Securely connecting IoT involves replacing VPNs with zero trust networks — end to end, from routers to IT and OT teams
In today’s world, protecting our homes and businesses from unwanted visitors is more important than ever. That’s why we lock our doors and windows, install security systems, and keep our valuables out of sight.
The same emphasis on protection is true for an enterprise network. The imminent threat of hackers means companies must take extra precautions to ensure their data stays in the hands of only trusted users. But with increasingly complex networks, IoT deployments, and more outsiders needing remote access, how can enterprises better protect their wide-area network (WAN)?
It’s easier than you might think. Let’s dive into the concept of secure IoT access from anywhere, why it’s important for businesses, and what adopting zero trust principles looks like, from A to ZTNA.
Why is IoT remote access important?
Third-party contractors and suppliers are a vital part of doing business for many enterprises seeking ways to save money through outsourcing. However, granting setup, troubleshooting, management, and operational access to people outside the network is a risk — one that is becoming increasingly common as more enterprises add 5G to their infrastructure and WANs continue to transform.
For example, many organizations use video surveillance systems for safety and security purposes to provide real-time monitoring and recording of activities within and around the premises. But, like most IoT devices, these cameras often require ongoing management and maintenance.
Businesses can opt to have a third party remotely manage their cameras to reduce costs associated with on-site visits and enhance operational effectiveness. Secure IoT remote access using policies built on zero trust principles establishes an isolated connection between the contractor and the video cameras, meaning they can securely monitor live video feeds, review footage, adjust camera settings, and perform necessary maintenance and troubleshooting without physically being present on site.
While this can be a convenient and cost-effective way to manage IoT devices, it doesn't come without risks that should be mitigated through the establishment and application of security policies.
Why is IoT access from anywhere a security risk for enterprise WANs?
Enterprise IoT devices — video surveillance cameras, kiosks, digital signs, and more — are especially vulnerable to security threats due to their simple hardware and communication protocols. Remotely managing them further complicates things by allowing users to enter the network through blind spots found in these connected devices, whether they are accessing them through a router or a client. Without the right policies and security measures in place, users can move laterally to other parts of the network once they’re in, putting the entire network at risk and making it difficult to track and monitor user activity.
How do most companies today handle IoT remote access?
Today, many companies use traditional Virtual Private Networks (VPNs) to protect their WAN edge. But enterprise networking is constantly evolving, and as more users and resources exist outside traditional perimeters, VPN protocols aren’t robust enough to protect these networks.
The solution? A zero trust network that is secure, simple, and scalable. Zero trust implementation — a critical component of 5G security — means an enterprise can better manage security by denying all by default and eliminating risky broad network access. Instead, users are connected only to the resources they need to do their job — and nothing else.
Many enterprises are eager to dip their toes in zero trust, but how to replace VPNs with zero trust architecture can leave lean IT teams wondering where to start. Replacing a VPN needs to be painless, especially when it comes to complex WANs with widespread IoT deployments.
Fortunately, switching from a VPN to a network built on zero trust principles, such as Cradlepoint’s NetCloud Exchange (NCX) Secure Connect, is easy and goes almost entirely unnoticed by users on the network. Other than changing the architecture and security protocols, deployment looks virtually the same as a VPN. IT teams simply install a second headend alongside the existing VPN headend, which already has multiple routers connected to it. Once that’s up and running, the routers are reassigned to the zero trust network, establishing secure IoT connections in sites such as stores, offices, vehicles, or even standalone.
How to extend the zero trust network to those managing data remotely
Securely connecting sites with zero trust is only part of the IoT story. The other involves further extending access to certain users outside of the network who are managing IoT data remotely. But how is that done?
Let’s go back to IoT remote access. Enterprises need a ZTNA solution, such as Cradlepoint’s NCX ZTNA, that manages user-to-resource (or user-to-IoT) connections and extends specific parts of the network to third-party contractors, suppliers, and selected employees without giving them access to any other resources on the main network. ZTNA gives companies the ability to move to user-based access policies, enabling remote access from either a router or a client.
For example, think about HVAC systems, which are found in virtually every enterprise building to help control temperature and air quality and create a healthy working environment. As with video cameras and other IoT devices, consultants can access HVAC systems remotely via a client, which lets them monitor and adjust temperature settings, control ventilation and air quality, and receive real-time alerts about system performance and maintenance requirements.
But modern-day organizations should always have their guard up when it comes to protecting their WAN, which is why a ZTNA solution should continuously verify users as conditions change, such as the location a user is logging in from and the time of day at which they log in. These changes in user context are important to monitor and are integral to the value of ZTNA.
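The two ideas the article leans on, deny-all-by-default with explicit user-to-resource grants and continuous re-verification as location or time of day changes, are easy to see in a small policy evaluator. The following is an added illustration written for this page, not code from Cradlepoint or from NCX ZTNA; the policy table format, the user and resource names, and the country and hour checks are all constructed assumptions chosen to mirror the HVAC-contractor and camera-vendor scenarios above.

```python
"""Constructed ZTNA-style policy evaluator: default deny, per user-to-resource
grants, and re-evaluation of a live session whenever the user's context changes.
Illustration only; policy format and names are invented for this example."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed policy table (not a vendor format). Each grant ties ONE user to
# ONE resource under stated conditions. A pair that is absent is denied: there
# is no broad "network" access to fall back on, so lateral movement has no grant.
POLICIES = {
    ("hvac-contractor", "hvac-controller-01"): {"countries": {"US"}, "hours": range(7, 19)},
    ("video-vendor", "camera-lobby-03"): {"countries": {"US", "CA"}, "hours": range(0, 24)},
}


@dataclass(frozen=True)
class Context:
    user: str
    resource: str
    country: str      # where the client appears to connect from
    when: datetime    # time of the original request or of the re-check


def evaluate(ctx: Context) -> tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit grant is a deny."""
    policy = POLICIES.get((ctx.user, ctx.resource))
    if policy is None:
        return False, "default deny: no policy for this user-to-resource pair"
    if ctx.country not in policy["countries"]:
        return False, f"deny: country {ctx.country} not permitted"
    if ctx.when.hour not in policy["hours"]:
        return False, f"deny: hour {ctx.when.hour} outside permitted window"
    return True, "allow"


class Session:
    """A granted connection that is re-checked on every context change rather
    than trusted for its lifetime, and that keeps an audit trail of decisions."""

    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.active, reason = evaluate(ctx)
        self.audit = [(ctx.user, ctx.resource, ctx.country, ctx.when.hour, self.active, reason)]

    def refresh(self, **changes) -> bool:
        """Apply a context change (new country, new time, new target resource)
        and re-evaluate. A session that fails the re-check is revoked at once."""
        self.ctx = replace(self.ctx, **changes)
        self.active, reason = evaluate(self.ctx)
        c = self.ctx
        self.audit.append((c.user, c.resource, c.country, c.when.hour, self.active, reason))
        return self.active


def request(user: str, resource: str, country: str, hour: int) -> bool:
    """One-shot decision using a constructed date; only the hour matters here."""
    when = datetime(2024, 5, 6, hour, 0, tzinfo=timezone.utc)
    return evaluate(Context(user, resource, country, when))[0]


def demo() -> list[bool]:
    """Walk one contractor session through changing conditions and return the
    sequence of allow/deny decisions."""
    start = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
    s = Session(Context("hvac-contractor", "hvac-controller-01", "US", start))
    decisions = [s.active]                                                   # in window, in country
    decisions.append(s.refresh(country="DE"))                                # location changed: revoked
    decisions.append(s.refresh(country="US", when=start.replace(hour=23)))   # back home but out of hours
    decisions.append(s.refresh(resource="camera-lobby-03", when=start))      # lateral move: no grant exists
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(f"step {step}: {'allow' if decision else 'deny'}")
```

The shape to notice is that `evaluate` has exactly one `allow` return and that `Session.refresh` calls it again on every change; a VPN-style model grants once and then relies on the network to say no, whereas here the absence of a grant, a changed country, or a changed hour each produce a fresh deny that also lands in the audit trail.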