Increasingly considered a sound strategy for network security in general, zero trust (ZT) is arguably even more critical when it comes to Internet of Things solutions. With 41.6 billion connected IoT devices expected by 2025, according to IDC, the stakes are high.
“Any computing device, including IoT devices, implemented within a digital ecosystem can become a pathway to every other component attached to the network if strong security controls are not implemented,” says Rebecca Herold, CEO of Privacy and Security Brainiacs, an information security, privacy, technology, and compliance services provider, and part of a NIST team developing an IoT cybersecurity framework.
Currently, most network security is based on one-time validation/authorization of an entity (typically a user) logging into an entry point along the network perimeter, which Sean Tufts, IoT/OT practice director at cybersecurity solutions integrator Optiv Security, likens to a “moat” surrounding a walled-in castle. In this “ultimate trust” scenario, he explains, “once someone ‘vaults the moat’ with one central login and makes it over the walls into the castle, they have access to everything within that network environment.”
With ZT security, in contrast, access to network components (i.e., the “rooms” in the castle) must go through additional layers of authorization and approval.
“ZT security is implemented throughout the full scope of the digital ecosystem, within which the ZT architecture has been implemented, to validate component connections, communications, and relationships on an ongoing basis, through established and enforced access policies and workflows,” explains Herold. “The goals of ZT are to prevent unauthorized access to data, objects, and services, as well as to use access control that is as granular as possible to enforce ‘least privileges’ needed by any given component to perform requested actions,” she notes.
ZT focuses not only on data access, but also on securing access to all other types of network components—including IoT devices, according to Herold.
Given the ubiquity and diverse applications of IoT devices, not securing them specifically can have significant consequences. Herold cites a well-publicized incident in 2017 in which a Las Vegas casino was hacked through an internet-connected thermostat in an aquarium. “The cybercriminals used it as a pathway to access the casino’s computer systems and databases, where they exfiltrated 10 gigabytes of sensitive and confidential data that went to a device located in Finland,” she notes.
Had the casino implemented a ZT architecture, it would have ensured, on an ongoing basis, “that not only would specific authorized components alone be able to access the aquarium capabilities, but [also] that the IoT aquarium could only access a limited set of specific components on the casino’s network,” she explains.
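The two-sided restriction Herold describes (only specific components may reach the IoT device, and the device may reach only a small set of components, with that access re-validated continuously) is what a ZT policy enforcement point evaluates on every connection. The following is an added illustration written for this article, not code from the article, from Herold, or from any product: a toy Python policy evaluator with default-deny allow-lists in both directions, credential expiry that forces re-attestation, and an audit log of decisions for the detection team. All component names, ports and expiry values are constructed for the example.

```python
"""Toy zero-trust policy enforcement point for IoT network flows.

Added illustration only: component names, ports and expiry times below are
constructed, not taken from any real deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str   # identity of the component opening the connection
    dst: str   # identity of the component being contacted
    port: int


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ZeroTrustPolicy:
    # Per-component allow-lists. Anything not listed is denied (default deny).
    outbound: Dict[str, Set[Tuple[str, int]]]   # src -> {(dst, port)} it may reach
    inbound: Dict[str, Set[str]]                # dst -> {src} it accepts
    # Credential / attestation expiry per component; access is re-validated on
    # every flow rather than once at a perimeter login.
    credential_expiry: Dict[str, float]
    audit_log: List[str] = field(default_factory=list)

    def authorize(self, flow: Flow, now: float) -> Decision:
        """Evaluate one flow at time `now` and record the verdict for detection."""
        decision = self._evaluate(flow, now)
        verdict = "ALLOW" if decision.allowed else "DENY"
        self.audit_log.append(
            f"{verdict} {flow.src}->{flow.dst}:{flow.port} ({decision.reason})"
        )
        return decision

    def _evaluate(self, flow: Flow, now: float) -> Decision:
        # 1. Both endpoints must have a known, unexpired identity.
        for ident in (flow.src, flow.dst):
            expiry = self.credential_expiry.get(ident)
            if expiry is None:
                return Decision(False, f"unknown identity {ident}")
            if now >= expiry:
                return Decision(False, f"credential for {ident} expired; re-attestation required")
        # 2. The source must be permitted to reach this destination and port.
        if (flow.dst, flow.port) not in self.outbound.get(flow.src, set()):
            return Decision(False, f"{flow.src} not permitted to reach {flow.dst}:{flow.port}")
        # 3. The destination must independently accept this source (least privilege both ways).
        if flow.src not in self.inbound.get(flow.dst, set()):
            return Decision(False, f"{flow.dst} does not accept connections from {flow.src}")
        return Decision(True, "both sides of the policy permit this flow")


def build_sample_policy() -> ZeroTrustPolicy:
    """Constructed policy: the aquarium thermostat may only talk to the building
    management service, and only the building service and an ops workstation may
    talk to the thermostat. The guest database is unreachable from the device."""
    return ZeroTrustPolicy(
        outbound={
            "aquarium-thermostat": {("building-mgmt", 8883)},
            "building-mgmt": {("aquarium-thermostat", 443)},
            "ops-workstation": {("aquarium-thermostat", 443), ("guest-db", 5432)},
        },
        inbound={
            "aquarium-thermostat": {"building-mgmt", "ops-workstation"},
            "building-mgmt": {"aquarium-thermostat"},
            "guest-db": {"ops-workstation"},
        },
        credential_expiry={
            "aquarium-thermostat": 1000.0,
            "building-mgmt": 1000.0,
            "ops-workstation": 1000.0,
            "guest-db": 1000.0,
        },
    )


def demo() -> Tuple[List[bool], List[str]]:
    """Run a handful of constructed flows and return the verdicts and audit log."""
    policy = build_sample_policy()
    now = 500.0
    verdicts = [
        # Legitimate telemetry from the thermostat to its controller.
        policy.authorize(Flow("aquarium-thermostat", "building-mgmt", 8883), now).allowed,
        # The thermostat trying to reach the database: denied by its outbound list.
        policy.authorize(Flow("aquarium-thermostat", "guest-db", 5432), now).allowed,
        # Authorised maintenance access to the device.
        policy.authorize(Flow("ops-workstation", "aquarium-thermostat", 443), now).allowed,
        # Same legitimate flow later, after the device credential has expired.
        policy.authorize(Flow("aquarium-thermostat", "building-mgmt", 8883), 2000.0).allowed,
        # A component with no enrolled identity at all.
        policy.authorize(Flow("visitor-laptop", "aquarium-thermostat", 443), now).allowed,
    ]
    return verdicts, policy.audit_log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The point of the example is the shape of the decision, not the data structures: every flow is checked against the identity of both endpoints and against allow-lists on both sides, so an IoT device that is compromised still cannot reach anything beyond its narrow, pre-approved set of peers, and each denied attempt leaves an audit record that security operations can alert on.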
Traditional network security has historically been seen as product/technology-led, as in, “here is a technology to solve a problem,” says Tufts. In contrast, ZT entails a more comprehensive look at an organization’s network and operations, he notes, including analysis of the “criticality level” of specific functions and letting that be a determinant of the level of security necessary.