The Importance of Zero Trust for Enterprise IoT Deployments
by Ken Dulaney
Cisco estimates that there will be 10.6 billion IoT connections growing to 14.7 billion by 2023. While this number reflects both consumer and enterprise, we must recognize that consumer technology constantly invades the enterprise, and that the crossover point is transitory. IoT devices are supported by a variety of platforms, and it is at the platform that the ultimate test of whether a particular IoT device is an entry point for malicious activity is determined. The latest data from IoT Analytics indicates that there were over 600 IoT platforms worldwide as of December 2019. We believe that this figure has likely increased to well over 1,000 today. The IoT market is clearly fragmented, and its rapid expansion, which creates large volumes of attack points, is of high concern, especially since IT is ultimately responsible for the security footprint of the enterprise.
Planning for IoT Security
Given the threat from IoT devices, new security precautions and methods must be taken when reviewing and selecting solutions. While large, all-encompassing platforms that cover the bulk of current and future installations are not possible, a methodology for selection and implementation is the best alternative. It is important for IT to develop and publish such a methodology and to publicize its existence among departments that may deploy IoT solutions. IT must recognize that stopping IoT deployment is almost impossible, and prevention attempts will often be trumped by business improvement needs. However, with proactive education on proper IoT implementations, IT can simultaneously protect the enterprise and guide IoT acquisition toward acceptable solutions or even toward deployment delays that await architectural maturation.
There is a wide array of IoT deployment publications from both platform and networking vendors. One example that supports a sound approach toward the security aspect is Microsoft Azure’s “Zero Trust Cybersecurity for the Internet of Things” whitepaper. A zero trust architecture is of paramount importance in IoT because of the newness and fragmentation of solutions. This makes IoT a prime target for hackers. Furthermore, implementations can contain old components (e.g., instrumentation of a decades-old water pump). IoT implementations also have limited onboard capability to defeat sophisticated attacks. IoT management frameworks are difficult because they must cover a highly varied solution set. So, the best approach is to deny trust to all IoT devices.
The whitepaper devotes a significant portion of its text to the details that must be included in a zero-trust deployment for IoT: strong identity encapsulated in a non-compromisable hardware root of trust; least-privileged access that grants limited access, and only at the time of need; device health that assesses a device’s risk profile; continual updates as threats are uncovered and understood; and lastly, monitoring and responding to the IoT environment. The whitepaper also has a nice list of what should be included in an RFP for an IoT solution.