Not All Buzzwords are Created Equal: Real Applications of Zero Trust Security for IoT
Zero Trust security. Some would say it’s the latest and greatest buzzword, and that skepticism is understandable given the amount of jargon introduced into the Information Technology market each year. When terms like “AI,” “Machine Learning,” and “Deep Learning” are used interchangeably, they get stripped of their real significance. Over-used, colorful phrases like “Next-Generation” and “Anomaly Detection” miss the mark when it comes to concise discussion of IT challenges and of the actual solutions and strategies that can alleviate them.
Where does zero trust security fit in and can we move past the buzzword into a more meaningful conversation?
We all know that corporate perimeters today aren’t what they once were. Endpoints have expanded into cloud-based services, remote environments, and Internet of Things (IoT) devices. Almost anything can connect to a network, so why should these services and devices be trusted by default, even if they were verified once before? The answer is that they shouldn’t: every connection is verified on its own terms, not on the strength of an earlier one.
Real Applications of Zero Trust Security
It’s a simple concept that has become overcomplicated. Let’s look at real applications of zero trust security, starting with the weak points shared by all IoT applications. OWASP published its IoT Top 10 as an infographic back in 2018; below is my adaptation, which applies the zero-trust security framework to each of those weak points.
- No automated network-discovery mechanisms, which leads to a lack of endpoint insight and of visibility into all assets, including data stores, configuration changes and drift, and the connection of rogue devices. Ivanti Neurons for Discovery, Ivanti Neurons for Healthcare, Neurons for Edge Intelligence, and Ivanti Neurons Workspace are tools to help solve this security dilemma.
- The lack of application-security processes such as a secure software development lifecycle (SDLC) and/or DevSecOps for Agile development and CI/CD practices. MobileIron’s incapptic Connect helps streamline application-development security and publishing. MobileIron Unified Endpoint Management (UEM) securely distributes and manages the entire application lifecycle: installation, updates, and removal.
- Weak or easily brute-forced credentials. MobileIron UEM can generate and deploy identity certificates for certificate-based authentication (CBA), and MobileIron Zero Sign-On provides a passwordless solution. CBA only removes the brute-force surface if the device’s private key is stored in non-exportable (ideally hardware-backed) storage and if a certificate can be revoked once the device is compromised.
- Where applicable, the lack of stronger authentication methods such as multifactor authentication (MFA). A robust inherence factor, specifically biometrics, is recommended, and adaptive authentication can add authentication challenges based on context and user role as verification factors. Again, MobileIron Zero Sign-On can enable MFA and adaptive authentication mechanisms.
- The lack of device management to deploy sanctioned applications and apply security controls for automated self-healing and self-securing against device, application, network, and phishing threats. The Ivanti Wavelink solution can deploy and provision productivity apps and tools for Industrial and Commercial IoT supply-chain and frontline-worker devices in retail, production, manufacturing, and public-sector settings. Ivanti Neurons for Healing and MobileIron Threat Defense address this gap by supplying automated extended detection and response (XDR) to remediate today’s sophisticated IoT threats.
- Outdated security patching of operating systems, apps, and hardware or firmware. Ivanti Neurons for Patch Intelligence and MobileIron Unified Endpoint Management can enforce intelligent security patch management and validation.
- The lack of strong encryption for data at rest and in process on the endpoint, and for data in transit over the insecure internet. Both MobileIron UEM and Pulse Connect Secure or Pulse Zero Trust Access can enable the native OS encryption mechanism (AES-256-GCM) on managed edge devices, and enforce TLS 1.2 cipher suites to protect data in transit to data-center or cloud destinations. Note that “TLS 1.2” alone is not a guarantee: the cipher-suite list matters, so allow only AEAD, forward-secret suites (ECDHE with AES-GCM or ChaCha20-Poly1305) and disable the CBC and RSA-key-exchange suites TLS 1.2 still permits.
- The use of insecure integration-ecosystem application programming interfaces (APIs) and insecure legacy industrial protocols (for example Modbus in SCADA environments, which has no authentication at all), as well as messaging protocols like MQTT and CoAP, which offer only basic authentication and depend on a secure transport: TLS for MQTT and DTLS for CoAP, respectively. Again, MobileIron UEM and Pulse Connect Secure or Pulse Zero Trust Access provide the privacy controls to maintain confidentiality, integrity, and availability of critical data and services. Ivanti Neurons for Edge Intelligence provides the ability to query all edge endpoints with real-time operational awareness.
- Non-secure default settings that can lead to a lack of privacy or to data loss. Ivanti Neurons for Edge Intelligence and MobileIron UEM can enable strong security and privacy-control policies that solve this problem.
- And lastly, the lack of physical hardening and self-protection mechanisms. Ivanti Neurons for Edge Intelligence and MobileIron Unified Endpoint Management can provide compliance remediation actions: monitoring; alerting the user and administrator; blocking access to provisioned applications and to Bluetooth and Wi-Fi networks; quarantining the device by removing or hiding provisioned applications and configurations; and/or selectively wiping UEM-provisioned settings from the device. One added capability is that a designated configuration can be pushed to the IoT endpoint to hide or obscure critical personal and work data when a physical or virtual threat is detected, without the disruptive compliance action of retiring the managed device from UEM altogether. This lets the endpoint return to operational mode much more quickly once the threat is remediated.
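The credentials item (certificate-based authentication) and the protocols item (MQTT over TLS) above describe the fix without showing it. What follows is an added example, not code from Ivanti, MobileIron or Pulse Secure: it builds a private device CA with the openssl CLI, issues a per-device certificate, checks that the device certificate chains to the CA while a rogue self-signed certificate with the same name does not, and writes a Mosquitto-style broker configuration with the insecure default beside the hardened listener. The CA name, the device name `sensor-001`, the scratch directory and the `mosquitto.conf` layout are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not Ivanti/MobileIron/Pulse code: certificate-based device
# authentication for an MQTT broker. Assumes the openssl CLI is installed and
# that the broker reads an Eclipse Mosquitto style mosquitto.conf. The CA name,
# device name (sensor-001) and file paths are illustrative choices.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and config

# Create the private device CA once, then issue a certificate for one device.
# The device identity is the certificate CN; the broker maps it to the MQTT
# username, so there is no password to brute-force. The broker's own server
# certificate is issued from the same CA here purely for brevity.
issue_device_cert() {
    dev="$1"
    (
        cd "$WORK"
        if [ ! -f ca.key ]; then
            openssl ecparam -genkey -name prime256v1 -noout -out ca.key
            openssl req -x509 -new -key ca.key -sha256 -days 365 \
                -subj "/CN=IoT-Device-CA" -out ca.crt
        fi
        openssl ecparam -genkey -name prime256v1 -noout -out "$dev.key"
        openssl req -new -key "$dev.key" -subj "/CN=$dev" -out "$dev.csr"
        openssl x509 -req -in "$dev.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -sha256 -days 90 -out "$dev.crt" 2>/dev/null
    )
}

# A rogue device: a syntactically valid certificate carrying the same CN as a
# real sensor, but self-signed instead of issued by the CA. It must be rejected.
make_rogue_cert() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/rogue.key"
    openssl req -x509 -new -key "$WORK/rogue.key" -sha256 -days 90 \
        -subj "/CN=sensor-001" -out "$WORK/rogue.crt"
}

# The check the broker performs at connect time: does the presented
# certificate chain to our CA? Exit status 0 = accept, non-zero = reject.
verify_device_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Broker configuration: the insecure default (anonymous, plaintext port 1883)
# is left commented out beside the hardened listener. Mosquitto does not accept
# trailing comments on directive lines, so every comment sits on its own line.
write_broker_conf() {
    cat > "$WORK/mosquitto.conf" <<EOF
# --- insecure default: anyone on the network can publish and subscribe ---
# listener 1883
# allow_anonymous true

# --- hardened listener: mutual TLS, identity taken from the client cert ---
listener 8883
allow_anonymous false
cafile $WORK/ca.crt
certfile $WORK/broker.crt
keyfile $WORK/broker.key
# TLS 1.2 baseline as named in the text; see mosquitto.conf(5) for your release
tls_version tlsv1.2
# reject any client that cannot present a certificate issued by our CA
require_certificate true
# the certificate CN becomes the MQTT username used for ACL decisions
use_identity_as_username true
EOF
}

# Stand-alone run: sh cba_mqtt.sh demo
if [ "${1:-}" = "demo" ]; then
    issue_device_cert broker
    issue_device_cert sensor-001
    make_rogue_cert
    write_broker_conf
    verify_device_cert "$WORK/sensor-001.crt" && echo "sensor-001: accepted (issued by CA)"
    verify_device_cert "$WORK/rogue.crt" || echo "rogue sensor-001: rejected (self-signed)"
    echo "broker config: $WORK/mosquitto.conf"
fi
```

The same pattern (private CA, one certificate per device, `require_certificate`) covers the CoAP case with DTLS; the transport changes, the identity check does not. Two practical caveats: the device’s private key should never leave the device (use non-exportable, ideally hardware-backed, key storage), and you need a revocation path (Mosquitto’s `crlfile` directive) so a compromised device’s certificate can be retired without reissuing everyone else’s.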
Not all buzzwords are created equal. Sometimes it just takes moving past the hype and stripping these concepts down to their simpler form. Is zero trust security a real IT concept that can and should be applied as one part of a larger security strategy? What do you think?