Security Architecture for Small Branch and IoT
Parallel networking and IoT
Kent Woodruff, CSO, Cradlepoint
The Monolithic Network (slide diagram, labels only): Internet / Private Network; Server; Employee Tablet; Back Office; Customer Area; Equipment Room; Customer Smartphone; Corporate Applications and Data Center (cloud-based); Network Admin; Customer Marketing; Security Mgmt; Store Operations; Primary Network (WAN), typically T1, DSL or Cable; Failover Connection, 4G-LTE as a backup WAN connection.
Segmentation
Go PhishYourself
Spear Phishing Example
The Result and Impact
• The Industry Experts’ Analysis
– They passed its PCI Compliance audit in September
– They may have not done enough to wall off its payment systems from the rest of its vast network, people who work with large corporate networks said.
– The company has since moved to isolate its different platforms and networks to make it harder for a hacker to move between them, an executive said.
– So-called segmentation issues, where computer systems that shouldn't be connected for security reasons are in fact linked, are a problem at a number of retailers, a person familiar with retail breaches said.
– There shouldn't have been a route between a network for an outside contractor and the one for payment data, people familiar with large corporate networks said.
Source:
Why is Segmentation Hard?
And then…
Solution: Parallel Networking
Physically separate networks for 3rd parties and non-core applications
(Slide diagram, labels only: each of the following networks has its own 4G LTE connection to the Internet / Private Network: Kiosk Network, Digital Signage Network, HVAC System Network, Customer WiFi Network, Employee Network, Energy Mgmt Network, Point-of-Sale Device Network, Security System Network, Store within a Store Network.)
Solution Overview
• Cloud-managed IoT/M2M routers dedicated to a single use
• Typically used by 3rd-parties for BYON (Bring Your Own Network)
• Creates physically separate networks for increased security
Benefits
• Increases PCI Compliance by reducing scope of network
– PCI Auditors must evaluate everything in the Cardholder Data Environment (CDE)
– Removing usage from the CDE such as customer WiFi, digital signage, 3rd-parties, etc. reduces scope, increases PCI compliance, and reduces security risk.
– Dedicated networks for POS devices (checkout, kiosk, etc.) have fewer security risks
• Eliminates 3rd-party dependencies on branch/store network
– 3rd-parties include kiosks, store-within-a-store, digital signage, security, HVAC, energy mgmt
– 4G-LTE enables network connectivity with no wires to install or manage
– 3rd-parties prefer homogeneous networks for control, consistency and manageability
• Security through Separation
– Eliminates the opportunity for thieves to hack into the network and launch a “pivot attack”
– Network segmentation that is “logical” rather than “physical” is prone to misconfiguration
– The Target breach highlights the susceptibility of monolithic networks to a pivot attack.
• Enables Offload of Non-Core Traffic from the Private Network
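The two claims in the Benefits list, that logical segmentation is prone to misconfiguration and that removing third-party traffic shrinks PCI scope, can both be checked mechanically from a firewall or ACL ruleset. The following is an added example written for this page, not code from the slides or from Cradlepoint. It models a branch network as segments with permitted flows (constructed rules and hypothetical segment names), then reports (a) any third-party segment that has a transitive path into the cardholder data environment, which is the "pivot" the deck warns about, and (b) the set of segments that can reach the CDE and therefore fall within audit scope. It compares a monolithic ruleset containing one over-broad rule with a parallel-networking ruleset where third-party segments only have their own uplink; the same check applies to the connected-bus case later in the deck, where passenger WiFi, CCTV and the card processor share one vehicle.

```python
from collections import deque

# Constructed policies (hypothetical names, not taken from the slides). Each rule
# is an allowed flow src -> dst between network segments, as a defender would
# extract from firewall/ACL configuration.
CDE = {"pos"}                                        # cardholder data environment
THIRD_PARTY = {"hvac_vendor", "digital_signage", "customer_wifi"}

# "Logical" segmentation on one monolithic network: VLANs exist, but one
# over-broad rule lets the HVAC vendor reach an internal server segment that
# can in turn reach the POS segment.
MONOLITHIC_RULES = [
    ("hvac_vendor", "building_mgmt"),
    ("building_mgmt", "corp_servers"),   # misconfiguration: far too broad
    ("corp_servers", "pos"),
    ("employee", "corp_servers"),
    ("digital_signage", "internet"),
    ("customer_wifi", "internet"),
    ("pos", "payment_processor"),
]

# Parallel networking: third-party segments have their own uplink and no rule
# permitting traffic into any internal segment.
PARALLEL_RULES = [
    ("hvac_vendor", "internet"),
    ("digital_signage", "internet"),
    ("customer_wifi", "internet"),
    ("employee", "corp_servers"),
    ("corp_servers", "pos"),
    ("pos", "payment_processor"),
]


def build_graph(rules):
    """Directed adjacency map; every segment named in a rule becomes a node."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def find_path(graph, start, targets):
    """BFS from start; return the first path into any target segment, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets and node != start:
            path = []
            while node is not None:          # walk parents back to start
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def pivot_paths(rules, third_party=THIRD_PARTY, cde=CDE):
    """Map each third-party segment to a transitive path by which it reaches the CDE."""
    graph = build_graph(rules)
    findings = {}
    for seg in sorted(third_party):
        path = find_path(graph, seg, cde)
        if path:
            findings[seg] = path
    return findings


def pci_scope(rules, cde=CDE):
    """Segments that are in the CDE or can reach it, i.e. 'connected-to' and in scope."""
    graph = build_graph(rules)
    return {seg for seg in graph if seg in cde or find_path(graph, seg, cde)}


if __name__ == "__main__":
    for name, rules in (("monolithic", MONOLITHIC_RULES), ("parallel", PARALLEL_RULES)):
        print(f"{name}: PCI scope = {sorted(pci_scope(rules))}")
        for seg, path in pivot_paths(rules).items():
            print(f"  pivot path from {seg}: {' -> '.join(path)}")
```

Run against real configuration, the rule list would be generated from the firewall export rather than typed in; the point of the exercise is that a single permissive rule between two internal segments is enough to put every third-party segment behind it into the CDE's reachability set, which is exactly the misconfiguration risk a physically separate uplink removes.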
In-Vehicle Networks
• The Connected Bus
Trends Driving In-Vehicle Networks
• Mobility (Access & Deployment)
• Pervasiveness of Affordable, High Bandwidth, 4G LTE
• Cloud-based Applications
• Big Data
(Connected bus diagram, labels only: CCTV Cameras for Security, Internal Digital Signage, Passenger WiFi, Credit Card Processor, Connected Exterior Digital Signage, Bus Driver Tablet.)
…and if you don’t segment?
DEMOs
• Reverse Engineering CANbus
• Searching for easy IoT targets
• Spoofing email
Thank you!
#SupplyChainGeek
Kent Woodruff
Cradlepoint
kwoodruff@cradlepoint.com
