By Simon Pamplin, Chief Technologist WAN Edge EMEA at Aruba Silver Peak
The proliferation of IoT devices across enterprises brings new ways to monitor, automate and optimize business processes – from intelligent manufacturing lines to automated lighting in smart offices for energy savings. However, while IoT makes businesses more efficient through automation, it also increases the attack surface by adding a new dimension of security complexity.
Examples of enterprise IoT devices include point of sale (PoS) credit card processing terminals, heating, ventilation and air-conditioning (HVAC) control systems, surveillance cameras, flow sensors and more. These network-connected devices communicate over the internet either with a control centre running in a public cloud environment such as AWS, Azure or Google Cloud, or with a corporate data centre where the large data sets are recorded and analyzed. Because these enterprise IoT devices connect over the internet, they can introduce new threats and have become attractive targets for opportunistic cybercriminals. Why? Because the devices sit on the corporate network, a successful cyber-attack on one of them can provide a backdoor into an organization’s entire network.
Zero Trust Network Access
The acceleration of digital transformation over the last 15+ months has only served to intensify the problem, which has prompted technology leaders to assess the full spectrum of devices across their organizations. One way IT teams are tackling the growing mobile device security challenge is to deploy a Zero Trust Network Access (ZTNA) solution based on the Zero Trust model. A ZTNA solution works by installing an endpoint agent on a user device such as a laptop, tablet or mobile phone, which ensures traffic from the device is directed to a cloud-delivered security service before being directed towards a SaaS application or IaaS provider.
So far so good. However, unlike mobile user devices, the majority of IoT devices cannot run third-party software agents, so a ZTNA solution that depends on an endpoint agent won’t work on them. Because of this, enterprises require a different security solution for IoT devices. Enter SD-WAN – a new approach to securing enterprise IoT devices.
Advanced, Business-Driven SD-WAN Edge Platform
With an advanced, business-driven SD-WAN edge platform, enterprises can mitigate the risk of exposure to breaches associated with IoT devices without the need to install ZTNA agents. Instead, the platform is able to identify and classify IoT device traffic on the first data packet, and segment it at the network edge to an appropriate zone where it can be isolated from all other network traffic. This end-to-end segmentation spans the enterprise and enforces consistent and automated security policies with granular visibility.
Segment and isolate
The ability to isolate segments of IoT device traffic is one of the key benefits of the end-to-end segmentation that is made possible through an advanced SD-WAN platform. An independent security policy can be configured and applied to each segment; the policy instructs the network where to send the traffic and defines role-based access levels and security restrictions, such that IoT devices can only communicate with their IoT headend systems. It’s this level of zero trust dynamic segmentation that isolates threats and prevents cybercriminals from gaining access to the wider network: since traffic in one segment is isolated from traffic in other segments, unauthorized access is prevented, and even if a threat were to appear, its impact is contained to the segment in which it emerged. Moreover, with an integrated zone-based stateful firewall, enterprises can secure remote sites and IoT devices by blocking potentially malicious incoming connections.
A good example of this in action can be seen in the difference between how you might secure PoS and HVAC systems at a remote site. In the case of the PoS device, given the sensitive nature of the customer information involved, a business may wish to direct the data back through the corporate data centre where it hosts the credit card transaction processing application, allowing the existing firewall security services to verify the traffic. However, the same business may not want or need to handle data from HVAC in the same manner. Instead, it could define a separate policy that intercepts that traffic and directs it to a cloud-delivered security service for additional inspection en route to the IoT control centre hosted in the public cloud. Since the two traffic types are kept separate and adhere to different security policies, a breach in the HVAC segment would not compromise any credit card or personal data in the PoS segment.
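The PoS/HVAC scenario above, expressed as a small zone-based policy point, as an added illustration that is not Aruba or Silver Peak code. It assumes that a device is classified into a segment from its source subnet on the first packet (a stand-in for whatever fingerprinting a real platform uses), that each segment has a steering path and an allow-list with everything else denied, that traffic between two IoT segments is never forwarded, and that inbound packets reach a device only when they are replies to a flow the device itself opened (the stateful part). All subnets, zones, ports and destinations are constructed sample values.

```python
"""Zone-based segmentation and stateful inbound filtering for IoT traffic.

Added illustration for this article; not vendor code. Subnets, zones and
destinations are constructed sample values (RFC 5737 ranges on the public side).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port: int = 40000  # ephemeral port; only used for flow tracking


# Classification on the first packet. Here the segment is derived from the
# source subnet (assumption standing in for device fingerprinting).
ZONE_BY_SUBNET = {
    IPv4Network("10.10.1.0/24"): "pos",
    IPv4Network("10.10.2.0/24"): "hvac",
    IPv4Network("10.10.3.0/24"): "cameras",  # classified, but no policy below
}


@dataclass(frozen=True)
class ZonePolicy:
    path: str        # where matching traffic is steered
    allowed: tuple   # (IPv4Network, port) pairs; anything else is denied


POLICY = {
    # Card data goes back through the corporate data centre firewall.
    "pos": ZonePolicy("corporate-dc-firewall",
                      ((IPv4Network("10.0.50.0/24"), 443),)),
    # HVAC telemetry goes via a cloud security service to the control
    # centre in the public cloud (MQTT over TLS on 8883 in this sample).
    "hvac": ZonePolicy("cloud-security-service",
                       ((IPv4Network("203.0.113.0/24"), 8883),)),
}


@dataclass(frozen=True)
class Verdict:
    zone: str
    action: str          # "steer" or "drop"
    path: Optional[str]  # steering path when action == "steer"
    reason: str


def zone_of(ip: IPv4Address) -> str:
    """Return the segment an address belongs to, or "unknown"."""
    for net, zone in ZONE_BY_SUBNET.items():
        if ip in net:
            return zone
    return "unknown"


class SiteEdge:
    """Per-site policy point: segment outbound traffic, admit only replies inbound."""

    def __init__(self) -> None:
        # Established flows: (local ip, local port, remote ip, remote port)
        self.flows = set()

    def outbound(self, pkt: Packet) -> Verdict:
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        zone = zone_of(src)
        if zone == "unknown":
            return Verdict(zone, "drop", None, "source not classified into any segment")
        if zone_of(dst) != "unknown":
            return Verdict(zone, "drop", None, "cross-segment traffic is never forwarded")
        policy = POLICY.get(zone)
        if policy is None:
            return Verdict(zone, "drop", None, "segment has no policy: default deny")
        for net, port in policy.allowed:
            if dst in net and pkt.dst_port == port:
                self.flows.add((src, pkt.src_port, dst, pkt.dst_port))
                return Verdict(zone, "steer", policy.path, "matches segment allow-list")
        return Verdict(zone, "drop", None, "destination not permitted for this segment")

    def inbound(self, pkt: Packet) -> Verdict:
        """Stateful check: only replies to flows the segment opened are admitted."""
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        zone = zone_of(dst)
        if (dst, pkt.dst_port, src, pkt.src_port) in self.flows:
            return Verdict(zone, "steer", "local-segment", "reply to an established flow")
        return Verdict(zone, "drop", None, "unsolicited inbound connection to IoT device")


if __name__ == "__main__":
    edge = SiteEdge()
    print(edge.outbound(Packet("10.10.1.7", "10.0.50.20", 443, 51000)))   # PoS steered to DC
    print(edge.outbound(Packet("10.10.2.9", "203.0.113.10", 8883, 52000)))  # HVAC steered to cloud
    print(edge.outbound(Packet("10.10.2.9", "10.10.1.7", 443)))           # HVAC -> PoS: dropped
    print(edge.inbound(Packet("198.51.100.5", "10.10.2.9", 23, 4444)))    # unsolicited: dropped
```

The point the example makes concrete is that the two properties the article relies on are separate rules: the allow-list decides where a segment's traffic may go and through which security path, while the cross-segment check and the flow table are what keep a compromised HVAC controller from ever reaching the PoS segment or being reached from outside.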
Safeguarding cloud-first enterprises
As well as the clear advantages of segmentation and isolation, the other benefits of an advanced SD-WAN Edge platform in an IoT environment are its abilities to autonomously track and respond to threats. It continuously monitors the state of the enterprise network and IoT applications to detect changing conditions – including spotting a DDoS attack – and will then trigger immediate, automated real-time responses to mitigate the impact of any security threat events.
This is critical in a cloud-first environment where rapid change, increased data, and potential cyber threats are growing in equal measure. According to IDC, the cloud services market alone will exceed $1 trillion by 2024, so it’s safe to assume that cloud-first enterprises are set to be the new norm. However, this transformation cannot rely on legacy security infrastructure or manual policy changes. Cybercriminals will be quick to identify any insecure IoT device, and businesses must be ready to detect and respond to intrusions instantaneously. Technology leaders must ensure they are safeguarding their enterprises throughout their transformation journey, so that they are ready and able to embrace IoT's benefits without putting the corporate network at risk.
Final word
When applied correctly, IoT devices can help automate business operations, drive significant operational efficiencies, and deliver real-time intelligence that makes organizations more agile. But as enterprises continue to deploy more and more connected devices, it's critical to manage the unique security challenges associated with them. An advanced SD-WAN edge platform unifies the technologies required to identify, classify, segment and secure the network, and is ideally suited to maximize the return on enterprise IoT investments while protecting the wider business network and operations.