The Limit Does Not Exist: Why Defending the Perimeter Is Not Feasible in the IoT

Perimeter defense technologies can help in blocking external attacks, but often fail to prevent attacks by inside devices or apps.
By Chirag Pathak
Nov 01, 2017

Information technology (IT) teams of the past had a fixed, almost rigid approach toward enterprise security. Organizations focused on a perimeter network security approach, which allowed only a fixed set of machines and devices to operate, only trusted enterprise apps to run and only business tasks to be accomplished. Then came the "cloud era," which forced enterprise IT teams to abandon this rote security model to make provisions for a multitude of devices (read: BYOD) and digital apps.

Before they could fully draw a foolproof plan to counter this rise, however, the phenomenon known as the Internet of Things (IoT) emerged, which ensured the existence of a perimeter-less world. The IoT has enabled almost any device to turn digital, which means that users can connect to enterprise networks using even their home refrigerators, making them more vulnerable to data breaches than ever before. Since IoT perimeters can be infinite, having perimeter defense technologies like firewalls, intrusion detection systems (IDS), application proxies and VPN servers may not be enough. These methods can help in blocking external attacks but often fail to prevent attacks by inside devices or apps.

Perimeter Security: Key Features
In cybersecurity, the perimeter is a security barrier that defines a trust boundary within which digital assets are stored. There are three implicit constituent concepts:

Trust: The general rule of thumb is that components and logic within the perimeter are trusted, whereas everything external, such as clients, are not. Trust is one's innate belief that the components, users, etc., will exhibit predictable behavior and collaborate according to mutually agreed law or policy governing the use of assets.

Asset: The perimeter protects digital assets from untrustworthy actors. The general rule of thumb is to store them on centralized secure databases and enforce strict access control. In an information system, the assets are generally information that is either directly generated by users through interactions or by the system as part of business process logic.

Security Barrier: The perimeter is protected by security controls, such as authentication (Password, SAML 2.0, SRP, TLS, etc.), authorization (RBAC, ABAC, DRM, etc.), firewalls, intrusion detection, SIEM, and so forth. These controls are identified by performing an information risk analysis that determines the likelihood of an attack and its impact with respect to an asset's business value. The likelihood analysis is generally an assessment of vulnerabilities and threats against the assets by predicting attack scenarios. Most of these controls either use whitelisting or blacklisting algorithms to detect malicious access. This is possible because the system defines what input and output information it expects.

Thus, perimeter defense identifies the zone of trust to store the asset, which can be protected through security controls to defend against identified threats. In other words, as the number of unknown vulnerabilities and threats increases, the perimeter strength decreases. Perimeter defense techniques and methodology have served us well up until now, but we find them inadequate in IoT systems.

Unbounded Vulnerabilities
Even a simple IoT system is more complex than a complicated closed cyber system, because:
• It is composed of a number of different and diverse components (software and hardware).
• It is an open system—it can affect the physical environment and be affected by it.
• It consists of multiple feedback loops, e.g. reflexive and deliberative control.
• Most importantly, it exhibits an emergent systemic behavior, which is not an aggregation of the behavior of its constituents.

JOIN THE CONVERSATION ON TWITTER
Loading
ASK THE EXPERTS
Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations