Survey: Most Data Center Managers Rely on Outdated Security Practices

While experts aren’t surprised, they recommend adding the latest tools to your security strategy now.

Daily news reports of high-profile breaches and massive credential dumps underscore the problems with relying on passwords for security. Users either opt for simple, easy-to-guess passwords or, when required to come up with more difficult ones, reuse the same passwords everywhere they go. After all, who has time to memorize dozens of long random strings of characters?

Fortunately, cybersecurity professionals have many other security tools they can use to augment or even replace traditional passwords. But in a recent survey conducted by Data Center Knowledge and its sister Informa Tech brands, 78 percent of respondents said they used “strong passwords” as their most common security best practice.

Meanwhile, only 50 percent said they were using multi-factor authentication or network segmentation, 41 percent said they conducted penetration testing, and only 16 percent had zero-trust architectures.

Todd Matters, chief architect and co-founder at RackWare, said he isn’t shocked that data centers lag behind in implementing some of these modern security controls.

Download the full DCK Data Center Security survey report here

“Data center managers are torn every day between providing the high availability that’s required and trying to balance that with other security measures, a disaster recovery plan, and all the other things they have to do,” he said. “I’m actually surprised that the use of multi-factor is as high as 50 percent. I expected it to be a lot lower to tell the truth.”

The survey shows that data centers are putting too much faith in passwords alone, experts said.

“Secure passwords are worthless if they’ve all been stolen,” said Chris Rouland, co-founder and CEO at Atlanta-based Phosphorus Cybersecurity. “We should absolutely use dual-factor.”

He pointed to the recent data dumps of passwords, one of the latest with more than 2 billion credentials. And the leaks just keep on coming. Now, attackers can use these stolen credentials to attack data centers, not just by directly trying passwords to see which ones work but also by using stolen information to create very convincing phishing emails.

“An overwhelming percentage of data breaches occur as a result of compromised or stolen credentials,” said Leo Taddeo, CISO at Cyxtera Technologies, a large data center operator based in Florida. “Passwords are quickly becoming obsolete.”

It takes time to move to biometrics, least privilege, and passwordless authentication, he said, but data centers are moving in that direction.

Taddeo said that data centers should also be adopting zero-trust principles and segmentation.

“Leveraging micro-segmentation to apply the principle of least privilege to the network completely reduces the attack surface,” he said. Zero trust is a transformative technology and can dramatically lower risk.

“It was first discussed nearly a decade ago yet is just gaining momentum,” he said. “The good news is emerging technologies using micro-segmentation are among the most promising innovations our industry has seen in recent years.”

Wendy Nather, who used to head IT security for UBS, said she first heard about zero trust more than 15 years ago.

“When I heard that, I thought, ‘That makes sense,’” she said. “But I have no idea how I would implement that.”

It took Google seven years, she added. “There are still a lot of organizations trying to figure it out.”

Nather, who is now head of the advisory CISOs team for Duo Security at Cisco, said she expects to see more adoption of zero-trust architectures in the next two to three years.

Meanwhile, even basic network segmentation can be hard to do.

“When I was a CISO, trying to do network segmentation, you needed to know which systems need to talk to other systems,” she said. That can require monitoring traffic for long periods of time. “If you have operations that only happen on a periodic basis, such as applications that only get significant use once a year, then you have to monitor traffic for a year to get the data you need to do the segmentation.”

Enterprises can be reluctant to adopt network segmentation because they worry that something will break, she said. “Psychologically, it can be very difficult.”
