HPE Aruba Networking Blogs

SASE Doesn’t Completely Address IoT Security

By Derek Granath, Senior Director, Product and Technical Marketing

Augment SASE with Identity/Role-based Access for the Highest IoT Device Security

The explosive growth of network connected devices, known as the “Internet of Things” or IoT, is well understood. In a study conducted in September 2020, IDC predicted that by 2024, more than 51 billion IoT devices – that’s billion with a “b” – will be connected to the internet[1]. These include printers, display panels, heating, ventilation and air conditioning (HVAC) controllers – think of a Nest thermostat like you might have in your home – credit card processing terminals, security cameras, temperature sensors, flow sensors, medical devices, wind speed sensors on windmills, and even refrigerators and self-driving cars. And lots more.

But unlike a mobile phone or a laptop, most IoT devices are unmanaged, so it is not possible to install a security agent on them. IoT devices are agentless; IT can’t install a VPN client or a Zero Trust Network Access (ZTNA) agent on them. Therefore, we need another way to secure these devices and the applications that support them, to minimize business risk and help meet compliance requirements.

The secure access service edge (SASE) architecture doesn’t fully address the securing of IoT devices. Enterprises need a zero trust security framework that segments devices (and also users) to ensure they can only reach applications and data on the network that are consistent with their role in the business.

Zero Trust Security Best Practices

Network security originally relied on a “trust but verify” model. Authenticated users and devices were trusted within the enterprise network and given access to virtually everything. But this leaves the network vulnerable to malicious activity. Zero trust is the opposite. It’s a “never trust, always verify” model.

The traditional way of accomplishing user and device segmentation was to configure VLANs. But the VLAN approach just doesn’t scale with the huge increase in the different types and the sheer number of devices connecting to the network. Managing spreadsheets of VLANs is cumbersome and complex.

Aruba ClearPass secure network access control provides visibility into device (and user) identity and associates each with its role in the business. With this additional role-based context, IoT devices are automatically assigned the proper access control policy and dynamically segmented from other devices and the applications that support them. The network automatically enforces fine-grained segmentation so that users and devices can only reach destinations consistent with their role in the business.
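To make the role-based model concrete, here is an added Python illustration, not ClearPass or EdgeConnect code: a device's identity attributes are mapped to a business role, each role is allowed only the destinations that support it, and every other flow is denied (never trust, always verify). The MAC addresses, DHCP class strings, role names, policy entries and flow records are all constructed for this example.

```python
# Added illustration of identity/role-based segmentation for agentless IoT
# devices. Not vendor code: inventory, roles, policy and flows are constructed.

# Constructed inventory: attributes an access-control system can learn about a
# device that cannot run an agent (here a DHCP vendor class per MAC address).
DEVICE_INVENTORY = {
    "ac:de:48:00:11:22": {"vendor": "Nest", "dhcp_class": "thermostat"},
    "ac:de:48:00:33:44": {"vendor": "Axis", "dhcp_class": "camera"},
    "ac:de:48:00:55:66": {"vendor": "HP", "dhcp_class": "printer"},
}

# Constructed mapping from device class to business role.
CLASS_TO_ROLE = {"thermostat": "hvac", "camera": "camera", "printer": "printer"}

# Constructed role policy: each role may reach only its supporting application,
# expressed as (destination IP, destination port). Roles absent here, including
# "quarantine", have no allowed destinations at all.
ROLE_POLICY = {
    "hvac": {("10.10.1.5", 443)},     # building-management server (HTTPS)
    "camera": {("10.10.2.9", 554)},   # video recorder (RTSP)
    "printer": {("10.10.3.7", 631)},  # print server (IPP)
}


def classify_role(mac: str) -> str:
    """Derive a role from device identity; anything unknown is quarantined."""
    attrs = DEVICE_INVENTORY.get(mac.lower())
    if attrs is None:
        return "quarantine"
    return CLASS_TO_ROLE.get(attrs["dhcp_class"], "quarantine")


def evaluate_flow(src_mac: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return (decision, role) for one flow; default deny for the role."""
    role = classify_role(src_mac)
    allowed = ROLE_POLICY.get(role, set())
    decision = "allow" if (dst_ip, dst_port) in allowed else "deny"
    return decision, role


def audit(flows: list[tuple[str, str, int]]) -> list[tuple[str, str, str, str]]:
    """Evaluate constructed flow records and return (mac, role, dst, decision)."""
    results = []
    for mac, dst_ip, dst_port in flows:
        decision, role = evaluate_flow(mac, dst_ip, dst_port)
        results.append((mac, role, f"{dst_ip}:{dst_port}", decision))
    return results


def denied_flows(flows: list[tuple[str, str, int]]) -> list[tuple[str, str, str, str]]:
    """Just the flows that cross a role boundary, i.e. the ones worth alerting on."""
    return [r for r in audit(flows) if r[3] == "deny"]
```

A thermostat talking to the print server, or an unrecognised MAC reaching any server, shows up in `denied_flows`, which is what a VLAN spreadsheet could not tell you without a per-device lookup.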

As enterprises continue their journey toward SASE, it’s important to confirm that the SD-WAN can support fine-grained segmentation, and to understand how it identifies users, devices, and roles in addition to applications. That identity is what enables fine-grained segmentation that minimizes business risk and assists in meeting compliance requirements.

To learn more about complementing SASE with user, device and role identity with the Aruba EdgeConnect SD-WAN platform, watch our fourth episode, “Special SASE Considerations for IoT Devices.” To learn more about SASE and the benefits it delivers, tune in to our video series.

[1] IDC, Future of Industry Ecosystems: Shared Data and Insights, September 2020