
Using a Software-defined Perimeter to help plug IoT Security Gaps

The Internet of Things promises to be the biggest thing in the history of technology’s next big things. Many view it as the culmination of years of investments in high-speed networks, sensors and analytics that will help to bring greater understanding, awareness and insight into all manner of behaviors, including buying, driving and eating habits.

By 2020, nearly every large corporation, organization or government agency will be neck deep in IoT, or at least want to be, with Gartner predicting the aggregated value and economic benefit of IoT will exceed $1.9 trillion by that date. In the Cradlepoint State of IoT 2018 Business Intelligence Report, we found significant levels of interest in IoT from IT leaders, with more than 69 percent of companies surveyed saying they had adopted or planned to adopt IoT solutions within the next year.

Keeping IoT in-house

Of particular interest was the number of organizations preparing to implement IoT on their own. The survey found that half were designing their own network architecture to support IoT, 57 percent preferred to manage their own IoT device security and 53 percent were comfortable building their own in-house IoT solutions. Just under half of those surveyed planned to implement IoT on their core enterprise network, using legacy network approaches associated with known vulnerabilities.

While I admire their initiative and innovation, I wonder if they appreciate the potential risks to their operations and, by extension, to their internal business clients and customers.

Organizations that implement, house and manage IoT on their own will have their hands full when it comes to securing IoT deployments. If they don't do it right, they could expose their core networks to security threats such as the recent Reaper and Mirai botnet attacks, which infected two million IoT devices in one month, including Internet-connected webcams, security cameras and digital video recorders (DVRs). IT departments routinely deploy endpoint agents (antivirus, patch management, device management) on every managed computer, but equivalent agents do not yet exist for most IoT devices, which typically run fixed firmware and cannot host a security client at all.

One way to mitigate the risk associated with an IoT implementation is to use a combination of Software-defined Networking (SDN) and Software-defined Perimeter (SDP) technologies to reduce the attack surface.

The case for SDP

An SDP, also called a "Black Cloud", is a computer security approach that grew out of work at the Defense Information Systems Agency (DISA) under the 2007 Global Information Grid (GIG) Black Core Network initiative. When combined with an SDN, an SDP makes it easy to connect people and things to applications and resources quickly. With Active Directory integration, LANs can be extended to remote users without changes. The technology provides a private overlay address space that is not reachable or even visible to hosts that have not authenticated to it, together with a natural policy management interface that makes it easy to micro-segment users, applications and devices so that each can reach only the resources appropriate to it, and nothing else.

Invitation only network

SDPs use invitations to ensure that only pre-authorized users and devices are added to the network: an administrator issues the invitation, the endpoint redeems it, and anything that was never invited is simply not answered. This adds a layer of security on top of traditional networks, and all traffic across the perimeter is encrypted with AES-256.

Support for multiple devices

Multiple device types can be connected with SDPs, including Windows, Mac, Linux, iOS, Android, and even Docker containers. For devices that cannot run an SDP client, such as IoT sensors or security cameras, admins can place the device behind a router acting as a NetCloud Gateway, and the gateway joins the perimeter on the device's behalf. This technique reduces the attack surface of an IoT deployment: the device itself is never exposed to the wider enterprise network or the Internet, and the gateway's policy limits it to the few resources it actually needs.
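The three ideas above, invitation-only enrolment, deny-by-default micro-segmentation, and a gateway enrolling on behalf of a device that cannot run a client, fit together as a small controller. The following is an added illustrative example written for this article, not code from Cradlepoint or from any SDP product; the class, method and resource names (`SDPController`, `cam-gateway-01`, `nvr`, `hr-db`) are invented, and the HMAC tag stands in for the mutual authentication a real SDP performs per connection.

```python
"""Toy software-defined-perimeter controller (illustrative, not a product API).
Shows single-use invitations, deny-by-default policy, a gateway enrolled on
behalf of an IoT camera, and what an uninvited host sees: nothing at all."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Members of `group` may reach `resource` on `port`; nothing else is allowed."""
    group: str
    resource: str
    port: int


class SDPController:
    def __init__(self, policy):
        self._policy = list(policy)
        self._pending = {}    # invitation token -> (principal, groups)
        self._enrolled = {}   # principal -> (groups, per-device secret)

    # --- invitation-only enrolment ---------------------------------------
    def invite(self, principal, groups):
        """Admin pre-authorises a principal and gets back a single-use token."""
        token = secrets.token_urlsafe(24)
        self._pending[token] = (principal, frozenset(groups))
        return token

    def accept(self, token):
        """Endpoint redeems its invitation; the token is consumed on first use."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None                      # unknown or already-used invitation
        principal, groups = entry
        secret = secrets.token_bytes(32)     # device-bound credential
        self._enrolled[principal] = (groups, secret)
        return principal, secret

    def revoke(self, principal):
        """Ends the device's standing access (lost gateway, retired camera)."""
        self._enrolled.pop(principal, None)

    # --- per-connection authorisation ------------------------------------
    @staticmethod
    def tag(secret, principal, resource, port):
        """Proof of possession of the device secret for one access request."""
        msg = f"{principal}|{resource}|{port}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def request(self, principal, resource, port, tag):
        """Returns DROP (no answer at all), DENY (answered, refused) or ALLOW."""
        entry = self._enrolled.get(principal)
        if entry is None:
            return "DROP"                    # not enrolled: perimeter stays dark
        groups, secret = entry
        expected = self.tag(secret, principal, resource, port)
        if not hmac.compare_digest(expected, tag):
            return "DROP"                    # bad proof of possession: still dark
        for rule in self._policy:
            if rule.group in groups and rule.resource == resource and rule.port == port:
                return "ALLOW"
        return "DENY"                        # enrolled, but outside its segment


def demo():
    """Constructed scenario: one camera gateway, one recorder, one HR database."""
    policy = [
        Rule("cameras", "nvr", 554),         # cameras may stream RTSP to the recorder
        Rule("staff", "hr-db", 5432),        # only staff reach the HR database
    ]
    ctl = SDPController(policy)
    results = {}

    # The camera cannot run an SDP client, so its gateway is what gets enrolled.
    token = ctl.invite("cam-gateway-01", ["cameras"])
    gw, secret = ctl.accept(token)
    results["reused_invite"] = ctl.accept(token)      # second redemption fails

    def ask(principal, key, resource, port):
        return ctl.request(principal, resource, port,
                           SDPController.tag(key, principal, resource, port))

    results["camera_to_nvr"] = ask(gw, secret, "nvr", 554)
    results["camera_to_hr_db"] = ask(gw, secret, "hr-db", 5432)
    results["camera_wrong_port"] = ask(gw, secret, "nvr", 22)
    # An uninvited scanner (think Mirai) gets no response, so nothing to probe.
    results["stranger"] = ask("scanner", b"\x00" * 32, "nvr", 554)
    # Right principal name, forged tag: still dropped rather than denied.
    results["forged"] = ctl.request(gw, "nvr", 554, "0" * 64)
    ctl.revoke(gw)
    results["after_revoke"] = ask(gw, secret, "nvr", 554)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The distinction between DROP and DENY is the point of the "black cloud" model: an enrolled device that asks for the wrong resource is refused, but an unenrolled or forging host never learns that the resource exists. The `revoke` call is the operational control that goes with an always-on session, since the device secret, not a user password, is what the perimeter trusts.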

Always on connectivity

Finicky traditional VPNs often require repeated logins, which is problematic and frustrating for network users. SDPs maintain an "always-on" connection: once an invitation has been accepted, the user does not have to log in again, because authentication is tied to the enrolled device rather than to an interactive session, making the WAN as easy and secure as the office LAN. The practical consequence is that the device's enrolment becomes the credential to protect, so the ability to revoke a lost or retired device promptly matters as much as the initial invitation.

Many organizations opting to implement IoT in-house are in the process of preparing their enterprise networks for a major digital transformation. Most will evolve from hardware-defined networks to software-defined networks, which are better suited to dealing with the complexities of the elastic edge, where enterprise resources such as IoT devices are widely distributed and deployed at scale beyond traditional security boundaries. Using tools like SDP can help make the prospect of the elastic edge less terrifying for many of them.