Securing the over three billion IoT devices globally connected to corporate systems via mobile networks presents a formidable and growing challenge for organizations worldwide. Driven by the adoption of newer IoT-specific cell technologies like LTE-M, NB-IoT, and LTE-Cat 1, along with a boom in 5G module shipments as older 2G and 3G modules are phased out, the number of cell-connected IoT devices is growing 27 percent a year, taking market share from Wi-Fi and Bluetooth connections. My recent collaboration with the network and security team of one of our industrial customers provided a front-row seat to the complexities of safeguarding such an IoT ecosystem. The project illuminated several key lessons that can benefit any organization grappling with the security of their IoT devices.
IoT is its own world
The task of securing IoT devices is fraught with unique challenges – they are deployed in vast numbers across varied environments and geographies, with security concerns that are distinct from traditional IT security. Traditional SASE and SSE services rely on VPN or Zero Trust clients to ensure that devices can access the network securely. In contrast, most IoT devices are designed for low-power operation with minimal computing resources, which limits their ability to run conventional client security software, rendering them effectively “clientless.” The computing power and bandwidth that such client software would require almost always exceed the resources the IoT application itself needs day to day. The question faced by IT organizations responsible for securing IoT devices is really, “How do you ensure the security of devices that cannot install clients?”
Furthermore, this heterogeneity and lack of unifying client software, combined with the sheer volume of potentially thousands of IoT devices spread across many locations, means that enforcing consistent security policies, managing updates, and patching known vulnerabilities can fast become a logistical nightmare.
The integration of SIM and SASE
The path out of the cellular-connected IoT security wilderness comes from the realization that such devices already have unique identifiers and an authentication process in the form of the SIM, UICC and their variants. Mobile Network Operators use this identity to authenticate and authorize use of their mobile network. By expanding the perimeter of the mobile network to include a SASE solution, the same SIM/UICC-based identity can be leveraged to identify, authorize and secure the device. Because the SASE solution is always inline with the device connection, traffic generated by the device (or destined for it) can be scanned by the SASE solution in the context of the device identity, securing the IoT device without the need for an agent or on-device application.
For the customer, this meant their IoT devices were no longer a sprawling set of security silos, but were able to achieve the holy grail of unified security and network management. The SASE platform offered a comprehensive suite of security functions integrated with SD-WAN optimization capabilities. This consolidation significantly simplified the IoT management landscape, allowing for centralized policy enforcement and streamlined operations.
The company in question also found that they were now able to tame, from a security perspective, the sizeable number of users on its logistics team using SIM-enabled tablets. These devices ran on a variety of operating systems with agents that would have to be lifecycle managed across each variant, but could easily be transitioned to the unified SASE platform for security and routing.
Zero trust for things
While the security side of SASE brings to bear the full suite of security capabilities, such as secure web gateways and cloud access security brokers, the most intriguing security aspect of the concept is the ability it creates to apply zero trust policies to things. The Versa Operating System (VOS), which undergirds its SASE service, comes with built-in capabilities to identify and fingerprint over one million types of devices; running inline, it examines different attributes of the traffic generated by the devices. Those attributes are then compared against traffic fingerprinting and device identification databases to identify the devices accordingly.
Once identified, devices are mapped to different device types and risk profiles to ease overall device management tasks. Now armed with detailed information on a per device basis, security and networking decisions can be implemented on a per device level of granularity.
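The pipeline described in the two sections above (SIM identity asserted by the mobile core, inline traffic fingerprinting, mapping to a device type and risk profile, then a per-device decision) as a small added illustration. This is example code written for this article, not Versa VOS code; the fingerprint database, risk profiles, SIM inventory, IMSI values and hostnames are all constructed, and the zero-trust default is deny whenever the SIM, the device type or the destination is unknown.

```python
"""Toy inline policy engine: SIM identity + traffic fingerprint -> zero-trust decision.
Added illustration only; every table below is constructed sample data."""
from dataclasses import dataclass

# Constructed fingerprint database: set of attributes observed inline -> device type.
FINGERPRINT_DB = {
    frozenset({"dhcp_vendor=udhcp", "tls_sni=telemetry.example"}): "plc-gateway",
    frozenset({"user_agent=Android", "tls_sni=mdm.example"}): "logistics-tablet",
}

# Constructed mapping of device type -> risk profile and the destinations it may reach.
RISK_PROFILES = {
    "plc-gateway": {"risk": "high", "allow": {"telemetry.example:443"}},
    "logistics-tablet": {"risk": "medium",
                         "allow": {"mdm.example:443", "erp.example:443"}},
}

# Constructed SIM inventory (IMSI -> site). A SIM the operator has not enrolled is never trusted.
SIM_INVENTORY = {"001010123456789": "plant-a", "001010987654321": "depot-b"}


@dataclass
class Flow:
    imsi: str          # identity asserted by the mobile core for this session
    attributes: tuple  # fingerprint attributes the inline SASE node observed
    destination: str   # host:port the device is trying to reach


def fingerprint(attributes):
    """Return the device type matching the observed attributes, or None if unknown."""
    return FINGERPRINT_DB.get(frozenset(attributes))


def decide(flow):
    """Zero-trust decision: unknown SIM, unfingerprinted device or unlisted destination -> deny."""
    if flow.imsi not in SIM_INVENTORY:
        return ("deny", "unknown-sim")
    device_type = fingerprint(flow.attributes)
    if device_type is None:
        return ("deny", "unfingerprinted-device")  # no profile means no trust
    profile = RISK_PROFILES[device_type]
    if flow.destination in profile["allow"]:
        return ("allow", device_type)
    return ("deny", f"{device_type}:destination-not-in-profile")


if __name__ == "__main__":
    f = Flow("001010123456789",
             ("dhcp_vendor=udhcp", "tls_sni=telemetry.example"), "telemetry.example:443")
    print(decide(f))  # ('allow', 'plc-gateway')
```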
Finding a provider of SIM-based SASE services
Versa is working closely with a diverse range of MNOs to integrate SASE on SIM with their mobile networks, ensuring optimal performance and security for IoT devices and for end-users on mobile devices such as tablets and smartphones on these networks. If this use case resembles yours, we can help guide you towards a provider in the Versa partner ecosystem.