Five Tips for Remote Data Center Manager Security During the Pandemic

As data center operators rushed to get all but the most essential employees working remotely, some security issues may have been overlooked.

Now that most organizations have dealt with the logistical nightmare of getting everyone up and running at home, it's a good time to take a deep breath and check to make sure that no critical security corners were cut in the process.

Here are the top things to check for during this protracted phase of the COVID-19 pandemic.

Patch, Patch, Patch

Prompt patching should be at the top of everyone's cybersecurity hygiene list (and it isn’t), but in times of crisis patching is in even greater danger of falling by the wayside.

Many organizations don't have their systems set up for automated patching, either because the option isn't available for a particular system, or because of worries that patching can cause things to break.

But the bad guys aren't sitting still just because there's a pandemic on.

In fact, a couple of weeks ago, when SaltStack released a patch for two critical vulnerabilities in software used for remote server management, data centers that hadn't patched in time began going down within five days.

Earlier this month Cisco disclosed a dozen high-severity vulnerabilities with its Adaptive Security Appliance and Firepower Threat Defense firewalls.

According to Mikhail Klyuchnikov, the Positive Technologies researcher who found the most dangerous of the vulnerabilities, attackers can prevent VPN connections or even penetrate corporate networks.

Like others, data center operators use VPNs to enable remote employees to connect to data center infrastructure management systems safely.

"Update all your VPN and critical access software that's accessed from outside your facility," advised Tom Coughlin, a technology consultant and IEEE fellow.

Backups for Your Backups

Technology services company Abacus Solutions has three data centers. It manages one on its own, while the other two are at colocation facilities operated by QTS Realty Trust.

To connect to data center management systems, twenty Abacus employees who used to work on premises now use VPNs at home for secure communications, Thomas Harris, the company’s COO, told DCK.

But no VPN can to do much good when the internet connection goes down or becomes too slow or unstable. So, Abacus gave the employees smartphones they can use to create WiFi hotspots. For plan C, the company gave them hotspot devices on a different carrier’s network.

"So, if their local internet went out, they have at least two other methods to connect out," Harris told DCK.

If their company laptops break, Abacus has pre-configured ones all set and ready to go out to the staffers.

"We have not had to send out any replacement laptops as of today," he said, "but I wouldn't be surprised if we had a laptop fail over the next few months."

He joked that if the replacements weren’t sitting at the ready, the staff laptops would “probably already be breaking left and right. That’s’ how it works, unfortunately.”

IEEE's Coughlin suggested having two employees work as a team on the most critical data center operations.

"If you're on something that could potentially be critical if it goes wrong, have two people working on it," he told DCK. "If one of them disappears during a critical activity, the other can take over or stop any bad processes."

Step Up Phishing Awareness

QTS, the colocation provider Abacus uses, now has 700 employees working from home for the first time.

"Are people going to take advantage and send COVID-19 [phishing] emails? That's going to happen," said Brent Bensten, the company's CTO of products.

QTS has long had a phishing awareness training program in place, and in the next couple of months, Bensten said, the company is probably going to do a specific COVID-19-focused training campaign. "I'm sure it will come up," he said.

Meanwhile, the company has anti-phishing security measures in place, such as alerts that come up when a message comes from outside the company.

The problem, said IEEE's Coughlin, is that when employees work in the same office it's easier for them to check if an email from a colleague is really from them.

Employees may also be more distracted, because they're working in a new environment or might have family emergencies going on around them.

Coughlin suggested that companies set up verification channels – outside of email – to allow employees to easily confirm that potentially risky messages are from who they say they are.

Upgrade VPN Capacity

While VPNs are the first line of defense for remote data center management staff, they can quickly run into limits when many of them suddenly log in remotely.

As a result, many companies are now considering upgrading their VPN systems to newer approaches, such as SASE, which stands for “Secure Access Service Edge Technology.”

Colocation provider Cyxtera began upgrading from its traditional VPNs three years ago, to AppGate SDP, which it spun out as a separate business last fall.

According to Cyxtera CISO Leo Taddeo, traditional VPNs are more vulnerable to common attack vectors, are difficult to manage, and aren't as flexible as the more modern solutions.

For example, he said, Cyxtera needed a secure and flexible way to access building management systems remotely, not just for its own employees but also for third-party contractors.

"For example, the RF Code wireless temperature and humidity sensors are supported by specialized service providers," he said. "With AppGate, we can limit the contractor's access to those servers without opening up our other building management system platforms."

The platform also makes the data centers invisible to attackers scanning the public internet for exposed systems, he added.

"And we also have the ability to enforce certain security controls," he said. "If a laptop is not sufficiently updated and protected by antivirus software, AppGate blocks the connection."

Protect Endpoint Devices

When employees connect to enterprise networks from home, they might not have the same protections against, say, malicious downloads as they do in the office.

Some organizations, like Abacus, make sure endpoint devices are hardened and secure. Abacus's company-issued laptops, for example, are set up so that users can't download and install outside software, and the VPN functionality is right there on the laptop, ensuring that all communications are isolated.

That's not true for all organizations, especially those who had to rush to get their employees set up at home.

Instead, employees might be sharing a home network – or even their computers – with other family members, or finding that they need to download and install untested and unapproved new software in order to get their work done.

"Absolutely, there are more attacks based on the fact employees are working remotely," said cybersecurity expert Tim Chiu, VP of marketing at K2 Cyber Security.

He suggested that data centers make sure employees are running local endpoint security software on all devices.

"Home networks don't have the same security technologies to protect the devices connected to it," Matias Katz, CEO and co-founder at Byos Security, said, so these devices need extra protections.

Without that, malware may spread from these devices to internal data center networks, which could potentially cripple operations, he said.

And if the data center manager is sharing the same WiFi connection with teenagers and other family members, there's a greater potential that someone clicks on a malicious link – or downloads questionable apps from gaming sites.

In addition to installing antivirus or other endpoint protection software and using VPNs, he recommends that data centers make sure they enable multi-factor authentication.

Finally, data centers should consider deploying an endpoint micro-segmentation solution to isolate employee devices from untrusted home networks.

Plan Ahead and Test, Test, Test

Companies with disaster plans in place were the best prepared for this emergency, especially if they subjected those plans to robust testing.

Abacus, for example, spotted potential problems that could be caused if laptops crashed and added backup devices to its preparedness strategy. QTS found a couple of areas that needed fixing while testing, said Bensten.

One was the need for a mobile device management system. Over the last three years, the company rolled out an MDM platform for all its mobile devices.

"We're a big believer in sending people home with laptops, tablets, and smartphones all controlled by our domain," said Bensten. "That was step one. Step number two was digitization."

QTS rolled out a software-defined orchestration platform and replaced some traditional enterprise software with cloud-based systems.

"We're making the physical not physical," he said. As a result, when the pandemic hit and 700 employees were sent home, the company didn't see any impact on efficiency.

"In fact, we saw efficiency go up," said Bensten. "The commute time has dropped significantly. And people are logging in at earlier hours and later hours, which helps productivity."

But it’s not too late to start planning now and testing those plans.

The bad news about cyber threats continues to pile on, and there are plenty of indications that the pandemic might yet get worse, and now we have “Murder Hornets.”

Fine, murder hornets might not be going after data centers. Yet. But there are still lots of ways for things to take a turn for the worse. More personnel may be unable to work because of illness. Large swathes of the internet may suddenly go down. US might go to war with China, disrupting technology supply chains in ways even a pandemic couldn’t.

If 2020 has taught us anything, it’s that it’s never too early to plan for the unthinkable.