IoT security and the new branch office
IoT is now an integral part of every networked environment, from corporate headquarters to the home network. Branch offices and retail locations have been adopting IoT at a breakneck pace, using these devices to provide a wide range of services, while using SaaS cloud servers as their management interface. Much of this growth goes beyond upgrading traditional devices, such as printers, to a smarter IoT version that can collect data and track usage.
IoT in the branch and retail space
Here are a few examples:
- Surveillance and security monitoring has moved beyond things like CCTV systems. Today’s physical security systems include connected IoT cameras, badge readers and alarm systems that can do things like tie a badge scan to a video facial recognition system to ensure secure access to a facility, link video images from an IP camera to a credit card transaction to enable fraud detection and assist in PCI investigations, and dynamically restrict access to physical resources based on a variety of contexts, including role or time of day, and even lock down a facility in the event of a breach or emergency.
- IoT sensors, especially in retail environments, are being deployed to simplify the monitoring and management of critical systems. They include things like temperature sensors on the refrigerators in quick-serve locations to ensure food is kept at required temperatures and tank pressure sensors in gas stations for safe operation.
- Retailers are using IoT devices to better connect with customers and to personalize their shopping experience. They use IoT-enabled sensors to perform passive smartphone scans to identify and welcome repeat customers and track them through the store to collect information about shopping habits. Beacons can be used to broadcast product information and sales to customer smartphones, and proximity devices can deliver special alerts and coupons when a shopper is near a specific item or section, or even place personalized ads on IoT-enabled kiosk and cart screens throughout their visit based on previous shopping history.
- Facility managers can use IoT sensors to automatically turn off lights and devices and change the temperature when offices, conference rooms or parts of the building are unused. These sensors can also be integrated with things like a corporate calendar to perform tasks such as ensuring that conference room hardware is booted up and ready prior to the start of a meeting, and is turned off once participants leave the room.
Branch IoT security challenges
While each of these IoT-based systems have direct benefits to the organizations using them, they can also introduce risk that the local branch or retail staff is unqualified to address. According to a recent Fortinet Threat Landscape Report, IoT devices remain at the top of security challenges for customers. Six of the top 12 global exploits that were identified and ranked by FortiGuard Labs, for example, targeted IoT devices, with four of them related to IP-enabled cameras.
The fact is that IoT devices expand the potential attack surface of the network. Worse, IoT devices are also notoriously insecure due to things like limited CPU and memory, built-in backdoors, the fact that they are often headless — meaning they cannot be easily updated or patched — and that they were not designed with any sort of security in place. As a result, IoT devices are increasingly being targeted by cybercriminals to steal data, hijack CPU, spread malware and launch attacks into the network.
The challenge is two-fold. The first is that there are rarely any qualified IT personnel onsite at a branch office or a retail location to deploy, manage or troubleshoot IoT devices and related security incidents. And second, even remote security deployments far too often include devices from multiple vendors that have their own management consoles and complicated interfaces. Vendor and device sprawl can actually get in the way of effective security management.
Securing IoT with the new SD-branch
Addressing the challenge of securing the proliferation of branch IoT devices requires rethinking security. As part of their digital transformation efforts, organizations have begun to adopt SD-WAN to enhance the communication and data links to and between their remote branch offices and retail locations.
However, many are quickly discovering that trying to add security to their SD-WAN system after the fact can be very difficult to deploy and even more complicated to manage. As a result, secure SD-WAN — where security is woven directly into the SD-WAN technology — has been introduced, enabling it to not only inspect and secure traffic and applications, but also dynamically adapt to today’s digital networks that automatically scale and transform to meet shifting business requirements.
SD-branch takes this idea a step further by extending the security provided by secure SD-WAN deep into the branch network, providing security for applications, workflows and connected end user, network and IoT devices. This system includes the following elements:
- Network edge protection: A next-generation firewall (NGFW) is the ideal foundational component for securing SD-branch deployments. An NGFW needs to be able to extend security from the SD-WAN connection to wired and wireless access controllers to ensure that all inbound and outbound IoT traffic is secured.
- Access edge protection: Secure physical and wireless access points not only need to provide adequate capacity and throughput to keep up with expanding IoT bandwidth needs, but share device connections and traffic with the NGFW to secure IoT traffic moving laterally across the branch network. Switches also need to offer higher power (PoE) to run today’s most power-hungry IoT devices.
- Device edge protection: The proliferation of IoT devices at the branch can represent a significant threat to organizations as far too many IoT devices were never designed with security in mind. As a result, all IoT devices must be properly identified and segmented using an integrated network access control (NAC) mechanism that can provide automatic discovery, classification and security for IoT devices being connected to the network.
NAC technologies, in coordination with the NGFW, should also continuously scan network traffic for anomalous behavior, enabling the security system to not only detect bad device behavior, but also respond by dynamically isolating those devices for quarantine and remediation.
Conclusion
IoT devices play an increasingly critical role in the ongoing digital transformation efforts of today’s enterprise organization. Extending IoT devices into the branch office and retail locations allows organizations to personalize their interaction with customers, provide intelligent services that increase productivity, reduce overhead and address risk, and gather critical information to continually refine their services, workflows and applications.
IoT devices also expand the potential attack surface of the network in that because of their inherent lack of security, they are increasingly targeted by cybercriminals to steal data, hijack CPU, spread malware and launch attacks into the network. Realizing the benefits of IoT deployments while addressing the challenges they introduce requires a branch architectural strategy with security at its foundation. This allows an integrated security system to reduce risk by seeing all devices, intentionally segmenting IoT devices based on context, tracking and monitoring device traffic, and quickly adapting when a security event occurs to eliminate threats before they have the ability to impact the organization.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.