5G & SDN converge to connect & protect people, places & things
The reality is that in today’s world, when the bad guys are hacking the NSA and flaunting it, something has to change. Do we need to do a better job securing our networks? This is not the right question. Doing a “better” job isn’t good enough anymore. We need to take a different approach, especially as networking becomes far more pervasive with 5G and IoT (Internet of Things) technologies.
What’s 5G Got to Do with It?
5G will bring tremendous changes to cellular networks, many of which I’ve previously laid out in the rest of this series on 5G:
5G — Better Broadband Bandwidth
5G — A Few Frequency Facts
5G — Network Slicing – What is it, and Why You Should Care
5G — Connection Density – Massive IoT and So Much More
There are three enhancements in particular that will have a significant impact on existing security architectures, which in my view will hasten a different approach.
Bandwidth, Latency & Connection Density
When people think about 5G, most often what comes to mind is higher throughput, and in many cases, that’s true (some IoT devices notwithstanding, but we’ll get to that in a bit). In fact, some of the 5G trials have delivered multiple Gigabits per second, in one case as much as 32 Gbps, and that was in only a fraction of some of the spectrum being allocated for 5G. That’s orders of magnitude greater than what’s available today. While that’s not likely the real-world throughput at every endpoint, think about the circuits into your data center security appliances. Are your concentrators able to handle 10 times the traffic... or more?
Latency improvements are also a big part of 5G. Most 4G connections deliver sub-100 millisecond round-trip latency, and most of the time sub-50 ms. The 5G standard’s design goal is a blazing 1 ms — and lower than that has been seen in trials. Now, the typical security model of a VPN connection routes traffic from the endpoint to a centralized concentrator, then out to the destination server (nowadays often on the Internet), then back to the concentrator, then back to the endpoint. Depending on where those three elements (endpoint, concentrator, destination server) are located, tens if not hundreds of milliseconds can be added to each transaction. With users’ increasingly insatiable expectations for performance, something’s going to have to give.
5G is also being designed to handle many more devices. Strike that — many, many, many more devices. IoT has been talked about for years — but in reality, we’ve only just begun (to quote a cheesy 70s song). While Gartner estimates the current number of IoT devices at about 8.4 billion, they also predict that there will be 21 billion by 2020. Can you imagine your VPN concentrator salesperson salivating when you ask for the cost to license all those devices you plan to deploy? Oh, that’s right — you have to upgrade your hardware as well, don’t you? IT budgets are unlimited, aren’t they?
But wait, there’s more...
Keep in mind, that many of those IoT devices aren’t the usual IT endpoints, such as a PC, tablet, or smartphone, for which traditional endpoint security and VPN clients are available. And what about these connected devices accessing containers or IoT services in the cloud? Head spinning yet? I think by now you’re catching my drift that IoT network security can’t be achieved with the traditional IT security models, especially when considering the implications of 5G.
So, what’s the answer?
To understand why we need to rethink network security in the IoT era, you first need to understand the evolution of traditional enterprise network security over the past two decades. Like the Internet, enterprise networks were designed to connect first, then ask questions later. Additionally, they have been built with a contiguous, or routable, address space that makes it possible for an endpoint to reach any other endpoint on the network. This approach required network admins to overlay a “filter-out” security paradigm in order to restrict access and flow of traffic between specific users, resources, and devices. These conventions have worked reasonably well to “segment” networks with thousands of endpoints that remain fairly static. But that does not represent the world of IoT networking and 5G where volume and variety of endpoints are massive and velocity of change is mind-numbing. It will not be unusual to see hundreds of thousands, or even millions, of devices attached to your network as IoT continues to proliferate. In a parallel universe, the volume, variety, and voracity of threats that are emerging around IoT will soon overshadow what we have experienced in traditional enterprise networks.
The answer to this problem starts with flipping the traditional enterprise network model upside down, moving network functions to the cloud and software that overlays the Internet. This cloud networking approach, called Software-Defined Perimeter (SD-Perimeter), enables IT and OT teams to deploy a perimeter-secured virtual network over the Internet that is completely “cloaked” to the outside world. After all, you can’t attack what you can’t address. Instead of connect first, authenticate second, SD-Perimeter-based IoT networks act like closed user groups and require an invitation before a device can join and connect. From a device segmentation and isolation perspective, the tedious and vulnerable filter-out methodology of traditional enterprise networks is replaced by the ability to spin up different virtual overlay networks for each class of device, such as surveillance cameras, sensors, and actuators, which are cloaked from one another. Since SD-Perimeter networks are cloud-based, they easily integrate IoT devices with IoT cloud resources, scale to millions of devices, and work seamlessly with mobile networks, from narrowband LTE to broadband 5G.
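As an added illustration (not code from the original post or from any SD-Perimeter vendor), here is a small Python model of the two policy styles just described: a routable network with a filter-out deny list beside a set of invite-only, per-class overlays that cannot route to one another. Device names and classes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    dev_class: str  # constructed classes: "camera", "sensor", "actuator", "unknown"


# Model 1: traditional routable network with a "filter-out" policy.
# Every endpoint can reach every other unless an admin has written a
# deny rule for that (source class, destination class) pair.
def filter_out_allows(src: Device, dst: Device, deny_rules: set) -> bool:
    return (src.dev_class, dst.dev_class) not in deny_rules


# Model 2: SD-Perimeter. One cloaked overlay per device class; a device is
# not addressable until it is invited into an overlay, and overlays never
# route to one another.
class Overlay:
    def __init__(self, dev_class: str) -> None:
        self.dev_class = dev_class
        self.members: set = set()

    def invite(self, device: Device) -> bool:
        """Admit a device only if its class matches this overlay's class."""
        if device.dev_class != self.dev_class:
            return False
        self.members.add(device)
        return True


def sdp_allows(src: Device, dst: Device, overlays: list) -> bool:
    # Reachable only when both endpoints sit inside the same overlay.
    return any(src in o.members and dst in o.members for o in overlays)


def demo() -> dict:
    cam1, cam2 = Device("cam-1", "camera"), Device("cam-2", "camera")
    valve = Device("valve-7", "actuator")
    rogue = Device("rogue-0", "unknown")  # newly attached; no rule mentions its class
    deny = {("camera", "actuator"), ("sensor", "actuator")}
    overlays = [Overlay("camera"), Overlay("sensor"), Overlay("actuator")]
    for d in (cam1, cam2, valve):
        any(o.invite(d) for o in overlays)  # each managed device gets its invitation
    return {
        "filter_out_rogue_to_valve": filter_out_allows(rogue, valve, deny),  # True: gap
        "sdp_rogue_to_valve": sdp_allows(rogue, valve, overlays),            # False
        "sdp_cam_to_cam": sdp_allows(cam1, cam2, overlays),                  # True
        "sdp_cam_to_valve": sdp_allows(cam1, valve, overlays),               # False
        "sdp_rogue_invited_to_camera_overlay": overlays[0].invite(rogue),    # False
    }
```

The rogue device shows the gap the post calls out: the filter-out list only blocks pairs someone thought to write down, while the overlay model leaves an uninvited device with nothing to address.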
If you think about it, 5G along with IoT and Software-Defined Networking represent a nexus of disruptive technologies that have the power to transform businesses, converging on today’s CIO. Visionary CIOs will recognize that security in the emerging connected economy will require a new approach to connecting and protecting people, places, and things.
Find Out More About Keeping Networks Protected
Learn about IoT security challenges and best practices for mitigating risk, including Software-Defined Perimeter technology, in the Protecting IoT Devices & Networks From Cyber Crime on-demand webinar.