The cloud has made deploying servers easy and taken much of the complexity out of application delivery. Now, it will face its next challenge: rescuing the internet of things from itself.
By any measure, IoT is big business. Last year, global IoT spending reached $737 billion, according to IDC, and is expected to reach $1.29 trillion by 2020. The number of IoT devices was about 15.4 billion in 2015 and, according to IHS, will nearly double by 2020. Intel is even more aggressive in its projections, expecting the number of IoT devices to reach 200 billion by 2020.
But it’s difficult to see how IoT will fulfill its promise without addressing the vulnerabilities in IoT devices and systems. And make no mistake, IoT threats are real. Late last year, attackers exploited a vulnerability in a brand of IoT cameras to launch a distributed denial-of-service attack on the website of journalist Brian Krebs. The following month, 100,000 IoT devices were manipulated by the Mirai botnet to launch an attack on Dyn, the DNS provider. Since then, we’ve seen more sophisticated IoT threats that have worked cross-platform.
Best practices for securing IoT: Logical but unrealistic
While numerous government and industry IoT security regulations and initiatives are in progress, IT pros are still left implementing best practices around network security. Several pieces have been written about IoT security best practices. For example, in this piece on best practices, Derek Manky identifies four steps:
- Buckle up on patch management. Advanced threats, such as WannaCry, underscore the importance of patching. WannaCry targeted a known vulnerability, largely impacting those who had not followed strong cyber-hygiene practices. Keeping patches current is important, but it is even more challenging with IoT, where patches may be unavailable for the billions of obscure IoT devices. This makes virtual patching using an intrusion prevention system (IPS) essential, allowing IT to block IoT attacks on unpatched devices.
- Secure data backups using redundancy segmentation. Redundancy segmentation is a backup strategy that calls for creating multiple copies of backup data and isolating them off-network from other enterprise services.
- Improve the visibility into and control over internal traffic. Only protecting the perimeter is insufficient. Organizations need to understand what’s happening within the network to stop attackers or malware after they breach the perimeter. Visibility and control are needed over all enterprise traffic.
- Tighten up the time to defense. Tie together proactive solutions to reduce defense times. Reduce complexity by integrating different devices and providers and automating interoperability between them.
This is sage advice, and following it will undoubtedly help contain IoT threats. But it’s also a list of tips that many companies will have difficulty implementing. Here’s why.
What’s behind the problem with IoT best practices
Many of the challenges around IoT security relate to how we’ve evolved our networks. For too long, we’ve thought of networking and security in separate silos: The networking team connected our locations; the security team protected them. The two worked together, but each had its own domain. Networking teams concerned themselves with MPLS services, routing and solving the rest of our connectivity challenges; security teams managed the firewalls, IPSes and the rest of the security stack.
As a result, our visibility and control have become fragmented across many appliances and services. Expecting enterprises to automate an MPLS service, mobile VPNs, WAN optimizers, next-generation firewalls and more is unrealistic. Just getting them to work together is challenging.
The mix of appliances has also complicated patch management. Companies need time to test patches, schedule updates for maintenance windows and then deploy those updates. Practically, IT resources are often outpaced by the sheer volume of vulnerabilities, leading to delays in distributing patches throughout the network. The result is precisely the critical gaps in security that can be exploited by IoT threats.
Implementing virtual patching through an IPS makes sense, but it has also proven difficult for many organizations. For one, security appliances, IPSes included, are no exception to the patching burden: they constantly require new signatures and software patches. That is not only a big time sink for IT teams; it also demands additional processing from already resource-constrained edge appliances.
HTTPS growth only compounds the problem. SSL (or TLS) inspection is now essential for any IPS, but it is also a particularly resource-intensive process. The result? Enabling IPSes or other advanced security features, combined with increasing traffic loads, puts IT in the tough position of choosing between paying for unplanned hardware upgrades or compromising on security.
Then, there’s the issue of reach. An IPS is only effective at protecting devices on its network, and IoT devices often exist outside the tight confines of a standard office. Deploying an IPS into these environments is often impossible, making appliances additionally problematic.
A solution: Converge networking and security into the cloud
A better approach? Use the cloud. The cloud has already shown how it can simplify IT life. AWS redefined the way we think of our servers, storage and applications. It’s time to bring the same thinking to our security and networking infrastructure.
Instead of discrete, purpose-built network and security appliances, enterprises should think about converged network and security cloud services. With the cloud, enterprises can use its unlimited resources to inspect all traffic and implement virtual patching without concerns around performance degradation. And with the cloud’s ubiquity, connecting everything — offices, data centers, mobile users, cloud resources and more — together, regardless of location, becomes possible.
Already, there are signs that these trends are catching on in mainstream IT. Firewall-as-a-service (FWaaS) offerings replace security appliances with cloud-based security services. Locations send traffic to and receive traffic from a ubiquitous, cloud-based firewall that seamlessly scales for any traffic load, enforces unified policies and is maintained by a cloud provider.
At the same time, organizations are moving away from MPLS services as the basis of their WANs to more agile SD-WANs. Traditional SD-WANs still require heavy investment in appliances and have all of the problems inherent in appliance architectures. Secure, cloud-based SD-WANs avoid appliance limitations, and they combine FWaaS with SD-WAN across an affordable, SLA-backed network.
Cloud-based SD-WAN is more than just an appliance hosted in the cloud. It’s ubiquitous, cloud-scale software designed to use the elasticity and scalability of the cloud.
Traffic is inspected as it enters the SD-WAN, whether from the internet, a location, a mobile user or the cloud. With a complete advanced security stack that includes a next-generation firewall, IPS and secure web gateway, the cloud-based SD-WAN enables security policies to be built that restrict WAN and internet traffic based on full L7 segmentation. IT gains control over internal as well as inbound traffic.
And moving to a service eliminates the patching process. Once the cloud-based SD-WAN provider updates its platform, the problem is addressed across all customers instantly. Enterprises might be uncomfortable relying on a cloud provider to keep their service current, but consider the lesson from the Cloudbleed threat earlier this year.
Last January, Project Zero researcher Tavis Ormandy discovered that corrupted webpages were being returned by Cloudflare, a content delivery network provider, when fulfilling some HTTP requests. Cloudflare fixed the so-called Cloudbleed problem in less than an hour by disabling the relevant features. By contrast, the Heartbleed bug (after which Cloudbleed was named) affected many web servers in 2014 and continued to be an issue three years later. Some 200,000 servers were still vulnerable to Heartbleed at the time of the Cloudbleed incident because customers had failed to upgrade their servers.
Use a revolution to enable a revolution
IoT is a broad revolution that will change our society. It’s an advancement that can have profound implications for many industries. But implementing security will be essential to realizing that potential. What better way to meet that challenge than with another revolution: the cloud-based, secure SD-WAN?
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.