No doubt about it: The Internet of Things (IoT) will impact your strategy for a secure data center. Even if your organization isn’t collecting consumer-facing IoT data, there’s a significant chance IoT devices will be connecting to your enterprise data center. Security card readers, forklifts, environment sensors and handheld inventory devices are just a few examples of the gadgets and machines that are -- or will be -- sending information back to the data center. Let’s take a look at some of the security concerns IoT brings with it.
Encryption and the secure data center
One area IT administrators have to consider is how they will handle the unencrypted data sent from IoT devices to the data center applications that power or integrate with them. Many IoT devices don’t encrypt data by default: encryption is one of the features manufacturers often drop when designing a battery-powered device with a weak processor, and that can have a serious effect on your hopes for a secure data center. Many times IoT manufacturers simply assume the data their devices produce is of low value, justifying -- at least to themselves -- skipping security controls altogether.
Such a perception is incorrect. All data carries some level of liability. Security officers need to assess each application and understand the impact of the information it transmits. It’s difficult to predict an intruder’s motives. For example, attackers may target metadata about the logistics of manufacturing operations: information on the movement of forklifts may prove valuable to someone looking to disrupt production. Another potentially valuable trove is metadata about an executive’s habits, which can be used to tailor better phishing attempts.
A policy that encrypts network traffic from IoT devices limits an intruder’s ability to glean valuable information from clear-text communication. The best option is for the IoT device itself to encrypt its traffic, for example with TLS or DTLS, so the data is protected end to end. However, given the lack of standards in IoT and the processing and battery overhead of encryption, many constrained devices won’t offer that, so end-to-end encryption can’t be assumed for IoT communication.
An alternative is to encrypt IoT data at the edge of the network. There are several ways to do this. A simple option is to establish an IPsec tunnel between the gateway of the IoT virtual LAN (VLAN) and the data center. Another variation is to create overlays that separate IoT traffic onto its own virtual extensible LAN (VXLAN) and encrypt it. Be clear about what this protects: traffic is still in the clear between the device and the edge gateway, so the approach only works if the IoT VLAN itself is tightly controlled. A major assumption is that all IoT devices reside on that separate VLAN. To enforce such a policy, organizations should consider deploying some form of network access control (NAC) to prevent an unauthorized IoT device from connecting to a non-IoT VLAN.
NAC isn’t always practical or even available. Another option is to isolate the IoT applications themselves in a single data center VLAN. Isolating servers this way is the approach used today to create high-security zones for Payment Card Industry (PCI) data. A routing policy can then require encryption for all traffic routed to the IoT security zone, similar to a policy that encrypts all clear-text traffic destined for a PCI security zone.
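A segmentation-and-tunnel policy is only as good as your ability to verify it, so here is an added example (written for this page, not from the original article) that audits flow records collected at the data center core. It assumes a hypothetical site layout: IoT devices on VLAN 40 using 10.40.0.0/16, IoT applications in a data center security zone 10.200.10.0/24 inside a wider 10.200.0.0/16, and an IPsec tunnel between the gateways 10.40.0.1 and 10.200.10.1 carried as ESP (IP protocol 50) or UDP/4500 for NAT traversal. At the core, every IoT-to-data-center flow should be that tunnel; anything else is a tunnel bypass, a zone violation, or an IoT address showing up where NAC should have kept it out. The flow records are constructed.

```python
"""Audit flow records for IoT traffic that bypassed the edge IPsec tunnel.

Added example; the site layout (VLAN 40, 10.40.0.0/16, the 10.200.10.0/24 IoT
zone, the two tunnel gateways) is assumed, and the flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_VLAN = 40
IOT_NET = ip_network("10.40.0.0/16")        # IoT device VLAN
DC_NET = ip_network("10.200.0.0/16")        # whole data center
DC_IOT_ZONE = ip_network("10.200.10.0/24")  # IoT application security zone
TUNNEL_GATEWAYS = {ip_address("10.40.0.1"), ip_address("10.200.10.1")}
PROTO_ESP, PROTO_UDP = 50, 17
NAT_T_PORT = 4500


@dataclass(frozen=True)
class Flow:
    vlan: int    # 802.1Q tag the record was collected on
    src: str
    dst: str
    proto: int   # IP protocol number
    dport: int   # 0 when the protocol has no ports


def is_tunneled(flow):
    """ESP (or UDP/4500 NAT-T) between the two tunnel gateways is the only
    form IoT-to-data-center traffic should take at the core."""
    if {ip_address(flow.src), ip_address(flow.dst)} != TUNNEL_GATEWAYS:
        return False
    return flow.proto == PROTO_ESP or (flow.proto == PROTO_UDP and flow.dport == NAT_T_PORT)


def classify(flow):
    """Return a verdict string for one flow record."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if is_tunneled(flow):
        return "tunneled"
    # NAC gap: an IoT address on another VLAN, or a non-IoT address on the IoT VLAN
    if (src in IOT_NET) != (flow.vlan == IOT_VLAN):
        return "vlan-mismatch"
    if src in IOT_NET:
        if dst in DC_IOT_ZONE:
            return "clear-text-bypass"   # device reached the IoT zone outside the tunnel
        if dst in DC_NET:
            return "zone-violation"      # device reached a non-IoT data center host
    return "other"


def audit(flows):
    """Group flows by verdict so policy gaps can be reported or alerted on."""
    report = defaultdict(list)
    for flow in flows:
        report[classify(flow)].append(flow)
    return dict(report)


# Constructed flow records, shaped like what a core switch or collector exports
SAMPLE_FLOWS = [
    Flow(40, "10.40.0.1", "10.200.10.1", PROTO_ESP, 0),      # tunnel, as intended
    Flow(40, "10.40.0.1", "10.200.10.1", PROTO_UDP, 4500),   # tunnel behind NAT
    Flow(40, "10.40.12.7", "10.200.10.25", 6, 1883),         # plain MQTT around the tunnel
    Flow(40, "10.40.12.8", "10.200.20.5", 6, 445),           # IoT device touching a file server
    Flow(10, "10.40.3.3", "10.200.10.25", 6, 1883),          # IoT address on the user VLAN
    Flow(10, "10.10.5.5", "10.200.20.5", 6, 443),            # ordinary user traffic
]

if __name__ == "__main__":
    for verdict, flows in sorted(audit(SAMPLE_FLOWS).items()):
        for flow in flows:
            print(f"{verdict:18} vlan {flow.vlan:<3} {flow.src} -> {flow.dst} "
                  f"proto {flow.proto}/{flow.dport}")
```

The useful property of collecting at the core is that a correctly working edge tunnel hides the device addresses entirely; any record showing a 10.40.x.x source reaching the data center directly is evidence the policy is not being enforced, which is exactly the kind of system data a written policy needs behind it.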
Rogue IoT users
A much more difficult threat to guard against is the rogue internal IoT user. One of the challenges organizations face is enforcing security policies through non-technical measures. It’s a given that a secure data center needs both written policies dictating the use of IoT and a mature program that secures physical access to IoT devices. But as with all policies, written rules do nothing once a device is compromised or an authorized end user sets out to do damage.
The first layer of technical defense should always be application-based access control. The application should verify that an authenticated user has the rights required for any destructive action on a system, so that a compromised device can issue only the commands its user is actually authorized to perform. That limits the damage any single device can do.
Toward that end, vendors are adding capabilities within their security products to inspect traffic for common IoT and industrial-protocol commands. Consider rogue contractors who intend to damage a supervisory control and data acquisition (SCADA) network at an electrical substation. If they attempt, say, to set a temperature setpoint outside its accepted range, context-based rules would block the command and also limit or terminate their access to the network.
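As an added example (not from the article or any vendor’s product), here is a Python sketch of the two layers just described: per-role rights checked against an authenticated session, plus context rules that reject a write outside the tag’s engineering limits even when the role is allowed to write, and that terminate a session after repeated violations. The roles, tag names, limits, strike count and command messages are all hypothetical.

```python
"""Application-layer gate for IoT/SCADA commands: identity, rights, then context.

Added example. ROLE_RIGHTS, SETPOINT_LIMITS, MAX_VIOLATIONS and the commands in
run_scenario() are assumed for illustration, not taken from any real system.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Who may do what. A contractor account can read telemetry but never write.
ROLE_RIGHTS = {
    "operator": {"read", "write"},
    "contractor": {"read"},
    "engineer": {"read", "write", "config"},
}

# Engineering limits per tag: a write outside the range is refused even from
# a role that is allowed to write. This is the "context-based rule".
SETPOINT_LIMITS = {
    "xfmr1.oil_temp_setpoint": (40.0, 85.0),
    "feeder3.breaker": (0, 1),
}
MAX_VIOLATIONS = 3  # strikes before the session is cut off


@dataclass
class Session:
    user: str
    role: str
    authenticated: bool
    violations: int = 0
    active: bool = True


@dataclass
class Command:
    tag: str
    action: str                  # "read" or "write"
    value: Optional[float] = None


def _deny(session: Session, reason: str) -> Tuple[bool, str]:
    """Record a strike; terminate the session once the limit is reached."""
    session.violations += 1
    if session.violations >= MAX_VIOLATIONS:
        session.active = False
        reason += "; session terminated"
    return False, reason


def authorize(session: Session, cmd: Command) -> Tuple[bool, str]:
    """Return (allowed, reason) for one command from one session."""
    if not session.active:
        return False, "session terminated"
    if not session.authenticated:
        return False, "unauthenticated"
    if cmd.action not in ROLE_RIGHTS.get(session.role, set()):
        return _deny(session, f"role {session.role} lacks {cmd.action} right")
    if cmd.action == "write":
        if cmd.tag not in SETPOINT_LIMITS:
            return _deny(session, f"unknown tag {cmd.tag}")
        lo, hi = SETPOINT_LIMITS[cmd.tag]
        if cmd.value is None or not (lo <= cmd.value <= hi):
            return _deny(session, f"value {cmd.value} outside [{lo}, {hi}] for {cmd.tag}")
    return True, "ok"


def run_scenario():
    """Constructed sequence: one operator, one contractor who keeps trying to write."""
    operator = Session("j.doe", "operator", authenticated=True)
    contractor = Session("c.smith", "contractor", authenticated=True)
    results = [
        authorize(operator, Command("xfmr1.oil_temp_setpoint", "write", 70.0)),    # in range
        authorize(operator, Command("xfmr1.oil_temp_setpoint", "write", 150.0)),   # out of range
        authorize(contractor, Command("xfmr1.oil_temp_setpoint", "read")),         # allowed
        authorize(contractor, Command("xfmr1.oil_temp_setpoint", "write", 70.0)),  # strike 1
        authorize(contractor, Command("feeder3.breaker", "write", 0)),             # strike 2
        authorize(contractor, Command("feeder3.breaker", "write", 0)),             # strike 3
        authorize(contractor, Command("feeder3.breaker", "read")),                 # already cut off
    ]
    return results, operator, contractor


if __name__ == "__main__":
    for allowed, reason in run_scenario()[0]:
        print("ALLOW" if allowed else "DENY ", reason)
```

Two design points: the range check runs after the rights check, so an authorized operator’s out-of-range write is still refused, and every denial counts toward a strike limit, which is the part that turns a single blocked command into a terminated session.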
No conversation about creating a secure data center would be complete without discussing compliance. Compliance is a greater concern if your organization is in a regulated industry such as energy, healthcare or payment card processing. Organizations should create policies that apply specifically to their IoT environments. And as with any policy, network managers should ensure they can actually execute what the policy says, and not commit to practices that staff can’t validate from collected system data.
According to Gartner, 20 billion Internet-connected devices will be in operation by 2020, four times as many as exist today. Now is the time to prepare if you want to keep your data center secure.