Views on security network architecture have changed since the COVID-19 pandemic. The use of cloud has accelerated and enabled companies to expand, develop and test new applications in greater numbers, but it has also presented new challenges for security networks and their users. Intelligent CISO’s Jessica Abell discusses these challenges with Akamai’s Director of Security Technology and Strategy, Richard Meeus, and reveals how businesses can effectively update their security architecture.
How have threat actors capitalised on traditional network security architecture?
Since the pandemic, there has been a shift in perception around traditional security network architecture. While the traditional model was that of a secure perimeter which housed assets and users inside – all protected by technology – the shift to a remote or hybrid workforce means that perimeter no longer exists, and neither does the safety net. In addition, employees are accessing more cloud applications to do their work from wherever they are based.
Attackers are capitalising on this knowledge and are using this new environment to access applications – whether via phishing attacks, injection attacks or through access credentials that they’ve been able to harvest.
How has the rise of cloud impacted security approaches?
Cloud is an excellent enabler for businesses, providing opportunities to quickly expand, develop and test new applications and services far more effectively than with traditional on-prem assets.
However, the new ease of use and the ability to deploy at scale and at pace creates additional pressure on security to keep up. Security can often get bypassed in the race to push out a new application, with only minimal controls in place, which could create a wider attack surface.
Users and applications are no longer defined by location. As a result, we can no longer use traditional perimeter-based security practices and it can significantly hinder progress if we try to do so.
How confident do you believe CISOs are regarding their employees’ ability to apply sound cyber judgement?
A recent Gartner report highlighted that 88% of CISOs said they were not confident in this regard. It’s important to remember that when it comes to security, employees such as accountants, lawyers, nurses, salespeople and call handlers are being asked to identify clever criminal activity – something that is well outside of their normal job function. A one-hour training session every six months is not really going to move the needle in terms of effective detection of malicious activity. We should focus on trying to ensure that we can provide the best available environment for our employees to work in.
What are the principles of Zero Trust and how challenging is it to achieve?
A greater number of companies have expressed an interest recently in taking a Zero Trust approach, in addition to getting a greater understanding of what it entails.
Zero Trust means removing location as an arbiter of trust in the corporate world – which means that being in the office does not grant you more trust than if you are connecting from your home. It also means that every request to use an application must be authenticated.
Continuous authentication and authorisation is an important aspect of Zero Trust, to check whether the individual is exactly who they say they are and is entitled to access those given assets.
What are some of the key questions CISOs should consider while embarking on Zero Trust journeys?
The first key areas to understand are your assets; data, applications, platforms and users. It is essential to know exactly what you have and to put the tools in place to make sure that you know what your users are accessing, what applications they need and what data you are trying to control.
In addition, consider what you already have. Zero Trust is not about ripping everything out and replacing it with a shiny new toy. Many tools and controls currently in place can be used to achieve Zero Trust. The principle is ‘never trust, always verify’. For example, IdP, SSO and endpoint management may be able to address key requirements within Zero Trust and then provide a greater understanding of the impact and risk.
How can Akamai’s cloud security services be combined to build a comprehensive Zero Trust architecture?
Akamai has the tools to deliver the core components of Zero Trust and we’ve been using them for several years to help businesses either with application access or with internal requirements.
Initially the focus is on least privilege and how to reduce the risk of compromise by only allowing access to the application and not to the entire network. This is a fundamental first step that takes a lot of the risk out of your network and gets to one of the key elements of Zero Trust. This is done through an identity aware proxy. Akamai has, for many years, been delivering Internet traffic through reverse proxies. As a result, we’re delivering nearly 30% of the web travel across our estate every day and we are very well versed in how to make this effective, fast, secure and reliable.
What would be your best practice advice on how organisations can transition to a Zero Trust architecture?
It is necessary to understand and map your assets. In advance of any major project, there are many tools that you can use to do this easily such as analysing traffic through Netflow or Span port traffic, or you can put agents onto devices, servers and cloud estates.
Once you have this visibility, you then correlate that with your CMDB or similar tool to make sure you have an accurate map of what is talking to what and where everything is. However, to do Zero Trust comprehensively, it’s going to be a long-term project. It’s important to show value at key stages to ensure that focus and funding is maintained.
How can CISOs effectively convey the benefits of this approach to the board to ensure buy-in and how can they demonstrate its success?
Security has historically been seen as a cost centre and it’s been challenging to present new projects to the board and obtain funding.
However, it’s possible to present models where you can show a positive ROI. Such as, things like MFA don’t require a hard token. This can be done on a mobile phone, which means there will also be fewer support calls for lost tokens.
It’s very difficult to put a value on that, but anything that creates a happier workforce, that is more focused on doing what it needs to do without having to juggle a lot of the intrinsic security risks, is always going to be better.
Click below to share this article
