As enterprises and manufacturers add tens of thousands of devices to their networks, Internet of Things (IoT) management and security have become critical issues. Seattle-based Tempered Networks, this month's Network Innovation Award winner, thinks it has a better way to address these propositions with its Host Identity Protocol-based portfolio of HIPswitches and software. The company, rebranded from Asguard Networks in November 2014, aims to provide what it calls "well-tempered" services to its industrial and enterprise customers, which include identity management and security features.
SearchNetworking spoke with Lucas Kane, Tempered Networks' director of product management, to discuss the technology behind the company's platform.
Editor's note: This Q&A has been edited for length and clarity.
Tempered; that is an unusual name. Is there rationale for that? What does Tempered Networks mean?
Lucas Kane: When we rebranded the company in 2014, CEO Jeff Hussey gave the new name a lot of thought. His premise, basically, was that he wanted to deliver a well-tempered network that is hardened and resilient. That's the thought; like tempered metal.
What's the technology behind HIPswitch and how does it improve IoT management and security?
Kane: The technology was actually born out of the large airplane manufacturing environment. Manufacturers were moving to more mobile tooling, but they needed to find a way to securely network these tools. There wasn't anything available to suit their needs, so after some research and discussions, they discovered the Host Identity Protocol (HIP), which essentially bakes in a cryptographic identity [that replaces a device's IP address] and automates how identities are managed across a network.
What we've done at Tempered is commercialize this technology and put a wrapper around HIP, which allows users to manage a large number of [devices] through what we call HIPswitches.
When a customer deploys HIPswitches, you're building private overlay networks between these devices, and that overlay network is completely isolated from the underlying network.
Sounds like SDN.
Kane: Right. In fact, sometimes we say it's like SDN -- with encryption and network access control -- on steroids. Once the HIPswitch is deployed into the underlying network, it essentially checks with what we call a conductor [akin to an SDN controller] and says, 'OK. I'm ready to be managed.' You then plug your devices into the HIPswitch, and through the UI in the conductor, you white list all of your devices and determine who talks to whom. It's very easy; it's about as complicated as Gmail.
What's the advantage of using HIP for IoT management over some other security standards?
Kane: Where HIP really shines is that it allows an automated management of [device] identities. With a lot of traditional security solutions, managing your certificate authority or your public key infrastructure can be a challenge. Other options might rely on a shared password or key. With our technology, each HIPswitch has its own identity and the management of those identities is all essentially automated within the conductor and the user interface.
So let's talk about the evolution of industrial IoT and IoT management and how that dovetails with the capabilities within HIPswitch.
Kane: What people are recognizing is that the more devices they have connected, the more information they can gather. So, there's been a real land rush, if you will, to connect everything. But as you connect devices -- especially random devices on, say, a manufacturing floor -- it can expose your environment. As a result, IT is often looking for ways to protect those devices -- for obvious reasons. We let IT protect a large number of devices very quickly and efficiently, but it's the ongoing management of these devices -- via communications policies -- where we truly shine. We call that orchestration, and what it allows you to do is quickly and efficiently manage a large number of devices. And the UI is simple: There is very little risk of misconfiguration. So, you have a very clear definition of what's communicating with what.
What are industrial IoT customers most concerned about?
Kane: As industrial IoT continues to grow, customers are worried about managing the sheer volume of devices and connectivity options, and doing so in a way that's easy to understand. They also want to be assured there is no backdoor, no side door [or other security vulnerabilities]. We're seeing attacks via HVAC systems; there are vending machines that are being put on the network. There are monitors and screens; there are white boards; everything now has an Ethernet port, but inherently, it's not secure. So, the challenge for IT, and definitely CSOs, is to find ways to add these devices to the network in a way that's very secure and very stable.
Is security the main function? Or can a user get performance metrics as well from HIPswitch?
Kane: The conductor keeps track of all the metadata associated with the HIPswitches and their devices. We're providing visualization across the network -- essentially, single-pane-of-glass management -- where you aren't just configuring the communication policies, but you're also getting a great deal of visibility into your environment. Troubleshooting tools, firmware updates, all of that good stuff can be pushed out to your devices from the conductor.
As more 'things' are connected wirelessly, how does HIPswitch work in those environments?
Kane: Some of our customers use wireless for failover. A HIPswitch can prefer wired, and if the wired connectivity goes away, it'll fail over to cellular. And then we have other customers that are leveraging just the cellular capabilities because it's the most efficient way, for example, to connect to a remote site. So, rather than having to rely on a customer network or a third-party network, what we're allowing them to do is leverage a cellular network very securely. We sell different HIPswitch products: wired only, wired and Wi-Fi, and wired and cellular. It's really customized to what your use case is.
If customers of yours are using either Wi-Fi or cellular connectivity options, are there particular vulnerabilities or IoT management issues those companies have to be aware of?
Kane: Definitely so. With cellular in general, companies or enterprises are not comfortable allowing the cellular network or the cellular provider to not only be in charge of their security, but to dictate what happens and when. So, what we're allowing them to do is add another layer of security -- in other words, encrypt all of that data. We actually cloak or hide the device on the network. As a result, anything that's protected by a HIPswitch is not visible. So, if someone is trying to scan or sniff the network, they won't see any of the devices protected by a HIPswitch.
What's next for Tempered?
Kane: We'll continue to formalize partnerships with automation vendors, and we're also looking at programmable logic controllers (PLCs). PLCs are something most people have never heard of but they probably rely on them every 15 minutes of their day. We have quite a few customers that are using Tempered to safeguard their PLCs and we'll be working with [automation vendors like Rockwell and Siemens] to tighten up those relationships so we can help customers better secure their endpoints.
We are also moving into the cloud space, and what that means is you will be able to deploy a HIPswitch in different cloud providers and, therefore, protect all of your data, say, from the headquarters to the cloud or from cloud to cloud. We're also releasing a HIP app, which will essentially turn a laptop or a mobile device into a HIPswitch so you can secure remote access or allow a specific user access to a specific device. And then we're also partnering with other third parties that can provide additional visualization and data analytics tools.