Over the past two decades, secure outbound remote access to enterprise IT resources (servers, applications, services, cloud, etc.) has become a stable but often neglected technology. With the advent of edge computing, industrial enterprises have increasingly recognized the need for secure inbound remote access for a variety of reasons, including remote troubleshooting, run-time configuration changes, and remote monitoring.
MQTT and CoAP: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) are two of the most popular publish-subscribe machine-to-machine (M2M) protocols. Both are easy to use, adaptable, lightweight protocols suited to connecting large fleets of devices over the Internet, and both are designed specifically for resource-constrained M2M use cases (e.g. low power, high latency, limited bandwidth).
However, these protocols, which carry traffic between devices and cloud brokers, come with their own risks and pitfalls. A December 2018 Trend Micro report, "The Fragility of Industrial IoT's Data Backbone: Security and Privacy Issues in MQTT and CoAP Protocols", puts M2M security vulnerabilities front and center. It describes how attackers were able to locate exposed IoT servers and brokers and, through them, leak over 200 million MQTT messages and 19 million CoAP messages. Leaked data of this kind can then be weaponized for industrial espionage, denial-of-service attacks, and targeted attacks:
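The exposed brokers the report describes are typically the result of a broker configuration that accepts anonymous clients over a plaintext listener bound to every interface. The following audit script is an added example for this article (it is not code from the article or from Trend Micro): it parses a Mosquitto-style `mosquitto.conf` and flags the two settings a defender should check first. The directive names (`listener`, `allow_anonymous`, `certfile`, `keyfile`, `cafile`, `require_certificate`, `per_listener_settings`) are real Mosquitto directives; the weak and hardened sample configurations embedded below are constructed for the example.

```python
"""Audit a Mosquitto broker configuration for settings that leave an MQTT
broker reachable and writable by anyone on the Internet.

Added example for this article, not the article's own code. It assumes the
mosquitto.conf key/value layout in which directives following a `listener`
line apply to that listener. The sample configs below are constructed."""

# Per-listener directives that indicate TLS is configured for that listener.
TLS_KEYS = ("certfile", "keyfile")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_config(text):
    """Split mosquitto.conf text into global settings plus one dict per
    `listener` block. Returns (globals, [listener, ...])."""
    global_settings = {}
    listeners = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":
            # "listener <port> [bind_address]"; no address means all interfaces.
            fields = value.split()
            current = {
                "port": fields[0],
                "bind_address": fields[1] if len(fields) > 1 else "0.0.0.0",
            }
            listeners.append(current)
        else:
            current[key] = value
    return global_settings, listeners


def effective(listener, global_settings, key, default):
    """A listener-level directive overrides the global one, which overrides
    the default used by this audit."""
    return listener.get(key, global_settings.get(key, default)).lower()


def audit(text):
    """Return a list of (port, finding) tuples; an empty list means the
    config passed both checks."""
    global_settings, listeners = parse_config(text)
    findings = []
    if not listeners:
        # Mosquitto 2.0 binds only to localhost when no listener is declared;
        # earlier releases bound port 1883 on all interfaces.
        findings.append(("<default>", "no explicit listener: declare one so the "
                                      "bind address and TLS settings are explicit"))
        return findings
    for lst in listeners:
        port = lst["port"]
        if effective(lst, global_settings, "allow_anonymous", "false") == "true":
            findings.append((port, "allow_anonymous true: any client that can reach "
                                   "the port may publish and subscribe"))
        has_tls = all(k in lst for k in TLS_KEYS)
        if not has_tls and lst["bind_address"] not in LOOPBACK:
            findings.append((port, "plaintext listener reachable beyond loopback: "
                                   "add certfile/keyfile or bind to 127.0.0.1"))
    return findings


# Constructed sample: the classic exposed-broker configuration.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""

# Constructed sample: TLS with client certificates on 8883, plaintext only on
# loopback for local tooling, anonymous access disabled on both.
HARDENED_CONF = """
per_listener_settings true
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
allow_anonymous false
listener 1883 127.0.0.1
allow_anonymous false
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run against the weak sample the audit reports both anonymous access and a plaintext listener on port 1883; the hardened sample produces no findings. A real deployment would also check that `password_file` or a certificate-based authentication path exists for every non-anonymous listener and that the broker's ACL file restricts which topics each identity may publish to.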
Traditional VPN Models: Legacy VPN models also lack the flexibility and scalability to meet machine builders' specific needs for secure inbound remote access.
As Gartner recommends, today's digital enterprise needs a worldwide fabric/mesh of network and network-security capabilities that can be applied when and where needed to connect entities to the networked capabilities they require. Think of an edge-compute-friendly, modular network infrastructure that functions as a global virtual LAN, with firewalls, identity and access management, over-the-air updates, remote access and troubleshooting, and similar functions all built in at the foundation. This network runs over any untrusted host and over any access or cloud infrastructure, for any edge computing need. The network can also self-isolate according to user needs while remaining invisible to the rest of the public Internet. Lastly, such a network infrastructure must offer a user-friendly interface so that facilities operators can manage the network seamlessly from a single-pane-of-glass dashboard.
Industrial enterprises with dispersed assets and diverse data sources are increasingly realizing that relying on conventional VPNs or point-to-point MQTT/CoAP device-to-cloud-broker connections does not scale and is not adequately secure. Instead, the industrial enterprise of tomorrow needs an identity-centric, network-security-based model akin to a global virtual LAN that runs invisibly over the untrusted public Internet. Such a model simplifies the inbound secure remote access and connectivity needs of dispersed networks of things and machines, and helps enterprises realize economies of scale.