5 Steps For Securing The IoT Using Aruba ClearPass
Historically the Internet of Things (IoT) has been much more hype than substance. Sure, there have been a few verticals such as oil and gas and mining that have embraced the trend, but those vertical have been active in IoT since it was known as machine to machine (M2M).
Now, however, we sit on the precipice of IoT exploding. I’ve seen projections that by 2025, anywhere from 50 billion to 200 billion new devices will be added to the network. Which is right? Doesn’t really matter. The main point is that we’re going to see a lot devices connected over the next 10 years, and businesses need to be ready.
IoT does present some unique security concerns for organizations. In fact, the most recent ZK Research Network Survey asked what the biggest impediment was to broader IoT adoption, and security ranked #1 by an overwhelming amount. Why is IoT security so difficult? It’s a fair question, as we’ve been connecting devices to our company networks for years.
Challenges of securing IoT devices
IoT devices are different, though. First, scale is an issue. Consider a hospital where the number of connected medical devices could outnumber traditional computers and printers by a factor for 4 or 5.
Also, IoT endpoints are often the domain of the operational technology (OT) group, not IT, so there many not be any awareness from the security team that new devices are being connected.
Lastly, IoT devices can be hard to secure. Some are old, some have proprietary operating systems, some have no security capabilities and the list goes on. The main point is that these devices have either never been connected to a network before or, at most, connected to a parallel closed network where security wasn’t a concern.
Given the magnitude of IoT and the concerns regarding security, it’s safe to say that businesses need to rethink their security strategy when it comes to IoT.
Securing IoT endpoints: 5 steps
Onboard the devices. There’s no single way of onboarding a device. Aruba’s ClearPass supports a wide range of methods, including 802.1X authentication with RADIUS, MAC authentication, agents, MAC plus 802.1X or captive portal.
Fingerprint the devices. This step requires gathering data and understanding the behavior of the endpoint. This is a critical step in looking for breaches, as any deviation from the normal behavior could indicate malicious activity.
Put the devices into a profiler. ClearPass includes a built-in profiling service that can classify the devices. A variety of contextual data can be used to profile, including MAC OUIs, DHCP fingerprinting and other identity-centric device data. Unmanaged devices can be identified as either known or unknown when they connect to the network. The identity of these devices is based on the presence of MAC addresses in a database within ClearPass.
Create a policy. A policy is only as good as the data used to build it and the tool used to enforce it. Aruba takes an ecosystem approach to policies by partnering with a broad set of technology partners, including MobileIron and Palo Alto Networks. This lets policies be applied and enforced at every level of IoT, including the device, network edge, applications and internet. This gives customers tight control over how devices operate and communicate, resulting in better containments of threats when they emerge.
Monitor and analyze traffic. ClearPass pulls data out of a number of systems, including control, authentication, communication, security and management systems. Data is gathered and then analyzed for odd behavior, and the device is either removed from the network or quarantined. That would happen, for example, if a medical device attempts to communicate with an accounting server. If that occurs, it could indicate a breach. When that kind of traffic is discovered, ClearPass can disconnect the device from the network, minimizing the damage.
Adequately securing IoT devices depends on organizations being able to quickly recognize a device when it joins the network. Aruba has thousands of profiles already created, and it has an exchange for partners to create their own, adding to the list of supported devices.
Source: networkworld.com