Why proper network segmentation is imperative in an IoT world

Conversations among companies in the IoT world have been circulating around the opportunities and risks that they need to prepare for as they continue to support new business models related to mobility, cloud and the Internet of Things (IoT). These technology transitions represent significant drivers for growth and are already altering several facets of our daily lives. We have already seen significant changes in the way we deliver healthcare, heat our homes, run our manufacturing facilities and manage critical infrastructures.

Enterprises often recognize the need for cyber security models to radically change in order to provide the right level of protection for this new, connected world. One crucial aspect that companies should endeavor to think differently about is their approach to network segmentation. 

Evolution of modern networks

Modern networks now extend beyond traditional walls and include data centers, endpoints, virtual and mobile infrastructure, and the cloud; they reach wherever employees and data are. In the early days of networking, the primary goal was simply to enable connectivity across and between everything, and to guarantee that connectivity, networks were largely built in a flat, unsegmented way.

As networks continue to grow and expand, new devices and applications with widely varying security postures are constantly connected. These devices often include, but are not limited to, mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers, and home computers. This growing trend greatly expands the attack surface and creates opportunities for attackers to compromise a non-critical asset and pivot from there to attack more critical assets and data.

What's the best approach?

As the adoption of IoT strategies continues to evolve, maintaining a proper security posture will require security and network practitioners to rethink how resources on the network are separated and improper or malicious communication between resources is limited or disallowed. This is imperative for ensuring that highly secure access is consistently maintained, proper policies to protect valuable business data and intellectual property are applied, lateral spread of malware is limited and reconnaissance in an environment is inhibited.

Having the right approach in place to segregate valuable network resources enables practitioners to establish policies that only allow designated users to access sensitive information for specific applications, servers and network resources. In fact, applying proper network segmentation can make it much more challenging for an attacker to locate and gain access to valuable information. In some cases, when an attack is underway, segmentation can be used to provide dynamic controls to contain a network intrusion and limit the damage from an incident.

Crucial segmentation within healthcare

To illustrate how this might be applied in a real world setting, imagine the implications for a hospital or health care environment. In such an environment, segmentation is crucial. Clinical staff need uninterrupted access to critical tools like IV pumps, respirators and patient monitoring systems. At the same time, patients seeking care at the hospital want to enjoy Internet-enabled games and other forms of entertainment during their hospital stay. Segmentation makes sure that a savvy patient playing an Internet game on their smart phone or laptop cannot access patient records or disrupt the operation of a life-sustaining device in an adjacent room.

For organizations embracing technology transitions such as IoT, cloud and mobility, now is the time to revisit and evolve existing network designs that have been in place for years. The technology is available today to apply the segmentation strategies necessary to employ these innovations and maintain a proper security posture. For example, capabilities available now include those that enable the creation of advanced policies that can de-couple access entitlements from IP addresses. This means that practitioners can establish common access policies that are role-based to dynamically segment access without the complexity of multiple VLANs, replicating complicated access control lists across the network, or completely changing network architecture. 
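To make the hospital scenario and the role-based idea concrete, here is an added illustration (not code from the article or from any Cisco product) of a segmentation policy that binds entitlements to a device's role rather than its IP address. The device inventory, roles, ports and flow records are all constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical device inventory: identity -> role. No IP addresses appear here,
# so a device keeps exactly the same entitlements when it moves to a new address.
DEVICE_ROLES = {
    "iv-pump-07": "medical_device",
    "monitor-ward3": "medical_device",
    "ehr-db-01": "patient_records",
    "nurse-tablet-12": "clinical_staff",
    "guest-laptop-a": "patient_guest",
}

# Allow list of (source role, destination role, destination port).
# Anything not listed is denied, which is what keeps guests off clinical gear.
POLICY = {
    ("clinical_staff", "medical_device", 443),
    ("clinical_staff", "patient_records", 5432),
    ("patient_guest", "internet", 80),
    ("patient_guest", "internet", 443),
}

@dataclass(frozen=True)
class Flow:
    src_id: str     # authenticated identity of the sender
    src_ip: str     # kept for the audit trail only, never used for the decision
    dst_id: str
    dst_port: int

def evaluate(flow: Flow) -> bool:
    """True if the role-based policy permits the flow. An unknown source has no
    role and so matches nothing (default deny); an unknown destination is treated
    as the Internet so guests can still reach public services."""
    src_role = DEVICE_ROLES.get(flow.src_id)
    dst_role = DEVICE_ROLES.get(flow.dst_id, "internet")
    return (src_role, dst_role, flow.dst_port) in POLICY

def denied_sources(flows, threshold=2):
    """Sources denied against at least `threshold` distinct destinations: a simple
    indicator of reconnaissance or lateral movement that is worth alerting on."""
    targets = {}
    for f in flows:
        if not evaluate(f):
            targets.setdefault(f.src_id, set()).add(f.dst_id)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}

# Constructed flow records for the hospital scenario.
SAMPLE_FLOWS = [
    Flow("nurse-tablet-12", "10.2.0.12", "iv-pump-07", 443),     # allowed
    Flow("nurse-tablet-12", "10.2.0.12", "ehr-db-01", 5432),     # allowed
    Flow("nurse-tablet-12", "10.2.0.12", "ehr-db-01", 22),       # denied: port not in policy
    Flow("guest-laptop-a", "10.9.0.40", "cdn.example", 443),     # allowed: Internet only
    Flow("guest-laptop-a", "10.9.0.40", "iv-pump-07", 443),      # denied
    Flow("guest-laptop-a", "10.9.0.77", "monitor-ward3", 443),   # denied despite new IP
]
```

Because the decision never reads `src_ip`, the guest's address change between the last two flows does not buy it any access, and `denied_sources` surfaces it as the one device probing clinical equipment.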

Attackers do not discriminate. Their motives and persistence have increased along with their understanding of classic security technologies and applications. Increasingly, they employ methods developed specifically to circumvent their target’s infrastructure. 

To prevent falling prey to the catastrophic impacts of a targeted attack requires the right approach to network segmentation. Today, there are 10 billion connected devices but that number is expected to grow exponentially – exceeding 50 billion sensors, objects, and other connected “things” by the year 2020. The number and type of attack vectors will only continue to increase as we continue to connect the unconnected, creating a daunting challenge for those responsible to defend the infrastructure. In order to capitalize on the vast opportunities that the IoT represents and begin to tackle this challenge head on, we need to take steps now to apply network segmentation policies that can keep pace with the growth and diversity of the modern network.

Sugiarto Koh is the Director for Cisco's Security business in ASEAN