The world has more than 13 billion devices connected to the internet, and that number is expected to triple by 2025. In the Internet of Things (IoT), anything capable of connecting to the internet can be controlled remotely to deliver specific services. Examples of IoT devices include connected appliances and homes, security systems, autonomous factories, human-machine-interface manufacturing equipment, and connected cars, to name a few. For a malicious player in the game of IT security, that is 13 billion targets to explore; it is no wonder that an attack occurs every 39 seconds, and that creating 300,000 malware samples in a single day is good business, making exploitation of the Internet of Things highly lucrative. IoT means embedding internet connectivity into computing devices, objects, people, or animals. Each thing has a unique identifier and can transfer data over a network. With the increasing connectivity of the Internet of Things come serious vulnerabilities, as attackers can easily infiltrate the larger networks these devices join. IoT security is the aspect of technology that focuses on protecting assets, data, and privacy, and on safeguarding the connected devices themselves. An IoT security market study conducted by Grand View Research projected the value of the IoT security segment at USD 9,881.2 million by 2025. As the market continues to expand, all stakeholders (the users, the manufacturers, and the institutions) must prioritize the security of the Internet of Things.
Try to answer this question. How many people or what resources are required to secure approximately 30 billion IoT Devices by 2025?
Zero Trust can be that answer.
Let us explore.
The Open Web Application Security Project (OWASP) released a list of areas in IoT devices and systems that threat actors can exploit. Here's a synopsis:
The ever-increasing popularity of wireless technologies, and now 5G networks, has led to growth in cyberattacks. To address this growing issue, the government is implementing regulations relating to privacy and data security. In addition, manufacturers are connecting consumer goods such as lights, toys, and other home appliances, which means these devices come with vulnerabilities of their own. That is the reason for implementing regulations to protect confidential data. Several regulations have been implemented to boost the security of connected devices and prevent misuse of data. In September, California passed a law that addressed IoT security. The law mandated that manufacturers of IoT devices build security features into their products. The government also promulgated the IoT Cybersecurity Improvement Act of 2019 to improve IoT security best practices at the federal level. The act also bars default passwords on all connected devices sold to the United States government, and it provides a mechanism for patching known vulnerabilities in those devices.
The terms "Zero Trust" and "Zero Trust Architecture" (ZTA) have been buzzing around the IT security industry recently. The term Zero Trust is easy to digest: Zero + Trust = don't trust anything (or anyone). But what do these terms mean in the world of cybersecurity? Indeed, trying to conceptualize a network where nothing is trusted would make any network administrator's or CSO's head spin. So let us magnify the Zero Trust concept and walk through an example use case for its application. The term and concept are not new. Security analyst John Kindervag re-popularized the term, but it was first used decades ago by Stephen Paul Marsh in his Ph.D. on computational security. Before Zero Trust started to pop up endemically in IT-Sec industry literature, the concepts of "Defense In-Depth," "Least Privileges," and "Multi-factor Authentication" (MFA) were already seen as best practices for high-security network architectures. So, arguably, the concept of Zero Trust already existed as high-security network architecture.
ZTA is a set of security principles capable of micro-segmented access control, designed to raise the bar to the next level in response to a blurred network perimeter brought on by wide adoption of cloud resources and remote nodes. It is predominantly considered a Layer-7 defense that applies Kipling's principle (asking who, what, when, where, why, and how of every access request). The consensus is that there is no consensus on what Zero Trust technically means [1], but NIST SP 800-207 characterizes Zero Trust in the following way:
Zero Trust responds to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets not located within an enterprise-owned network boundary. In addition, Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource.
Not only are networks and their applications becoming more complex, but the value and amount of sensitive data they contain are rising, and so is cyber-crime itself; hence the industry also warrants increased security at its core. Accordingly, ZTA advocates far more granular access controls for better risk management of organizational assets.
The process of building ZTA looks something like this:
Another valuable way to look at ZTA is by the elements to which Trust can be applied. Each of these elements can be analyzed and broken down into granular contexts in which Trust is granted or withheld. Combined, the elements provide the insight needed for a comprehensive final decision to authorize.
Let's compare an example of a robust network security architecture with a more pervasive Zero Trust model. Imagine a remote worker logging onto a corporate network from home on their laptop. The user plugs in a hardware security key and enters a password into a login prompt. A robust authentication scheme has enforced password security to ensure the user's password contains enough key-space, has been changed periodically, and does not re-use previous passwords. The user may also be cued to enter an OTP from an MFA app. It's unlikely that a stolen password can get an attacker very far with these authentication security measures in place. The perimeter server control plane checks the IP address of the system requesting access to make sure it should be granted. Certificates and PKI are used to authenticate the client's identity, and server endpoints establish a VPN tunnel that protects internal network resources from being directly exposed on a public IP.
Although, theoretically, the user is now within the network perimeter, ZTA does not consider the context secure. Therefore, the connection is subjected to a Policy Engine that operates in the control plane (Figure 1). This zone is commonly described as a Demilitarized Zone (DMZ). To validate a connection as trusted, a set of context-aware input variables is examined: the user's history, geolocation, device identity, correlation with threat intelligence data, and SIEM logs. These are fed into a trust algorithm that calculates a final decision to trust the access request or not. Once access has been granted, ZTA demands that the session be continuously monitored, and the user may be asked to re-authenticate if activity times out or other suspicious activity is detected.
Additionally, ZTA advises that granular access controls for authorization be applied to individual resources, limiting access to each resource from particular contexts. For example, the user may be granted access to their company email when connecting remotely from their mobile phone, but RDP access to any internal databases or file-shares is strictly denied.
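The Policy Engine flow described above (context signals such as device identity, geolocation, threat intelligence and SIEM data feeding a trust algorithm, a per-resource decision, and session re-authentication) can be made concrete with a small, self-contained policy engine. The following Python is an added example written for this article; it is not code from NIST SP 800-207 or from any product. The signal weights, the thresholds, the device inventory, the threat-intel IP and the SIEM counters are all constructed for the illustration, as are the user "alice", the devices "lap-001" and "phone-007", and the resource names.

```python
"""Toy Zero Trust policy engine: context signals -> trust score -> per-resource decision.

Added illustration. Weights, thresholds and reference data are constructed for the
example and are not taken from NIST SP 800-207 or any vendor implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Constructed reference data standing in for a device inventory, threat-intel feed and SIEM ---
KNOWN_DEVICES: Dict[str, Dict[str, str]] = {
    "alice": {"lap-001": "laptop", "phone-007": "mobile"},   # device_id -> device class
}
HOME_COUNTRY: Dict[str, str] = {"alice": "US"}             # where the user normally logs in from
THREAT_INTEL_IPS: Set[str] = {"203.0.113.9"}                # constructed, TEST-NET-3 documentation range
SIEM_RECENT_FAILED_LOGINS: Dict[str, int] = {"alice": 0, "bob": 6}

# Per-resource policy: minimum trust score and the device classes allowed to reach the resource.
# A resource with no entry is denied by default.
RESOURCE_POLICY: Dict[str, dict] = {
    "email":     {"min_trust": 50, "device_classes": {"laptop", "mobile"}},
    "db-rdp":    {"min_trust": 80, "device_classes": {"laptop"}},
    "fileshare": {"min_trust": 80, "device_classes": {"laptop"}},
}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    src_ip: str
    geo_country: str
    mfa_verified: bool
    hardware_key_present: bool
    resource: str


@dataclass
class Decision:
    allowed: bool
    trust_score: int
    reasons: List[str]   # audit trail explaining the score and the final verdict


def trust_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Fold the context signals into a 0-100 score, recording why each point was added or removed."""
    score, reasons = 0, []
    if req.mfa_verified:
        score += 30
        reasons.append("+30 MFA verified")
    if req.hardware_key_present:
        score += 20
        reasons.append("+20 hardware security key present")
    device_class = KNOWN_DEVICES.get(req.user, {}).get(req.device_id)
    if device_class:
        score += 20
        reasons.append(f"+20 known {device_class} device")
    else:
        reasons.append("+0 unknown device")
    if HOME_COUNTRY.get(req.user) == req.geo_country:
        score += 15
        reasons.append("+15 geolocation matches user history")
    else:
        reasons.append("+0 unusual geolocation")
    if req.src_ip in THREAT_INTEL_IPS:
        score -= 40
        reasons.append("-40 source IP on threat-intel list")
    failed = SIEM_RECENT_FAILED_LOGINS.get(req.user, 0)
    if failed >= 5:
        score -= 25
        reasons.append(f"-25 SIEM: {failed} recent failed logins")
    return max(0, min(100, score)), reasons


def evaluate(req: AccessRequest) -> Decision:
    """Per-resource decision: the device class must be permitted AND the score must clear the bar."""
    score, reasons = trust_score(req)
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, score, reasons + [f"deny: no policy for {req.resource} (default deny)"])
    device_class = KNOWN_DEVICES.get(req.user, {}).get(req.device_id)
    if device_class not in policy["device_classes"]:
        return Decision(False, score, reasons + [f"deny: {device_class or 'unknown'} device may not reach {req.resource}"])
    if score < policy["min_trust"]:
        return Decision(False, score, reasons + [f"deny: score {score} below {policy['min_trust']}"])
    return Decision(True, score, reasons + [f"allow: score {score} meets {policy['min_trust']}"])


def needs_reauth(idle_seconds: float, suspicious_event: bool, idle_limit_seconds: int = 1800) -> bool:
    """Continuous monitoring: re-authenticate on timeout or when a suspicious event is flagged."""
    return suspicious_event or idle_seconds > idle_limit_seconds


if __name__ == "__main__":
    laptop = AccessRequest("alice", "lap-001", "198.51.100.20", "US", True, True, "db-rdp")
    phone = AccessRequest("alice", "phone-007", "198.51.100.20", "US", True, True, "db-rdp")
    for req in (laptop, phone):
        d = evaluate(req)
        print(req.device_id, req.resource, "ALLOW" if d.allowed else "DENY", d.trust_score, d.reasons[-1])
    print("re-auth after 31 idle minutes:", needs_reauth(31 * 60, False))
```

Two design points are worth noting. The device-class check runs independently of the score, so the phone is refused RDP to the database even with a perfect score, which is exactly the per-resource, per-context restriction the paragraph above describes. And every decision carries its reasons, so the same record that drives the verdict can be written to the SIEM and reviewed later.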
Given these statistics and this context, virtually every aspect of an IoT system can be exploited unless security becomes a top priority when designing and maintaining it. Therefore, regardless of the environment, Zero Trust Architecture should be built into every aspect, not bolted on as a feature, so that the entire configuration can function securely. Here are some cybersecurity guidelines to factor into the design:
Here are other means of implementing IoT Security:
IoT security should be the shared responsibility of consumers, manufacturers, and government. First, manufacturers should build security features into the devices. Second, users should assume responsibility for their own safety and privacy while using these connected devices. Third, the underlying principles of ZTA are not entirely new; rather, the principles of Defense In-Depth, Least Privileges, Multi-factor Authentication, and Context-Aware Authentication and Authorization are formally bundled into a single concept. Fourth, evolving corporate work environments require more security because of more complex network configurations and the increasing value of private data, which attracts more cyber-attacks. More outsourced services also mean more access for external vendors. As a result, less Trust is warranted, and ZTA is a good ground zero from which to build more robust access controls and attain IoT resilience. Finally, the government should enforce regulations so that manufacturers comply with cybersecurity best practices for IoT devices.