Solving IoT’s Access Control Conundrum

By Tim Boivin

By 2024, the number of Internet of Things (IoT) connections will grow by 130%, to 83 billion. Much of this growth will be driven by the business world’s focus on digital transformation. The question for your IT team is how to control access requests coming in through all these Internet connections.

Total Access Control (TAC) from PortSys offers the most robust access security available today for SSH services designed for Command Line Interface (CLI) controls, including those used by IoT devices.

TAC’s Zero Trust Access solution provides your organization with the ability to implement authentication for access to these services based on a user’s full context of access. TAC provides access only to the device/interface desired rather than access to the network itself. This microsegmentation can make a huge difference when your security is on the line.

TAC reduces the complexity that IoT devices introduce into your infrastructure, offers a centralized approach to fully authenticating access requests, and significantly reduces your IT security spend on IoT as well. TAC may also eliminate the need for a terminal client application such as PuTTY that is typically required for CLI or IoT access, since your SSH connections are provided by TAC to users through any modern browser.

Organizations today use SSH services to access a variety of CLI-based devices found in various applications – including Linux/Unix servers, switches, routers, AP controllers, and of course IoT devices. Those IoT devices are used for everything from monitoring cameras to locking doors to temperature sensors in refrigeration units.

While the financial services and healthcare sectors led the early IoT adopters, much of the ongoing expansion of IoT will be powered by the industrial sector – including the agriculture, manufacturing and retail markets. The industrial sector alone is expected to account for 70% of the new connections over the next four years.

Considerable growth is also expected in critical infrastructure. Municipalities are adapting IoT for traffic control systems, law enforcement agencies are using IoT devices such as bodycams, and utilities use IoT to help control power and water supplies.

Organizations historically have struggled, however, with securing access to IoT devices. Most organizations don’t even have an accurate count of how many IoT devices access their networks, and almost a quarter of companies report the risk from IoT as “extremely high,” according to the Marsh Microsoft 2019 Global Risk Perception Survey. That’s because IoT devices are frequently unpatched, configured incorrectly and poorly managed.

TAC helps make all those services invisible to the Internet – protecting your infrastructure against hackers who are increasingly targeting your SSH services to attempt to gain entry and then pivot within your network to launch attacks including ransomware, data exfiltration and more. 

Perils of Parallel Networks

To address those security issues, many organizations have built comprehensive air-gapped networks designed for the exclusive use of IoT devices. These independently managed parallel networks often connect to Command Line Interface (CLI) controls via traditional IP methods, but also through out-of-band communications to legacy serial-based interfaces as well.

But that parallel approach also means investing in many 1:1 wide area networks (WANs) consisting of routers, ISPs and other equipment for each independent network needed. This type of deployment architecture directly impacts the monthly run rate and management/administrative overhead involved as these networks scale.

In addition, organizations face significant security challenges in managing all the CLIs handling access requests for IoT devices. For instance, if there are multiple offices or locations, or if there are third-party vendors using IoT devices to monitor and manage equipment, these distributed entities often build their own TLS tunnels to connect back to a private cloud. Your organization loses visibility and control over access when that happens.

Also, organizations lack a centralized approach to manage access across the enterprise in a secure way. They instead use a multitude of port-forwarding rules and configure separate edge firewalls for each location or vendor to accommodate access for all these IoT devices. Even then, many organizations rely on the weak authentication – if any at all – incorporated into IoT devices, which historically have not been designed with security top of mind.

Microsegmentation for IoT

Many of today’s attacks originate with third parties – vendors whose software or service runs on your network. In an ideal world, those vendors would have robust security measures in place to prevent infections. But too often they don’t, and organizations end up getting attacked with their own valid credentials, acquired through phishing or brute force attacks.

The truth is in today’s IoT world, you never really know how robust the security of your third-party vendor is. The moment one of them manages the connection to IoT devices in your network, you’ve lost access control. No matter how you architect your network, without centralized control and visibility into all access, you will never know how fully protected your infrastructure is.

TAC provides that centralized access control, along with the microsegmentation needed to effectively control what anyone is able to access on your network.

Any SSH service requests that come in through TAC’s gateway are fully vetted for their context of access. For example, you could know that they are coming in from a trusted network of a third-party vendor, that they are using a trusted device, and that they passed both TAC’s credentials check and two-factor authentication, all before they are granted access to a CLI, router or switch. They may also access only those IoT devices they are specifically authorized for, not your entire network.
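The vetting described above, modelled as an added example (this is not PortSys code; the vendor name, subnet and device identifiers are constructed). Every contextual check must pass, and the resulting grant names a single device rather than a network:

```python
"""Model of context-based SSH access vetting as the article describes it.

Illustration only, not PortSys code: a request is admitted only when it
arrives from a trusted vendor network, from a trusted device, with valid
credentials and a second factor, and even then only to the specific
device the user is authorized for, never the network as a whole.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed sample policy for a hypothetical camera vendor "acme-cctv".
VENDOR_NETWORKS = {"acme-cctv": [ip_network("203.0.113.0/24")]}  # RFC 5737 doc range
TRUSTED_DEVICES = {"acme-cctv": {"laptop-0042"}}
# Per-user authorization lists exact device identifiers, not subnets.
AUTHORIZED_TARGETS = {"jdoe@acme-cctv": {"cam-store-0101", "cam-store-0102"}}


@dataclass
class AccessRequest:
    user: str             # e.g. "jdoe@acme-cctv"
    vendor: str
    source_ip: str
    device_id: str
    credentials_ok: bool  # outcome of the credential check
    mfa_ok: bool          # outcome of the second-factor check
    target: str           # the single IoT device/CLI the user asked for


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (granted, reason). Checks are ordered; the reason names the
    first failing check so that it can be logged and audited."""
    nets = VENDOR_NETWORKS.get(req.vendor, [])
    if not any(ip_address(req.source_ip) in n for n in nets):
        return False, "source network not trusted for vendor"
    if req.device_id not in TRUSTED_DEVICES.get(req.vendor, set()):
        return False, "device not trusted"
    if not req.credentials_ok:
        return False, "credentials rejected"
    if not req.mfa_ok:
        return False, "second factor missing"
    # Microsegmentation: the grant covers one named device only.
    if req.target not in AUTHORIZED_TARGETS.get(req.user, set()):
        return False, "user not authorized for target device"
    return True, f"session to {req.target} only"
```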

For instance, a retail chain may use a security monitoring service provider that delivers IP camera surveillance services and support. The MSP manages those cameras, which have their own operating systems and interfaces to manage, as well as their own cadence of upgrades, patches and everything else that has to be maintained.

Now multiply that by the thousands of locations a national retailer may need the service to monitor across the country. And start thinking about services using IoT devices to connect for other purposes – such as managing inventory, maintaining the proper temperatures in refrigeration units, running the secure entry doors, or managing HVAC systems. That IoT world very quickly becomes increasingly complex and more costly. And your network is still at risk.

However, if those IoT devices are accessed through Total Access Control, the provider’s users can’t even touch those devices until they are fully authenticated. And then they get access only to the cameras – not your network, accounting systems, credit card data, or any other proprietary systems you need to protect.

What’s Next: Command with Control

TAC’s centralized approach to managing access offers organizations the unique ability for the first time to monitor and audit all access across the enterprise. For instance, now facility managers know who has been accessing their building’s systems and when; and power systems and water utilities have a full audit trail of all access attempts to their critical infrastructure and to IoT devices.

The move to digital transformation across our business world will continue to drive exponential growth in the use of CLI-controlled technologies and increase your use of SSH shared services. TAC offers you the ability to get control over access to CLIs and IoT devices. And soon, you will also be able to control the commands that are available for each user based on your own security policies.

Not only does TAC provide control over access to SSH services, but also over access to the rest of your applications and resources, both on premises and in the cloud. Finally, you will have the ability to manage access to all your resources in one central place.