The rollout of IoT technology throughout enterprise environments introduces new ways to monitor, report, alert, automate and optimize business processes. From manufacturing lines, to HVAC, to retail, and everything in between, IoT is transforming industries.
The benefits to automation through IoT are significant, but enterprises should still be cautious before launching their IoT transformation. From a security perspective, the fundamental nature of IoT increases an organization’s attack surface – adding more points of entry and adding greater complexity to the IT infrastructure that enterprise cybersecurity teams must already protect.
Examples of the expanding attack surface might include new point of sale (PoS) credit card processing terminals, heating ventilation, air-conditioning, and so on – any device that makes smart use of an internet connection. These devices connect and communicate over the WAN through a control center in a public cloud environment – such as AWS or Azure – or via the corporate data center, where large pools of data are stored and analyzed. Essentially, each device that connects over the internet represents a new point of entry to the corporate network for threat actors to mount an attack.
The trouble with Zero Trust and IoT
With the expansion of the organizational attack surface being driven by the proliferation of devices, companies must look towards security models that can meet this challenge. One manner for how IT teams have previously tackled this issue is through deploying zero-trust network access (ZTNA) solutions based on a Zero Trust model.
These ZTNA solutions operate by installing an endpoint agent on a user device such as a laptop, tablet or mobile phone. This software agent ensures that traffic from the device is automatically directed through a cloud-delivered security service en route towards a SaaS application or IaaS provider.
However, although ZTNA solutions can protect devices such as mobile phones and laptops, software agents cannot be installed on IoT devices, as they are agentless and thus do not provide capacity for the installation of third-party software agents. This means that enterprises must seek a different security solution that can identify and secure IoT devices connected to the corporate network from potential threats. The answer to this issue lies in advanced network solutions such as software-defined WAN (SD-WAN).
Security lies in the network
Advanced SD-WAN platforms represent a new breed of WAN edge solutions, evolving from traditional router-centric WAN and then basic SD-WAN. An advanced SD-WAN is business-driven and can automatically steer network traffic based on business priorities. Through advanced SD-WAN, companies can help mitigate the threat of exposure from breaches stemming from the proliferation of IoT devices.
This is because advanced SD-WAN solutions can automatically identify and classify application traffic on the first packet as it traverses the network edge. It can then direct this traffic to the appropriate zone or segment – and in the case of IoT, effectively isolate device traffic from other traffic on the network.
An advanced SD-WAN should also orchestrate end-to-end segmentation spanning the entire networking infrastructure of an enterprise – be it WAN, WAN-LAN, the datacentre, or cloud. This enables network managers to apply consistent and automated security policies uniformly across the network, enabling automated policy enforcement and visibility into what is happening on the company network.
Crucially for IoT security, end-to-end Zero Trust dynamic segmentation enables enterprises to create siloed segments for all IoT device traffic. Once IoT traffic is segmented, the SD-WAN can then enforce specifically defined security policies for this traffic, ensuring devices can only communicate with destinations consistent with their role. Segmentation creates internal barriers within a company’s IT networking infrastructure and even if one segment were to be breached, intruder access would be limited to that particular segment. Furthermore, by applying an integrated zone-based firewall, enterprises can secure remote sites and IoT devices from any potential nefarious incoming threats by blocking them.
Security while guaranteeing optimization
The security benefits of employing an advanced SD-WAN platform are clear – enterprises can secure users and IoT devices behind the integrated zone-based firewall, dynamically identify applications and IoT device traffic, apply individual policies, and granularly segment the network to meet compliance requirements. However, while providing such security benefits, an advanced SD-WAN also alleviates the strain placed on the network, allowing for greater optimization of application performance.
It does this by providing a smart path and automated path section across WAN links, such as MPLS, broadband and LTE/5G. This allows the network to automatically prioritize business-critical traffic, or traffic that demands a higher quality of experience across the WAN – such as voice or video calls – while also eliminating brownouts, blackouts of individual underlays. IoT devices naturally increase strain on the network by adding more devices – all creating data that has to be communicated over the networking edge – to the corporate network. Traditional WAN solutions simply cannot keep up with this demand and will stymie organizations with latency and complexity issues.
Furthermore, an advanced SD-WAN can continuously monitor the state of the enterprise network and IoT devices and business applications to detect changing conditions – including detection of a DDoS attack – and can then trigger immediate, automated real-time responses to mitigate the impact of security threat events.
It is an unfortunate reality of the modern business environment that enterprise networks are constantly under siege by cybercriminals or even state-backed threat actors. This being the case, security must come first and foremost. Not only can a successful breach shut down company operations, but it can cause massive damage to the brand and even result in a colossal GDPR fine.
IoT devices help advance digital transformation, drive significant operational efficiencies and deliver real-time intelligence that makes organizations more agile. However, they can also greatly expand an organization’s attack surface as a zero-trust solution cannot be adopted to protect the enterprise network.
As enterprises continue to deploy increasing numbers of IoT devices to the corporate network, it is pivotal to manage the specific security issues they bring to the table. After all, the benefits of IoT cannot be ignored and enterprises that adapt to incorporate the technology into their operations will be more competitive for their investment. The answer lies in advanced SD-WAN platforms, which can identify, segment and secure IoT device traffic, while optimizing the network. Failing to upgrade the network before undergoing an IoT digital transformation can quickly expose an organization to threat actors as well as slow business-critical application performance.
Simon Pamplin, Aruba Chief Technologist WAN Edge – EMEA, Aruba Silver Peak – a Hewlett Packard Enterprise Company