A VPN may not be the right tool for IoT security
December 17, 2014
My grandfather used to say, "Use the right tool for the job." He was a production engineer, responsible for the manufacture and assembly of freight el...
My grandfather used to say, “Use the right tool for the job.” He was a production engineer, responsible for the manufacture and assembly of freight elevators and doors. Whenever, in my youthful enthusiasm, I tried to chisel wood with a screwdriver or tighten a nut with a pair of pliers, he would send me back to the toolbox to get the right tool. Manufacturing has adopted new technologies since his day, but that lesson hasn’t changed much. To do the best job, use the right tools.
Take for example the job of securing the Internet of Things (IoT). When you think of security on the Internet, one of the first things that may come to mind is virtual private network (VPN). And why not? Virtual private networks are good at what they were designed to do. They’re used worldwide to secure private networks on the Internet. However, when applied to the IoT, a VPN can leave you exposed.
Sure, a VPN provides a space on the network that’s securely isolated from all other traffic. However, within that space, all nodes are accessible by any participant. Think of an office building with one highly secure entry door. Only the holders of the key can get in. But once inside, they find the doors to every room on every floor unlocked. Thus, it becomes critically important to keep any keys to the building in the right hands.
Of course, for certain jobs like networking the notebooks of remote staff or linking a company’s datacenters over the Internet, a VPN is often the right tool. The IT manager can put safeguards into place to ensure that the physical hardware used to log onto the network is in a safe place, in authorized hands.
But this assumption isn’t necessarily justified on the IoT. Devices on the IoT could be located just about anywhere – in homes, cars, and streets, as well as factory production lines, solar grids, and oil pipelines. Most of these devices will have the necessary means to connect to the network automatically. The chance of some untrusted individual gaining access to one of these devices is significant.
In addition to the devices themselves, customers may want to work with their data from tablets and smartphones. It is the IoT after all, right? But a phone is a bigger risk than a laptop, simply because it goes with the user practically everywhere, and it can get lost or stolen more easily. According to Clemens Vasters, Senior Program Manager at Microsoft’s Connected Systems Division, “The security of a virtual network space solely depends on controlling and securing all assets that connect into it, which obviously includes physical access security.”
Another consideration is multi-institution connections. For some people, the vision of the IoT includes connecting devices that belong to different companies. Maybe you want to give certain suppliers access to the latest data in your production system, or permit consultants to poll devices in the field. Or perhaps several companies need to work from a common data set. Few IT managers would be willing to provide all these participants access to a corporate VPN.
And finally, there are the sheer numbers. The vision for the IoT is for millions of devices to be connected. Although not every device will be linked to every other device, the scale still dwarfs most current implementations of VPN. Each additional device becomes one more security risk, and adds to the tasks of maintaining the system. The per-device resources needed to support a VPN are significant, as are the requirements on the server side to manage such a vast network. The costs and workload add up quickly.
For all these reasons, a VPN is not the ideal solution. I encourage anyone who needs to connect securely to the IoT to dig deeper, carefully weigh the options, and then choose the right tool for the job.
Skkynet Cloud Systems