Software-Defined Perimeter Helps Solve Emerging IoT Challenges
Enterprises, public sector organizations, and businesses of all kinds face two changing paradigms: the growing presence of the IoT, and the need to enable employee mobility. Both of these changes present exciting opportunities: More than ever, enterprises can do their best and most important work beyond the walls of the office.
At the same time, the IT team can no longer depend on a tightly controlled perimeter to keep the network secure. Today’s Network’s Edge is an Elastic Edge that is constantly expanding, contracting, and evolving. This observable shift makes it much more complex to provide users and devices with controlled but efficient access to company files, data, and applications in the cloud and at the datacenter.
Software-defined Perimeter (SD-P) takes a completely new approach to connecting and securing IoT devices on an organization's network — providing IT teams with a simplified network architecture, reducing resources needed to manage the network, and offering end users a better management experience.
The Challenges of the IoT
Connecting IoT is fundamentally different than connecting branch locations. For example, a utility monitoring system might be located in a place without access to traditional wired internet, without any on-site employees, and without computers to monitor and manage the devices. Organizations that have implemented IoT systems, or are planning to do so, need a way to connect these devices back to a centralized location in simple fashion.
A related pain point is the need to ensure that traffic flow from mobile and IoT devices is managed efficiently, and that it can’t be intercepted and manipulated by hackers. This has traditionally been conducted using Virtual Private Networks (VPNs). However, VPNs are complex and require significant resources to plan and implement; they also create latency issues because traffic that needs to get from one point to another often must take a longer route on the network due to logical, physical, and security constraints.
What is SD-Perimeter?
SD-P addresses many of the new networking challenges that legacy technologies only complicate. Instead of connecting networks or locations, SD-P uses a host-based approach, connecting people and things directly to the applications and resources they need. For example, a laptop that needs access to a server in the company datacenter will have a direct, encrypted, and hidden connection right to that server. Different devices and users can easily be granted tailored, granular permissions without the complexity of managing an access control list.
SD-P functions similarly for IoT systems. IoT devices are typically very simple, having been engineered with enough logic to perform a singular function — usually data gathering — and not actual computing. Processing, interpreting, and distributing the data must occur elsewhere, and SD-P can provide a secure, direct connection between an IoT device and the computing device or application.
Further, SD-P actually enables management and control of IoT devices themselves from a remote location. Thanks to the direct, LAN-like connection between the IoT devices and other computers or applications, the computing to control and manage IoT devices need not take place on site.
Cradlepoint’s SD-Perimeter Solution
Cradlepoint’s SD-P services are delivered as a service through the NetCloud platform. SD-P makes it possible to set up a Virtual Cloud Network on top of the public Internet — in other words, an invisible, instant, private network that functions independent of the connectivity source.
There are two ways to add devices to a virtual overlay network through NetCloud. First, any device capable of running software can have the NetCloud client installed directly on the device. Once the NetCloud client is installed and the network administrator has added the device to the network, the user never again has to go through the authentication process for that device. For IoT devices or third-party users, network administrators can install the NetCloud client on a Cradlepoint router, which then serves as an SD-P gateway device; then the administrator can grant overlay network access to users and devices that are connected to the gateway.
Instantly Create a Secure, Private Virtual Cloud Network
With SD-P, it is a simple process to spin up a Virtual Cloud Network (VCN) nearly instantly, without complex configurations and back-end maneuvering. SD-P provides LAN-like performance to any remote user and any IP-addressable device. Every person and thing is cloaked — hidden from attackers in a dark cloud — because of the VCN’s private address space.
Easily Microsegment Users, Groups, Applications & Resources
Simple policies enable micro-segmentation to ensure devices and people are connected only to the users, applications and resources to which they need access — by invitation only. For example, if a company has 500 security cameras on its network, each of those cameras can have direct access to the management interface, but each camera is separate from the others, limiting the attack surface and mitigating the risks associated with a DDoS attack.
If a hacker happens to take control of one IP camera, he or she can’t pivot to the others, or to other parts of the network. They can’t hack what they can’t see.
Remote Visibility & Control of IoT Operations
Through a Cradlepoint routing platform with SD-Perimeter, network admins can gain connectivity, security, visibility and control of LAN devices that reside beyond the gateway. Such IoT devices that can be controlled remotely via NetCloud range from security cameras and printers in an office to PLCs and HMIs for complex heavy machinery.
These capabilities can drastically reduce truck rolls and on-site management of LAN-connected devices.
Save Time & Money
In theory, it is possible to implement strict control of device and user access using traditional access control lists; in reality, this is a laborious, error-prone task. Without enough resources devoted to managing network access, it’s common to end up with “super users” who have access to far more applications and files than they need, or for small mistakes to create “holes” between network segments, which hackers can exploit.
SD-P significantly reduces the amount of time and money spent managing access. With Active Directory integration, network administrators can extend LAN access to remote users without detailed command lines or complex configurations.
Achieve True Network Access Control & Security
VCNs are invitation-only, meaning only pre-authorized users can be added to the network. This adds an additional layer of security with less back-end complexity than traditional networks require. Also, all transactions are fully encrypted using AES 256-bit encryption.
Reduce Shadow IT
By eliminating the latency and authentication associated with traditional VPNs, IT specialists can ensure that users and their mobile devices are always operating subject to the security controls designated by the IT team. Users have both less motivation and fewer opportunities to circumvent security.
Learn More About SD-P
Join us for a live webinar, “Software-Defined Everything at the Elastic Edge,” on Aug. 16.