Zero Trust Architecture: What it is and Why it Matters for IoT Security
As the number of IoT devices continues to grow exponentially, so does the potential attack surface and the risk of unauthorized access or compromise. At their core, zero trust architectures rely on the fundamental principle of limiting user and device access to sensitive resources. However, implementing a zero trust architecture (ZTA) with IoT devices presents unique challenges. Organizations should carefully consider these differences so they can adapt their strategies to accommodate the specific requirements and limitations of IoT devices.
When trying to apply zero trust architecture principles to IoT devices, organizations should consider the limitations of macro- and micro-segmentation strategies and understand how targeted segmentation can enhance security.
What is Zero Trust?
Zero trust is a cybersecurity strategy that requires users and devices to continuously authenticate to networks. Historically, organizations assumed that once a user or device gained authorized access to a network, the person or device should be granted implicit trust. However, as organizations adopted cloud-based technologies that rely on the public internet, they needed to consider every user, device, and network as potentially compromised.
A zero trust strategy emphasizes continuously validating and verifying:
- User identity
- Access privileges
- Device security posture
What are the primary pillars of zero trust architectures?
Many people discuss zero trust as a monolith, as if it were a problem a single tool can solve. However, a zero trust architecture (ZTA) requires an organization to address different potential attack and risk vectors.
Identities
Identity and access management (IAM) acts as a foundation for the other pillars of zero trust architecture.
Validating user login credentials and employing robust authentication is the first step. As malicious actors seek to use stolen credentials or deploy credential-based attacks, multi-factor authentication (MFA) becomes increasingly important. Before granting a user access to systems and networks, MFA requires the user to provide something they:
- Know (a password)
- Have (a smartphone or token)
- Are (a biometric, like a fingerprint or face ID)
After authenticating users, organizations should implement and enforce the principle of least privilege, limiting a user’s access to resources to only the ones necessary to complete their job function.
Endpoints
An endpoint is any device that accesses a network, like:
- Laptops
- Smartphones
- Servers
- Internet of Things (IoT) devices
As part of implementing ZTA, an organization needs to verify devices before granting network access, including reviewing their security posture. Typically, this process includes technologies like:
- Unified Endpoint Management (UEM): setting security policies for devices, including configuration, patching, and monitoring
- Endpoint Detection and Response (EDR): monitoring, detecting, and responding to malicious device activity that may indicate a potential malware infection
Networks
Within the context of ZTA, network security focuses on limiting, managing, and monitoring internal and external traffic. Some key network security controls include:
- Network segmentation: establishing different networks based on risk and applying the principle of least privilege at the network level to reduce lateral movement risks
- Encryption: protecting data-in-transit so that it is unreadable to anyone who does not have the decryption key
- Traffic management: establishing network rules and configurations that map to applications so the organization can limit network connectivity to critical applications and sensitive data
- Vulnerability scanning: scanning networks for security weaknesses, including common vulnerabilities and exposures (CVEs) on devices
Applications and Workloads
In a ZTA, protecting applications and workloads typically focuses on controlling user access as precisely as possible, integrating threat intelligence for situational awareness, and implementing a DevSecOps approach for internal application development.
Some key controls for protecting applications and workloads include:
- Attribute-Based Access Controls (ABAC): providing context around users when defining access, including attributes like device compliance or geographic location
- Secure configurations: limiting application connectivity by removing unnecessary functions or connections to the public internet
- Secure software development lifecycle (SSDLC): testing application security earlier in the development process to reduce software supply chain risks
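The identity, endpoint and ABAC controls above combine into a single access decision that is re-made on every request. The following Python policy evaluator is an added example, not code from the original post or from Asimily; the request attributes, role grants, country list and resource names are constructed for illustration. It denies by default, reports which pillar failed, and re-evaluates the session whenever device posture or context changes, which is the "continuous verification" the article describes.

```python
from dataclasses import dataclass, replace


# Hypothetical request shape, constructed for this example.
@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset           # privileges granted to the identity (IAM pillar)
    mfa_verified: bool         # MFA completed for this session (identity pillar)
    device_compliant: bool     # UEM posture: patched and configured to policy (endpoint pillar)
    edr_clean: bool            # EDR reports no active detection on the device (endpoint pillar)
    country: str               # geographic attribute of the connection (ABAC context)
    resource: str              # application or data store being requested
    sensitivity: str           # data label: "internal" or "restricted" (constructed labels)


# Least privilege: each role is granted only the resources its job function needs (constructed).
ROLE_GRANTS = {
    "finance": {"ledger-db"},
    "clinical": {"ehr-api"},
    "it-admin": {"ledger-db", "ehr-api"},
}
# Restricted data may only be reached from these countries (constructed policy).
ALLOWED_COUNTRIES = {"US", "CA"}


def check_identity(req: Request) -> list[str]:
    return [] if req.mfa_verified else ["identity: MFA not verified"]


def check_privilege(req: Request) -> list[str]:
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in req.roles))
    return [] if req.resource in granted else ["privilege: role does not grant resource"]


def check_device(req: Request) -> list[str]:
    findings = []
    if not req.device_compliant:
        findings.append("endpoint: device not UEM-compliant")
    if not req.edr_clean:
        findings.append("endpoint: active EDR detection")
    return findings


def check_context(req: Request) -> list[str]:
    if req.sensitivity == "restricted" and req.country not in ALLOWED_COUNTRIES:
        return ["context: restricted data outside allowed geography"]
    return []


def decide(req: Request) -> tuple[str, list[str]]:
    """Default deny: every pillar must pass; the reasons list explains a denial."""
    reasons = check_identity(req) + check_privilege(req) + check_device(req) + check_context(req)
    return ("allow", []) if not reasons else ("deny", reasons)


def evaluate_session(req: Request, posture_events: list[dict]) -> list[tuple[str, list[str]]]:
    """Continuous verification: re-run the full decision whenever an attribute
    changes; an earlier allow never carries over to later requests."""
    decisions = [decide(req)]
    for change in posture_events:
        req = replace(req, **change)   # e.g. {"edr_clean": False} when EDR raises an alert
        decisions.append(decide(req))
    return decisions


if __name__ == "__main__":
    alice = Request("alice", frozenset({"finance"}), True, True, True, "US", "ledger-db", "restricted")
    events = [{"edr_clean": False}, {"edr_clean": True, "country": "BR"}, {"country": "CA"}]
    for verdict, why in evaluate_session(alice, events):
        print(verdict, why)
```

The design point is that the decision function has no notion of a trusted session: a user who was allowed a minute ago is denied the moment EDR reports a detection or the connection moves outside the permitted geography, and is allowed again only once every check passes.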
Data
Sensitive data is the primary resource that a ZTA seeks to protect. When building the architecture, organizations should implement processes and controls for:
- Identification and categorization: labeling sensitive data like personally identifiable information (PII), protected health information (PHI), cardholder data, corporate intellectual property, or corporate financial information
- Encryption: making data-at-rest and in-transit unusable to anyone without the decryption key
- Access: limiting user and entity permissions, including read, write, edit, and sharing privileges
Challenges implementing zero trust architectures with IoT Devices
As an organization incorporates more IoT devices, it expands the attack surface and complicates how to enforce the ZTA objectives.
Identifying and inventorying devices
Before an organization can place controls on an IoT device, it needs to identify it and incorporate it into the overarching IT asset inventory. As the IoT fleet expands, the organization may face challenges like:
- Traditional IT inventory and asset management tools can take IoT devices offline
- IoT devices may move across an organization’s campus, making it difficult to track their physical location
- IoT device ownership and responsibility are unclear, creating blind spots
Lack of authentication/authorization
IoT devices lack the robust authentication and authorization mechanisms necessary for a ZTA. Many IoT devices, like security cameras, only require a password and have no ability to implement MFA. Malicious actors can use these devices as an entry point and then move laterally to gain access to other resources.
IoT devices do not integrate with endpoint security tools
Many endpoint security technologies – like UEM and EDR – monitor devices after the organization installs software on them. However, IoT devices typically cannot run this type of management software. This means that organizations often struggle to identify vulnerabilities embedded in a device’s firmware. Even more difficult, the rise of software supply chain attacks creates greater risk because IoT devices often incorporate third-party software components, yet organizations have no visibility into these risks.
Lack of encryption
Many IoT devices lack the processing power necessary to encrypt data-at-rest, placing any data that these devices store or process at risk.
Implementing Targeted Segmentation as part of Zero Trust Architecture
At the network layer, segmentation is a critical security control. Typically, organizations implement:
- Macro-segmentation: using physical or logical means to limit communications between different functional areas of a broader network, like preventing a guest network from communicating with critical applications
- Micro-segmentation: using flexible security policies that define asset isolation by identity or attribute instead of IP-address, like creating segments for all financial applications or all healthcare applications
When managing IoT devices, micro-segmentation creates unique challenges, including:
- Configurations: IoT devices use different ports and protocols than traditional devices, so each network segment containing them needs to be configured correctly
- Up-front investment: fully implementing a Network Access Control (NAC) tool’s configurations for micro-segmentation can take an average of 8-12 hours per IoT device
- High maintenance: maintaining micro-segments while adding new devices and moving devices across an organization’s campus is a lot of work
Targeted segmentation differs from micro-segmentation because it starts by focusing on devices with similar exploit vectors. For example, an organization may have more than 3000 IoT devices to manage, but those devices can be grouped into 45 attack vectors. By organizing the network segmentation around common risk profiles, a company can create network access controls based on these shared security concerns. By focusing on shared security risk profiles, organizations can implement a variety of IoT-specific mitigation techniques, including:
- Security governance
- Patching
- Device configuration management
- Upgrading or replacing insecure devices
The fundamental steps necessary for implementing targeted segmentation for IoT devices include:
- Identify IoT devices and create an asset inventory: a passive scanning solution enables organizations to obtain and categorize each device’s model, OS version, configuration, connectivity, neighbors, and other capabilities
- Review attack vectors: devices may be vulnerable to multiple attack vectors, so identifying all potential vectors is crucial
- Find the simplest remediation option: remediation may be as simple as blocking ports or applying a firmware update
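The three steps above, together with the grouping-by-shared-attack-vector idea that defines targeted segmentation, can be shown end to end on a small inventory. The Python below is an added example, not code from the original post or from Asimily's platform: the device records, the attack vector catalogue, the minimum firmware versions and the "required services" per model are all constructed for illustration. It takes a passively collected inventory (model, firmware, observed ports), computes each device's set of attack vectors, groups devices into one segment per shared risk profile, and picks the cheapest remediation per vector (block a port, or only restrict it when the device needs that service to do its job, before falling back to a firmware update).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    firmware: tuple              # version as a tuple so it compares numerically
    services: frozenset          # (port, protocol) pairs observed by passive scanning


# Constructed policy tables, not vendor advisories. Minimum firmware per model, and
# the services a model needs for its function (those get restricted, not blocked).
MIN_FIRMWARE = {"ip-camera": (1, 4, 0), "badge-reader": (2, 0, 0), "infusion-pump": (3, 1, 0)}
REQUIRED_SERVICES = {"ip-camera": {554}, "badge-reader": {80}, "infusion-pump": {443}}


def exposes(port: int):
    return lambda d: any(p == port for p, _ in d.services)


def outdated(d: Device) -> bool:
    return d.firmware < MIN_FIRMWARE.get(d.model, (0, 0, 0))


# Attack vector catalogue (constructed): (name, predicate, simplest remediation).
VECTORS = [
    ("telnet-management", exposes(23), ("block-port", 23)),
    ("cleartext-web-admin", exposes(80), ("block-port", 80)),
    ("upnp-discovery", exposes(1900), ("block-port", 1900)),
    ("outdated-firmware", outdated, ("firmware-update", None)),
]
# Relative effort of each remediation; cheaper options are listed first in a plan.
COST = {"block-port": 0, "restrict-port": 1, "firmware-update": 2}


def attack_vectors(d: Device) -> frozenset:
    return frozenset(name for name, pred, _ in VECTORS if pred(d))


def targeted_segments(inventory):
    """Group devices by their set of attack vectors: one segment per shared risk profile."""
    segments = defaultdict(list)
    for d in inventory:
        segments[attack_vectors(d)].append(d)
    return dict(segments)


def remediation_plan(vectors: frozenset, models: set) -> list:
    """Cheapest fix per vector: block a port unless a model in the segment needs it,
    in which case restrict it to a management segment; firmware updates come last."""
    plan = []
    for name, _, (action, port) in VECTORS:
        if name not in vectors:
            continue
        if action == "block-port":
            needed = any(port in REQUIRED_SERVICES.get(m, set()) for m in models)
            plan.append(("restrict-port" if needed else "block-port", port))
        else:
            for m in sorted(models):
                plan.append(("firmware-update", f"{m}>={'.'.join(map(str, MIN_FIRMWARE[m]))}"))
    return sorted(plan, key=lambda r: (COST[r[0]], str(r[1])))


def build_plan(inventory) -> list[dict]:
    """One entry per segment: its risk profile, member devices and remediation plan."""
    report = []
    for vectors, devices in targeted_segments(inventory).items():
        models = {d.model for d in devices}
        report.append({
            "vectors": sorted(vectors),
            "devices": sorted(d.device_id for d in devices),
            "plan": remediation_plan(vectors, models),
        })
    return sorted(report, key=lambda s: s["devices"])


# Constructed sample inventory, as a passive scanner might report it.
INVENTORY = [
    Device("cam-01", "ip-camera", (1, 2, 0), frozenset({(23, "telnet"), (80, "http"), (554, "rtsp")})),
    Device("cam-02", "ip-camera", (1, 2, 0), frozenset({(23, "telnet"), (80, "http"), (554, "rtsp")})),
    Device("cam-03", "ip-camera", (1, 4, 0), frozenset({(443, "https"), (554, "rtsp")})),
    Device("badge-01", "badge-reader", (2, 0, 0), frozenset({(80, "http"), (1900, "ssdp")})),
    Device("badge-02", "badge-reader", (2, 1, 0), frozenset({(80, "http"), (1900, "ssdp")})),
    Device("pump-01", "infusion-pump", (3, 0, 2), frozenset({(443, "https")})),
    Device("pump-02", "infusion-pump", (3, 0, 2), frozenset({(23, "telnet"), (443, "https")})),
]

if __name__ == "__main__":
    for segment in build_plan(INVENTORY):
        print(segment["devices"], segment["vectors"], segment["plan"])
```

Seven devices collapse into five segments, and the two camera models on old firmware share one policy (block telnet and cleartext HTTP, then update firmware) even though they are separate assets; the badge readers keep HTTP reachable only from a management segment because the sample model needs it. Adding a device with an already-seen vector set joins an existing segment and inherits its plan, which is what keeps maintenance lower than per-device micro-segmentation.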
Asimily: Automation for Targeted Segmentation
Asimily provides a comprehensive, targeted approach that improves organizations’ IoT security.
Asimily is designed with IoT devices in mind, monitoring network traffic to and from IoT devices, continuously scanning your network to automatically detect any IoT devices, and ensuring your inventory remains current. When it locates a device, it surfaces the model, firmware version, MAC address, other data or applications, and any possible vulnerabilities.
Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High Risk (having both a High Likelihood of exploitation and High Impact if compromised). As part of a targeted approach to segmentation, organizations can use Asimily’s recommendations that are built for easy deployment. When the recommendation involves a change to networks, there is a seamless integration with NACs, firewalls, or other network enforcement solutions.
Asimily’s inventory and vulnerability detection capabilities ensure you can identify unknown assets and apply mitigations. In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, security teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.
To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.