
How IoT fits into SASE
In our recent series of SASE blog posts, we already covered the primary use cases Secure SD-WAN, Firewall-as-a-service and Secure Web Gateway, and Endpoint Protection together with Secure Remote Access. In today’s blog, we are going to look at how Internet of Things (IoT) devices fit into the SASE story.
As a quick reminder, SASE, or Secure Access Service Edge, is the convergence of connectivity and security. It helps organizations achieve a consistent security posture through a decentralized design: security is enforced directly at the edge, regardless of location, while all of the involved components are managed from a single pane of glass in the cloud. The fundamental idea is a distributed security architecture that replaces the traditional castle-and-moat model and, at the same time, unifies and simplifies the management and configuration of its components.
In the IoT area, organizations deal with hundreds or even thousands of devices, ranging from small sensors that measure ambient values, to medical devices and retail equipment, right up to heavy machinery in industry, power, oil & gas, and other verticals. The devices vary without limit in size, form factor, and price, but two things are characteristic of almost every deployment: the environment is dispersed, and the devices bring security challenges with them. That is where SASE can make a real difference in solving well-known problems.
What’s different in IoT projects?
In the simplest terms, the challenge with IoT projects is that they are not about security. There is always a different purpose; nobody connects devices just for the sake of having them connected. For an IT administrator, implementing security solutions is part of the job description, and many administrators want to learn the details of every device so they can configure and optimize every setting. Unfortunately, IT professionals have less and less time to spend on this, and an increasing number of them do not want to be burdened with repetitive tasks that could be automated.
When it comes to IoT deployments and support, security is one item on a checklist. Skilled cybersecurity professionals are hard to find, and it is rare for an organization to have dedicated IoT security staff. The people responsible for the success of an IoT project pursue different goals, for instance remote condition monitoring of devices, gathering analytical data for cost and efficiency optimization, or predictive maintenance. This means security solutions for IoT should be easy to deploy and easy to maintain, even easier than pure connectivity solutions. Security can only win with a seamless user and administrator experience, and security vendors should not add complexity to a world that is all about quality, efficiency, and cost optimization.
The challenge in IoT
Vulnerabilities in software on IoT devices are not new. These devices generally lack security because they are not built with security in mind. Device vendors are often specialists in their industry segment, and their focus is on the use case of the device, not on hardening it.
Over the lifespan of an IoT device, it is difficult, if not impossible, to maintain a high level of security. Device vendors usually cannot keep up with the patch cycles that would be necessary to fix known vulnerabilities in a timely manner. Every software patch must be tested carefully to avoid any kind of malfunction, and installing updates on a large number of devices, often located remotely, is a challenge in its own right.
At the end of the day, the reason does not matter. IoT devices should always be considered 'at risk' and should never be trusted by default.
Zero Trust for IoT
The simplest way to deal with insecure devices that cannot be fixed is to wrap them in something secure. In a dispersed environment with many geographically distributed devices, the first challenge that emerges is usually connectivity. There are dozens of hardware connector solutions on the market that solve the connectivity question but completely neglect security and scalability. No company should deploy this kind of device when a more secure and scalable alternative exists.
The following should be considered when looking for an IoT solution:
- Be mindful of how many devices you plan to deploy. In small labs almost everything will work, even DIY projects on consumer devices, but production deployments are full of scalability issues. Keep this in mind as you think about the future growth of your network and the lifespan of your devices.
- Connectivity through LAN, Wi-Fi, 5G/4G/LTE, or another technology will require a hardware device. Ideally, this hardware device will be capable of more than just connectivity.
- The IoT devices cannot be trusted (Zero Trust is our principle). They should therefore be isolated from other devices and must never be exposed to the internet. Use an IoT firewall to provide connectivity and security, and never assign a public IP to an IoT device. If you are not sure why, go to https://www.shodan.io/ and search for your device vendor.
- Protecting the device from internet-borne threats is half the battle. You also have to secure communication over public networks and account for the flaws in industrial protocols, many of which carry no authentication and run in plain text. Wrapping that traffic in a VPN tunnel keeps the plain-text protocol off the public network and protects it from eavesdropping and tampering in transit; it does not fix weaknesses in the protocol itself, so pair the tunnel with next-generation security such as IPS and Advanced Threat Protection to block malicious content before it reaches the device.
- Allowed network communication from and to the device must be restricted to the necessary minimum: default deny, with an explicit allowlist for the few flows the device actually needs. Firewall rulesets based purely on IPs and ports were popular in the past; today these restrictions are expressed in terms of applications, combined with intent-based routing.
- If there is no IT expert on-premises in each location, the hardware rollout and replacement should be as easy as possible. That requires true Zero Touch Deployment technology. Whoever is available on site should be able to plug in the device and be done with the installation. The physical installation could be done by an electrician or shop assistant, but the configuration and license assignments are managed remotely. This deployment system should work outside regular office hours too.
- Centralized management is key to being able to apply security fixes and firmware updates, and to maintain the configuration of devices in such an infrastructure. Although IoT devices often look the same, each one is unique, and many organizations require a granular security ruleset and configuration to be able to provide a high level of confidence in security. That is only possible if there is a simple but powerful centralized management portal to work with.
- There is no fire-and-forget approach in IoT security. Regardless of what devices you deploy, always assume that further adaptation or optimization will be necessary. The key consideration is how those future changes can be rolled out across the deployment. Will you be able to make changes to hundreds of devices in dispersed places? If you think that will not be necessary, your security policy is likely too loose.
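The isolation and least-privilege points above (no inbound from outside, no lateral traffic, only the flows the device actually needs) are easy to state and easy to get wrong in a ruleset. The following is an added example, not code from the original post or from any Barracuda product: a small default-deny flow policy for an IoT segment, evaluated over a handful of constructed flow records. The addresses, segment names, ports, and sample flows are assumptions chosen for the illustration.

```python
"""Default-deny flow policy for an isolated IoT segment (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for this example; nothing here comes from the original post.
IOT_SEGMENT = ip_network("10.50.0.0/24")   # IoT micro-network behind the IoT firewall
CORP_SEGMENT = ip_network("10.0.0.0/16")   # corporate LAN reached through the tunnel
INTERNAL = (IOT_SEGMENT, CORP_SEGMENT)     # everything else is treated as "outside"
MQTT_BROKER = ip_address("10.0.20.5")      # corporate MQTT broker, TLS only
NTP_SERVER = ip_address("10.0.20.10")      # corporate time source
MGMT_HOST = ip_address("10.0.30.2")        # the one host allowed to reach the devices


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Ordered allowlist: first match wins, anything unmatched is denied.
# Each rule names the application intent rather than just an IP/port pair.
ALLOW_RULES = [
    ("iot-to-mqtt-tls",
     lambda f, s, d: s in IOT_SEGMENT and d == MQTT_BROKER
     and f.proto == "tcp" and f.dport == 8883),
    ("iot-to-ntp",
     lambda f, s, d: s in IOT_SEGMENT and d == NTP_SERVER
     and f.proto == "udp" and f.dport == 123),
    ("mgmt-to-iot-ssh",
     lambda f, s, d: s == MGMT_HOST and d in IOT_SEGMENT
     and f.proto == "tcp" and f.dport == 22),
]


def is_internal(addr) -> bool:
    """True if the address belongs to one of our known segments."""
    return any(addr in net for net in INTERNAL)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the default-deny policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    flow = Flow(flow.src, flow.dst, flow.proto.lower(), flow.dport)
    # Hard rule, checked before any allow rule: nothing from outside our
    # segments may ever initiate a connection to an IoT device.
    if dst in IOT_SEGMENT and not is_internal(src):
        return "deny", "inbound-from-outside"
    for name, matches in ALLOW_RULES:
        if matches(flow, src, dst):
            return "allow", name
    # Lateral IoT-to-IoT traffic and IoT-to-corporate traffic land here too.
    return "deny", "default-deny"


def audit(flows):
    """Evaluate a batch of flows; returns (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in flows]


def denied(flows):
    """Only the flows the policy would block, with the reason."""
    return [(f, reason) for f, verdict, reason in audit(flows) if verdict == "deny"]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.50.0.21", "10.0.20.5", "tcp", 8883),    # sensor publishing telemetry over MQTT/TLS
    Flow("10.50.0.21", "10.0.20.10", "udp", 123),    # time sync
    Flow("10.50.0.21", "10.0.20.5", "tcp", 1883),    # plain-text MQTT to the same broker
    Flow("10.50.0.21", "10.50.0.22", "tcp", 502),    # lateral Modbus between two devices
    Flow("10.50.0.21", "10.0.40.7", "tcp", 445),     # device reaching a corporate file server
    Flow("203.0.113.10", "10.50.0.21", "tcp", 22),   # inbound from outside, e.g. a scanner
    Flow("10.0.30.2", "10.50.0.21", "tcp", 22),      # maintenance from the management host
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:22} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The point of the hard "inbound-from-outside" check is that it runs before the allowlist, so a later, overly broad allow rule cannot accidentally expose a device. Note also that the plain-text MQTT flow on 1883 is denied even though it goes to an approved broker: the allow rule encodes the intent "telemetry over TLS", not "anything to the broker".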
So why SASE?
The convergence of security and networking is exactly what is needed to let IoT devices participate securely in the corporate infrastructure. Today's hybrid environments already require secure connectivity for people working remotely or at home and accessing workloads in the public cloud, on-premises, or in Software-as-a-Service offerings. SASE is the state-of-the-art concept for a consistent security posture across all edges, regardless of location. Adding IoT devices is the obvious next step in building a solution that securely and efficiently connects sites, things, people, and the cloud, all under one roof and managed through a single pane of glass.
The Barracuda solution for IoT
At Barracuda we recommend our purpose-built Secure Connector for dispersed IoT infrastructures. The Secure Connector uses Barracuda's proprietary Traffic Independent Network Architecture (TINA) VPN protocol over Ethernet, Wi-Fi, or 4G/LTE and is available as regular or rugged hardware. The compact appliances work with Barracuda CloudGen Firewall or with Barracuda's new SASE platform, SecureEdge, to connect remote devices and micro-networks to corporate resources, providing full next-generation security and effectively serving as the connectivity hub for all traffic between the IoT devices and the internet.