Five Principles in a Zero-Trust Security Approach to IoT
Zero-trust policies help prevent successful data breaches by eliminating unauthorized access to networks. A zero-trust security policy thus requires that devices and users wanting access to the network must always verify their identity. This principle of “Never trust; always verify” enables security administrators to constantly verify the nature of an IoT device before it accesses a network.
(Take part in IoT Security Summit this December.)
In this conversation with Bill Kleyman of Switch, we discuss how a zero-trust security approach to IoT devices and the following five principles to a zero-trust approach:
- Identify and protect the service used. Connected devices are different from laptops, servers, or traditional IP-based machines, so don’t stereotype devices. Internet of Things (IoT) devices use different types of services and communicate differently on a network. Know what kinds what information these devices process, which services they use, what requires outside access, and protect both those services and the flow of the data.
- Map the data transaction flow. IoT traffic should be segmented from an active or primary network. Virtual local area networks or VLANs, create isolation for IoT traffic. The next step is to understand the flow of this data. Understand, down to the port level, of where this information originates from and where it goes. Include network monitoring solutions that actively watch for anomalous behavior. For example, strange traffic flow requests, traffic requests at unusual times, or improper packet sizes.
- Build a zero-trust architecture. When it comes to IoT, building a zero-trust architecture is key. Underlying this zero-trust architecture is the “Never trust; always verify” principle. Even if a device has access, it must be constantly verified to ensure it hasn’t been breached, that it’s not leaking data and that it’s persistently patched. Zero trust is a persistent and on-going process.
- Create zero-trust policies for business users and devices. A zero-trust strategy architecture must also be a user and business-driven structure. This includes training users, locking down ports and machines, and preventing rogue devices from accessing a network. From a business perspective, zero-trust means ensuring the organization has the right policies in place to secure data and preventing data from leaking. Keeping track of sensitive devices via Bluetooth beacons, for example, or geofencing specific bits of data from leaving a building are all a part of a zero-trust policy.
- Monitor, maintain, rinse and repeat. A major component of a zero-trust security approach is persistent verification of data and devices on the network. The “Never trust; always verify” aspect of zero-trust security dictates that we must constantly challenge the devices and services on a network to ensure they operate properly. Monitoring devices ensures you don’t confront an IoT sprawl issue, while good maintenance helps monitor how data flows and who interacts with it. Finally, always test your own systems. The malicious actors are never short of an opportunity to get into an ecosystem, don’t let an IoT platform create that hole.
For more coverage on IoT Security, take part in IoT Security Summit this December.