), protected health information (PHI), and personally identifiable information (PII).

Applications: Both off-the-shelf and custom software are included.

Assets: SCADA controls, IoT devices, medical equipment, point-of-sale terminals, and manufacturing assets.

Services: Such as DHCP, DNS, and Active Directory.

Once you define your DAAS, you can position your controls as close as possible to the protect surface to build a microperimeter with limited, precise, and comprehensible policy statements.

3. Map your transaction flows: You can only protect your network by determining how traffic moves across it. Therefore, it's crucial to have a contextual understanding of the interdependencies of your DAAS. You can correctly implement controls and guarantee that they help protect your data rather than hurt your business by properly documenting how specific resources interact.

4. Architect a Zero Trust network: Zero Trust networks are fully customised, not based on a single, common design. Instead, the architecture is built to surround the protect surface. You can design the Zero Trust architecture, beginning with a next-generation firewall, once you have identified the protect surface and mapped flows according to the requirements of your organisation. The next-generation firewall creates a microperimeter around the protect surface, acting as a segmentation gateway. Using a segmentation gateway allows you to impose additional layers of inspection and access controls for anyone attempting to access resources inside the protect surface.

5. Develop a Zero Trust policy: Use the "Kipling method" to construct Zero Trust policies after the network has been architected in order to whitelist which resources should be accessible to others. The Kipling method follows the concept of "who, what, when, where, why and how", which helps us define:

Who should access a resource?
What application are people using to access a resource within the protect surface?
When are resources being accessed?
Why is this packet attempting to access a certain resource on the protect surface?
How is the packet getting access to the protect surface using a specific application?

6. Monitor and maintain the Zero Trust network: The last stage involves going through all logs, both internal and external, up to layer 7, with a focus on the operational facets of Zero Trust. Because Zero Trust is an iterative process, examining and logging all traffic will give important information about how to gradually enhance the network.

After completing the core steps of implementing a Zero Trust network for your initial protect surface, you can incrementally migrate other data, applications, assets, or services from your traditional network to a Zero Trust network in a cost-effective and non-disruptive manner.
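As an added illustration of steps 5 and 6 (not code from the article), the following Python policy engine encodes one Kipling-method policy statement for a protect-surface resource and evaluates access requests against it with default deny: a request is allowed only when a statement answers all of who, what, when, where, why and how, and every decision is logged so the denial pattern can be reviewed when the policy is refined. The identities, groups, application names and network segments are constructed sample values, and the "how" question is modelled here as two device signals (policy compliance and a client certificate), which is an assumption of this example.

```python
"""Kipling-method Zero Trust policy evaluation (added example, not the article's code).
Requests carry who/what/when/where/why/how attributes; the engine denies by default and
allows only when one policy statement answers every question. Decisions are logged.
All identities, groups, applications and segments below are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    who: str                 # authenticated user principal
    groups: frozenset        # directory groups the principal belongs to
    what: str                # application used to reach the resource
    resource: str            # DAAS element inside the protect surface
    when: datetime           # time of the request
    where: str               # source network segment (trust boundary)
    why: str                 # declared purpose, e.g. a change ticket
    device_compliant: bool   # "how": endpoint meets corporate policy
    has_client_cert: bool    # "how": endpoint presented a client certificate


@dataclass(frozen=True)
class PolicyStatement:
    name: str
    resource: str
    who: frozenset           # principals or groups permitted
    what: frozenset          # applications permitted
    where: frozenset         # source segments permitted
    why: frozenset           # purposes permitted
    hours: tuple             # (start, end) hour of day, end exclusive
    require_compliant: bool = True
    require_cert: bool = True

    def unmet(self, req):
        """Return the Kipling questions this statement fails to answer for req."""
        checks = [
            ("who", req.who in self.who or bool(req.groups & self.who)),
            ("what", req.what in self.what),
            ("when", self.hours[0] <= req.when.hour < self.hours[1]),
            ("where", req.where in self.where),
            ("why", req.why in self.why),
            ("how", (req.device_compliant or not self.require_compliant)
                    and (req.has_client_cert or not self.require_cert)),
        ]
        return [q for q, ok in checks if not ok]


class PolicyEngine:
    def __init__(self, statements):
        self.statements = list(statements)
        self.audit_log = []  # every decision, allowed or denied

    def evaluate(self, req):
        """Default deny: allow only if a statement for this resource matches fully."""
        decision = {"who": req.who, "resource": req.resource, "allowed": False,
                    "statement": None, "unmet": ["resource"]}  # no statement at all
        best = None
        for st in (s for s in self.statements if s.resource == req.resource):
            failed = st.unmet(req)
            if not failed:
                decision.update(allowed=True, statement=st.name, unmet=[])
                break
            if best is None or len(failed) < len(best):
                best = failed  # closest statement, used to explain the denial
        if not decision["allowed"] and best is not None:
            decision["unmet"] = best
        self.audit_log.append(decision)
        return decision

    def denial_reasons(self):
        """Count which question blocks access most often (input to the step 6 review)."""
        counts = {}
        for d in self.audit_log:
            for q in d["unmet"]:
                counts[q] = counts.get(q, 0) + 1
        return counts


def demo():
    """Evaluate constructed sample requests against one statement for a payroll DB."""
    payroll = PolicyStatement(
        name="payroll-read", resource="payroll-db",
        who=frozenset({"hr-analysts"}), what=frozenset({"payroll-app"}),
        where=frozenset({"hr-segment", "remote-ztna"}),
        why=frozenset({"payroll-run"}), hours=(7, 19))
    engine = PolicyEngine([payroll])
    base = dict(who="alice", groups=frozenset({"hr-analysts"}), what="payroll-app",
                resource="payroll-db", when=datetime(2024, 3, 4, 10, 0),
                where="hr-segment", why="payroll-run",
                device_compliant=True, has_client_cert=True)
    requests = [
        AccessRequest(**base),                                                  # allowed
        AccessRequest(**{**base, "who": "bob", "groups": frozenset({"engineering"})}),
        AccessRequest(**{**base, "what": "ssh-client", "when": datetime(2024, 3, 4, 23, 0)}),
        AccessRequest(**{**base, "device_compliant": False}),
        AccessRequest(**{**base, "resource": "source-repo"}),  # no statement: denied
    ]
    return [engine.evaluate(r) for r in requests], engine


if __name__ == "__main__":
    decisions, engine = demo()
    print(*decisions, "denial reasons:", engine.denial_reasons(), sep="\n")
```

Note the shape of the decisions: the only allowed request is the one where every question is answered, and a resource with no statement is denied outright rather than falling through to some implicit network-level trust. The `denial_reasons` tally is the kind of layer 7 log summary step 6 calls for; a spike in "when" or "how" denials, for example, tells you whether the policy hours or the device posture requirement need revisiting.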

ZERO TRUST SECURITY IN THE MIDDLE EAST

The Middle East's Zero Trust Security Market is predicted to grow at a CAGR of around 16.1% during 2021-2026. Rapid digital transformation in enterprises, increasing cyberattacks in the Middle East, and growing trends in mobile and cloud-enabled environments propel that market growth. The rise in cyberattacks is the biggest driver for the adoption of Zero Trust security. After the US, the Middle East has the second-highest average data breach cost, at $7.46 million. KSA and UAE are the biggest targets, with the average cost of a data breach in these two countries rising by 9.4% over the past year. For that reason, more companies and governments are investing in Zero Trust architecture.

ZERO TRUST MARKET GROWTH BY AUTHENTICATION

Multi-factor authentication held the biggest share of the Middle East's Zero Trust security market, and investment in it is expected to grow with more entities spending massively on cloud computing and introducing large-scale data centre development plans, as well as the rising awareness of the importance of investing in cybersecurity. For example, the Saudi Ministry of Communications and Information Technology (MCIT) developed a USD 18 billion plan to create a network of large-scale data centres, which would require a Zero Trust approach with multi-factor authentication.

MARKET GROWTH BY DEPLOYMENT

Cloud deployment will show the fastest growth rate in the Middle East's Zero Trust Security Market during 2021-2026 compared to other deployment methods like on-premise and hybrid. This is because more industries are migrating to the cloud to accommodate the rising demand for data digitalisation and the benefits of cloud services like cost reduction and immediate scalability. Governments are also homing in on cloud policies, which is bolstering the demand for Zero Trust security. For instance, Saudi Arabia's Cloud First Policy aims to accelerate the transition of governmental entities from traditional IT solutions to cloud-based ones. Thus, both private and governmental organisations are investing in cloud-based Zero Trust security to mitigate the risk of cyber threats, which will, in turn, further increase the demand for Zero Trust security in the coming years.

LEARN ALL ABOUT ZERO TRUST AT BLACK HAT MEA

The iconic cybersecurity event, Black Hat, is coming to Saudi Arabia to bring global-scale cybersecurity training, technical workshops and networking opportunities to the region. So if you're curious about Zero Trust security and the latest cybersecurity techniques and trends, join us at Black Hat MEA to be trained by elite ethical hackers and network with global CISOs from front-page companies. You don't want to miss this! Black Hat MEA supports the Saudi Vision 2030 by training people on essential cybersecurity skills to secure the ambitious goals of Vision 2030 from cyber threats.

HOW IT GIANT AKAMAI IMPLEMENTED ZERO TRUST

Akamai Technologies took the plunge and implemented a Zero Trust architecture without a VPN. The company noticed that attack surfaces continued to shift due to the increasing prevalence of the public Internet and SaaS applications, making location-based access more impractical. In addition, legacy solutions cannot keep up with the rising demand for connectivity and a data-intensive reality. This is especially true with the increase in remote work, which is making employees expect full mobility and quick, reliable access to corporate applications from anywhere. Thus, Akamai realised that a network-centric approach to security and access was no longer enough to protect the company's assets. Additionally, it noted that VPNs come with security drawbacks, like the increased risk of unauthorised remote access to sensitive data and potential access to all applications on the corporate network from any authenticated device. Relying on a VPN and a network-centric approach to remote access poses unnecessary security risks, since every user can access the same applications as any other user. So how did Akamai solve this issue? By adopting a Zero Trust security strategy that would omit the traditional corporate VPN and steer away from a perimeter-based security model. The purpose was to protect Akamai's corporate data and applications, prevent lateral movement on the network, and improve user experience.

Akamai established a set of goals for their Zero Trust Transformation:

Move to a perimeter-less environment where the internet becomes the corporate network
Make every office a Wi-Fi hotspot
Grant access to applications contextually and dynamically, based on identity, environment (such as location and time of day), and device signals (such as client-side certificates or device compliance with corporate security policy).

On top of that, Akamai updated its security guidelines to align with the principles of Zero Trust, namely not to trust any user or device by default. This strategy was designed to find cost-effective technologies that promote stronger security, mobility, virtualisation, and flexible access while utilising the cloud's simplicity.

PAIN POINTS THAT INSTIGATED AKAMAI'S ZERO TRUST TRANSITION

Distributed workforce
Akamai acknowledged the need for high-functioning application access to cater to its diverse, globally dispersed workforce.

Mobile devices
More mobile phones and devices needed to access corporate applications

Latency
Current architecture and VPN connectivity yielded slow and inconsistent application access

Acquisitions
The cost and complexity of providing access to corporate applications to the newly acquired workforces were increasing

Various applications
Using multiple applications made it crucial to prevent business disruption and data loss from attacks, regardless of application type (on-premises, IaaS, and SaaS)

THE SOLUTION

To replace the VPN, Akamai adopted the ZTNA solution Enterprise Application Access. This cloud-based access solution secures the corporate network by applying dial-out-only access to applications behind the firewall. Using this technology, Akamai was able to grant application access based only on entitlement, identity, authentication, and authorisation at a per-application level, regardless of where the applications are hosted (on-premises, IaaS, SaaS). As a result, Akamai was able to deliver agility, simplicity, and an improved user experience for the entire workforce, including IT and security teams, by utilising Enterprise Application Access for application-specific access and control.

To further bolster its security, Akamai deployed Kona Site Defender (Akamai's web application firewall) along with Enterprise Application Access to secure internal applications against SQL injection attacks and other insider threats from previously "trusted" sites. This further minimised risk and fortified Akamai's overall security.

Ultimately, Akamai's method reduced the expenses and complexities associated with securing access to applications. It was more sensible for the company to deploy a solution that enables IT to monitor and regulate access only to the applications users actually need, rather than attempting to control or limit multiple endpoints remotely accessing the corporate network. Akamai significantly reduced risk and streamlined the corporate application deployment process by moving away from the VPN and the corporate network and employing a Zero Trust approach to get visibility and context for all traffic (across users, devices, locations, and applications).
