The principle of Zero Trust has long been a core tenet of corporate cybersecurity. It does what it says on the tin – it is centred on the concept that organisations should not automatically trust any application, device or user attempting to gain access to their network. Even once they are within their network perimeter, trust should not be assumed as that application, device or user moves from area to area. ‘Never trust, always verify’ is the mantra – and that verification must continue even after initial authentication.
However, the Internet of Things (IoT) has disrupted this straightforward picture, because it has dramatically increased the volume of connected devices within the typical corporate infrastructure. An organisation which has introduced connected sensors to monitor its environmental conditions, for example, or a business which has implemented IoT connectivity into the products it sells, may have thousands or even hundreds of thousands of connected ‘things’ to manage, compared with just a few years previously. In turn, this means that ‘never trust, always verify’ has become a much more complicated and resource-intensive concept to put into practice.
Yet at the same time, the IoT also makes security via Zero Trust an even more business-critical concept. This is for several key reasons, including:
- Scope and scale: The IoT is proliferating to touch more and more of our lives whether at work or at play. It is fuelling the development not merely of smart organisations and buildings, but smart ecosystems and cities. The IoT is both pervasive and enormous, which means that securing it – via a Zero Trust approach – is becoming an increasingly pervasive and enormous challenge.
- Sensor size: Typical IoT devices are relatively small and simple – indeed, this is precisely why the IoT is proliferating so fast. This small footprint brings myriad advantages in terms of functionality, flexibility and scalability – but myriad challenges in terms of the limited physical and virtual space available for traditional cybersecurity tools.
- Business criticality: As the IoT grows to touch more aspects of more organisations, it is becoming an increasingly business-critical facet of infrastructure, which means, in turn, that securing the IoT is becoming an increasingly business-critical challenge. Failure points in IoT ecosystems are not just frustrations – they can be organisation-destroying events.
- Automation: Many IoT devices operate without human assistance to gather, access, share and harness information. This is both hugely powerful – unlocking new efficiencies and insights seamlessly – and a point of vulnerability – because security must operate without human oversight too.
Making Zero Trust work in an IoT world
How, then, can organisations create Zero Trust architectures to suit this new IoT-enabled world?
Such architectures require, of course, in-depth visibility and understanding of all the IoT systems on the network – because that can then enable context-based segmentation decisions, keeping specific devices, applications and traffic flows separate from each other, even within a vast and complex infrastructure.
And all this must be underpinned by an understanding and verification of the identity of every single IoT-enabled device on the network – including its business context, its resource dependencies and relevant traffic flows. Identity and access management (IAM) and data security are two core areas for any organisation looking to build a Zero Trust architecture for the IoT. When evaluating tools in these areas, look for advanced features such as adaptive authentication and integration with other products.
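A minimal sketch of the per-flow decision described above, as an added example that is not part of the original article: each device record carries its business context and declared resource dependencies, and a flow is denied unless the device is known, recently verified and talking to a declared dependency. The device names, addresses, the 300-second re-verification window and the `decide` function are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

MAX_VERIFY_AGE = 300  # assumption: identity must be re-verified every 5 minutes

@dataclass(frozen=True)
class Device:
    segment: str          # business context, used as the segment label
    dependencies: tuple   # declared resource dependencies: (cidr, port) pairs
    verified_at: float    # epoch seconds of last successful identity check

# Constructed inventory; names and addresses are illustrative only.
INVENTORY = {
    "hvac-sensor-017": Device("building-env", (("10.20.0.10/32", 8883),), 1000.0),
    "badge-reader-03": Device("physical-access", (("10.30.0.0/28", 443),), 400.0),
}

def decide(device_id, dst_ip, dst_port, now, inventory=INVENTORY):
    """Return (verdict, reason) for one flow; anything not proven is denied."""
    dev = inventory.get(device_id)
    if dev is None:
        return ("deny", "unknown device")
    # 'Always verify': a past authentication does not stay valid forever.
    if now - dev.verified_at > MAX_VERIFY_AGE:
        return ("deny", "identity verification stale")
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return ("deny", "malformed destination")
    for cidr, port in dev.dependencies:
        if port == dst_port and addr in ipaddress.ip_network(cidr):
            return ("allow", f"{dev.segment} -> {cidr}:{port}")
    return ("deny", "flow not in declared dependencies")

if __name__ == "__main__":
    now = 1100.0  # constructed clock value
    flows = [
        ("hvac-sensor-017", "10.20.0.10", 8883),  # sensor to its broker
        ("hvac-sensor-017", "10.30.0.5", 443),    # sensor crossing segments
        ("badge-reader-03", "10.30.0.5", 443),    # verification has expired
        ("unlisted-cam-01", "10.20.0.10", 8883),  # not in the inventory
    ]
    for flow in flows:
        print(flow, decide(*flow, now))
```

The stale-verification check runs before the dependency check, so a device that authenticated once but has not been re-verified is denied even for flows it would otherwise be allowed.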