The COVID-19 pandemic has reshaped the way many industries operate and yet there is still great demand within the IT sector, particularly as the surge in data puts pressure on the need for data centres. However, Alex Tarter, Chief Cyber Consultant and CTO, Thales, says that even before the pandemic, cloud adoption was reshaping the way data centres operated and how CIOs kept their organisation’s infrastructure secure. “With 93% of businesses using a multi-cloud strategy to store data, it’s the go-to IT environment, especially now that a substantial amount of the UK workforce is logging on remotely,” said Tarter. “This widely distributed workforce, based overwhelmingly on the cloud, is challenging security teams to adapt at an unprecedented rate. So, how can data centre leaders ensure they operate securely?
“As remote working, or at least hybrid patterns, look set to stay well beyond the pandemic, it’s vital that data centre leaders reduce their reliance on employees in data centres and hosting facilities. Fortunately, even on-site security solutions such as hardware security modules (HSMs), are now available as cloud services, which can be accessed remotely.
“Access to cloud-based technologies has shifted the day-to-day operations of data centre leaders; for instance, the decline in on-premises ‘traditional’ IT infrastructure has been accelerated by the pandemic, with usage of these facilities decreasing by over half (54%) in 2020, when compared to 2018.”
Tarter said that the industry is also seeing data centres going ‘dark’ at an increasing rate – dark data centres ultimately help to manage costs and improve physical security, as they operate almost entirely remotely through lights out management (LOM).
As businesses look to revisit earlier projects put on hold during the first months of lockdown, Tarter added that data centre leaders need to start focusing more heavily on securing their cloud infrastructure offerings. “It’s time for organisations to adapt their security practices to these new conditions by reducing the reliance on employees being physically in data centres, while employing systems to keep their employee and customer data secure and encrypted in the cloud,” said Tarter.
“If businesses don’t take these steps now and adapt to this new reality, it might be the case that they’re much less agile and not able to pivot when faced with new threat vectors or external influences. For most organisations, the starting point for securing data on the cloud is being situationally aware. This means understanding what data it has, where it’s stored, who can access it and the risks associated with storing it. From here, security teams can start to remotely implement access control, encryption, key management and key security.”
Tarter said that data centre leaders need to make sure that their infrastructure isn’t just secure, but resilient to unexpected operational shifts.
Intelligent Data Centres spoke to industry experts to gather their thoughts and best practice advice on the subject.
Justin Augat, VP of Marketing for iland: “There is no question that cybersecurity is top of mind for organisations worldwide. Nearly every cybersecurity survey published in the last year indicates that cyberattacks are on the rise in terms of frequency, impact, duration and sophistication. Recent data from Accenture shows that, over the last five years, the number of security breaches has risen 67%, the cost of cybercrime has gone up 72% and the complexity and sophistication of the threats has also increased.
“Unfortunately, there is no ‘silver bullet’ solution when it comes to cybersecurity. As a result, organisations must take a multi-layered approach to securing their data and proactively deploying solutions that enable the recovery of data if the security layers are defeated. Starting with security, our experience has shown that a combination of the following is best:
• Physical security: This includes monitoring, access security and ensuring environmental elements are protected such as power, cooling and power supplies
• Logical security: This includes network, storage and hypervisor security. In this case, virtual firewalls, encryption and logical segmentation should be standard
• Process: This includes role-based access, documentation and regular testing
• Certification: Finally, independent validation of the above by a reputable third party
“With all of the above in place, the likelihood of a successful cybersecurity event is low. However, should the security fail, or the attack be so sophisticated as to overwhelm the provider defences, an appropriate data protection and recovery solution should be considered part of the cyberstrategy. This includes protecting the data via air-gapped backups. In this case, the cyber thief may have a copy of your data, but they will not be able to hold it for ransom. Air-gapped solutions restrict access to everyone but the provider.
“In other cases, cybercriminals may be out to inflict maximum damage on the IT operation. In this situation, organisations would benefit from a dedicated disaster recovery solution leveraging a cloud provider that can accommodate a secondary production environment that (also) includes all the security and protection options above.
“In the world of cybersecurity, the best offence is a good (proactive) defence. Given the frequency and sophistication of attacks over the last few years, it is clear that implementing multiple layers of security and protection is the best method to reduce the ability to attack and to limit the financial damage associated with an attack.”
Richard Meeus, Director of Security Technology and Strategy EMEA, Akamai: “Organisations are currently witnessing an increase in the rate of cyberattacks, with DDoS attacks currently flavour of the month for attackers. We have seen record-breaking attack sizes earlier this year and now we are in the midst of an RDoS campaign, where DDoS is used as a threat should a substantial ransom not be paid. As such, data centre leaders must act swiftly to ensure DDoS attacks don’t impact the availability of their servers and their services.
“Effective mitigation of DDoS, including the huge, multi-Tbps and 809Mpps attacks seen in June, requires inline cloud-based protection. Effectively managed by a round-the-clock Security Operation Centre, this can provide instant mitigation against known attacks and fast action against evolving tactics, ensuring your services remain online.
“Despite this, DDoS attacks are often used to generate smokescreens for more covert, malicious attacks. With the current widespread adoption of remote working, our corporate networks and data centres now have a perimeter that extends into bedrooms, kitchens and home offices all around the world. They are also shared with all the other devices on those networks, including fridges, doorbells, thermostats, security cameras and other Internet-of-Things that may not have such a stringent attitude to security as in the data centre.
“Implementing procedures and processes, often called Zero Trust Network Access, that only enable users’ access to the applications they need, rather than the wider network is a hugely effective first step. Many organisations tend to enable employee access through VPNs; however, by doing so they leave themselves open to risks if the user’s device or network is compromised. This is undoubtedly a growing issue in these socially distanced times. By focusing solely on access to the application, leaders can better prevent wider access to their networks and block the spread of malware.
“If criminals enter a network via other means, their primary objective is likely to be stealing and exfiltrating organisation and employee data. One of the issues for data centre leaders is that outbound traffic, especially when non-user based, is rarely afforded the same level of scrutiny as inbound traffic. The attackers know this and will use many ways to move the stolen data as surreptitiously as possible. As attackers can remain inside a network for many months, identifying them as soon as possible is imperative. Exfiltration commonly requires access to an external server that is found through a hostname. If we can analyse all DNS requests leaving our estate this would give us increased awareness into potential breached servers. In addition, if they were analysed against billions of other global DNS requests to be correlated for malware propensity, even better.”
Ozgur Danisman, Director – Sales Engineering, Emerging Markets, Forcepoint: “As leaders in global security, we at Forcepoint recognise that solving the most pressing security problems requires tight integration of capabilities that cross traditional product boundaries. The need for integrated products had been increasing in recent years, but 2020 has accelerated this trend. Suddenly, businesses needed to navigate through curfews, social distancing and remote working. Many companies had to prioritise cloud adoption for Business Continuity. Given these macro factors, it’s not surprising to witness some of the most conservative organisations now utilising public clouds.
“In the Middle East, close to 65% of our customers own and operate their own data centres, manage systems and security operations – something I believe represents the wider industry base. In an owned environment, in order to operate securely, data centre leaders should look to managing virtualisation efforts, securing client-server and server-server traffic and facilitating flexible connectivity among their branch offices with SD-WAN capable next-generation firewall (NGFW) solutions. An increasing 35% of our customers have opted to utilise cloud service providers both for SaaS and IaaS. Data security is a significant concern for companies using the cloud and enterprises should seek out DLP solutions which are integrated with Cloud Access Security Broker (CASB) products.
“Our mission is to help our customers ‘free the good and stop the bad’, and the end goal is of course to allow employees to work from home securely, connecting to their applications remotely with ease. Data centre leaders should demand built-in SSL-VPN functionality in NGFW products, so they are able to secure the data running on their employees’ workstations and apply a secure web browsing capability with unified endpoint security solutions. Particularly in the Middle East, security leaders need to seek out vendors that focus on cloud-first and are hybrid-ready: owned data centres are not going to disappear overnight.
“We recently introduced the Dynamic Edge Protection (DEP) suite of cloud-native SASE solutions featuring new Cloud Security Gateway (CSG) and Private Access offerings. With DEP, we have the industry’s most comprehensive suite of converged capabilities to address the enterprises’ most critical work-from-home security challenges across network security, threat protection, secure access and data protection. It enables enterprises to use the cloud to transform their network and security architectures, simplify connectivity and unify security policy enforcement throughout their distributed application and network environments.
“Forcepoint Private Access brings security – once delivered via a patchwork of point products – into the cloud. It dramatically improves and simplifies how customers can keep their people and data safe. It provides true SASE Security-as-a-Service that is ideal for safeguarding branch offices, SD-WAN connections and allowing employees to access the services hosted in the data centres (be they public or private) without needing any complicated infrastructure requirements.”
Ashraf Yehia, Managing Director, Eaton: “Cybersecurity is a discipline of risk management that is not a binary ‘secure’ or ‘insecure’, nor is it something that can be done once and then forgotten. It’s also not something that can be considered at procurement or commissioning and then forgotten. Full life cycle cybersecurity consideration requires consideration in the supply chain through product selection and full life cycle cybersecurity maintenance (from commissioning, weekly, monthly and yearly maintenance, and decommissioning).
“Data centre leaders should want a vendor with documented, repeatable and measurable processes to provide a level of cybersecurity assurance of supplied products and services. In addition to established good cybersecurity hygiene and governance for a vendor organisation, supply chain cybersecurity for devices centres around the following:
- Authenticity and integrity of firmware/software
- Secure by design
- The ability to be deployed securely in a system (e.g. strong access controls, optional secure remote access capability)
- Being part of a Secure Development Lifecycle (SDL or SDLC) to manage cybersecurity risks
- Third-party validated SDLC
- Full Lifecycle Vulnerability Management
- Secure storage and governance
“When considering critical infrastructure applications, supply chain cybersecurity standards are often influenced by actual cyber incidents and politics.
“The concept of a Secure Development Lifecycle (SDLC/SDL) not only applies to the full life cycle consideration of cybersecurity risks (inception, design, development, deployment, integration, maintenance and decommissioning), but also to the environment in which it is applied. For supply chain cybersecurity, NIST best practices rely on the need of assuming a Zero Trust environment to drive organisations to deploy controls throughout the environment (from human resources, access to data, manufacturing and downstream supply chain integrity). The ISO 27034 standard provides guidance around an SDL/SDLC for application security.
“Unfortunately, there is no global cybersecurity standard at this very moment. There are many different cybersecurity standards and they all differ in focus area. This makes it quite hard to know which standards are relevant for your business needs. It is critical to consider a range of these cybersecurity standards and industry best practices, and along with trained professionals, apply them appropriately to meet your needs.”