Recent events have shown that it is no longer a question of if your IT infrastructure will be compromised, but when, and what the impact on your organisation will be. The question for everyone is: what can be done to limit the impact of such an incident?
While traditional security technologies typically focus on the perimeter (firewalls, email scanning) and the end-station (anti-virus), this is only a small part of your security posture. The local network (LAN and WiFi) often has no embedded security features other than the password for the wireless network. Once on the local network all is fair and any internal destination is reachable with any protocol.
The problem is that not all devices on the network have the same level of security. While corporate-installed desktops only run approved applications and never leave the safety of the internal, trusted network, laptops and other mobile devices do. Worse, some devices may not be managed by your IT organisation at all because they are owned by the employee. Increasingly, the network also connects devices that do not run the latest and most secure software. These range from network-connected printers, IP phones, cameras, automatic doors and time registration devices to the actual controllers of your manufacturing processes. The Internet of Things (IoT) will cause a further influx of connected devices on your network.
Not only do all of these connected devices create a larger attack surface, they also increase the impact of an incident to the point where everything comes to a grinding halt, and the time to repair grows by an order of magnitude.
How can the network provide security?
The key question to ask yourself is: does my desktop PC need to connect to my time registration clock, and does that clock need to communicate with my PLC controllers? More often than not, the answer is “no”. If the answer is “yes”, then most likely it is not “yes” for all types of communication.
Segmenting the network is the answer, and it can be relatively simple. Most LAN switches support VLANs, and wireless access points can be split into multiple logical access points. The bigger challenge lies in managing cross-domain communication. Special firewalls for so-called “east-west” traffic can secure the network without compromising the throughput that we have come to expect.
Another challenge is ensuring that devices remain inside their designated network segment, or are automatically moved to a less trusted segment when their behaviour changes. A patching mistake at the switch or patch panel is easy to make and can go unnoticed. Then there are the “convenience” mistakes, where a device was connected to a more trusted segment because “I knew the WiFi password for that segment and not for the other”.
Devices that are not up to date should be automatically moved to a less trusted network segment until they have been validated as secure to the level required for their default segment. Devices that start exhibiting unexpected communication patterns should automatically be isolated until their behaviour has been investigated and confirmed as legitimate.
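The segmentation policy described above (a default-deny allow-list for east-west traffic, new devices landing in the least trusted working segment, out-of-date devices moved to quarantine, and isolation on unexpected traffic) can be expressed as a small policy model. The following is an added example written for this page; it is not Infradata's code or any product's configuration format. The segment names, trust ordering, allowed flows, patch-age threshold, MAC addresses and observed flows are all constructed for illustration.

```python
"""Model of a segmented network policy: default-deny east-west allow-list,
posture-based placement, and isolation on unexpected cross-segment traffic.
All names, ports and devices below are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed segment names, least trusted first. "isolated" permits nothing.
SEGMENTS = ["isolated", "quarantine", "guest", "iot", "corp", "ot"]

# East-west allow-list keyed by (src_segment, dst_segment, proto, dst_port).
# Any cross-segment flow not listed here is denied (constructed entries).
ALLOWED_FLOWS = {
    ("corp", "iot", "tcp", 9100),         # desktops print to network printers
    ("corp", "ot", "tcp", 443),           # HMI web console only, no raw PLC protocols
    ("quarantine", "corp", "tcp", 8530),  # quarantined hosts may reach the patch server
    ("guest", "corp", "udp", 53),         # guests may use the internal resolver
}

MAX_PATCH_AGE = timedelta(days=30)  # constructed posture threshold


@dataclass(frozen=True)
class Device:
    mac: str
    home_segment: Optional[str]   # None: never explicitly assigned a trust domain
    last_patched: Optional[date]  # None: patch level unknown


def placement(dev: Device, today: date) -> str:
    """Segment the device should be in right now, based on its posture."""
    if dev.home_segment is None:
        return "guest"        # unknown devices default to the least trusted working segment
    if dev.last_patched is None or today - dev.last_patched > MAX_PATCH_AGE:
        return "quarantine"   # out of date: only the patch server is reachable
    return dev.home_segment


def flow_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Default-deny check for traffic between segments."""
    if src == "isolated" or dst == "isolated":
        return False
    if src == dst:
        return True           # intra-segment traffic is not policed by the east-west firewall
    return (src, dst, proto, port) in ALLOWED_FLOWS


def evaluate(devices: List[Device],
             flows: List[Tuple[str, str, str, int]],
             today: date) -> Dict[str, str]:
    """Place each device by posture, then isolate any device whose observed
    flows hit a denied segment pair. flows: (mac, dst_segment, proto, port).
    Returns {mac: final_segment}."""
    current = {d.mac: placement(d, today) for d in devices}
    for mac, dst, proto, port in flows:
        src = current.get(mac, "guest")   # unregistered MACs are treated as guest
        if not flow_allowed(src, dst, proto, port):
            current[mac] = "isolated"     # unexpected communication: isolate until reviewed
    return current


# Constructed sample inventory and observed flows.
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("aa:aa:aa:00:00:01", "corp", date(2024, 5, 20)),  # healthy desktop
    Device("aa:aa:aa:00:00:02", "corp", date(2024, 1, 5)),   # desktop with stale patches
    Device("aa:aa:aa:00:00:03", "iot", date(2024, 5, 15)),   # time registration clock
    Device("aa:aa:aa:00:00:04", None, None),                 # device nobody has registered
]
SAMPLE_FLOWS = [
    ("aa:aa:aa:00:00:01", "iot", "tcp", 9100),  # desktop prints: allowed
    ("aa:aa:aa:00:00:03", "ot", "tcp", 502),    # time clock reaching the PLC segment: denied
]

if __name__ == "__main__":
    for mac, seg in evaluate(SAMPLE_DEVICES, SAMPLE_FLOWS, TODAY).items():
        print(mac, "->", seg)
```

Running the sample leaves the healthy desktop in `corp`, moves the stale desktop to `quarantine` (where only the patch server is reachable), places the unregistered device in `guest`, and isolates the time clock because its traffic towards the PLC segment matches nothing in the allow-list. In a real deployment the allow-list would live in the east-west firewall and the placement decision in the NAC or SDN controller; the value of modelling it first is that the intended flows between functional domains are written down and can be reviewed before they are enforced.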
How can Infradata help?
Infradata has 13 years of experience in building public and private data centres and carrier WAN solutions. We can help you identify the types of devices on your network, the associated security risks, and how they can be segmented into functional domains. Infradata can also (re)design your local network to implement this functional separation, ensuring that devices remain in their segments and that new devices can by default only connect to the least trusted segment until they have been explicitly assigned a higher trust domain. Additional management features, for instance Software Defined Networking (SDN), can automate these tasks and make changes on the fly in response to behavioural changes on the network.