Aiming Towards an Unfettered and Secure IoT
Last week, we heard bold claims by a networking vendor that they could make the Internet of Things (IoT) safe because they “own” the network. One of the ways they plan to do this is to certify products to take advantage of network security capabilities.
As a player in the networking space that is addressing IoT security, Avaya agrees “that there aren’t enough people on Earth to run the network the way it’s being run today, when you look at the scale of IoT.”
But, we strongly disagree on a number of other claims and respectfully offer these counterpoints:
One Pipe, One Gatekeeper:
Their point of view shouldn’t be surprising—they are a vendor that has long relied on proprietary approaches designed to keep out the competition. The plan to certify devices to run on their network is yet another cog in the wheel whereby they soundly eliminate competitors and increase their revenue instead of allowing the market to decide who has the better approach to securing IoT. This brings us to our next point.
Innovation: Supporting or Suffocating?
Does a single vendor governing who and what has access to the network encourage innovation or does it stifle it? While the concept of whitelisting is generally good, it requires a significant level of execution to be effective without hindering innovation. The sheer scale of the IoT means that it’s likely billions of devices will ultimately be connected. Each type needs to be certified, demonstrating compliance to a standard that gives them permission to onboard. Not impossible, but this is not the domain of a single vendor. In addition, as the market continues to trend towards more flexible networks and elasticity enabling greater innovation, the one-vendor-owns-the-network approach is rigid and exclusionary. The ecosystem for devices becomes extremely limited.
Say Bye-Bye to Your Legacy Equipment:
While newer devices may be able to incorporate new standards and technology, there are still many, many legacy devices in operation that don’t have that level of intelligence. Many of these devices are regulated and would require significant back porting to support the operating systems they run. Requiring a forklift to remove non-compliant legacy devices is a huge moneymaker for some vendor—something we’ve seen them do in the past. But, for the company that needs to change their entire legacy operation, it may mean closing the doors due to a prohibitively expensive demand to update. Alternatively, they will be forced to manually manage the whitelists for legacy devices—an extremely cumbersome process.
An Alternative Approach
Avaya has already taken ground-breaking steps in securing IoT—steps that are much less costly and cumbersome, and support the innovation that IoT stands for by its very nature. Let me elaborate:
Automatic Onboarding, Configuration and Management:
While the competition suggests that its approach will include not only “IoT onboarding and management capabilities, it will go beyond security to include automation of other tasks like network configuration that administrators would otherwise have to do.” Hello there. Let me introduce myself. This is fundamental to Avaya SDN Fx™. More than 800 Avaya customers are already enjoying the unique simplicity delivered through automation to the edge found in Avaya Networking. However, it’s still networking. Fundamentally, IoT needs to be separate from the network. While interaction between the solutions may offer benefits, any IoT solution needs to be capable of providing unique value regardless of the network underneath.
Keep What You Have, Use What You Want:
IoT is gazillions of unique endpoints like medical imaging equipment, video devices, specialty printers, and more. Thus, you must protect 100% of your devices for a secure network. To manage this, and to secure legacy devices and a broad ecosystem of devices, Avaya built the Open Network Adapter—a small adapter about the size of a deck of cards enabled with an Open vSwitch. The Open Network Adapter allows these special devices to automatically connect to the network with a granular security profile based on their individual communication characteristics. Once fitted with the adapter, a session can be automatically set up, torn down and re-established—even if moved to a new location. This ensures that devices always have the proper security and can be tracked for both logistics and analytics purposes.
Securing the Future and Making Whitelisting Practical:
Avaya’s SDN Fx IoT solution takes a different approach by providing proxy capabilities for devices to protect existing investments. This lets budgets be focused on innovations that are important to the business strategy. The SDN Fx IoT solution is based on the concept of intelligent profiling to dynamically understand the expected conversation patterns of whitelisted devices. This is important, as devices can be spoofed or hacked. Many IoT devices are in public domains where people may have physical access. They are often implemented by non-IT personnel and may not be secured to the level an enterprise expects. Gaining permission for whitelisting the device is a low threshold most will be willing to accept. From there, IT is free to characterize the traffic patterns of the devices and dynamically narrow the security profiles to a very refined set of flows within the whitelist.
Hyper-Segmentation for Hyper-Secure Networks:
For those looking to evolve their defenses beyond an overlay solution and fully integrate their end-to-end security, Avaya’s SDN Fx provides a perfect complement to the IoT solution with automated connection into hyper-segments directly from the Open Network Adapter. Recently, we announced the hyper-segmentation capabilities of Avaya Networking. This end-to-end segmentation creates isolated traffic lanes within the network that limit where a hacker can go. They can’t get to the core and wreak havoc with sensitive data and operations. With hyper-segmentation, you get on the on-ramp to a dedicated toll road, where you are the only car on the road. Your isolated road leads directly to your destination, with no off-ramps. No one can see you, and you can’t see anyone else. But more importantly you can’t get off at any other destination than your own.
Avaya has already done much of the work needed for securing IoT that the other networking vendor is proposing, although we’ve left out those aspects that are not in the best interests of customers and innovation. While they are trying to make this about the network, the network has yet to stop many of the recently publicized breaches.
Any IoT device has the potential to be compromised whether remotely or physically, so end-to-end security is absolutely necessary, but absolutely should not be an old school, proprietary approach. Instead, it starts with micro-segmenting between applications and extends that level of separation and obfuscation out to the device and cloud edges. Anything less is like a football player taking the field with full pads but no helmet. Most hits will be absorbed, but the ones that aren’t can be the most damaging.