
HPE Aruba Networking Blogs

Securing enterprise IoT devices with an advanced SD-WAN edge platform

By Karan Singh Dagar, Product Marketing Manager, Aruba

The proliferation of IoT devices across enterprises brings new ways to monitor, report, alert, automate and optimize business processes – from manufacturing lines to HVAC and lighting automation for energy savings. IoT makes businesses more efficient through automation; however, it also increases the attack surface by adding a new dimension of complexity.

Examples of enterprise IoT devices include point of sale (PoS) credit card processing terminals, heating, ventilation and air-conditioning (HVAC) control systems, IP cameras, flow sensors, smart air systems and more. These network-connected devices communicate over the internet with either a control center running in a public cloud environment such as AWS, Azure or Google Cloud, or a corporate data center where the large data sets they generate are recorded and analyzed. Because these enterprise IoT devices connect over the internet, they can also expose the enterprise to threats.

Zero Trust Network Access

IT typically tackles the growing mobile device security challenge by deploying a zero trust network access (ZTNA) solution based on the Zero Trust model. A ZTNA solution works by installing an endpoint agent on a user device such as a laptop, tablet or mobile phone. That software agent ensures traffic from the device is directed to a cloud-delivered security service before being forwarded to a SaaS application or IaaS provider.

However, unlike tablets and smartphones, IoT devices are agentless: they do not support the installation of third-party software, so a ZTNA endpoint agent cannot be installed on them. Enterprises therefore require a different security solution for IoT devices, one that protects the corporate network from threats that could enter through these devices and expose the enterprise to security risks.

Advanced, Business-Driven SD-WAN Edge Platform

With an advanced, business-driven SD-WAN edge platform, enterprises can mitigate the risk of breaches associated with IoT devices. An advanced SD-WAN platform identifies and classifies application traffic on the first packet, steers it at the network edge into an appropriate zone or segment, and isolates IoT traffic from other traffic on the network. It orchestrates end-to-end segmentation spanning the enterprise LAN-WAN-LAN and LAN-WAN-Data Center/Cloud, resulting in consistent, automated security policy enforcement with greater visibility.

With end-to-end segmentation, enterprises can create isolated segments for IoT device traffic, with an independent security policy defined for each segment. Since traffic in one segment is isolated from traffic in other segments, unauthorized access to broader network segments is prevented. Even if a threat were to appear, its impact is contained to the segment in which it emerged. Moreover, with an integrated zone-based stateful firewall, enterprises can block malicious inbound traffic before it reaches remote sites and IoT devices.

Let’s look at an example. In a remote site where agentless IoT devices such as PoS and HVAC systems are installed (Figure 1 below), an advanced SD-WAN edge platform uniquely identifies the applications used by each device. A system policy intercepts PoS traffic and directs it to the corporate data center where the credit card transaction processing application is hosted. In this example, the next-generation firewall security services already deployed within the data center inspect and verify the traffic.

HVAC system policies, on the other hand, segment the HVAC traffic and direct it to a cloud-delivered security vendor such as Zscaler, Netskope, Check Point, Palo Alto Networks or McAfee for additional security inspection before it reaches the IoT control center hosted in the public cloud. Since IoT traffic is isolated according to business policy, a breach in the HVAC segment does not compromise or put at risk credit card and personal data in the PoS segment. Segmentation also helps organizations meet PCI (or other) regulatory compliance requirements for their business. As this example shows, a comprehensive security deployment with an advanced SD-WAN edge platform can better safeguard today's cloud-first enterprises as they embrace IoT's benefits in their transformation journey.

Figure 1: Using an advanced SD-WAN platform, enterprises can protect IoT devices behind the integrated zone-based firewall, dynamically identify IoT device traffic, configure individual policies, and granularly segment the network to meet compliance requirements. As shown in the diagram, all point-of-sale transaction data from the branch is destined to the enterprise data center, whereas the HVAC traffic is routed to an IoT control center in the cloud.
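To make the Figure 1 policy concrete, here is a small added illustration (not HPE Aruba code) of the decisions such a segmentation policy takes on the first packet of a flow: PoS flows are steered to the data center, HVAC flows to the cloud security service, and anything crossing a segment boundary or arriving unsolicited from the WAN is dropped. The subnet-to-segment mapping, the steering targets and the sample flows are all constructed assumptions for the example.

```python
"""Toy model of the end-to-end segmentation policy described for Figure 1.

Added illustration, not vendor code. The subnet-to-segment mapping, the
steering targets and the flow attributes are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed branch addressing (constructed for the example).
SEGMENT_OF_SUBNET = {
    ip_network("10.10.1.0/24"): "pos",   # PoS terminals
    ip_network("10.10.2.0/24"): "hvac",  # HVAC controllers
}

# Where each IoT segment's outbound traffic is steered. Segments that are
# not listed here, and traffic between two different segments, are denied.
STEERING = {
    "pos": "corporate-data-center",      # NGFW in the DC inspects it
    "hvac": "cloud-security-service",    # SSE vendor, then IoT control center
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    initiated_from_wan: bool = False  # True for unsolicited inbound from the WAN


def segment_for(addr: str) -> str:
    """Map an address to its segment; anything unknown is untrusted (e.g. internet)."""
    ip = ip_address(addr)
    for net, seg in SEGMENT_OF_SUBNET.items():
        if ip in net:
            return seg
    return "untrusted"


def decide(flow: Flow) -> str:
    """Return the action the edge takes on the first packet of a flow."""
    src_seg, dst_seg = segment_for(flow.src), segment_for(flow.dst)
    # Zone-based stateful firewall: unsolicited inbound toward an IoT segment is dropped.
    if flow.initiated_from_wan and dst_seg in STEERING:
        return "deny:inbound-to-iot-segment"
    # Lateral traffic between two different IoT segments never crosses the boundary.
    if src_seg in STEERING and dst_seg in STEERING and src_seg != dst_seg:
        return "deny:cross-segment"
    if src_seg in STEERING and src_seg == dst_seg:
        return "permit:intra-segment"
    if src_seg in STEERING:
        return f"steer:{STEERING[src_seg]}"
    return "deny:unclassified"
```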

An advanced SD-WAN edge platform also provides intelligent path selection across WAN links such as MPLS, broadband and LTE/5G to eliminate the impact of brownouts and blackouts on any underlay network. Moreover, it continuously monitors the state of the enterprise network and IoT applications, detects changing conditions – including a DDoS attack – and triggers immediate, automated real-time responses to mitigate the impact of security threat events.

Securing Enterprise IoT with Advanced SD-WAN

IoT devices help automate business operations, drive significant operational efficiencies and deliver real-time intelligence that makes organizations more agile. As enterprises continue to deploy more and more connected devices, it's critical to manage the unique security challenges associated with them. An advanced SD-WAN edge platform unifies the advanced technologies required to identify, segment and protect enterprise IoT investments and to secure business operations.

Learn more about the advanced SD-WAN edge platform.