As IoT devices connect to our networks, we need to provide secure, reliable connectivity to the back-end applications that manage and extract information from these devices. But all too often, current security architectures risk exposing those applications to network attacks, such as denial of service, SQL injection and more.
When the IoT device in question is your refrigerator, downtime is nothing more than a nuisance. But for IoT to move from consumer curiosity to industry workhorse, organizations need confidence in the availability and performance of IoT architectures. Eliminating blackouts and brownouts is a requirement for manufacturing plants, making the difference between a positive or negative quarter. And when it’s a hospital medical system that’s taken offline, downtime can translate into something far worse — the loss of life.
IoT’s networking and security problem
Building predictable, reliable IoT networks has been complicated by the changes in enterprise networks. Traditional enterprise networks were secure because of the firm perimeter blocking external users from accessing internal resources. But as users and applications have moved beyond the enterprise, the perimeter has dissolved.
Today, attackers can easily gain access to internal networks, whether at a remote branch or in the headquarters, by taking advantage of mobile devices and BYOD policies. They do this by posing as on-site contractors or launching phishing attacks against employees. And by breaching the security of cloud providers, attackers can strike companies without bothering with the traditional perimeter.
Once attackers authenticate onto the network, they can connect to the applications used for IoT. With many enterprise architectures, cybercriminals can execute network-layer attacks — even if they are unauthorized to access the application — disrupting the service.
But that’s not the only networking issue facing IoT infrastructure. Moving traffic across the internet core exposes IoT infrastructure to connection blackouts and, more likely, brownouts.
Internet routing is based on economics, not application performance, which leads to the strange and indirect routes all too familiar to network engineers. Congestion, particularly at internet exchange points, only adds packet loss. Within well-developed internet regions, internet limitations are often masked by the relatively short distances and the plethora of routes between any two points. Between internet regions, though, is a different story. Latencies are much longer and, with fewer routes available, congestion is often higher.
Best practices around IoT management are also undermined by the realities of today’s networks. Many IoT best practices will struggle in the face of IT realities. The disaggregation of our networks has given us freedom of choice at the expense of visibility and control. The outgrowth of this is immense complexity, complicating even mundane tasks, such as patch management — the combination of which risks undermining IoT availability and predictability.
How SDP can help IoT
A shift in both how we secure our applications and how we build our wide area networks provides some clues as to how we might better protect IoT infrastructure.
Rather than allowing network users and devices to view and connect to all resources, many enterprises are looking at tailoring their view of the network. They can only see and connect to specific resources based on their role and privileges.
To make this model a reality, applications are hidden behind gateways that reject all connection requests except from authorized users. Users must authenticate first with a controller that informs the servers or gateways to accept connections from the particular user on a specific station. Only then can they connect to the requisite applications.
This best practices approach has long been advocated by standards organizations, such as National Institute of Standards and Technology, and was recently codified into an architecture, the software-defined perimeter (SDP) by the Cloud Security Alliances. Adapting this model to SDP protects the infrastructure from network attacks. IoT devices, like users, must authenticate first before accessing the requisite application.
How SD-WAN can help SDP
At the same time, such an approach increases network complexity. IT must either install SDP software on each host or deploy gateways to protect applications. What’s more, left unaddressed are the numerous performance and availability problems posed by internet transport. Secure SD-WAN as a service provides a way forward.
With secure SD-WAN services, a global SD-WAN backbone functions as one, massive next-generation firewall. Not only do the encrypted tunnels of the SD-WAN control branch access, but the security capabilities of the SD-WAN as a service restrict user access to defined network resources. Users must authenticate before connecting. Gone are the days of open network access that allowed for network-layer attacks to be launched against IoT components from other network locations.
Availability of IoT deployments is also helped by secure SD-WAN as a service. IoT traffic leaving a branch office is balanced across redundant internet access lines. Should one line suffer an outage or a slow-down, traffic can be automatically steered to the secondary connection.
And instead of forcing IoT devices to reach back across the internet, SD-WAN as a service provides a more predictable long-distance transport. A global, SLA-backed backbone connects all of the points of presence (PoPs) comprising the SD-WAN as a service. The sites housing the applications and devices in the IoT infrastructure connect to the closest PoP and, from there, traverse the SD-WAN-as-a-service backbone, not the internet, to the remote location. The short distance across internet access line (less than roughly 25 milliseconds) minimizes the internet’s impact of internet routing.
IoT made secure and reliable
Current remote access and networking approaches risk leaving IoT implementations grounded by internet performance and security problems. But by including security best practices as part of a global, secure SD-WAN as a service, organizations can improve the resilience, uptime and security of their IoT deployments wherever they may reach.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.