Jacob Chacko, Regional Director – Middle East, Saudi & South Africa at Aruba (a Hewlett Packard Enterprise company) says that the proliferation of IoT devices across enterprises brings new ways to monitor, automate and optimise business processes – from intelligent manufacturing lines to automated lighting in smart offices for energy savings. However, while IoT makes businesses more efficient through automation, it also increases the attack surface by adding a new dimension of security complexity.
Enterprise IoT devices include point of sale (PoS) credit card processing terminals, heating, ventilation and air-conditioning (HVAC) control systems, surveillance cameras, flow sensors, and more. These network-connected devices communicate over the internet either with a control centre running in a public cloud environment such as AWS, Azure or Google Cloud, or with a corporate data centre where the large data sets they generate are recorded and analysed. Because these enterprise IoT devices connect over the internet, they introduce new threats and have become attractive targets for opportunistic cybercriminals. The reason is their connected nature: if a cyber-attack on an IoT device succeeds, the compromised device provides a backdoor into the organisation’s entire network.
Zero Trust Network Access
“The acceleration of digital transformation over the last 15+ months has only served to intensify the problem, which has prompted technology leaders to assess the full spectrum of devices across their organisations,” says Warren Gordon, ARUBA/HPE Business Unit Manager at Duxbury Networking, local distributors of ARUBA/HPE technology.
One way IT teams are tackling the growing mobile device security challenge is to deploy a Zero Trust Network Access (ZTNA) solution based on the Zero Trust model. A ZTNA solution works by installing an endpoint agent on a user device such as a laptop, tablet or mobile phone; the agent ensures that traffic from the device is routed to a cloud-delivered security service for inspection before it is forwarded to a SaaS application or IaaS provider.
“So far so good, however, unlike mobile user devices, ZTNA solutions won’t work on the majority of IoT devices since they are agentless and therefore don’t support the installation of third-party software agents. Because of this, enterprises require a different security solution for IoT devices. Enter SD-WAN – a new approach to securing enterprise IoT devices,” says Chacko.
Advanced, business-driven SD-WAN Edge platform
With an advanced, business-driven SD-WAN edge platform, enterprises can mitigate the risk of exposure to breaches associated with IoT devices without the need to install ZTNA agents. Instead, the platform identifies and classifies IoT device traffic on the first data packet and segments it at the network edge into an appropriate zone, where it is isolated from all other network traffic. This end-to-end segmentation spans the enterprise and enforces consistent, automated security policies with granular visibility.
Segment and isolate
The ability to isolate segments of IoT device traffic is one of the key benefits of the end-to-end segmentation made possible by an advanced SD-WAN platform. An independent security policy can be configured and applied to each segment; the policy instructs the network where to send the traffic and defines role-based access levels and security restrictions such that IoT devices can only communicate with their IoT headend systems. It is this level of zero trust dynamic segmentation that isolates threats and prevents cybercriminals from gaining access to the wider network: since traffic in one segment is isolated from traffic in other segments, unauthorised cross-segment access is prevented, and even if a threat were to appear, its impact is contained to the segment in which it emerged. Moreover, an integrated zone-based stateful firewall protects remote sites and IoT devices by blocking unsolicited inbound connections.
A good example of this in action can be seen in the difference between how you might secure PoS and HVAC systems at a remote site. In the case of a PoS device, given the sensitive nature of the customer information involved, a business may wish to direct the data back through the corporate data centre where it hosts the credit card transaction processing application, allowing the existing firewall security services to verify the traffic. However, the same business may not want or need to handle data from HVAC in the same manner. Instead, it could define a separate policy that intercepts that traffic and directs it to a cloud-delivered security service for additional inspection en route to the IoT control centre hosted in the public cloud. Since the two traffic types are kept separate and adhere to different security policies, a breach in the HVAC segment would not compromise any credit card or personal data in the PoS segment.
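The following Python model, an added illustration that is not Aruba/HPE code, shows the policy logic the two preceding sections describe: a device is classified into a segment from the source address of its first packet, each segment carries its own steering action (PoS traffic back to the data centre, HVAC traffic to a cloud security service), devices may only reach their own headend, cross-segment flows are refused, and a stateful zone firewall admits inbound packets only when they answer a flow the segment itself opened. All addresses, segment names and steering labels are constructed for the example.

```python
"""Toy model of zone-based IoT segmentation at an SD-WAN edge.

Added illustration, not vendor code. Networks, headends and steering
labels below are constructed assumptions, not values from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    members: Tuple      # networks whose hosts belong to this segment
    headends: Tuple     # the only destinations those hosts may reach
    steering: str       # where the edge forwards matching flows for inspection


# Constructed topology: PoS terminals are backhauled to the corporate
# data centre; HVAC controllers go via a cloud-delivered security service.
SEGMENTS = (
    Segment("pos", (ip_network("10.10.0.0/24"),),
            (ip_network("192.0.2.0/24"),), "backhaul-to-datacentre"),
    Segment("hvac", (ip_network("10.20.0.0/24"),),
            (ip_network("198.51.100.0/24"),), "cloud-security-service"),
)


def classify(src: str) -> Optional[Segment]:
    """Assign a segment from the source address seen on the first packet."""
    addr = ip_address(src)
    for seg in SEGMENTS:
        if any(addr in net for net in seg.members):
            return seg
    return None  # unknown device: no segment, no trust


def evaluate(src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, steering) for a new outbound flow src -> dst."""
    seg = classify(src)
    if seg is None:
        return ("deny", "unclassified-source")
    if any(ip_address(dst) in net for net in seg.headends):
        return ("allow", seg.steering)
    # Anything that is not the segment's own headend is refused, which is
    # what keeps a compromised HVAC controller away from the PoS segment.
    return ("deny", f"not-a-{seg.name}-headend")


class ZoneFirewall:
    """Stateful edge firewall: inbound traffic is accepted only as a reply
    to a flow that a segmented device was allowed to open."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, str]] = set()  # (device, remote) pairs

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        verdict, steering = evaluate(src, dst)
        if verdict == "allow":
            self.state.add((src, dst))
        return verdict, steering

    def inbound(self, src: str, dst: str) -> str:
        """src is the external party, dst the IoT device being contacted."""
        return "allow" if (dst, src) in self.state else "deny"


if __name__ == "__main__":
    fw = ZoneFirewall()
    print(fw.outbound("10.10.0.5", "192.0.2.10"))    # PoS -> data centre, allowed
    print(fw.outbound("10.20.0.7", "10.10.0.5"))     # HVAC -> PoS, denied
    print(fw.inbound("203.0.113.9", "10.10.0.5"))    # unsolicited inbound, denied
    print(fw.inbound("192.0.2.10", "10.10.0.5"))     # reply to opened flow, allowed
```

The engine keys only on addresses for brevity; a real edge platform would use richer first-packet attributes (port, protocol, device identity) for classification, but the segment-to-headend restriction and the reply-only inbound rule are the two checks that contain a breach to the segment where it began.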
Safeguarding cloud-first enterprises
As well as the clear advantages of segmentation and isolation, the other benefit of an advanced SD-WAN edge platform in an IoT environment is its ability to autonomously track and respond to threats. It continuously monitors the state of the enterprise network and IoT applications to detect changing conditions – including spotting a DDoS attack – and then triggers immediate, automated real-time responses to mitigate the impact of any security threat event.
“This is critical in a cloud-first environment where rapid change, increased data, and potential cyber threats are growing in equal measure. According to IDC, the cloud services market alone will exceed $1 trillion by 2024, so it’s safe to assume that cloud-first enterprises are set to be the new norm. However, this transformation cannot rely on legacy security infrastructure or manual policy changes. Cybercriminals will be quick to identify any insecure IoT device and businesses must be ready to detect and respond to intrusion instantaneously. Technology leaders must ensure they are safeguarding their enterprises throughout their transformation journey to ensure they are ready and able to embrace IoT’s benefits without putting the corporate network at risk,” says Chacko.
“When applied correctly, IoT devices can help automate business operations, drive significant operational efficiencies, and deliver real-time intelligence that makes organisations more agile. But as enterprises continue to deploy more and more connected devices, it’s critical to manage the unique security challenges associated with them. An advanced SD-WAN edge platform unifies the advanced technologies required to identify, classify, segment and secure the network and is ideally suited to maximise the return on enterprise IoT investments, while protecting the wider business network and operations,” says Gordon.