
How to apply a Zero Trust approach to your IoT solutions


For many, 2020 was a year of survival as they rapidly transformed their businesses in response to a new normal. From enabling new remote and hybrid work models to implementing new technology to help optimize operations, the last year has seen a significant uptick in the proliferation and role of IoT devices. Many organizations have suddenly found themselves facing an expanded attack surface with new security challenges they were not fully prepared for.

IoT solutions need to be secured end-to-end, all the way from the device to the cloud or hybrid service in which the data is processed. Securing IoT devices adds additional layers of complexity because of the incredible diversity in design, hardware, operating systems, deployment locations, and more. For example, many are “user-less” and run automated workloads, presenting challenges when integrating them into existing identity and access management tools. Many IoT devices have also been deployed using infrastructure and equipment not originally designed for a connected world, or have limited capabilities and connectivity, making them challenging to secure. And because IoT devices are typically deployed in diverse environments—ranging from inside factories or office buildings to remote worksites or critical infrastructure—they’re exposed in unique ways and can offer high-value targets to attackers.

Figure 1: Technical characteristics of IoT and their challenges (the graphic lists running automated workloads, aging infrastructure, and limited connectivity).

Embracing Zero Trust for your IoT solutions

As organizations continue to drive their digital transformation efforts, especially through the increased deployment of IoT solutions, it quickly becomes clear that the current approach to securing and managing these devices needs to be adapted to the reality of their environment. Enter Zero Trust, the security model that assumes breach and treats every access attempt as if it originates from an open network.

In October 2019, we published a whitepaper with our official guidance on implementing a Zero Trust security model, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements. If you haven’t read it, we highly recommend starting there as everything we discuss from here on will build on the requirements in that model.

A practical approach for implementing Zero Trust for IoT

Securing IoT solutions with a Zero Trust security model starts with requirements that are not IoT-specific—specifically, ensuring you have implemented the basics of securing identities and their devices and limiting their access. These include explicitly verifying users, having visibility into the devices they’re bringing onto the network, and being able to make dynamic access decisions using real-time risk detections. This helps limit the potential blast radius of users gaining unauthorized access to IoT services and data in the cloud or on-premises, which can lead to both mass information disclosure (like leaked production data of a factory) and potential elevation of privilege for command and control of cyber-physical systems (like stopping a factory production line).

Once those requirements are met, we can shift our focus to the specific Zero Trust requirements for IoT solutions:

  • Strong identity to authenticate devices. Register devices, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust so you can trust the device’s identity before making decisions.
  • Least privileged access to mitigate blast radius. Implement device and workload access control to limit the potential blast radius of authenticated identities that may have been compromised or may be running unapproved workloads.
  • Device health to gate access or flag devices for remediation. Check security configuration, assess for vulnerabilities and insecure passwords, and monitor for active threats and anomalous behavioral alerts to build ongoing risk profiles.
  • Continual updates to keep devices healthy. Use a centralized configuration and compliance management solution and a robust update mechanism to ensure devices are up to date and in a healthy state.
  • Security monitoring and response to detect and respond to emerging threats. Employ proactive monitoring to rapidly identify unauthorized or compromised devices.
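
As an added illustration (not code from this post or the whitepaper), here is a Python sketch of an access gate that applies those requirements in order: verify the device’s identity, check its health, then grant only the scopes its role needs, flagging anything that needs remediation rather than silently allowing it. The field names, roles, scope strings, renewal window and sample devices are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least-privilege scopes per device role (constructed names, not a real service API).
ROLE_SCOPES = {"sensor": frozenset({"telemetry:send"}),
               "gateway": frozenset({"telemetry:send", "twin:read", "twin:write"})}
RENEW_WINDOW = timedelta(days=7)  # assumed policy: renew credentials expiring within a week

@dataclass(frozen=True)
class DeviceState:
    device_id: str
    role: str
    hw_attested: bool           # identity confirmed by a hardware root of trust
    cred_expires: datetime      # expiry of the device's renewable credential
    approved_workloads: frozenset
    running_workloads: frozenset
    config_compliant: bool      # matches the security configuration baseline
    critical_vulns: int         # open critical findings from vulnerability assessment
    anomaly_alert: bool         # active behavioural alert from security monitoring

def evaluate_access(dev: DeviceState, now: datetime) -> dict:
    """Zero Trust gate: verify identity, then health, then grant least privilege."""
    # 1. Strong identity: no attestation or a stale credential means no access at all.
    if not dev.hw_attested:
        return {"decision": "deny", "scopes": set(), "flags": ["identity:not_attested"]}
    if dev.cred_expires <= now:
        return {"decision": "deny", "scopes": set(), "flags": ["identity:credential_expired"]}
    flags = ["identity:renew_credential"] if dev.cred_expires - now <= RENEW_WINDOW else []
    # 2. Device health, active threats: quarantine and keep only the scope an update needs.
    unapproved = dev.running_workloads - dev.approved_workloads
    if unapproved or dev.anomaly_alert:
        flags += [f"threat:unapproved_workload:{w}" for w in sorted(unapproved)]
        flags += ["threat:anomaly_alert"] if dev.anomaly_alert else []
        return {"decision": "quarantine", "scopes": {"update:receive"}, "flags": flags}
    # 3. Device health, posture: allow, but flag drift and vulnerabilities for remediation.
    if not dev.config_compliant:
        flags.append("health:config_drift")
    if dev.critical_vulns:
        flags.append(f"health:critical_vulns:{dev.critical_vulns}")
    # 4. Least privilege: scopes come from the role, never from what the device asks for.
    return {"decision": "allow", "scopes": set(ROLE_SCOPES.get(dev.role, ())), "flags": flags}

# Constructed sample devices: a healthy sensor and a gateway running an unapproved workload.
NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)
HEALTHY = DeviceState("sensor-01", "sensor", True, NOW + timedelta(days=30),
                      frozenset({"telemetry"}), frozenset({"telemetry"}), True, 0, False)
ROGUE = DeviceState("gw-07", "gateway", True, NOW + timedelta(days=2),
                    frozenset({"telemetry", "edge-agent"}),
                    frozenset({"telemetry", "edge-agent", "unsigned-module"}), True, 1, False)
```

Calling `evaluate_access(ROGUE, NOW)` quarantines the gateway with an update-only scope and also notes that its credential is due for renewal, so the remediation path and the identity lifecycle are handled in the same decision.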

Today, we’re publishing a new whitepaper on how to apply a Zero Trust approach to your IoT solutions based on our experience helping other customers and securing our own environment. In this whitepaper, we break down the requirements above in more detail as well as provide guidance on applying Zero Trust to your existing IoT infrastructure. Finally, we’ve also included criteria to help select IoT devices and services for a Zero Trust environment.

Read the Zero Trust Cybersecurity for the Internet of Things whitepaper for full details.

Additional resources:

Watch The IoT Show: Zero Trust for IoT for a Channel9 interview where I explain the key capabilities of Zero Trust for IoT and how Microsoft solutions enable your journey.

Watch the playback of this week’s Azure IoT Security Summit for an overview of our IoT Security solutions and guidance on how to prevent security breaches, address weak spots, and monitor the health of your IoT devices in near real-time to find and eliminate threats.

For more information about Microsoft Zero Trust please visit our website. Check out our deployment guides for step-by-step technical guidance.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
