The zero-trust security model, built upon the idea "never trust, always verify," offers an ideal framework for IoT because it requires IT security teams to continually review, revise and make changes as the network changes.
Zero trust offers a more efficient and scalable security strategy for IoT. IoT devices serve integral parts of business today and often perform critical tasks or handle sensitive data. IT security teams can no longer set it and forget it when it comes to IoT security.
The traditional security model often doesn't meet the security or user experience needs of modern organizations. IoT is the fastest-growing category of devices in the modern enterprise, with nearly 42 billion IoT devices forecast to be connected by 2025, according to an IDC forecast. Organizations increasingly deploy IoT devices in business-critical processes and systems, forcing IT teams to bypass their traditional perimeter-based defenses just to get them into production.
Security must be focused on where the threat is most likely to occur. For now, that means IoT devices because they are tempting targets for criminals. Attackers use edge devices to easily breach an entire network and cause havoc. Organizations that embrace a comprehensive security approach using zero trust can better adapt to the changing complexity of their IoT deployments and protect their people, devices, applications and data.
Understand what zero-trust IoT means
Zero trust is a security model that suggests that no person, device or service inside or outside the network should be trusted by default. For IoT deployments, this model focuses on protecting the network from breaches through IoT devices, even as organizations add more sensors to their deployments. Security measures require identity verification and device authentication throughout the network instead of just at the perimeter, which is how it's most often done today. Using microsegmentation, the model limits access to network segments to only the people and devices that require it and are authorized. This reduces the risk of potential breaches because access is limited to that segment only.
Zero trust is a model, not a product or piece of technology that organizations can buy. Instead, it's a desired state that can be achieved in various ways to protect company data, lower the breach risk and detection time, improve visibility into network traffic and increase control in cloud environments.
4 steps to deploy zero-trust IoT
No matter where IoT devices are deployed and how they're used, they fall under the same protective shield as the rest of the network. As a result, threats must be isolated before they affect the entire network, and IoT devices' critical work can continue.
IT administrators and security teams must adopt a few measures to apply zero trust to IoT and be ready for future threats.
1. Create a strong identity for IoT devices
Organizations can deliver strong device identities through a combination of hardware root of trust, passwordless authentication such as X.509 certificates and credentials with a limited lifespan. Organizations can create an IoT device registry to ensure that only authenticated devices can connect appropriately for their use.
2. Give least-privileged access to devices
Zero-trust security requires giving the least privileged access to devices, but enough access that they can still do their work. IT teams must create discrete identities to segment access for devices that run multiple workloads and allow conditional access to and from a device based on a set of defined security rules. For example, connections could be limited based on the device's location using an IP address or GPS or networks only permit certain operations during business hours.
3. Proactive security monitoring and response
Proactive monitoring adds a layer of protection for IoT devices, no matter where they're located or how they're connected to the network. IT teams use security monitoring to rapidly identify unauthorized or compromised devices and take appropriate action.
For some organizations, monitoring only means having a topology map of all devices and access to basic health indicators such as power and usage. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends more in-depth measures, including identifying all communication protocols used by the devices and cataloging all external connections to and from the devices. Identifying vulnerabilities in IoT devices before they're compromised will ensure IT security teams have the mitigation strategies needed to handle issues should they arise.
4. Schedule regular device updates
A strong IoT lifecycle process will keep all devices working and secure. The process must include documentation on all related procedures, such as implementing updates, and a centralized configuration management system to track all devices. IT security teams can use management tools, such as Ansible and Chef, to scale device updates and management across the fleet, including pushing updates remotely to devices.
Even after handling these steps, security teams must also address several challenges of zero-trust IoT models, including integrating devices into an aging IT infrastructure; the limited computing power of devices to run security protocols; and the physical location of the devices.