One may assume that Virtual Private Networks (VPNs) can simplify the task of setting up secure connections to remote machines and IoT devices.
Let us first understand the original purpose behind VPNs. VPN solutions were designed primarily to secure office campuses and data centers, and to give field workers secure remote access to their corporate networks.
Because VPNs lack the flexibility and intelligence to meet machine builders' specific needs, users who try to apply them to machines and things run into five major defects:
1. Time-consuming setup that requires extensive IT knowledge. Several manual steps are needed to properly establish secure authentication and connectivity with remote machines and things. The process is complex, time-consuming, and requires IT knowledge that most field automation engineers do not have.
2. Compromises in corporate security policy are needed for remote access to machines. VPNs need specific network rules to permit two-way traffic to flow. Creating flexible firewall rules for this has proven a major challenge for most IT departments, especially those managing dispersed industrial networks.
3. Securing remote connections involves complexity and high cost. Most VPNs between machine builders and machine operators are site-to-site connections. Once the tunnel is up, they cannot restrict access to selected groups of machines and IoT devices.
4. Applying patches is not feasible. Software updates over the air and security patches cannot be applied without manual intervention.
5. Access credential management does not scale. Managing pre-shared access credentials becomes extremely difficult as the fleet grows; for example, whenever VPN servers or client systems change, certificates must be regenerated, and so on.
The conclusion is that VPNs have been reduced to ‘very primitive networks’ and just do not fit the needs for secure remote access in today’s emerging world of things and machines.
As Gartner recommends, what security and risk professionals in today's digital enterprise need is a worldwide fabric or mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to. Think of an edge-compute-friendly, modular network infrastructure that functions as a global virtual LAN in which firewalls, identity and access management, over-the-air updates, remote access and troubleshooting, and so on are all built in foundationally. This network runs over any untrusted host as well as over any access or cloud infrastructure for any edge computing need. The network can self-isolate depending on user needs while remaining invisible to the rest of the public Internet. Lastly, such a network infrastructure must offer a user-friendly interface so that facilities operators can manage the network seamlessly from a single-pane-of-glass dashboard.
Industrial enterprises with dispersed assets and diverse data sources are increasingly realizing that relying on VPNs originally designed to provide secure connectivity to enterprise data centers and campuses is simply futile. Legacy VPNs simply do not scale to machines, devices, sensors, and so on. Instead, the digital enterprise of tomorrow needs an identity-centric, network-security-based model akin to a global virtual LAN that makes assets invisible from the public Internet. This lets enterprises realize economies of scale and democratize the secure remote access and connectivity needs of their dispersed networks of things and machines, which in turn drives business efficiencies through the power of data analytics.
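The defect described under point 3 above (a site-to-site tunnel exposes an entire subnet, with no way to limit access to selected device groups) and the identity-centric alternative proposed in the last paragraph can be compared concretely. The following is an added example, not code from the original post or from any vendor it refers to: it models a constructed plant inventory, computes which devices a site-to-site tunnel makes reachable purely from its routed subnets, computes which devices an identity-centric, default-deny group policy would grant, and reports the difference as the tunnel's over-exposure. The device names, addresses, identities and policy are all assumptions made up for illustration.

```python
# Added example: site-to-site subnet reachability vs. identity-centric group policy.
# Inventory, identities and policy below are constructed for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    name: str
    site: str
    ip: str
    group: str  # which machine builder (or the operator) owns this equipment


# Constructed inventory: one plant hosting machines from two different builders.
DEVICES = [
    Device("press-1", "plant-a", "10.20.1.10", "builder-x"),
    Device("press-2", "plant-a", "10.20.1.11", "builder-x"),
    Device("robot-1", "plant-a", "10.20.1.20", "builder-y"),
    Device("hmi-1", "plant-a", "10.20.1.30", "operator"),
]

# Constructed identity-centric policy: identity -> device groups it may reach.
# Anything not listed is denied (default deny).
IDENTITY_POLICY = {
    "tech@builder-x": {"builder-x"},
    "tech@builder-y": {"builder-y"},
    "ops@plant-a": {"builder-x", "builder-y", "operator"},
}


def reachable_site_to_site(tunnel_subnets: list[str]) -> set[str]:
    """A site-to-site tunnel routes whole subnets: every device whose address
    falls inside a routed subnet is reachable, regardless of who is connecting."""
    nets = [ip_network(s) for s in tunnel_subnets]
    return {d.name for d in DEVICES if any(ip_address(d.ip) in n for n in nets)}


def reachable_identity_centric(identity: str) -> set[str]:
    """Identity-centric policy: reachability is decided per device group for
    the connecting identity; unknown identities get nothing."""
    allowed = IDENTITY_POLICY.get(identity, set())
    return {d.name for d in DEVICES if d.group in allowed}


def over_exposed(identity: str, tunnel_subnets: list[str]) -> set[str]:
    """Devices the tunnel exposes to this identity that the group policy
    would not grant: the excess access a site-to-site VPN cannot remove."""
    return reachable_site_to_site(tunnel_subnets) - reachable_identity_centric(identity)


if __name__ == "__main__":
    # Builder X's technician comes in over a site-to-site tunnel to plant A.
    tunnel = ["10.20.1.0/24"]
    print("tunnel exposes:", sorted(reachable_site_to_site(tunnel)))
    print("policy grants:", sorted(reachable_identity_centric("tech@builder-x")))
    print("over-exposed:", sorted(over_exposed("tech@builder-x", tunnel)))
```

Run against a real environment, the same comparison is a useful audit: feed it the subnets actually routed through each vendor's tunnel and the device groups each vendor is contractually entitled to, and the `over_exposed` set is the list of machines that a compromised vendor credential could reach today without any per-device control.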