Many enterprises have an information technology (IT) infrastructure that supports the various computing devices used by the enterprise. More recently, there are many internet of things (IoT) devices, with each IoT device being a physical object that features an IP address for internet connectivity and communicates with other internet-enabled devices and systems. For example, an IoT device may be a thermostat or other internet-connected device. These IoT devices may form part of the IT infrastructure of an enterprise. Unlike other elements of an IT infrastructure, these IoT devices have a number of serious security issues and technical problems that make them a threat to the security of the IT infrastructure of an enterprise. For example, the IoT devices are not deployed in a data center environment, so the traditional security features/services that protect data center elements cannot protect the IoT devices. Furthermore, a majority of these IoT devices have weak access mechanisms, so these IoT devices have vulnerabilities including password security, encryption and a general lack of granular user access permissions. In addition, the IoT devices exist across many networks, not just inside the data center (DC), so the IoT devices may be exposed to the weaknesses of local LANs, including physical and logical compromise as well as security interference. Furthermore, many of the IoT devices allow their software and firmware to be overwritten with few controls, which creates a significant security vulnerability. Finally, the IoT devices are always connected and always on, so the IoT devices are perfect infiltration and compromise points for the infrastructure.
The National Institute of Standards and Technology (NIST) has issued a guide to industrial control systems (ICS) security (the “Guide”), which may be found at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf and which is incorporated herein by reference. The Guide has a section that suggests that network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect its ICS that includes an IT infrastructure. The Guide states that there are four common techniques to implement the security that may include: 1) technologies at more than just the network layer; 2) controls using least privilege and need-to-know (whitelist-based control); 3) separate information and infrastructure including separation of applications and policy enforcement points; and 4) implementing whitelisting. The Guide also suggests that firewalls can further restrict ICS inter-subnet communications between functional security subnets and devices. By employing firewalls to control connectivity to these areas, an organization can prevent unauthorized access to the respective systems and resources within the more sensitive areas.
Thus, it is desirable to provide an infrastructure architecture that provides better security for IoT devices that are part of an IT infrastructure, using access privileges and segregation techniques, and it is to this end that the disclosure is directed.