To secure any network, you need to understand the fundamentals of user and device requirements, the available resources, and the intersection of the access levels each user and endpoint requires for each resource; this principle is common to all security frameworks, inside and outside technology.
One security framework gathering steam over the past few years is ‘Zero Trust’. Conceptually, it starts by blocking all traffic unless a centralised policy explicitly allows it. This inverts the traditional perimeter model, in which anything inside the moat (the corporate network) is assumed to be friendly, because otherwise it would not be there, so a server, user laptop, network appliance or printer is allowed by default. The growing volume of connected devices inside most organisations, particularly government and large enterprise, driven by IoT adoption, makes asset management and security far more difficult. These IoT devices are, after all, effectively independent ‘users’ that require connections to a plethora of resources which, under a default-deny policy, are restricted until explicitly permitted. This affects not only support and administration teams but also demands a recalibration by the engineering and architecture functions responsible for design and deployment, meaning a suitable security framework must be ‘baked in’ from the first moment.
IoT Rate of Change
As IoT uptake spreads across industries, from critical infrastructure (utilities), healthcare, primary industry, manufacturing and retail through to government and defence, our capacity to stay secure needs to keep pace. It is one thing for a home smart doorbell to malfunction, quite another for a building management system to be compromised. The first step in Zero Trust for IoT is to remove all access and then grant only the access to the resources each device fundamentally requires: default deny, followed by an explicit per-device allowlist. That is an obviously smart decision when securing critical functions.
From the above, there are essentially four elements that must be considered when examining the security of IoT-rich organisations:
- The agentless nature of IoT devices
- The lack of formally defined network behaviour
- The sheer volume of these heterogeneous devices
- The potential consequence of their malfunction or compromise
The complications of these four points become obvious once brought to the fore. Because these devices often can, and often need to, fit into incredibly small spaces (lightbulbs, thermal regulators, CCTV cameras, pacemakers, ad nauseam), the compute, memory and power available for on-device security are limited, if present at all, which is why an endpoint agent is rarely an option. As forecasts put the number of devices online past 50 billion within the next few years, our reliance upon them for so much of what we do, both in business and privately, grows with it. IoT technology could become a common point of failure if we do not take careful steps now, during its ‘formative years’, to keep it from falling.
Lastly, when we look at criticality of function: transport, healthcare, energy and water, telecommunications, banking and finance, and so on, all rely on connected devices in one way or another. This makes threats such as botnets built from compromised IoT devices incredibly scary and ever-present for IoT networks, which are typically far less rigorously managed than OT networks.
Machine to Machine is a Misnomer
When talking about IoT, it is easy to lean on reductionism: ‘This connection is Device Type X, model number 303, and this is its IP address.’ While that information is vital when securing IoT and OT devices, relying solely on those values ignores the nuances of a device’s functional importance. A thermometer might be monitoring an HVAC cold facility for medical supplies, or it could just drive a readout on the side of a building. Same device type, very different risk profile. A Zero Trust IoT strategy must therefore give devices more than a cursory look and a basic universal policy per device type, or this context is lost.
“Same devices, different use cases, different risks. We have made asset discovery and management as simple as possible without losing fidelity to their individual context.”
– Adam de Jong, CEO of CyAmast
An Ally in Reaching Zero Trust with IoT
There are several solid IoT/OT security solutions in the market at the moment, but many are ultimately hamstrung by their inability to provide the insights required to implement Zero Trust effectively. Current approaches cannot combine the meta-view of the whole network with the individual device-level intelligence about behavioural context upon which Zero Trust ultimately depends.
The limitations of most solutions:
- Asset Discovery – gaining device information across ever-changing networks in (something approaching) real time is incredibly difficult, let alone cataloguing and managing each device’s profile
- Context – the ability to understand not only the network nuts and bolts of a device but also its dynamics as part of the overall network
- Use Case – current solutions do not account for differences in functional criticality between devices of the same type
- Encryption – most solutions built on Deep Packet Inspection (DPI) still do not handle encrypted traffic well. To see inside TLS they must terminate it in the middle, decrypting and then re-encrypting, which requires the device to trust an interception certificate; this is a process fraught with complications, since many IoT devices have no way to install a new trust root and certificate pinning breaks interception outright
Our method of Network Traffic Analysis (NTA) surveys the patterns in network traffic from the meta-view down to the individual device. While there are NTA solutions on the market already, our proprietary method uses machine learning (ML/AI) rather than simple pattern matching or signatures. By developing a profile of the intended behaviour of each connected asset, CyAmast systematically and automatically derives Zero Trust policies on a per-asset basis. It also maps traffic flows across the entire network to create or extend the trust policies of assets, while monitoring each asset’s runtime behaviour against those policies.
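As an added illustration of the profile-then-monitor approach described above (this is not CyAmast’s code and does not use its ML method; it is a plain deterministic allowlist written for this page), the following Python builds a default-deny policy per device from a learning window of flow records, tags each asset with a criticality that is independent of its device type (the thermometer case from the previous section), and flags runtime flows that fall outside the profile. Device names, hostnames, addresses and flow records are all constructed for the example. It uses only flow metadata (direction, protocol, remote endpoint, port, byte count), so an encrypted flow such as MQTT over TLS on port 8883 profiles exactly like a cleartext one, with no interception needed.

```python
# Added illustration: per-asset behavioural allowlist for Zero Trust IoT.
# Not CyAmast code; a generic approach built only from flow metadata.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

FlowKey = Tuple[str, str, str, int]  # (direction, proto, remote, port)


@dataclass(frozen=True)
class Flow:
    device: str     # asset identifier, e.g. MAC address (constructed values below)
    direction: str  # "out": device-initiated, "in": remote-initiated
    proto: str      # "tcp" or "udp"
    remote: str     # remote IP or resolved name
    port: int       # remote port for "out" flows, local port for "in" flows
    nbytes: int     # bytes transferred in this flow record

    def key(self) -> FlowKey:
        return (self.direction, self.proto, self.remote, self.port)


@dataclass
class Profile:
    allowed: Set[FlowKey] = field(default_factory=set)
    byte_ceiling: Dict[FlowKey, int] = field(default_factory=dict)


def learn(flows: Iterable[Flow], headroom: float = 2.0) -> Dict[str, Profile]:
    """Build one Profile per device from a trusted learning window.

    Every (direction, proto, remote, port) seen becomes an allowed flow; the
    largest flow observed, times `headroom`, becomes that flow's byte ceiling.
    Payload is never inspected, so TLS flows profile the same as cleartext."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for f in flows:
        p = profiles[f.device]
        k = f.key()
        p.allowed.add(k)
        p.byte_ceiling[k] = max(p.byte_ceiling.get(k, 0), f.nbytes)
    for p in profiles.values():
        for k in p.byte_ceiling:
            p.byte_ceiling[k] = int(p.byte_ceiling[k] * headroom)
    return dict(profiles)


def to_policy(profile: Profile) -> List[str]:
    """Render a profile as an ordered, default-deny rule list."""
    rules = [f"allow {d} {proto} {remote}:{port}"
             for (d, proto, remote, port) in sorted(profile.allowed)]
    rules.append("deny any")
    return rules


def evaluate(profiles: Dict[str, Profile], criticality: Dict[str, str],
             flows: Iterable[Flow]) -> List[Tuple[str, str, str, FlowKey]]:
    """Check runtime flows against profiles. Severity comes from the asset's
    criticality tag, not from its device type, so two identical thermometers
    can raise findings of different weight."""
    findings = []
    for f in flows:
        sev = criticality.get(f.device, "unknown")
        p = profiles.get(f.device)
        k = f.key()
        if p is None:
            findings.append((f.device, sev, "unprofiled-device", k))
        elif k not in p.allowed:
            findings.append((f.device, sev, "unexpected-flow", k))
        elif f.nbytes > p.byte_ceiling[k]:
            findings.append((f.device, sev, "volume-anomaly", k))
    return findings


# Constructed sample data: two thermometers of the same model, different roles.
LEARNING = [
    Flow("thermo-coldroom", "out", "udp", "ntp.example", 123, 90),
    Flow("thermo-coldroom", "out", "tcp", "broker.example", 8883, 1200),
    Flow("thermo-lobby", "out", "udp", "ntp.example", 123, 90),
    Flow("thermo-lobby", "out", "tcp", "broker.example", 8883, 1100),
]
CRITICALITY = {"thermo-coldroom": "high", "thermo-lobby": "low"}
RUNTIME = [
    Flow("thermo-coldroom", "out", "tcp", "broker.example", 8883, 1300),  # normal
    Flow("thermo-coldroom", "out", "tcp", "203.0.113.9", 445, 600),       # SMB to unknown host
    Flow("thermo-lobby", "out", "tcp", "203.0.113.9", 445, 600),          # same, low criticality
    Flow("thermo-lobby", "out", "tcp", "broker.example", 8883, 50_000),   # far above ceiling
    Flow("camera-7", "in", "tcp", "198.51.100.4", 554, 2000),             # never profiled
]


def demo() -> List[Tuple[str, str, str, FlowKey]]:
    return evaluate(learn(LEARNING), CRITICALITY, RUNTIME)


if __name__ == "__main__":
    for dev, sev, kind, k in demo():
        print(f"[{sev:>7}] {dev}: {kind} {k}")
    for rule in to_policy(learn(LEARNING)["thermo-coldroom"]):
        print(rule)
```

Running it reports the SMB connection from both thermometers as an unexpected flow, but the cold-room unit’s finding carries high severity while the lobby unit’s carries low, even though their learned policies are identical. The two caveats a practitioner should keep in mind: the learning window must itself be trusted (a device compromised before profiling will have its malicious flows allowlisted), and a flat byte ceiling is a crude stand-in for real behavioural modelling, which is where the ML approaches described above earn their keep.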
Talk with us today to find out how you can reach your Zero Trust end goal faster and without the headaches.