CSO Insights: DataBank’s Mark Houpt on Looking Beyond Securing Infrastructures in the New Normal

Mark Houpt, Chief Information Security Officer of DataBank, provides security insights that highlight challenges and learnings from both corporate and customer perspectives.

It has been several months since the Covid-19 pandemic has caused a massive shift in how enterprises conduct businesses worldwide. The new reality that Covid-19 has painted for enterprises and employees alike is one that heavily relies on remote work to keep business operations afloat. In fact, employees might continue working virtually until at least the middle of 2021 or in some cases, even permanently.

The big move to working remotely wasn’t completely difficult for Mark Houpt, Chief Information Security Officer (CISO) of DataBank. After all, he has been doing so even before Covid-19 hit. However, when the pandemic did happen, DataBank, like countless other companies across the globe, had to help most of their employees transition securely and smoothly to virtual work. This highlighted several important security considerations, including continuous monitoring — not just of infrastructures, but also (and more importantly) of employees’ welfare.  

With over 25 years of information security and information technology compliance experience under his belt, Houpt is responsible for developing and maintaining a cybersecurity program roadmap that allows DataBank and their clients to continue operating securely. In this interview, he shares with Trend Micro some important security considerations that enterprises can look into to keep remote teams working with visibility and security at the forefront. He also gives enterprises a glimpse into what security looks like from his unique vantage point, which highlights challenges and learnings from both corporate and customer perspectives.

Transitioning to working from home: from corporate and customer perspectives

Even before the Covid-19 pandemic, most enterprises already had an existing remote work setup for some of their employees. Still, it was rare to have one for majority of their workers. Even DataBank — which provides data center services and managed solutions 24 hours a day, 365 days a year to clients in nine locations, including Salt Lake City and Dallas — didn’t have such a setup in place for a majority of their employees.

Stress testing mission critical systems is necessary to ensure that they can withstand heavy loads and different challenges as employees work outside office walls. “Whenever our teams did move out of the offices and into their homes, there were a couple of challenges that we had to deal with. Most of them were related to testing the technological equipment that we have because we always have people working remotely, but we never had everybody working remotely. So we had some stress testing that we needed to accomplish, and we found out that we were fully capable of handling that,” shares Houpt.

It’s also important to ensure that employees who are working from home for the first time have the support and training that they need to continue working with ease: from making sure that internet circuits don’t overload as spouses and children share internet connectivity within the residence, to teaching employees some essential work-from-home tips.  

“Some of us work from home all the time, but there were people who didn’t, so they had the challenges of how to deal with their children and animals when they’re on meetings, things like that. Those of us who had to work from home in the past were able to share our experiences and how we were able to work through those situations and help people through that,” Houpt remarks.

The use of a virtual private network (VPN) should also be prioritized when working remotely to keep network connections protected against hacking and other threats. It’s also important to keep communications as agile as possible and provide a venue for employees to ask questions and get immediate assistance. “For this, we set up a Slack channel 'war room,' if you will, almost like an incident response plan in a response situation where we had a war room where people can come and put their problems on the table. We have a team that’s always there. They could triage and address those problems,” explains Houpt.

Unfortunately, the shift to remote work wasn’t as smooth sailing for all of DataBank’s customers, especially those who belong in heavily hit industries such as entertainment and travel. In such cases, flexibility in providing options apart from the usual offerings can help struggling clients amid the global health crisis: “In some cases, we’ve been going above and beyond, either doing remote hands types of functions inside our data centers or even doing some managed services functions that we typically wouldn’t do because there are people at home who aren’t able to access systems.”

With the work-from-home setup becoming increasingly universal, the importance of monitoring data centers has become all the more emphasized. Houpt shares that potential customers are becoming more interested in moving data centers from an on-premises type of solution to a function that can be monitored 24/7 and maintained by professionals outside of their respective companies.

“We’re going to see a lot of people, even large enterprises, being interested in moving their data centers and data closets, either to the cloud or to a facility that is not their responsibility to manage and maintain so that they can ensure that their people are protected.”

As accessibility becomes an even bigger challenge for business continuance during the pandemic, the cloud — which allows users the capability to store and process huge volumes of data and access services and software over the internet — enables enterprises to proceed full steam ahead with business operations. However, simply opting for cloud-based solutions will not be enough to protect enterprises from an expansive and ever-evolving threat landscape. In addition to all of these, continuous monitoring remains essential to an enterprise’s overall security.

The cybersecurity risks related to working from home

Although the work-from-home culture has swiftly become indispensable for companies, it also comes with several critical obstacles that companies need to be aware of. Vulnerable home networks are one such obstacle. Houpt warns, “There’s always a home network threat. The attackers are out there taking advantage of anything they can get.”

On top of capitalizing on Covid-19 to launch campaigns, malicious actors are also seen to be waging several attacks on companies during the global healthcare crisis. For instance, during the start of the pandemic, a recent uptick on distributed denial-of-service (DDoS) attacks that aim to congest networks and contribute to service outages were seen.

“One of the things that we’ve seen right at the beginning of Covid-19, for about the first month, were some pretty significant DDoS attacks that were coming in from botnets. Most of them were coming in from overseas. In fact, we had one situation wherein an attack of over 10 Gbps was coming in,” recounts Houpt.

Aside from DDoS attacks, Houpt also noted an increase in old-style web defacements, where hacktivists and cybercriminals exploit vulnerabilities to vandalize websites. As it turns out, web defacement, though anything but novel, is still in use by defacers to spread specific political agendas. Because of the pandemic, more people — including cybercriminals and hacktivists — are staying at home with more free time on their hands than before. And with 20% of American adults remotely working during the global health crisis, the attack surface has undeniably widened: a situation which malicious actors are quick to take advantage of for personal gain.

Houpt also attributes the increase in web defacements to a lack of proper and timely patching of online infrastructures. “We had a situation a couple of weeks ago where a patch was not applied to an application that should’ve been applied three years ago and it resulted in a significant compromise. We’ve seen a lot of WordPress content management system (CMS) types of attacks coming in where people just had not updated the plug-ins or had not updated the overall CMS for defending it against that kind of thing,” Houpt shares.

To keep their websites from being defaced, enterprises need to enforce strong passwords, web application firewalls, secure coding practices, and timely patching. “Patching is a common security hygiene practice that everybody should be doing,” Houpt remarks. But he is also quick to emphasize other functions that require enterprises’ attention: “There are other functions that, if they don’t stay on top of, from a security perspective, they’re going to get left behind.”

Securing cloud-based applications through continuous monitoring

Contrary to popular belief, storing or hosting data in the cloud doesn’t necessarily mean that the data is already resistant to threats and risks. “A lot of people think that when they put things in the cloud, that the cloud is a turnkey security solution. There is not one cloud provider that I’m aware of on this entire planet that would agree with that statement,” expresses Houpt. To keep the environment as secure as possible, the shared responsibility model — where both the user and the cloud service provider have delegated responsibilities — must be implemented.  

“It doesn’t matter if you go to AWS, Azure, DataBank, or anybody else. If you don’t subscribe to security services and you don’t maintain a security posture yourself as a cloud user, then you put your applications at risk."

Houpt shares that their consultative approach helps ensure that their clients are properly guided throughout their big move to the cloud and that they understand their respective responsibilities and tasks. “In other types of cloud environments, somebody will just go and turn on the cloud and say, ‘Here you go, here’s your server, now you have to stand it up. You have to secure it the way you want to secure it.’ At DataBank, we take the hands-on consultative approach to doing that so that our customers actually have an implementations engineer across the phone that whom they can talk to when things aren’t going right, or when things are challenging throughout the process. We also have a project manager who guides everyone, both customers and DataBank, through the process, and who gets the customer to transition over and up and running on our side of things. So that’s our view: The consultative approach is a real key to overcoming some of the major challenges that exist in moving a data center or an application or other type of IT product from an on-premises solution, sitting in a data closet somewhere, and into a more secure cloud environment,” Houpt expounds.

In addition to the consultative approach, in order to strengthen enterprises’ security postures and keep systems and cloud-based applications protected from compliance issues and risks, Houpt also advocates for one critical process. “The biggest thing that I preach all the time is setting up a continuous monitoring program,” he remarks.

“The first thing you need to do is to select a security methodology that you’d want to follow, such as the Payment Card Industry Data Security Standard (PCI) if you’re a heavy PCI user, NIST SP800-53R4 or ISO/IEC 27002, if you’re heavily into privacy or federal work.”

Once a methodology is chosen, it’s important to check existing controls and decide which level of monitoring should be employed and at what frequency. DataBank, which uses the NIST Special Publication 800-53 methodology at the federate moderate level, has a total of 325 controls, some of which are monitored on a daily basis. “I actually have my security engineers looking at reports on a daily basis for particular types of issues and functions. Usually, those are based around access control, such as making sure that people are not accessing the systems or locking themselves out. Then you’ve got a weekly monitoring, a monthly monitoring, a quarterly monitoring, and an annual monitoring,” describes Houpt.

To keep track of functions that need to be done, Houpt recommends the use of a ticketing system. Based on a preset schedule, a ticket is auto-generated for specific teams that need to monitor certain functions. DataBank also has a protocol that discourages team members from closing the ticket without monitoring a function: “There’s some oversight on it. It requires two people to close the ticket. So one does the work and they pass it on to a second person to monitor or verify that the work was done.”

Continuous monitoring is also essential for companies that operate on any type of cloud deployment or environment and hire managed security services, as it will help them check if their providers are doing what they’re contracted to or are obligated to do. “Too many times, our customers will go and hire a managed security services vendor or just a managed services vendor to do the cloud functions for them and they’ll never check up on them,” says Houpt. Aside from continuous monitoring, it’s equally important for enterprises to stay on top of their overall security by employing the right tools and techniques for their business.

“So the bottom line is that continuous monitoring is important at all levels, and customers cannot just assume that when they’re there, they’re already secure. That is the one thing that gets people in trouble all the time. They believe that they’re secure because they put something in the cloud, and that’s just not accurate."

Looking beyond infrastructures for a holistic cybersecurity approach

Although securing online infrastructures and systems is not a newfangled concept, the swift shift to remote work has nevertheless introduced numerous security gaps that go beyond mere technological preparedness. To close these gaps, Houpt anticipates the need for enterprises to introduce new policies to help highlight privacy and security while working remotely. “I think that you’ll see some new security policies that are driven toward work-from-home types of situations whereas in the past we really haven’t had those policies in place,” explains Houpt. Additionally, these policies would need to cover the particular security standards that a remote work setup would need to adhere to, such as how employees should set up their home routers or which providers are vetted and approved by the company. Employees who use their own devices for work must also be equipped with robust VPN capabilities and proper security solutions.

Enterprises must also have tools that have comprehensive monitoring capabilities that will provide accurate insight on setups involving “bring your own devices” or BYODs and even corporate laptops. This will enable enterprises to see the different types of attacks and malicious activities even while employees work from home with their own devices and networks. It’s important for these monitoring tools to have a centralized database where all the data and logs can be offloaded. This will also allow security teams to perform proper security incident response investigations.

Houpt also recommends for enterprises to have a security professional on their staff who can provide an extra layer of visibility. “On top of continuous monitoring, a customer who’s on the cloud should have either a security professional on staff or somebody that’s on retainer, like a virtual CISO, whom they can reach out to and say, ‘Hey what’s going on with security these days? What do we need to be monitoring? What do we need to be involved in? What do we need to be asking our cloud provider? What should and shouldn’t they be doing?’”

Aside from securing and properly monitoring applications, systems, devices, and infrastructures, Houpt points to monitoring another vital facet of the business — the employees’ welfare. “The reality is, a lot of people are struggling right now with mental health issues, with being asked to stay home, with not being able to go out, and with having to work from an environment that they’re not typically used to working from,” he remarks.

For Houpt, it’s vital to monitor how employees are doing and to keep their welfare in mind when making decisions that can affect their physical and mental health. “I’m also concerned, as this continues to go on, that companies will either try to move back into the offices too quickly or not quickly enough. It’s a fine line and really does depend on where you live and what kind of company you have,” says Houpt.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.