
SASE Doesn’t Fully Address IoT Security

By Derek Granath, Senior Director, Product and Technical Marketing

Augment SASE with Identity/Role-based Access for the Highest IoT Device Security

The explosive growth of network-connected devices, known as the “Internet of Things” or IoT, is well understood. In a study conducted in September 2020, IDC predicted that by 2024, more than 51 billion IoT devices – that’s billion with a “b” – will be connected to the internet [1]. These include printers, display panels, heating, ventilation and air conditioning controllers – think of a Nest thermostat like you might have in your home – credit card processing terminals, security cameras, temperature sensors, flow sensors, medical devices, wind speed sensors on windmills, and even refrigerators and self-driving cars. And lots more.

But unlike a mobile phone or a laptop, most IoT devices are unmanaged and therefore it is not possible to install a security agent. IoT devices are agentless; IT can’t install a VPN client or a Zero Trust Network Access (ZTNA) agent on them. Therefore, we need another way to secure these devices and the applications that support them to minimize business risk and help meet compliance requirements.

The Secure Access Service Edge (SASE) architecture doesn’t fully address the securing of IoT devices. Enterprises need a zero trust security framework that segments devices (and also users) to ensure they can only reach applications and data on the network that are consistent with their role in the business.

Zero Trust Security Best Practices

Network security originally relied on a “trust but verify” model. Authenticated users and devices were trusted within the enterprise network and given access to virtually everything. But this leaves the network vulnerable to malicious activity. Zero trust is the opposite. It’s a “never trust, always verify” model.

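The traditional way to segment users and devices is to configure VLANs. But with the sharp increase in the variety of device types and the sheer number of devices connecting to the network, the VLAN approach doesn’t scale. Managing VLANs with spreadsheets is cumbersome and complex.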

Aruba ClearPass secure network access control provides visibility into device (and user) identity and associates them with their role in the business. With this additional role-based context, IoT devices are automatically assigned the proper access control policy and dynamically segmented from other devices and the applications that support them – the network automatically enforces fine-grained segmentation such that users and devices can only reach destinations consistent with their role in the business.

As enterprises continue their journey toward SASE, it’s important to confirm that the SD-WAN can support fine-grained segmentation. It’s important to understand how the SD-WAN identifies users, devices, and roles, in addition to identifying applications, so that it can enable fine-grained segmentation to minimize business risk and assist in meeting compliance requirements.

To learn more about complementing SASE with user, device and role identity with the Aruba EdgeConnect SD-WAN platform, watch our fourth episode, “Special SASE Considerations for IoT Devices.” To learn more about SASE and the benefits it delivers, tune in to our video series.

[1] IDC, Future of Industry Ecosystems: Shared Data and Insights, September 2020