How to secure the enterprise network in the era of IoT?
The Internet of Things (IoT) is the trend that has fueled the transformation of many industries and reshaped today's enterprises. The variety and volume of connected devices grow daily. According to a forecast from International Data Corporation (IDC), there will be 41.6 billion connected IoT devices by 2025, generating a staggering 79.4 zettabytes (ZB) of data in that year.
In this new context, enterprises must handle traffic on an unprecedented scale, along with the cybersecurity threats that arrive with the influx of IoT devices. Conventional security architectures and network management models, built around a trusted internal network, fall behind as traffic from these miscellaneous untrusted devices grows. IoT erases the traditional perimeter; instead, enterprises need a holistic approach that secures a perimeter that is now everywhere.
Below are a few steps to help IT teams embrace the influx of IoT while ensuring network security and compliance.
Implement Zero Trust Policy
IoT devices are unmanaged by nature, yet enterprises still need to give them secure connectivity. Zero Trust is a foundational cybersecurity framework that applies directly to IoT. Its core principle can be summarized as "trust nothing and consider no network segment inherently safe": every person, device and service is treated as untrusted and is not allowed onto the network until its trustworthiness has been verified. A Zero Trust security model therefore requires enterprises to know every IoT device on the network and to base policy decisions on both identity and context.
Zero Trust Network Access (ZTNA) is the architecture enterprises can implement to enforce security based on the context of each transaction: who the user is, what device is being used, which application is accessed, where the user or device is located, and how the user or device is connected to the network. ZTNA authenticates users and/or devices and verifies both managed and unmanaged devices, which gives enterprises a practical framework for securing unmanaged IoT devices that cannot run an agent. ZTNA enables enterprises to enforce granular access control based on user, group, device posture, location and application, and it integrates with the enterprise's existing identity and authentication mechanisms.
Identify the untrusted devices (Discover and Categorize)
To secure your network, the first step is to gain visibility into every IoT device that tries to connect to it. Several signals can be combined to identify a new device: what it reports about itself (for example the host name and vendor class it sends in its DHCP request), its device fingerprint (such as the order of options in its DHCP parameter request list and the OUI of its MAC address), and the traffic it generates. Note that all of these identify rather than authenticate a device: a compromised or malicious device can forge what it reports about itself, so disagreement between the signals is itself a reason to keep the device quarantined.
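Here is an added example (not from the original article) of how the "reported data" and "device fingerprint" signals can be pulled out of a DHCPDISCOVER in Python. The fingerprint and OUI lookup tables, the category names and the sample packet are constructed for illustration; the DHCP option numbers (12 host name, 55 parameter request list, 60 vendor class identifier) and the BOOTP header layout are the standard ones.

```python
"""Passive DHCP fingerprinting for IoT device discovery (added example).

Pulls the signals the text lists out of a DHCPDISCOVER: self-reported data
(option 12 host name, option 60 vendor class) and a fingerprint that is harder
to change (option 55 parameter request list, MAC OUI). Lookup tables and the
sample packet are constructed for illustration.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

OPT_PAD, OPT_HOSTNAME, OPT_PARAM_REQUEST, OPT_VENDOR_CLASS, OPT_END = 0, 12, 55, 60, 255
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s4s"   # 240-byte fixed header incl. magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed lookup tables (illustrative, not a real fingerprint database).
PRL_FINGERPRINTS = {
    (1, 3, 6, 12, 15, 28, 42): "embedded-linux-iot",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-workstation",
}
VENDOR_CLASS_HINTS = {"udhcp": "embedded-linux-iot", "MSFT 5.0": "windows-workstation"}
OUI_VENDORS = {"00:1a:2b": "ExampleCam (constructed OUI)"}


@dataclass
class DeviceProfile:
    mac: str
    oui_vendor: str | None
    hostname: str | None        # self-reported, trivially spoofable
    vendor_class: str | None    # self-reported, trivially spoofable
    prl: tuple[int, ...]        # stack fingerprint; changing it needs new firmware
    category: str               # what the device will be segmented on
    consistent: bool            # False when self-report and fingerprint disagree


def parse_options(raw: bytes) -> dict[int, bytes]:
    """Parse DHCP TLV options; concatenates split options (RFC 3396), stops at END."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options not terminated by END")


def fingerprint(packet: bytes) -> DeviceProfile:
    """Derive a device profile from a raw DHCPDISCOVER/REQUEST (BOOTP framing)."""
    if len(packet) < 240:
        raise ValueError("shorter than BOOTP header")
    fields = struct.unpack(BOOTP_HEADER, packet[:240])
    hlen, chaddr, cookie = fields[2], fields[11], fields[14]
    if cookie != MAGIC_COOKIE or hlen != 6:
        raise ValueError("not DHCP over Ethernet")
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    opts = parse_options(packet[240:])
    hostname = opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace") or None
    vendor_class = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace") or None
    prl = tuple(opts.get(OPT_PARAM_REQUEST, b""))

    by_prl = PRL_FINGERPRINTS.get(prl)
    by_vc = next((cat for key, cat in VENDOR_CLASS_HINTS.items()
                  if vendor_class and key in vendor_class), None)
    category = by_prl or by_vc or "unknown"     # fingerprint outranks self-report
    # A device whose self-description contradicts its stack fingerprint is either
    # misconfigured or lying; the caller should keep it in quarantine either way.
    consistent = by_prl is None or by_vc is None or by_prl == by_vc
    return DeviceProfile(mac, OUI_VENDORS.get(mac[:8]), hostname, vendor_class,
                         prl, category, consistent)


def build_discover(mac: bytes, hostname: bytes, vendor_class: bytes, prl: bytes) -> bytes:
    """Build a minimal DHCPDISCOVER so the example runs offline (constructed input)."""
    header = struct.pack(BOOTP_HEADER, 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC_COOKIE)
    options = (bytes([53, 1, 1])                                     # message type DISCOVER
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + bytes([OPT_PARAM_REQUEST, len(prl)]) + prl
               + bytes([OPT_END]))
    return header + options


if __name__ == "__main__":
    camera = build_discover(bytes.fromhex("001a2b0c0d0e"), b"ipcam-lobby",
                            b"udhcp 1.31.1", bytes([1, 3, 6, 12, 15, 28, 42]))
    print(fingerprint(camera))
```

The parameter request list is ranked above the vendor class on purpose: the former is baked into the device's network stack, while the latter is a free-form string the device chooses to send. A device whose two signals point at different categories is flagged as inconsistent so that the onboarding step can leave it in quarantine rather than trusting either claim.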
Enforce Granular Access Control
Next, the enterprise has to decide whether a device's connection should be allowed at all, and then grant it access only to the resources in the network that it actually needs.
Segmenting network traffic and tailoring access control per category allows IoT devices to be onboarded automatically and securely, and monitored dynamically and continuously. It also limits how far an attack through one weak point can spread: even if attackers compromise a device, they gain access only to that device's segment. If the compromised device tries to reach a non-official, unauthorized resource on the Internet, an alert for remediation is triggered: the threatening traffic is denied and the unauthorized attempt is reported. This mechanism protects the rest of the organization from compromise.
The segments are realized as subnets, typically one VLAN per device category. The DHCP (Dynamic Host Configuration Protocol) server hands out addresses and lease times from the scope that matches a device's profile, but it is the switch, router or firewall rules between the subnets that actually enforce the isolation; DHCP by itself cannot stop a host that configures a static address or hops VLANs. Every time a new device joins the network, it is placed in a quarantine subnet by default for initial configuration, where it cannot communicate with devices in any other segment. While in quarantine, the device's fingerprint is extracted and analyzed, and the enterprise can then move it into a segment chosen from the device's observed behavior.
Apply Judicious Security Policies
Once IoT devices are categorized into network segments or subnets, enterprises can enforce stricter control and apply security policies at both the macro level (per segment) and the micro level (per device). Each subset of devices, or each individual device, can reach only the internet resources it needs and the administrator has approved. This partitioned approach also gives the enterprise a security buffer: a compromise of one device is contained within that device's segment instead of spreading across the network.
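The quarantine-by-default segmentation and per-segment allow-list described in the three steps above, as an added example in Python (not the article's own code). Segment names, subnets, allow-listed destinations, MAC addresses and flow records are all constructed; the category names are assumed to come from a discovery step such as DHCP fingerprinting. The nftables rendering at the end shows where enforcement actually lives: on the firewall between the subnets, not in DHCP.

```python
"""Default-quarantine segmentation with per-segment egress allow-lists.

Added example (not from the article). Segments, allow-lists, device assignments
and flow records are constructed for illustration. A new device lands in
quarantine, is promoted to a segment once categorized, may only reach the
destinations approved for that segment, and any other attempt is denied and
reported as an alert.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network
    proto: str           # "tcp" or "udp"
    port: int | None     # None = any port


@dataclass
class Segment:
    name: str
    subnet: IPv4Network
    egress: tuple[Rule, ...]   # allow-list; everything not listed is denied


@dataclass(frozen=True)
class Flow:
    mac: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed segments. Quarantine may talk only to the onboarding/NAC service.
SEGMENTS = {
    "quarantine": Segment("quarantine", ip_network("10.99.0.0/24"),
                          (Rule(ip_network("10.0.0.10/32"), "tcp", 443),)),
    "cameras": Segment("cameras", ip_network("10.20.0.0/24"),
                       (Rule(ip_network("10.0.5.10/32"), "tcp", 554),     # NVR (RTSP)
                        Rule(ip_network("10.0.0.5/32"), "udp", 123))),    # NTP
    "printers": Segment("printers", ip_network("10.21.0.0/24"),
                        (Rule(ip_network("10.0.6.0/24"), "tcp", 9100),)),  # print servers
}
CATEGORY_TO_SEGMENT = {"ip-camera": "cameras", "printer": "printers"}   # constructed mapping


class PolicyEngine:
    def __init__(self, segments: dict[str, Segment]):
        self.segments = segments
        self.assignments: dict[str, str] = {}    # mac -> segment name
        self.alerts: list[str] = []

    def onboard(self, mac: str, category: str, consistent: bool = True) -> str:
        """Quarantine by default; promote only on a known category whose signals agree."""
        target = CATEGORY_TO_SEGMENT.get(category) if consistent else None
        self.assignments[mac] = target or "quarantine"
        return self.assignments[mac]

    def evaluate(self, flow: Flow) -> str:
        """Return 'allow' or 'deny'; every deny is also recorded as an alert."""
        seg = self.segments[self.assignments.get(flow.mac, "quarantine")]
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src not in seg.subnet:   # address outside its segment: spoofing or VLAN hop
            return self._deny(flow, seg, "source address outside assigned segment")
        for rule in seg.egress:
            if dst in rule.dst and flow.proto == rule.proto and rule.port in (None, flow.dport):
                return "allow"
        return self._deny(flow, seg, "destination not on segment allow-list")

    def _deny(self, flow: Flow, seg: Segment, reason: str) -> str:
        self.alerts.append(f"{seg.name} {flow.mac} {flow.src}->{flow.dst}/"
                           f"{flow.proto}/{flow.dport}: {reason}")
        return "deny"


def render_nft(seg: Segment) -> list[str]:
    """Render a segment's allow-list as nftables forward-chain rules.
    Enforcement belongs on the firewall between subnets, not in DHCP."""
    rules = []
    for r in seg.egress:
        match = f" {r.proto} dport {r.port}" if r.port is not None else f" meta l4proto {r.proto}"
        rules.append(f"ip saddr {seg.subnet} ip daddr {r.dst}{match} accept")
    rules.append(f'ip saddr {seg.subnet} log prefix "{seg.name}-egress-deny " drop')
    return rules


if __name__ == "__main__":
    engine = PolicyEngine(SEGMENTS)
    engine.onboard("00:1a:2b:0c:0d:0e", "ip-camera")
    print(engine.evaluate(Flow("00:1a:2b:0c:0d:0e", "10.20.0.15", "10.0.5.10", "tcp", 554)))
    print(engine.evaluate(Flow("00:1a:2b:0c:0d:0e", "10.20.0.15", "203.0.113.7", "tcp", 443)))
    print("\n".join(engine.alerts))
    print("\n".join(render_nft(SEGMENTS["cameras"])))
```

Two details are worth noting. A MAC the engine has never onboarded is treated as quarantined rather than failing open, and a packet whose source address does not belong to the device's assigned subnet is denied before the allow-list is even consulted, since that is what address spoofing or a VLAN hop looks like from the firewall's side. The final `log ... drop` rule is what turns the "unauthorized attempt is reported" sentence into an actual alert on the wire.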
By implementing these measures, enterprises can manage large numbers of IoT devices, even ones connected through the guest Wi-Fi network, without sacrificing security.