Why zero trust security is a growing trend in IoT management
The rise of remote work is creating new challenges for enterprises at every level, especially when it comes to technology management and enablement. As more people shift to work-from-home environments, the need for proactive IT controls becomes increasingly difficult to ignore.
The use of remote access channels can expand an organization's attack surface, as every device connected to the central network can be used to launch malware, ransomware and brute-force attacks. Companies that have integrated internet-of-things technologies are even more susceptible - IoT-focused attacks surged 300% in 2019, according to research from the cybersecurity firm F-Secure - especially when employees are allowed to use their personal computers to access business applications and sensitive information. As IT administrators look for new ways to protect critical assets and data, many are questioning whether zero trust security frameworks are the next step in IoT management.
How zero trust improves IoT security
Zero trust security is a strict IT framework that requires every device attempting to connect to a private network to verify its identity, according to the web-infrastructure company Cloudflare. These access controls are applied to users regardless of whether they're working in an office or connecting to the network remotely. The idea is that IT administrators can use zero trust methodologies to prevent any device (no matter how harmless it may seem) from gaining automatic access to enterprise networks.
In environments that rely on a web of IoT devices, however, limiting access comes with its own operational constraints. For one, imposing strict verification guidelines can reduce the speed at which data travels from one device to the next. This can be a major disadvantage for job sites that integrate their IoT sensors with real-time monitoring tools, such as manufacturing plants, energy distribution stations and telecommunication hubs. That said, the potential consequences of poor cybersecurity far outweigh the limitations imposed by a zero trust framework.
Cybercrime is one of the biggest threats to businesses across industry lines and is a key contributor to widespread adoption of zero trust policies. According to the National Technology Security Coalition's Cyber Security Report 2020, the growing use of IoT devices will "increase networks' vulnerability to large-scale, multi-vector Gen V cyber attacks." This, paired with subpar device-level security controls, makes IoT the weak link in many organizations' cybersecurity programs. Another issue is that it can be difficult to maintain visibility over IoT devices without a centralized management platform. Of course, the oversaturation of the cloud services market has provided more options than companies can realistically compare.
In terms of integrating a zero trust framework, Cloudflare points to three key practices and technologies that are vital to any organization's success:
- Least-privilege access
- Multi-factor authentication
To prevent costly data breaches and cyberattacks, companies must control access for individual users and devices at scale. Considering 152,200 new IoT devices will be connected to the internet every minute by the year 2025, according to estimates from IDC, it's crucial to develop a forward-looking cybersecurity program that addresses both current and future risks.
Zero trust security implementation tips
Beyond limiting automatic access for users and workstations, organizations must also create a "zero trust ecosystem" that can identify and control "non-user devices," according to TechRadar. Non-user devices include network routers, environmental sensors, IoT appliances and other pieces of equipment that do not have dedicated users, or don't require consistent human intervention. When creating a zero trust framework, IT administrators should use an "agentless device visibility and a network monitoring solution" that is compatible with IoT and OT devices. When combined with real-time data collection and analysis tools, these monitoring solutions can provide a holistic view of network access, traffic flow and device usage that will help inform zero trust policies and architecture. When implementing such a system, organizations must also address what infosec expert and Threatpost contributor Tony Kueh calls the "five pillars of zero trust security:"
- Device trust: Creating a detailed inventory of devices that are controlled and owned by a company can help maximize visibility and quickly identify unauthorized devices connected to a private network.
- User trust: In some cases, standard passwords are not enough to protect user profiles from exploitation. By incorporating passwordless authentication and conditional-access policies, companies can improve their security posture and reduce the threat posed by internal actors.
- Transport/session trust: Users don't need access to every nook and cranny of enterprise networks. By incorporating the principle of least-privilege access, IT administrators can grant the minimum permissions employees need to perform their work.
- Application trust: Application-level security threats can be hard to manage without a modernized form of user authentication. Utilizing a virtual desktop environment offers more oversight and control over business applications without introducing more IT weaknesses.
- Data trust: Leveraging data loss prevention strategies and tools can help ensure sensitive data is protected from breaches, exfiltration and destruction from both internal and external users.
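An added example, not from the original article or any vendor product: a default-deny check that applies the device trust and least-privilege pillars above to non-user devices seen by a passive network monitor. The inventory, MAC addresses, IP addresses and the flow-record format are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical inventory: MAC -> (device name, allowed (dst_ip, dst_port) flows).
INVENTORY = {
    "00:11:22:aa:bb:01": ("temp-sensor-1", {("10.0.5.10", 8883)}),
    "00:11:22:aa:bb:02": ("hvac-controller", {("10.0.5.10", 8883), ("10.0.5.20", 443)}),
}

# Constructed flow records, one per line: "src_mac dst_ip dst_port".
SAMPLE_FLOWS = """\
00:11:22:aa:bb:01 10.0.5.10 8883
00:11:22:aa:bb:01 10.0.9.44 22
00:11:22:AA:BB:02 10.0.5.20 443
de:ad:be:ef:00:99 10.0.5.10 8883
malformed line
"""

@dataclass(frozen=True)
class Finding:
    verdict: str  # allow | deny-unknown-device | deny-not-permitted | deny-malformed
    mac: str
    detail: str

def evaluate(line):
    """Default deny: a flow is allowed only if the device is inventoried
    and the destination is on that device's own allowlist."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return Finding("deny-malformed", "", line.strip())
    mac, dst_ip, port = parts[0].lower(), parts[1], int(parts[2])
    entry = INVENTORY.get(mac)
    if entry is None:  # device trust: not in the inventory
        return Finding("deny-unknown-device", mac, f"{dst_ip}:{port}")
    name, allowed = entry
    if (dst_ip, port) not in allowed:  # least privilege: flow not granted
        return Finding("deny-not-permitted", mac, f"{name} -> {dst_ip}:{port}")
    return Finding("allow", mac, f"{name} -> {dst_ip}:{port}")

def audit(flows_text):
    """Evaluate every non-empty flow record and return the findings in order."""
    return [evaluate(l) for l in flows_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f.verdict, f.mac, f.detail)
```

A MAC address is only an observable identifier and can be spoofed, so this covers the visibility step; verifying device identity still requires an authentication mechanism such as per-device credentials.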
Perle offers powerful connectivity tools that can help organizations maximize their network security and develop a zero trust framework. Our industrial-grade Ethernet switches and console servers are designed for big data environments that depend on the uninterrupted flow of data. Read some of our customer stories to find out more.