Expert Insight: Adam Seamons on Zero-Trust Architecture – IT Governance UK Blog
How networks have evolved and how to secure them
Adam Seamons is the information security manager of GRC International Group PLC, after more than 15 years’ experience working as a systems engineer and in technical support.
Adam also holds CISSP (Certified Information Systems Security Professional) and SSCP (Systems Security Certified Practitioner) certifications.
We sat down to chat to him.
What trends in network security have you noticed recently?
One of the big impacts to networks has come from the changes in technology, particularly in terms of the Cloud. Networks have moved from self-contained, on-site setups to multiple Cloud services that are accessed remotely by staff and resources.
Some of these technologies were hastily implemented during the COVID-19 years, when the hand of IT teams and decision makers was forced due to the pressure of having to move to remote working almost immediately. As part of that, there was also a lot of pressure to quickly integrate existing networks with services from third-party providers, often based in the Cloud.
And criminals took advantage. For instance, recently, the denial-of-service attack on the US Department of Health and Human Services from when the pandemic first hit the US was in the news again. That attack probably only succeeded due to a rushed move towards remote working.
But regardless of why the move to Cloud infrastructure happened, it created complexity where traditional IT and security controls don’t cut it. The inevitable result was the rise of new threats and vulnerabilities – cyber criminals tend to move very quickly and be, unfortunately, extremely innovative. These problems are compounded by a lack of resources – from a funding perspective, but also in terms of skills shortages.
You say “traditional” security. Could you please elaborate?
Taking you on a bit of a history lesson, IT was used in business long before we had the Internet. In those days, if you wanted to access digital organisational resources, you had to use a device that was physically connected to the company network. It was natural to automatically trust the devices that got past your firewall and onto your network.
Some years after that, you’d use a VPN [virtual private network] or similar technology. VPNs were – and still are – used to extend network access to users outside the physical network in a fairly secure manner. That said, not all VPNs are equally secure [discussed in more detail in our interview with senior penetration tester Leon Teale], and many VPNs with poor or legacy security are still in place today.
The Internet, particularly the Cloud, changed all that. As organisational resources increasingly moved into the Cloud, corporate network structures changed completely. This also completely changed the risks.
Previously, when the networks were largely or even exclusively physical, organisations and IT teams prioritised accessibility. In other words, staff could access pretty much anything once they had logged in to the network for maximum convenience.
But now, with the Cloud, people can work whenever and wherever they want. That brings huge business benefits and opportunities, obviously – particularly when you’re dealing with a situation like the 2020 lockdowns – but it also comes with risks. If staff can log in from anywhere, so can intruders.
How can organisations address those Cloud-associated risks?
For a start, organisations must think about who needs access to what, and what type of access is required. As they transfer more and more data assets into the Cloud, the risk of compromise becomes greater. That’s in the sense of the likelihood of a compromise, but also in terms of the impact of a breach. In 2023, we had incidents where more than a billion records were breached. One incident, the DarkBeam breach, even approached 4 billion records – in a small company!
It’s important to restrict access as much as possible. If certain people – and, by extension, their accounts and devices – haven’t got access to begin with, an attacker who compromises their account or device won’t have that access either. Or at least, not automatically.
Even if someone does need access to, say, HR or financial data, they may not need access to all of it. Maybe they need access to employee records, but not payroll data, for example. Or someone may only need to be able to view something, but not edit it.
Strong identity and access management systems are key in keeping your networks secure. But more than having the right software, it’s about following good principles – in this case, the principle of least privilege.
So, to recap, organisations should block access by default and make the device/user prove that it/they can be trusted?
Precisely – the zero-trust network. In that type of network architecture, company devices aren’t allowed access unless they have a specific need to and can prove themselves trustworthy via authentication.
So, zero trust goes beyond restricting access by need to know and the principle of least privilege. It’s about properly verifying access and being 110% certain that the access is legitimate. That means things like limiting access to specific criteria, such as by port or protocol, time period, IP address and/or physical location.
For example, if an HR employee of a UK or an EU organisation wanted to work in Dubai for a few days, they shouldn’t be granted access to employee records – i.e. personal data – as that’d constitute a data transfer outside the UK or EU under the GDPR [General Data Protection Regulation]. Such a transfer is only permitted if certain mechanisms are put in place. I’m not saying that couldn’t be done, but the default should be to block access.
A zero-trust network is about verification or double-checking. You want to be verifying not just the person, but also the device and limiting that access to specific permissions and rights that have been approved in advance. And you’re also restricting data access, particularly in situations like the example I just gave.
Think of it like the difference between a key to the front door that gives you access to the whole house, and needing a key for the front door as well as separate keys for all the different rooms.
Presumably, access control isn’t enough to secure your networks. What technologies would organisations need?
All-in-one packages like Microsoft Defender – which includes account monitoring and protection, data loss prevention, and more – can go a long way towards addressing organisations’ security needs. It’s like a one-stop shop for security. Microsoft Defender has got everything organisations need, from monitoring user activity to stopping data leaks. It’s smart too, as it uses machine learning to catch threats early.
As for other solutions, SIEM and SOAR are great tools [security information and event management, and security orchestration, automation and response tools].
SIEM tools are basically cyber investigations. Splunk is a top pick, which gathers clues from logs and devices to identify potentially suspicious activity. If it does detect something fishy, it’ll automatically send out an alert that someone should manually follow up.
Meanwhile, SOAR tools are all about making your security team’s lives easier by automating processes that’d otherwise have to be done manually, including updating security systems and escalating security alerts. Cortex XSOAR from Palo Alto Networks is a good choice here. It links up with your existing security measures and speeds up dealing with cyber threats through real-time collaboration within a SOC [security operations centre].
These types of technical solutions allow organisations to build a solid security setup – not just for today, but also for the future.
AI has been on everyone’s mind for the past year or so. Do you believe that AI tools can offer valuable security solutions, whether now or in future?
It’s definitely worth combining the measures I mentioned earlier with some of the new AI-powered tools to analyse and respond to threats faster.
I think that AI is already offering the cyber security world some really exciting solutions. It’s like having a highly efficient assistant who is always on top of things and only brings important issues to your attention.
Some organisations are already using this technology to spot and stop cyber threats in their tracks, often before you even know they’re there.
Looking ahead, what role do you believe AI will play in the security landscape?
AI and machine learning have both been used in detecting anomalies and suspicious patterns for some time, and will only continue to be used more. I expect SOCs to become increasingly reliant on AI.
Getting more specific, log analysis is a key area for AI to automate. An AI tool could do the heavy lifting, sifting through tons of logs and data to detect and then respond to threats far faster than a human could. It’s akin to algorithms in the financial markets, identifying and placing trades faster than is humanly possible.
Do you have any final words of advice?
It’s easy to get caught up in rolling out new technology, particularly with the advancements in, and better availability of, AI tools. Often, organisations deploy technology without taking the time to get the most out of all its features. I’ve even seen them simply abandon it once it has gone live.
The real key to becoming secure is to spend time thinking about your specific pain points. Ask yourself questions like:
- What cyber security risks do I need to address?
- In view of those risks, how can I optimise my resources?
I’m a big believer in making sure that you’re using what you’ve got to its full potential. Figuring out what will give you the best ‘bang for your buck’ is key to both effective and sustainable security.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. Please do leave a comment below to let us know what you think, and if you have any questions you’d like our experts to answer.
We’ll be back next week, chatting to another expert within the Group.
In the meantime, if you missed it, check out our previous Expert Insight, where Cliff Martin, head of cyber incident response within GRCI Law, gave us his expert tips on streamlining DORA (Digital Operational Resilience Act) compliance.