Planning for the future means moving secure remote access toward the top of your list
By Leo Taddeo, Chief Information Security Officer, Cyxtera Technologies and President, Cyxtera Federal Group
In terms of a global cyber conflict, data centers are the modern-day equivalent to the ball bearing plants of WWII. Just as ball bearings were essential to the tools of mechanized warfare, data centers are key components of the infrastructure that supports the modern economy. The effects of a successful cyberattack on a few data centers would cascade across other critical sectors to cripple the country’s digital backbone. Protecting data centers from threats to continued and uninterrupted operations must be a top priority in any national or commercial cybersecurity strategy.
To that end, the main pillar of information security for data centers, and other industrial control systems (ICS), is effective user access control. For many data centers and ICS security plans, user access was partly secured by requiring the user to be on site. This made sense up until 2020 BC (“Before COVID”), when few CISOs thought about social distancing for ICS and data center operators. While keeping unauthorized users out has been, and always will be, essential, the pandemic has added a new reason to focus on secure remote access. Beyond keeping unauthorized users out, effective remote access tools can keep authorized users apart.
Being Inside the Physical Perimeter Means Risk
The response to COVID-19 forced businesses to scramble to keep employees productive as they transitioned from the office to home workstations. Fortunately, most office employees can remain productive by using video conferencing and familiar applications that are highly scalable in cloud-based SaaS offerings. The security for these productivity suites is built into the application — easy.
But what about highly skilled technical employees who need access to systems that run only on corporate networks? These include sensitive ICS like cooling, power, and humidity. How can a CISO ensure only the right people have access at the right time and for the right purpose? In the pre-COVID world, the employee had to be on-site to access the system. Keeping employees together on-site is no longer a net benefit to security. The potential for infection and loss of key personnel is too great.
In addition, most data centers and other ICS facilities have been relying on an outdated contractor service model, wherein, in the interest of efficiency, specialized technicians travel from facility to facility in an ongoing cycle of install, repair, and update. In a pandemic environment, each visit by a technician is an opportunity for the virus to spread. The visiting technician model creates real cross-contamination risk within campuses and across regions. One contagious technician could potentially visit multiple sites in the course of several days with the potential to knock out dozens of those sites before he knows he is contagious.
This, in a nutshell, is why CISOs need to reprioritize remote access for as many users as possible. If an employee, especially a highly skilled technician, can operate off-site, the contamination risk goes down and resilience goes up.
Rethinking Remote Access Tools
As the foundation of our digital critical infrastructure, data center operations teams have so far met the pandemic’s immediate needs — scaling up clients to deal with shifting demand and a newly remote workforce, to name a few. But the fact is that geopolitical tensions are rising and cyber conflicts between rival powers are transitioning from a simmer to a low boil. Reports from reliable sources, including government agencies and private threat intelligence firms, reveal a disturbing uptick in activity from China, Russia, and North Korea. As we grapple with the real health threats caused by the pandemic, we can’t forget that adversaries are lurking in the wings, waiting for us to look away so they can get inside our critical infrastructure and potentially do damage.
In the past, practically the only option for CISOs was to allow remote access through a traditional VPN. Unfortunately, nation-state actors are known to have exploited vulnerabilities in legacy VPN technologies to steal credentials and gain access to sensitive systems. In October 2019, the UK’s National Cyber Security Center warned that Chinese intelligence agencies had used these tactics. The US Department of Homeland Security and National Security Agency issued similar warnings.
Far too many data centers and ICS facilities are burdened with legacy VPN systems, which are simply not designed to meet today’s risks. They are incompatible with new technology, lack scalability, and expose the companies using them to regulatory and compliance risks. In addition to being vulnerable to several common attack vectors, VPNs limit operational flexibility in that they don’t allow for dynamic access based on conditions and user context.
Make Secure Remote Access a Business Enabler
For data center operators, maintaining building management systems is a non-negotiable requirement. Many data center operators are looking for an alternative to the VPN. The answer for many operators of sensitive industrial systems, including data centers, is the Software-Defined Perimeter (SDP). One of the big advantages of SDP is the ability to enforce least privilege access to third-party support organizations.
Unlike a VPN, SDP can allow access to specific systems included in a contractor’s support agreement without giving them wide access to the network. As an example, the RF code wireless temp/humidity sensors in some data centers are supported by specialized service providers. Using SDP, CISOs can limit the contractor’s access to those servers without opening up our other BMS platforms. CISOs can also use SDP to ensure that the contractor’s machines meet security requirements before they connect. If the laptop is not sufficiently updated and protected by antivirus software, SDP will block the connection. These additional audit and security controls are far superior to legacy VPNs.
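The access decision described above can be sketched as a default-deny policy check. This is an added example, not code from the author or from any SDP product; the contractor identities, host names, and the 30-day patch threshold are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy: each contractor is entitled only to the systems named in
# its support agreement. All identities and host names are hypothetical.
ENTITLEMENTS = {
    "sensor-vendor": {("sensor-gw-01.bms.example", 443)},
    "cooling-vendor": {("chiller-ctl-01.bms.example", 443)},
}
MAX_PATCH_AGE_DAYS = 30  # assumed posture threshold, not taken from the article

@dataclass(frozen=True)
class Device:
    last_patched: date
    antivirus_running: bool

@dataclass(frozen=True)
class Request:
    identity: str
    device: Device
    host: str
    port: int

def posture_failures(device, today):
    """Return the posture checks the device fails (empty list = healthy)."""
    failures = []
    if (today - device.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches_out_of_date")
    if not device.antivirus_running:
        failures.append("antivirus_not_running")
    return failures

def decide(req, today):
    """Default-deny decision for one connection: returns (allowed, reason)."""
    allowed_targets = ENTITLEMENTS.get(req.identity)
    if allowed_targets is None:
        return False, "unknown_identity"
    failures = posture_failures(req.device, today)
    if failures:
        return False, "posture:" + ",".join(failures)
    if (req.host, req.port) not in allowed_targets:
        return False, "not_in_support_agreement"
    return True, "entitled"

if __name__ == "__main__":
    today = date(2020, 6, 1)
    laptop = Device(date(2020, 5, 20), True)
    print(decide(Request("sensor-vendor", laptop, "sensor-gw-01.bms.example", 443), today))
    print(decide(Request("sensor-vendor", laptop, "chiller-ctl-01.bms.example", 443), today))
```

Logging the returned reason for every denial gives the audit trail the paragraph refers to: it records whether a contractor was blocked for reaching outside the support agreement or for an unhealthy laptop.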
As data centers look to fortify their security posture, there is the realization that a full-scale overhaul isn’t economical. Incremental refreshes are, however, so as components and systems such as humidifiers or cooling systems are updated or replaced, cost, efficiency, and security must be paramount. Outmoded systems that require people onsite to run them open enterprises up to future vulnerabilities to threats that are known, unknown, or unforeseen — such as a pandemic.
Designing ICS and data center systems that are naturally and organically configured for secure remote access produces a number of benefits. First, remote access can result in cost savings over on-site access requirements as the latter incur additional travel and head-count costs. Second, modern remote access tools improve security flexibility. Lastly, remote access allows for separation between operators and vendors that adds to resilience against operational interruptions caused by pandemics and natural disasters.
Planning for the future means moving secure remote access toward the top of the list of criteria for IT investments. The world has changed dramatically. We must ensure our security solutions keep pace.
About the Author
Leo Taddeo, Chief Information Security Officer, Cyxtera Technologies and President, Cyxtera Federal Group, is responsible for oversight of Cyxtera’s global security operations, investigations and intelligence programs, crisis management, and business continuity processes. He provides deep domain insight into the techniques, tactics, and procedures used by cybercriminals, to help Cyxtera and federal agencies defend against advanced threats. Leo can be reached at @LeoTaddeoCZ and at our company website https://www.cyxtera.com.