When a Nutanix employee connected a Raspberry Pi computing device to his home network without changing the default password, hackers hopped in and tried to launch attacks. The next time he logged in with his work laptop, automated security software inside Nutanix’s data center flagged the blacklisted IP address and alerted the user that his network was at risk.
Contrary to the employee’s first reaction, this was not an Orwellian tactic to surveil his home network. It was a fast act to save the company and all of its employees, explained Sebastian Goodwin, Chief Information Security Officer (CISO) at Nutanix.
“We can’t monitor what employees are actually doing on their personal networks,” Goodwin said. “We can just identify suspicious addresses and malware” and take measures to keep them from compromising the Nutanix IT infrastructure.
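The check described in the opening anecdote, as an added example that is not the page's or Nutanix's own code: login events are parsed, the source address of each login is matched against a blocklist of single addresses and CIDR ranges, and one alert is raised per user/address pair. The log format, the event lines and the blocklist entries are all constructed here for illustration (addresses come from the RFC 5737 documentation ranges); a real deployment would read the indicators from a threat-intelligence feed and the events from the VPN or identity provider.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of authentication events (not real Nutanix logs).
SAMPLE_EVENTS = """\
2021-03-02T08:15:22Z user=alice action=login src=203.0.113.45 result=success
2021-03-02T08:16:03Z user=bob action=login src=198.51.100.7 result=success
2021-03-02T08:17:41Z user=carol action=login src=192.0.2.200 result=failure
2021-03-02T08:20:10Z user=alice action=logout src=203.0.113.45 result=success
2021-03-02T08:21:30Z user=bob action=login src=198.51.100.7 result=success
"""

# Constructed blocklist in the shape a feed would supply: bare IPs and CIDRs.
SAMPLE_BLOCKLIST = ["198.51.100.0/24", "192.0.2.200"]

# Assumed key=value log layout; adjust the pattern for a real source.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def compile_blocklist(indicators: List[str]) -> list:
    """Turn feed strings into network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(raw.strip(), strict=False) for raw in indicators]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for a line that does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def match_blocklist(src: str, networks: list) -> Optional[str]:
    """Return the blocklist entry that contains `src`, or None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # malformed address: never treat garbage as a hit
    for net in networks:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def find_blocklisted_logins(log_text: str, indicators: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, src, matched_entry) for each distinct user/address pair
    whose login attempt, successful or not, came from a blocklisted address."""
    networks = compile_blocklist(indicators)
    seen = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] != "login":
            continue
        hit = match_blocklist(ev["src"], networks)
        if hit is None:
            continue
        key = (ev["user"], ev["src"])
        if key in seen:
            continue  # one alert per user/address, not one per event
        seen.add(key)
        alerts.append((ev["user"], ev["src"], hit))
    return alerts


if __name__ == "__main__":
    for user, src, entry in find_blocklisted_logins(SAMPLE_EVENTS, SAMPLE_BLOCKLIST):
        print(f"ALERT: {user} logged in from {src}, which matches blocklist entry {entry}")
```

Failed logins are deliberately included: a failed attempt from a known-bad address is still a signal that the user's network is exposed, which is the situation the anecdote describes.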
Managing data security in the remote work era is just one of the many big challenges keeping today’s enterprise IT security teams hypervigilant.
“There was a rapid shift to everyone working remotely, and not all companies were set up to work that way,” said Goodwin. “Some had to make hasty moves to let people access systems and applications from home.”
It forced many IT departments to quickly close security gaps and teach their workforce how to mitigate cyber threats. Every threat or breach is a chance to build resilience and reinforce the troops.
Why Passwords are Passé
In addition to being Nutanix’s CISO, Goodwin is also an adjunct professor at the University of California Berkeley School of Information, where he teaches classes in the Masters in Cybersecurity degree program.
Reflecting on his experience teaching the next generation of IT leaders, Goodwin said the complexity of the technology stack has increased exponentially since he entered the field.
“Security teams have to not only understand a multitude of technologies that operate across disparate substrates and platforms but also understand how those technologies can be exploited and how to protect them,” he said. “With unique vulnerabilities in each platform, it’s a constant challenge to prioritize and mitigate risk.”
One of the major changes Goodwin would like to initiate is moving past passwords. He believes any resource accessible with only a user ID and password should be considered unprotected.
“Passwords are obsolete at this point,” he said. “You need multifactor authentication,” which requires a combination of biometrics, phone authentication, hardware or software tokens, or other verification methods.
Passwords once sufficed, because “10 years ago it was time-consuming and processor-intensive to create a list of a billion passwords to hack a user account,” he said. “But now it’s a trivial task.” This is driving many IT leaders to implement password-less access.
Password management issues continue to rank near the top of the list of enterprise cyber worries, he said, along with phishing emails with bogus links that facilitate “stealing your password or exploiting a vulnerability in the software you’re running. Email is still the number one way people break into data systems.”
These compromises can lead to big-ticket breaches when someone clicks a link or opens a file that kicks off ransomware. Ransomware encrypts all the data it can reach, and that data can only be restored with a decryption key that must be obtained from the attacker, who usually charges a handsome fee for it.
Regular, immutable data backups keep data accessible so businesses can continue operating in the event of a ransomware attack. Goodwin said that, beyond taking regular backups, it is important to protect the backups themselves from the ransomware, which can be achieved by keeping them offline or in read-only storage. Increasingly, however, ransomware is about more than depriving organizations of access to their data.
“Hackers are threatening to release your data on the internet in extortion schemes designed to make sure people pay,” Goodwin said. “In these cases, having immutable data backups doesn’t help.” That’s because confidential information, which could include trade secrets, is at risk of being made public to competitors and others.
Best Defense Uses Tech Combo
Strong cyber defenses require comprehensive endpoint protection, said Goodwin: any device employees use to access corporate data must run security software that is kept in compliance with the company’s security standards. That software has expanded from standalone antivirus programs to include capabilities such as threat detection, device management and virtual private networking (VPN), which encrypts data as it traverses a communications network such as the Internet.
Some highly regulated sectors, such as government and banking, also use file-level encryption to protect individual files. But for other businesses, that approach can be a double-edged sword, according to Goodwin.
“File encryption has been around a long time, but it’s cumbersome,” he said. “Users can only access files if they’re running the encryption agent with the encryption key. People share files all day long, and there’s confusion when people share a file outside the company with others who can’t open it. So businesses tend to use file encryption sparingly because it adds an extra layer of administrative overhead.”
Disk-level encryption, by contrast, only protects data while the disk is locked: it helps if someone steals a disk or laptop, or if a company sends a decommissioned device to a recycler without wiping and reformatting it, but not against an attacker or malware acting on a running, unlocked machine.
“Once the computer is booted up and the disk is unlocked, the files themselves aren’t encrypted,” he said.
Managing Security in Hybrid Multiclouds
Goodwin is at the helm at a time when many IT leaders are building and operating hybrid multicloud systems. Nutanix makes software that helps enterprises run private and public cloud IT operations, and it also runs its own business on that software, which is the environment Goodwin must protect. He sees firsthand how this trend is shaping the world of IT: he witnesses the benefits of automation and agile systems, but also experiences the challenges.
He notices that when application developers working in cloud environments aren’t familiar with security at the network layer and above, they tend to work without security guardrails, often because they believe guardrails slow down development.
“But as soon as you open something on the Internet, hackers act immediately,” he said. “You need the same security capabilities in the cloud that you’ve always had in the data center.”
He said the developer and security skillsets need to merge.
“The mindset of a lot of developers is to build the thing until it works,” he said. “The security mindset is ‘how would someone exploit it – how can we make it do something other than what the app was built for?’”
The growing complexity of cloud technologies and services requires new security perspectives and skills, he said.
“There are security tools you can turn on, but you have to know what they are. You run into multiple layers and permissions that cross different products and tools, drawing a picture that you didn’t expect.”
Goodwin also pointed to the importance of correctly configuring Internet-facing business applications, particularly given the growing ineffectiveness of user passwords. If applications such as Office 365, Google Drive, Salesforce.com and Slack are left open or misconfigured, an attacker who obtains a simple password can get into an account “and take advantage,” he said.
Just as hybrid multicloud management is being eased by cross-cloud tools that leverage an abstraction layer between apps and the underlying cloud platform, security ultimately will benefit from the same setup, said Goodwin.
“In this hybrid multicloud era, we will see a convergence of security capabilities into platforms that can be used to manage the full stack of security capabilities across the on-premise and public cloud estate,” he said.
Goodwin said that managing data encryption, backups, malware detection, vulnerability management and network micro-segmentation with disparate toolsets across a hybrid multicloud environment is too cumbersome.
“As a security leader, I look forward to seeing more of this convergence into simplified platforms that make the underlying complexity invisible.”
Editor’s note: Learn how the Nutanix Enterprise Cloud provides native platform hardening, security auditing and reporting, and protection from network threats.
Joanie Wexler is a contributing writer and editor with more than 25 years of experience covering the business implications of IT and computer networking technologies.
© 2021 Nutanix, Inc. All rights reserved. For additional legal information, please go here.