Aruba: Dynamic IoT security
Change is the only certainty for facilities and IT teams. Endless, unforeseen new IoT requirements sail in from building owners, tenants, and regulators. Today it could be adding EnOcean temperature and occupancy sensors to an existing BACnet IP network, tomorrow a ModBus motor control interface for predictive failure analytics, and the day after food safety refrigeration monitoring.
One would be forgiven for believing that IoT gateways are the solution, because from a data gathering perspective, that might be true. From a cybersecurity perspective, however, gateways are anathema to Chief Information Security Officers (CISOs) because they introduce a variety of security vulnerabilities. Increasingly, facility owners and tenants simply won’t allow IoT gateways to connect to their secure IT networks, or the installation of a parallel Ethernet network that is outside of IT’s control. The only safe harbor comes from leveraging existing secure IT infrastructure in a way that addresses the CISO’s concerns and adapts automatically to the tides of change.
Aruba and EnOcean have partnered to address these security-related headaches by leveraging the security features built into Aruba IT infrastructure to protect EnOcean networks. For example, space utilization in office buildings can be analyzed by EnOcean sensors, and then securely shared with hoteling and room booking applications. IT and IoT data are both securely segmented and reliably transported over one common network.
Segmentation of IT and IoT data
The standard today for accessing a network is called zero trust network access (ZTNA), under which segmentation, isolation, and control are fundamental tenets. New gateways and IoT devices that need network access must be definitively identified, assigned security roles, and have their traffic routed through secure micro-segmented tunnels to target applications. Ideally this process is automated and tunnels are dynamically segmented to lower the chances of misconfiguration and manual error.
Workloads are increasingly being moved to remote servers and both private and public clouds, which means that dynamic segmentation often needs to extend beyond the local area network. The system should permit users to access on-premises applications using ZTNA principles, while point-of-sale (PoS) data is tunneled to the PoS processing application, video conferencing traffic to the Internet, IoT gateway traffic to Azure IoT, and so on. The result is both an improved security posture and better user experiences versus sending all traffic to a data center and then hair-pinning it back or redirecting it to another site.
Aruba’s dynamic segmentation features built-in identity-based access control, and automatically applies consistent policies across wired, wireless, and WAN networks to keep traffic for any user or device separate and secure, regardless of the application or service. Dynamic segmentation seamlessly extends across SD-WANs to remote sites and cloud services, and provides channel bonding for non-stop operation across Internet, MPLS, cellular, and other media for high reliability applications.
A Layer 7 stateful firewall runs natively and works with Aruba ClearPass Policy Manager to eliminate the configuration of individual virtual LANs (VLANs), a traditional security approach that becomes unmanageable as IoT devices proliferate.
If you need to deploy IoT gateways on secure IT networks, Aruba’s ZTNA solution will ensure that wherever data needs to land, secure tunnels will guide the way. The solution is completely automatic and enables segmentation and enforcement to be achieved in any location for any IoT gateway.