Part 6 of 8: Pairing Expeto with ZTNA for Device to Application Trust
Virtual Private Networks (VPN) are dead. Long live the VPN? There is much confusion about the best methods of protecting IoT data at rest and in flight. For years, setting up a VPN over the public internet, or even over private circuits, was seen as "just how it's done".
The Old Way
VPNs provide point-to-point connections between networks that allow devices to communicate over a supposedly "trusted" transport. However, a VPN places the device "on the network", and as a side effect it typically permits lateral movement to other hosts, reconnaissance queries against them, and possibly packet capture. This is a problem, and one that is often overlooked in the world of Shadow Operational Technology (OT). When business units deploy Shadow OT solutions without consulting IT, any given vendor may recommend a VPN with little consideration of risk because "that's just how it's done".
The New Way
Expeto Wireless mitigates part of the enterprise risk equation for Shadow OT by giving the enterprise full control over a trusted underlay network built on cellular connectivity. Even so, there is often still an urge to put a VPN overlay on top. Zero Trust Network Access (ZTNA) provides an alternative. Most industrial sensors and other OT devices have a specific purpose and report data to a specific application, such as an IoT broker service. ZTNA establishes a trust association between that application and that device on demand. Metadata properties of the user, the device and, with Expeto, even the cellular session (for example which SIM and which APN the device is on) can be used to enforce intent-based policies. ZTNA does not put the device "on the network"; it provides a software-defined perimeter that allows access to specific applications without exposing them, or anything else, to the broader network. Lateral movement, reconnaissance queries and other hijinks are denied by default because no policy grants them.
What about data sovereignty and strict regulatory obligations, including privacy? Many business verticals have strict rules about where and how data can flow. In Australia, for example, certain critical infrastructure data is forbidden from traversing the public internet or leaving the country. Healthcare also offers many classic cases where strict data privacy controls must be met. Using a generic SIM card with a generic ZTNA service can violate these obligations without anyone noticing, with serious repercussions. Why? Because the flow of data is neither deterministic nor auditable: the traffic is encrypted, but nobody can attest to which networks, hops or countries it crossed.
The trusted network underlay offered by Expeto lets the enterprise control, and attest to, the known path its data will travel. ZTNA then creates a dynamic trust association between the application and the device, ensuring data is protected by policy and encrypted along that path. Expeto users can even terminate traffic directly onto a hyperscaler service of their choice, with the ZTNA services hosted within their own domain as well. This combination keeps the device-to-application trust relationship intact without the traffic ever touching the public Internet.
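To make the two preceding ideas concrete (per-application access decided from session metadata, and a sovereignty condition on where the session is anchored), here is an added example of a toy policy decision point. It is illustrative code written for this page, not Expeto's or any ZTNA vendor's implementation; the APN name, IMSI, device identifiers, application names and the SIM inventory are all constructed assumptions. The point it shows is that a request is evaluated against an explicit device-to-application intent, that attributes of the cellular session (which APN, which SIM, which country) gate the decision, and that anything not granted, including a hop to a neighbouring host, is denied by default.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed enterprise APN name; a real deployment uses whatever the carrier provisions.
ENTERPRISE_APN = "enterprise.private.apn"


@dataclass(frozen=True)
class SessionContext:
    """Attributes the policy engine can see for one cellular session (constructed)."""
    device_id: str        # identity the enterprise inventory binds to the SIM
    imsi: str             # subscriber identity reported by the cellular core
    apn: str              # access point name the session was established on
    posture_ok: bool      # device attestation result (firmware/config checks)
    country: str          # country where the session is anchored (sovereignty rules)


@dataclass(frozen=True)
class Rule:
    """One intent: these devices may reach this application, under these conditions."""
    device_ids: FrozenSet[str]
    application: str
    require_enterprise_apn: bool = True
    allowed_countries: FrozenSet[str] = frozenset()   # empty = no geographic restriction


# Constructed policy: the sensor may talk to the IoT broker, and nothing else.
POLICY: List[Rule] = [
    Rule(device_ids=frozenset({"sensor-0042"}), application="iot-broker",
         allowed_countries=frozenset({"AU"})),
]

# Constructed SIM-to-device mapping; a real system reads this from the cellular core.
SIM_INVENTORY: Dict[str, str] = {"505010123456789": "sensor-0042"}


def authorize(ctx: SessionContext, application: str,
              policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    # The claimed device identity must be the one bound to the IMSI on this session;
    # a device claiming someone else's identity is rejected before any rule is read.
    if SIM_INVENTORY.get(ctx.imsi) != ctx.device_id:
        return False, "device identity does not match the SIM on this session"
    for rule in policy:
        if rule.application != application or ctx.device_id not in rule.device_ids:
            continue
        if rule.require_enterprise_apn and ctx.apn != ENTERPRISE_APN:
            return False, "session is not on the enterprise APN"
        if not ctx.posture_ok:
            return False, "device posture check failed"
        if rule.allowed_countries and ctx.country not in rule.allowed_countries:
            return False, "session anchored outside the permitted region"
        return True, f"{ctx.device_id} -> {application} permitted by policy"
    return False, f"no rule grants {ctx.device_id} access to {application} (default deny)"


def decisions() -> Dict[str, bool]:
    """Run the scenarios the text describes and return allow/deny per scenario."""
    good = SessionContext("sensor-0042", "505010123456789", ENTERPRISE_APN, True, "AU")
    generic_sim = SessionContext("sensor-0042", "505010123456789", "internet", True, "AU")
    offshore = SessionContext("sensor-0042", "505010123456789", ENTERPRISE_APN, True, "US")
    spoofed = SessionContext("engineer-laptop", "505010123456789", ENTERPRISE_APN, True, "AU")
    return {
        "sensor_to_broker": authorize(good, "iot-broker")[0],
        "sensor_to_hmi": authorize(good, "hmi-workstation")[0],   # lateral move: denied
        "generic_sim_to_broker": authorize(generic_sim, "iot-broker")[0],
        "offshore_session_to_broker": authorize(offshore, "iot-broker")[0],
        "spoofed_identity_to_broker": authorize(spoofed, "iot-broker")[0],
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

Only the first scenario is allowed. Contrast this with the VPN model from "The Old Way": once the sensor holds an address on the VPN subnet, the "hmi-workstation" hop is a routing question rather than a policy question, and nothing in the transport stops it. The country check is the sovereignty caveat from the previous paragraph expressed as policy; it is only meaningful if the underlay can actually report, and attest to, where the session is anchored.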
Put Your Trust in Expeto
As digital transformation continues to gain momentum in the industrial space, more and more devices will be added to the enterprise's domain of attestation and accountability. Corporate IT may not always be directly involved in specific solutions from third-party vendors. Standardizing on a data communication platform that offers full enterprise control from SIM to server reduces the attack surface and residual risk by default. Policy enforcement can be set up with support from Corporate IT and Security, then deployed broadly to in-house IT and third-party Shadow OT devices with far less worry, so long as both use the enterprise standard-issue SIM card with ZTNA enabled.
Expeto offers the experience, expertise and an Enterprise First platform to deploy and manage public and private networks according to mission-critical business needs.
To read more in Brian Baird’s Shadow OT series, click below!