Citrix helps enterprises break down adoption barriers to IoT with the launch of its NetScaler Secure Event Delivery Controller.

There appears to be no lessening of the “buzz” around IoT; quite the contrary. However, concerns about data privacy and security remain the two biggest barriers to IoT adoption. Gartner states that “by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets”.

As we come off the back of yet another series of well-publicised cyber-attacks, the perceived threat to the integrity of the global internet casts a murky gloom over the take-up potential of IoT. The proliferation of IoT-enabled devices, delivering unprecedented data visibility and process automation, significantly increases the attack surface, a fact of which enterprises are all too acutely aware. So, too, is the scale of the challenge in absorbing the data IoT devices generate. Cisco’s Global Cloud Index predicts that, driven by the growth of IoT, the total amount of data generated by devices in 2020 will reach 600 Zettabytes, roughly quadrupling the data generated in 2015.

To help enterprises scale their IoT workloads securely, Citrix is launching the NetScaler Secure Event Delivery Controller (S-EDC) solution.

What is “Event Delivery Control” and why is this different from conventional “Application Delivery Control”?

IoT “sessions” aren’t like traditional web/app sessions. When downloading a web page, multiple short-lived TCP connections are opened and closed in quick succession to fetch the page content (text, images, videos, etc.). Not so with IoT sessions. IoT-specific protocols, like MQTT, create sessions that can last longer, much longer: an MQTT client holds a single TCP connection open and keeps it alive with periodic ping packets, so the broker only tears it down when the client stops talking. The nature of these transactions is also rather different. Compared with the traditional web application model, where the client initiates the dialogue (let’s call this “client-pull” mode), IoT is very much both “push” and “pull” in nature. It may well be the application side leading the “dialogue dance”, not the “thing”.
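To make the long-lived-session point concrete, here is an added example (not code from the original post and not Citrix’s code) that builds and parses an MQTT 3.1.1 CONNECT packet and shows how the Keep Alive field in its variable header governs how long the broker keeps the connection open. The 1.5× rule comes from section 3.1.2.10 of the MQTT 3.1.1 specification; the client identifier `sensor-0042` and the 600-second keep-alive are constructed sample values.

```python
import struct

# MQTT 3.1.1 control packet types (first byte of the fixed header).
MQTT_CONNECT = 0x10
MQTT_PINGREQ = b"\xc0\x00"   # what a quiet client sends to keep the session alive
MQTT_PINGRESP = b"\xd0\x00"


def _encode_remaining_length(n: int) -> bytes:
    """Variable-byte integer used in every MQTT fixed header (7 bits per byte)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80            # continuation bit
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(buf: bytes, offset: int):
    multiplier, value = 1, 0
    while True:
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:   # spec allows at most 4 bytes
            raise ValueError("malformed remaining length")


def _utf8_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id: str, keep_alive: int, clean_session: bool = True) -> bytes:
    """Encode a minimal CONNECT packet: no username, password or will."""
    if not 0 <= keep_alive <= 0xFFFF:
        raise ValueError("keep alive must fit in 16 bits (seconds)")
    flags = 0x02 if clean_session else 0x00
    variable_header = (_utf8_string("MQTT")          # protocol name
                       + bytes([4, flags])           # protocol level 4, connect flags
                       + struct.pack("!H", keep_alive))
    body = variable_header + _utf8_string(client_id)  # payload = client identifier
    return bytes([MQTT_CONNECT]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    """Decode the fields a broker (or an EDC in front of it) needs from CONNECT."""
    if packet[0] != MQTT_CONNECT:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    (name_len,) = struct.unpack_from("!H", packet, pos)
    pos += 2
    name = packet[pos:pos + name_len].decode("utf-8")
    pos += name_len
    if name != "MQTT":
        raise ValueError("unexpected protocol name %r" % name)
    level, flags = packet[pos], packet[pos + 1]
    pos += 2
    (keep_alive,) = struct.unpack_from("!H", packet, pos)
    pos += 2
    (cid_len,) = struct.unpack_from("!H", packet, pos)
    pos += 2
    client_id = packet[pos:pos + cid_len].decode("utf-8")
    return {"protocol_level": level, "clean_session": bool(flags & 0x02),
            "keep_alive": keep_alive, "client_id": client_id}


def broker_idle_timeout(keep_alive: int) -> float:
    """Seconds of silence after which the server MUST drop the connection
    (1.5 x Keep Alive, MQTT 3.1.1 section 3.1.2.10); 0 disables the mechanism."""
    return float("inf") if keep_alive == 0 else keep_alive * 1.5


def session_still_alive(keep_alive: int, seconds_since_last_packet: float) -> bool:
    """True while the broker is obliged to keep the session open."""
    return seconds_since_last_packet <= broker_idle_timeout(keep_alive)


if __name__ == "__main__":
    pkt = build_connect("sensor-0042", keep_alive=600)
    print(pkt.hex())
    print(parse_connect(pkt))
    print("broker drops after", broker_idle_timeout(600), "s of silence")
```

With a 600-second keep-alive the device only has to send a two-byte PINGREQ every ten minutes to hold the connection open indefinitely, which is exactly why an IoT front end is sized by concurrent sessions rather than by requests per second.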

All this means you can’t simply repurpose a conventional ADC into the EDC role. To meet the projected needs of scale and performance, adding a smattering of new IoT protocols to your existing ADC is, quite frankly, not enough. What is required is an optimized underlying ‘delivery controller’ platform architecture, along with purpose-built message handling capabilities for these new IoT workloads.

Figure-1: Evolution of Load Balancing

Securing the IoT Application Perimeter

Whether an enterprise chooses to deploy its IoT platforms within its own data centres or hosted within a public cloud offering, the security of that application perimeter is paramount, and something the enterprise will want to retain control of. Establishing an effective IoT Application Perimeter greatly mitigates the risk of a malicious attack.

From a historical perspective, we saw how the secure web application domain evolved towards leveraging ADCs to offload key security functions, the ADC becoming the ultimate arbiter of which sessions made it through to the web applications. With IoT, we see the same evolution in play. The exception here is that we have another component to contend with, the IoT Message Broker, which sits in a layer in front of the IoT applications.

We also see history repeating itself. Much as web servers terminated HTTPS themselves in its early days, many enterprises are initially choosing to use these brokers to provide the critical security functions within the IoT Application Perimeter. Let’s be perfectly clear here though: these broker solutions were never designed to provide security perimeter functions. Pushing such capabilities onto them is simply a “convenience of architecture” decision, made in the mad rush to get early IoT services to market. Quite frankly, an IoT Message Broker has enough on its hands doing its “day job”. To suggest it is the best place to implement heavy-duty tasks such as SSL termination and device authentication is plain crazy, a view with which many of the customers we are working with would agree.

Putting the ‘Secure’ in Secure Event Delivery Control

The NetScaler S-EDC solution retains all the market-leading SSL offloading performance capabilities of the NetScaler ADC platform, permitting the use of encryption between all actors (clients, applications and message brokers). Sensitive private traffic never passes in the clear, either over the internet or within the data centre, yet the NetScaler solution still terminates the device-facing connection, decrypts the message exchanges to perform further data integrity checks and efficient workload balancing, and re-encrypts on the broker-facing side. The existing ‘limited’ world of clients (OSs, smartphones, laptops, etc.) makes the job of device authentication much simpler in the traditional application landscape, but given the multitude and variety of “things” bearing down on us it’s not so simple within the IoT landscape. The potential range of use cases is mind-boggling, and extensibility is key.

Citrix brings this extensibility within the S-EDC solution. Finally, given the sheer number of “things” we are talking about, what happens in the event of a major network outage? And how do we differentiate devices all simultaneously and genuinely trying to reconnect from a malicious Distributed Denial of Service (DDoS) attack? The NetScaler S-EDC solution provides a highly coordinated approach to differentiating between these scenarios and applying the appropriate technique (DDoS Protection or Surge Protection) to absorb the behaviour accordingly.

The trouble with all of this, however, is how to correlate all these behaviours across a large, globally distributed IoT Application Perimeter. An isolated occurrence of anomalous behaviour in one corner of the perimeter may not be easily picked up, but may be the precursor to something far more sinister. This equates to the proverbial “needle in the haystack problem”. Fortunately, Citrix has an ace up its sleeve in this regard.

Enter the Citrix NetScaler Management & Analytics (MAS) platform

NetScaler MAS plays a critical role in IoT Infrastructure Management & Analytics. Each deployed S-EDC node constantly streams analytics data back into the NetScaler MAS solution, which, through machine learning, can find the needle in the haystack, surfacing any attempts at perimeter exploitation. NetScaler MAS provides the “single pane of glass” into the S-EDC deployment and, through advanced automation, orchestration and certificate management, also greatly simplifies the deployment and operation of the S-EDC solution. Through centralized integrity checking of system configurations, MAS ensures consistency across the entire security perimeter. Given that many serious security breaches are the result of human error in system setup and configuration, MAS greatly reduces the likelihood of this happening.

Figure-2: Key elements of the NetScaler S-EDC Solution

Come and talk to us at Mobile World Congress (Barcelona, 27 Feb – 2 March 2017)

At Mobile World Congress, Citrix is announcing the availability of the NetScaler Secure Event Delivery Controller (S-EDC), a key solution to address the sheer number of connected devices, the impact of new network architectures and protocols, and the emerging security risks surrounding the adoption of IoT. Through the combination of the new NetScaler S-EDC and NetScaler MAS, enterprises can begin to deploy highly secure IoT Application Perimeters to protect their evolving IoT assets.