Including IoT in a Zero Trust Model

While the zero trust security model is not new, it has certainly cemented itself as cybersecurity’s hottest buzzword. Following a National Institute of Standards and Technology (NIST) and National Cyber Security Center of Excellence (NCCoE) report in 2018 that identifies the key principles behind zero trust architectures, it has become the gold standard for protecting the network. 

Security leaders are increasingly implementing zero trust as sophisticated cyberattacks are on the rise and the pressure to protect enterprise systems and data increases.

What is zero trust?

Zero trust is a security concept based on the belief that devices should not be trusted by default, even if they have been previously verified. In this approach, IT systems are designed to require all users inside and outside the organization be authenticated and continually validated for security posture before accessing applications and data.

To do this, the framework uses advanced technologies such as multifactor authentication, identity and access management (IAM), analytics, encryption, and more.

Ultimately, in a zero trust model once validated users are NOT given the keys to the castle, they are only given the access they need to accomplish their specific task.

Don’t forget IoT devices

The increasingly dispersed nature of enterprise networks today led to the need for new security protocols. Since companies no longer have one corporate data center that houses a contained network of systems and instead rely on on-prem and cloud applications with users accessing those applications from a range of devices and locations, the threat landscape has become much more complicated.

Further complicating things are the existence and proliferation of IoT devices in the enterprise. It’s estimated that there are 10 billion active IoT devices currently, and that number is expected to surpass 25 billion in 2030.

Each of these is another endpoint that needs to be cared for and included in the security architecture. However, IoT devices are often overlooked or vastly underestimated. Security leaders often estimate that 1 percent of their network is made up of IoT, but in reality, it’s more like 20 percent or higher. And, this number of connected devices is constantly increasing, oftentimes with devices being deployed as shadow IoT unbeknownst to security teams.

With reports of new attacks often involving the misuse of credentials, like in the case of Verkada earlier this year, ensuring that basic hygiene measures are met for IoT devices is of the utmost importance. However, basic security measures for IoT devices often go overlooked as part of a broader cybersecurity posture, often leaving patching and credential management untouched for an average of seven years.

Conducting basic, scalable security hygiene measures to protect IoT devices, such as inventory, patching and credential management is essential, as is automating remediation against IoT’s most critical vulnerabilities. It is only through automation that organizations can keep pace with the proliferation of IoT technologies without overtaxing IT teams.

Zero Trust is one of the most successful ways for organizations to control access to their networks, applications, and data. However, in order for it to be effective, it must take into account all access points or endpoints on the network, including IoT devices.

For more information on how to make sure IoT devices are included in your zero trust architecture, please join us for a demo of Phosphorus Enterprise.