IoT is a big security headache for a lot of reasons. By its very nature, these devices are untrusted. They usually can’t have a security agent installed on them, they are typically designed with little thought to security, and their presence on a network can be difficult to detect as they often don’t look like IT. We faced a somewhat similar issue with BYOD (Bring Your Own Device). However, a lot of BYOD looks and behaves like our corporate IT, but IoT is a different more difficult to secure beast. Our conventional security models have been falling behind in the face of IoT and BYOD. Our legacy architectures can only scale so much, and the cracks arising from this are exploited by new kinds of attacks and ones that move more easily laterally while the IT scales outwards. With more IT and security becoming software defined, Zero Trust (ZT) is seen as a fundamental fix to the security approaches we’ve been struggling with.
At first glance, the idea of ZT + IoT might seem incompatible, however, these innately untrusted, presumably insecure IoT devices are the perfect use case for why Zero Trust architectures are important for enterprise security.
So how can these be part of a Zero Trust architecture?
What is Zero Trust
Zero Trust is an approach, not a number on a gauge, a binary state, or something that can be purchased by the pound. Just like a company will never be “100% secure,” it will never likely have “achieved zero trust.” That doesn’t mean security and Zero Trust are abandoned, but instead they are goals in the same way as “quality” or “health” that are continuously strived for. The closer that you (and your business) get to them the better off your security and trust placed in the architecture. This isn’t a card trick or a verbal dodge to “just accept the risk.” It is the very nature of the cybersecurity job that you must continue to strive for security in the face of continuous change both by making security continuous and expecting change.
New devices, people, apps and things will arrive maybe every second into your enterprise, so the words ‘continuous,’ ‘risk,’ and ‘posture’ are very meaningful in the architecture of Zero Trust.
Applying Zero Trust with IoT
So far, a lot of talk about securing IoT has been about microsegmentation. That is a bit deceptive but knowing what to segment is a precursor to separating it. Also, pre-Zero Trust thinking was about creating zones for IoT to live in, which is not how Zero Trust works.
A core foundation of Zero Trust is knowing about the presence and posture of as many identities, users, devices, apps, and other elements as possible. Without that visibility, your state of trust, and therefore risk, is unknown. So, finding things and knowing how trusted they can be is fundamental.
As fundamentally unknown and untrusted devices, both finding and assessing the risk posture of IoT in your domain is incredibly valuable and critical to including them in a Zero Trust architecture. More value is achieved by knowing the communications history of those devices, the posture of things and users they have talked to, as well as being able to apply pre-patch shields and block them when they do things that are bad or too risky.
Underlying this challenge is the fact that this all must be done continuously. It is not just as a one-time snapshot when a device comes into your network.
Continuous Risk Insight for IoT Means Less Misplaced Trust and More Automation
In addition to the Zero Trust architectural knowledge that can support a SOC’s efforts, risk insights about unknown devices, whether IoT or more traditional BYOD, can be applied automatically in subsets of the Zero Trust envelope such as SASE (Secure Access Service Edge) and ZTNA (Zero Trust Network Access). Connections to the IoT, and connections from IoT to the web, apps, or SaaS (that may themselves involve an IoT component) can be better trusted (or blocked) when the knowledge of the posture of all parties involved is continuously assessed.
IoT is so untrusted it is one of the best candidates for being secured using a Zero Trust architecture, as reducing risk via unfounded trust is what Zero Trust is all about.