Cloud management for IoT gateways can reduce security risk compared to onsite hosted management servers
Across Cradlepoint’s many experiences connecting routers and gateways at the network’s edge, one of our customers’ biggest challenges has become the multi-faceted security risk surrounding IoT deployments and their management via onsite system management servers. Protecting IoT-related data and systems from cyberattacks is a priority for every enterprise, and cloud-based network management can ameliorate those risks.
A recent report by Mandiant, FireEye’s consulting team, underscores this fact, revealing several key findings based on engagements with hundreds of companies that use IoT for industrial control systems (ICS). According to Mandiant’s analysis, the most common critical and high-severity security risks include:
- Vulnerabilities, patches, and updates (including system management server) = 32%
- Identity and access management = 25%
- Architecture and network segmentation = 11%
Unfortunately, onsite system management servers continue to pose additional unnecessary risk to businesses. Managing onsite management servers — usually companies have two of these to ensure redundancy — can be labor-intensive and involve manual tasks. A variety of components for an onsite management server architecture must frequently be patched and updated, including:
- Hardware (including end-of-life transitions)
- Basic input/output system (BIOS) firmware that runs the hardware
- Operating system updates and patches
- Hypervisor configurations, updates, and patches
- Various software packages and libraries
- Network segmentation rules for management traffic
- Access control lists, firewall rules, and endpoint security and monitoring software
On-premises Operational Technology (OT) and IT managers also must enforce physical access controls to these servers. Considering all these factors, I believe that using an on-premises management server to manage IoT gateways and routers will likely introduce additional and unnecessary risk to most enterprises that are lean on IT staff and software automation budgets.
Conversely, management of these IoT gateways and routers can be done through a cloud-delivered network management service that eliminates or reduces the risks of on-premises network management platforms. A cloud management service is especially ideal for customers with lean IT and OT staff, as it minimizes manual processes, usually costs much less upfront, doesn’t require additional hardware, and can be implemented much faster.
Using a public cloud-based network management service such as Cradlepoint NetCloud Manager (NCM) running on Amazon Web Services (AWS) leverages a shared responsibility model for security and compliance. AWS manages, operates, and controls the cloud computing resources, including the host operating system, virtualization layer, and the physical security of the facilities in which NCM operates. Cradlepoint manages the security and compliance for the NCM application. This architecture also enables Cradlepoint to provide a self-attestation of compliance for our NCM service that adheres to the Payment Card Industry (PCI) standards — essentially demonstrating that we have controls, processes, and procedures in place that conform to the PCI DSS standards and best practices.
Additionally, with cloud-based network management, no customer IoT data is stored in the service — just the encrypted configurations and analytics that help customers proactively monitor, manage, and patch their IoT gateways and routers.
Our customers find peace of mind in the fact that NCM is continually patched and upgraded behind the scenes as a part of the service. Cradlepoint also conducts frequent third-party testing and compliance checks that continually verify the security controls and processes for our NCM application comply with our security standards, which conform to PCI DSS and Criminal Justice Information Security Policy (CJIS) requirements.
If you look at the common critical and high-risk vulnerabilities found in ICS from Mandiant’s experiences over the past couple of years, a robust cloud-based management service such as NCM reduces these risks for most companies with a lean IT staff. The cloud-based service minimizes vulnerabilities by automating golden configurations, thus reducing human errors in the architecture, segmentation, and patching of IoT gateways and routers. Additional features of a cloud-based service, such as federated ID with single sign-on (SSO) and multi-factor authentication (MFA), further cut down the risk of identity and access management errors and compromise.
All that said, what about our law enforcement customers? Many law enforcement agencies ask us if cloud management conforms with the CJIS policy that every law enforcement agency must adhere to. The answer is “yes.”