Going forward, almost every electronic device in your house, or in your work environment, is going to be connected to the network or internet and sending data of one kind or another back to its manufacturer. For example, if you walk into a conference room, the light switch could be wireless. The HVAC is probably wireless, which is the far more cost-effective option these days. The ROI for the company is immediately obvious. You can completely reconfigure an environment at minimal cost because now everything is wireless.
Most of the growth in the devices market comes from headless devices. Combine these headless devices with BYOD, and organizations are dealing with a massive influx of devices coming into the network that IT teams simply do not have the same control over that they traditionally had.
Part of the problem is that people, both at home and in the workplace, might not grasp the risk to their information if they keep these “headless” devices connected yet unsecured. There has been a massive spike in the amount of malware targeting unprotected IoT devices. However, protecting these IoT devices by cutting them off from the wider network and the cloud can seriously impact their value to the organization. The back-end data that these devices stream online may be why they were chosen in the first place, which means they’re not much use if a firewall is blocking them.
Extending network security
Even just four or five years ago, almost anything that was on your network was locked down. You knew exactly what it was, and you had full control over it. It may have also been possible to make the argument that it wasn’t totally necessary to have security fully integrated, from your policies in the middle all the way out to your edge – where the endpoints connect to the network. That’s because you owned and controlled the edge. Today that is no longer the case.
Cybercriminals have not overlooked this significant opportunity. The lack of control you have over your “edge” network makes your entire network vulnerable. This is why an integrated and cohesive approach to cybersecurity is critical to defend these new headless and BYOD device environments. And the reality is that if you really want security at the wireless access portion of your network, you need a topology that extends network security all the way to the endpoint device.
This requires two things. First, WLAN security needs to be tied to the larger security framework, allowing security policies and protocols to be applied to all data wherever it travels to or resides. Second, organizations need to implement a reliable and secure BYOD and IoT onboarding process that includes identification, authentication and tracking all connected systems in a dynamic and centralized inventory system where they can be monitored, cross-checked against known vulnerabilities and exploits, and be subject to policy orchestration. The reality is that far too many organizations have no idea what is on their networks at any given moment, and if they remain unchecked, they represent a huge liability to the organization.
The need for segmentation
What these environments call for is network segmentation. The concept of internal segmentation essentially means deploying network-based security enforcement technology throughout the extended network, even into the cloud, and not just at the traditional edge and chokepoints between places in the network.
The standard deployment method for firewalls is to place them at the outer edge of the network, and often about as far away from valuable data as they can possibly be. Because a firewall generally only inspects the traffic that passes through it, this distance between security and the valuable data you need to protect can lead to vulnerabilities caused by malware that has managed to breach your external defenses and now lives inside your network. Traditional firewalls aren’t any help because they do not provide any security beyond the point on the perimeter where they have been deployed. And this problem is compounded by WLAN and BYOD.
For example, headless devices are often “unmanaged,” making it very difficult to determine if they’ve been compromised. Consider a device like an IoT thermostat. If it continued to pass temperature data regularly to other devices, as was expected, how would your firewall know if it was also busy accessing your financial records and sending that data to an outside server through that same port?
To address this challenge, BYOD, guest networks, IoT and other such solutions need to be considered, by definition, to be inside your perimeter. You can accomplish this through the implementation of internal segmentation firewalls (ISFWs). ISFWs are an integrated system of defenses placed at critical points across the network to monitor and inspect laterally moving data. These firewalls can also be positioned to protect servers that host valuable data or even a set of devices or cloud-located web applications.
Additionally, ISFWs segment the network with the goal of separating traffic, protecting network resources, and controlling malware propagation. When an outbreak or a breach occurs, ISFWs are then able to immediately restrict attacks to an isolated location or network segment, thereby minimizing their ability to spread to the rest of the network.
Benefits of segmentation
Organizations that deploy ISFWs will see three key benefits:
Protection: Network security is in place to thwart attacks. Without an ISFW, the security team may spend weeks or months sorting through data, log files and alerts to find and respond to attacks. An ISFW eliminates that overhead by proactively implementing segmentation and protection in order to defend against attacks and malware in real time by leveraging the latest security updates to see threats wherever they occur across the network.
Flexibility: One of the primary benefits of ISFWs is the ability to place them anywhere across the network. This flexibility not only expands security touch points but also allows the internal network to be integrated with other parts of the enterprise security system into one unified view. Further, ISFWs allow the organization to quickly insert security into the network where it’s needed most with minimal impact to critical business processes.
Visibility: When an ISFW is deployed, CISOs and their network security teams gain immediate visibility into the traffic that’s moving in and out of and between specific network assets. With this deeper visibility into the network, they can quickly identify abnormal traffic and behaviors and make actionable decisions in real time, without needing days or weeks of advanced preparation.
Digital transformation creates an opportunity for organizations to take advantage of connected technologies like cloud, mobility, analytics, IoT, and BYOD. It also creates huge cybersecurity headaches, as the perimeter begins to vanish and enterprises no longer own their network’s edge.
This is why securing IoT, and BYOD Wi-Fi environments is no longer a “nice to have” but a mission-critical objective. Having good segmentation that extends all the way down to the access layer is key. That’s because while an uncompromised thermostat will never attempt to move into areas of the network it shouldn’t, a compromised one certainly might.
Using a variety of isolated security solutions leaves seams between areas of security coverage, creating or exposing vulnerabilities. This is why a holistic, integrated and overarching security layer is essential. With proper segmentation, you can create checkpoints to ensure that the policies you set up are being applied everywhere across the network. As digitization continues its inexorable march through the business world, organizations must take advantage of new technologies and strategies to secure their networks and digital assets in new and stronger ways.
Typical Wi-Fi and switching solutions can’t properly address these network, application, and device management requirements. Only Fortinet's Secure Unified Access solution provides comprehensive security on the LAN infrastructure, delivering the most flexible security platform with end-to-end enforcement. The tight integration between FortiGate appliances at the core of the network, FortiSwitch devices, and FortiAP Wireless Access Points enables a common security policy across the network, extending the protection of the firewall out to the edge.
For more reading, our paper on "Covering the Gaps in IoT Security” provides details on the security risks of IoT and what organizations can do to address them with Fortinet's Security Fabric.
This byline originally appeared in Enterprise IoT Insights.