Use a zero trust approach to combat IoT security risks
It’s now well-documented that IoT became an even bigger target for cybercriminals over 2020 with the rise of remote work.
IoT devices and Content Management Systems (CMS) will continue to be on the front lines of cybersecurity events in the battle for the internet, according to Fortinet’s FortiGuard Labs Threat Report. However, it is possible for organizations to stem the tide of these attacks by implementing a zero-trust approach to network security.
IoT is a highly desirable cyber target
Since the start of the COVID-19 pandemic, 9 out of the top 10 exploits fell into IoT or Content Management Systems (CMS) categories. Throughout 2020, researchers documented a marked increase in detected attempts to exploit vulnerabilities in consumer networking and other connected devices, largely in home networks, in parallel with the rise of remote work.
While CMS and IoT devices may not be an organization’s most critical assets, there’s a good chance they’re network neighbors to critical assets. This makes them a potential gateway to valuable data or technology. It seems clear that cybercriminals see the unsecured or under-secured home networks of remote workers as an easily exploitable conduit back into the corporate network, because those home networks are now effectively part of the corporate perimeter. That means employees may be accessing corporate resources from a compromised environment, which is a security model that many organizations aren’t used to. Because of the risk home networks pose to organizations, access to resources must be kept on a much tighter leash.
Trust is no longer an option
Bad actors have increasingly targeted emerging edge environments, including the home office and the cloud, and this trend could be the death blow for trust-based security. A never-ending expansion and erosion of the perimeter means that the inherent trust of devices and users in place in many networks is not sustainable. Instead, this evolution of the network puts increasing importance on moving deep security monitoring and enforcement out to every device, trusted or otherwise.
The work-from-home transition has been difficult for many. A disappearing perimeter creates ever-growing pressure to move security monitoring and enforcement to every device. Zero trust, the idea that users and devices should only be able to access those networked resources necessary to do their jobs, and only then after proper authentication, has gotten a renewed push because of the pandemic’s effect on the workplace. While human relationships might be built on trust, it’s increasingly apparent that zero trust as a security model builds healthier IT relationships.
Zero trust provides a better approach
Traditional perimeter security only defends against outsiders while extending a measure of trust toward people and devices. A zero-trust network security model is based on identity authentication rather than on implicitly trusting users based on their position relative to the network. A zero-trust approach grants users and devices least-privilege access to protect networks and applications. Zero trust is predicated on the idea that no one inside or outside the network should be trusted unless their identity has been thoroughly checked and their device meets baseline security requirements, and that policies should be based on the who, what, when, where and how of contextual information.
Zero trust runs on the principle that threats from both inside and outside the network are always active, and that anyone and any device may already be compromised. It also assumes that every attempt to access the network or an application is a potential threat. These assumptions compel network administrators to redesign their networks and network security products to support rigorous, trustless security measures.
Implementing a zero-trust policy entails establishing micro-perimeters and regulating traffic around critical data, components, and network sectors. At the edge of a micro-perimeter, a zero-trust network employs a segmentation gateway that monitors and controls the entry of people and data using security measures designed to thoroughly vet users and data before granting them access. Multi-factor authentication, endpoint verification, micro-segmentation and least-privilege access are all components of this type of policy.
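The following added example, which is not from the original article or any Fortinet product, models the segmentation gateway decision described above as a default-deny check over identity, device posture, context and least-privilege scope. The role names, resources, patch-level baseline, network names and working hours are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical least-privilege map: role -> resources inside its micro-perimeter.
ROLE_RESOURCES = {
    "hvac-sensor": {"telemetry-broker"},
    "cms-editor": {"cms-admin"},
    "finance-analyst": {"ledger-db"},
}
# Hypothetical device baseline and context policy (assumed values).
MIN_PATCH_LEVEL = 3
ALLOWED_NETWORKS = {"corp-vpn", "iot-vlan"}
WORK_HOURS = (time(7, 0), time(19, 0))
DEVICE_ROLES = {"hvac-sensor"}  # unattended devices: no MFA prompt, any hour


@dataclass(frozen=True)
class AccessRequest:
    role: str         # who
    resource: str     # what
    at: time          # when
    network: str      # where
    mfa_passed: bool  # how (authentication strength)
    cert_valid: bool  # device identity
    patch_level: int  # endpoint posture


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Default-deny: every check must pass. Being on an allowed
    network is one context signal and grants nothing by itself."""
    if not req.cert_valid:
        return False, "device identity not verified"
    if req.patch_level < MIN_PATCH_LEVEL:
        return False, "device below security baseline"
    if req.network not in ALLOWED_NETWORKS:
        return False, "untrusted network path"
    if req.role not in DEVICE_ROLES:
        if not req.mfa_passed:
            return False, "multi-factor authentication missing"
        if not (WORK_HOURS[0] <= req.at <= WORK_HOURS[1]):
            return False, "outside permitted hours"
    # Unknown roles map to the empty set, so they are denied here.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource outside least-privilege scope"
    return True, "allow"
```

A fully authenticated IoT sensor that asks for `ledger-db` is still refused, which is the "network neighbor" case: sitting next to a critical asset confers no access to it.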
Don’t trust — verify
Competing in today’s digital world means organizations cannot survive without IoT devices and a secure CMS. Attackers know this, and they know that the events of the last year have seriously weakened the network perimeter. Evidence shows that attackers are willing to exploit any possible vulnerability to gain access to critical assets. Currently, 90% of exploits focus on IoT and CMS.
It’s also why simple trust is no longer possible. In this new environment, best network access practices require a zero-trust access approach. And the most effective zero-trust access strategy is holistic and brings visibility and control to three key areas: what and who is on the network, what they are doing while on the network, and what happens to those devices when they leave the network. Vetting solutions with the criteria noted above in mind will enable your organization to be on its way to a trustless, and more trustworthy, future.