The IoT Landscape and Threats
Considering the inherent insecurity of connected devices, the threats facing organizations today often involve weakly defended IoT equipment as the first line of attack. This is especially alarming as 94% of CIOs acknowledge some serious threat to their environment within the next year.
A snapshot of those concerns reveals:
- Nearly half of CIOs see breaches as their biggest organizational risk
- 39% see malware and ransomware as their biggest risk
- 27% say resilience is a top three priority
- 68% of IT and security professionals plan to use zero trust for device security; 42% actually do
Some risks specifically affecting IoT include:
- Built-in vulnerabilities: IoT devices are often shipped specifically for consumer use, without enterprise-grade encryption or security controls
- AI-based attacks: Bot-based attacks are getting better at mimicking user activity, more easily breaching the low-security defenses of many IoT devices
- Deepfakes in access controls: There are now ways to brute-force even the fingerprint biometrics on your phone
- More sophisticated attack methods: Attacks on IoT will become more advanced and harder to defend against as attackers begin to specialize in certain areas (reconnaissance, social engineering, graphic design)
- Hidden nation-state attacks: As poorly defended IoT devices yield successful attack returns, nation-states will increasingly hire cybergangs to leverage easy device infiltration and access bigger payloads
Considering there will be over 64 billion IoT devices in use by the end of 2025, it will be impossible to secure your organization and achieve a Zero Trust environment without securing all connected devices that make up your IoT.
Why Zero Trust for Devices is Important
Gartner predicts that by 2025, 99% of cloud security failures will be the customer’s fault. This means it falls squarely on the shoulders of the enterprise to protect the devices that connect to it.
To do this, organizations can establish an identity-based Zero Trust strategy. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
In an identity-centric approach, human and machine identities are at the core of security policy creation, with access controls and policies based on assigned attributes. In this scenario, “the primary requirement to access corporate data and resources is based on the access privileges granted to the requesting user or machine.” So, Zero Trust is established based on cryptographic controls verifying the identity of the requesting machine.
Securing your devices is key to securing cloud access
“If a cybercriminal compromises a device and gains access to the [corporate cloud] environment, they can steal data, engage in a ransomware attack or carry out a malware campaign,” explains data and privacy expert Ambler Jackson. To prevent this, “organizations must have visibility into all connected devices and the ability to verify their identity before allowing access to cloud resources.”
As Venafi expert Ivan Wallis states, “in an on-demand environment, such as the cloud, Zero Trust bootstrapping systems require an identity right out of the gate. And in this type of machine-centric world, human nature doesn’t make sense as a checkpoint—we can no longer make gross assumptions on which external systems should be trusted.” Says Wallis, “In this sense, Zero Trust automatically assumes that a given activity is not allowed on a machine unless it falls within the acceptable security parameters for the user and function.”
For this reason, basing trust on secure digital identities (not general external systems) becomes key to establishing true Zero Trust in the cloud, and across your ecosystem.
Machine-IAM for your Devices
“To implement a Zero Trust strategy, organizations with mature cybersecurity programs use machine identity management. Verifying the identity of a device or a machine is the foundation of securing access to company resources, to include workloads that process data in the cloud,” states Jackson. In today’s threat economy, it is impossible to achieve zero trust without machine identity management.
Within each IoT device are thousands of machine identities or factors that establish the identity of the device and whether or not it can be trusted. As security expert David Bisson stated, “Machine identity management helps organizations gauge how much trust they can place in the identity of their machines,” which includes “credentials, such as secrets, cryptographic keys, X.509 and code signing certificates, and SSH keys.” According to Wallis, “Cryptographic keys and digital certificates are used to identify a machine and determine specific levels of trust. But this only works if you have a way of ensuring the integrity of those machine identities.”
A comprehensive machine identity management policy allows security teams to:
- Achieve visibility of all deployed machine identities
- Ensure ownership and governance
- Protect associated cryptographic keys
- Automate distribution and rotation of keys
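The points above (verifying a machine's identity cryptographically before granting access, ensuring the integrity of the X.509 identity, and keeping visibility and rotation of device certificates under control) can be made concrete with a small admission check. The following Go program is an added example and is not code from the original article or from Venafi: it builds a throwaway device CA, issues a short-lived client certificate bound to a device identity, and then applies the per-request decision a Zero Trust gateway would make (chain to a trusted root, within validity, key strength above policy, a nameable identity) while also flagging certificates that should be rotated before they lapse. The `device://<id>` URI SAN naming scheme, the 2048-bit RSA / P-256 minimum, and the rotation window are assumptions chosen for the example, not a standard.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// DeviceIdentity summarises the admission decision for one device certificate.
type DeviceIdentity struct {
	DeviceID      string // taken from the "device://<id>" URI SAN (naming scheme assumed for this example)
	Admit         bool   // true only if the chain verifies and the key meets policy
	NeedsRotation bool   // true when the certificate expires inside the rotation window
	Reason        string // human-readable explanation for the access log
}

// randomSerial returns a positive random serial number for a new certificate.
func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		panic(err)
	}
	return n.Add(n, big.NewInt(1))
}

// NewDeviceCA creates a self-signed CA for the example (constructed here;
// a real fleet CA would live in an HSM or a managed PKI).
func NewDeviceCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert issues a short-lived client-auth certificate bound to deviceID
// through a "device://<id>" URI SAN (assumed naming scheme).
func IssueDeviceCert(ca *x509.Certificate, caKey crypto.Signer, deviceID string,
	pub crypto.PublicKey, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: deviceID},
		URIs:         []*url.URL{{Scheme: "device", Host: deviceID}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// strongKey applies the (assumed) key policy: RSA of at least 2048 bits or
// ECDSA on a curve of at least 256 bits; anything else is refused.
func strongKey(pub crypto.PublicKey) bool {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen() >= 2048
	case *ecdsa.PublicKey:
		return k.Curve.Params().BitSize >= 256
	default:
		return false
	}
}

// CheckDeviceIdentity is the per-request decision: the certificate must chain to a
// trusted root, be within its validity period, carry a policy-strength key and name
// a device. Admitted certificates expiring within rotateWithin are flagged for rotation.
func CheckDeviceIdentity(cert *x509.Certificate, roots *x509.CertPool, now time.Time, rotateWithin time.Duration) DeviceIdentity {
	id := DeviceIdentity{}
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "device" {
		id.Reason = "no device:// URI SAN"
		return id
	}
	id.DeviceID = cert.URIs[0].Host
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		id.Reason = "chain verification failed: " + err.Error()
		return id
	}
	if !strongKey(cert.PublicKey) {
		id.Reason = "public key below policy strength"
		return id
	}
	id.Admit = true
	id.NeedsRotation = cert.NotAfter.Sub(now) < rotateWithin
	id.Reason = "admitted"
	if id.NeedsRotation {
		id.Reason = "admitted; certificate expires within rotation window"
	}
	return id
}

func main() {
	now := time.Now()
	ca, caKey, err := NewDeviceCA(now)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, err := IssueDeviceCert(ca, caKey, "sensor-17", &devKey.PublicKey, now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", CheckDeviceIdentity(cert, roots, now, 6*time.Hour))
	fmt.Printf("%+v\n", CheckDeviceIdentity(cert, roots, now.Add(20*time.Hour), 6*time.Hour))
}
```

The decision is pinned to the root pool and to `CurrentTime` rather than to the host clock, so the same function can be run over a fleet inventory to answer the visibility and rotation questions from the list above (which devices are still admissible, which certificates lapse before the next rotation cycle) without touching a live connection.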