The internet of things (IoT) is driving companies to rethink how they secure their networks. When you introduce unmanaged, internet-connected smart devices to your network, you’re also introducing many new potential access points for malicious actors to breach your security.
For example, hackers frequently target IoT smart devices like security cameras, printers, or even smart coffee machines that are forgotten about or left unsecured, then use those devices as a gateway to the rest of your network. That’s where zero trust security for IoT can help.
Zero trust is a relatively new security model based on the principle of “never trust, always verify.” Unlike a traditional castle-and-moat security architecture, in which the users and devices within a network’s perimeter are automatically trusted, zero trust requires the verification of all users and devices every single time they connect, even from inside the “moat.”
Some enterprises have already adopted zero trust security for their users, but it can also apply to IoT devices. Here are the best practices and considerations for implementing zero trust security for IoT.
Best practices for implementing Zero Trust Security for IoT
There are essential practices, challenges, and considerations you need to be aware of before implementing zero trust security for IoT, including:
Starting with the basics
Before you apply zero trust to IoT smart devices, you need a solid foundation in the basics of zero trust security for users. These are the fundamental requirements for managing zero trust security for users:
- First, implementing a zero trust methodology requires a culture shift within your organization, which can be a gradual process. You will need to create and apply robust administrative policies governing network access and permissions and train your IT teams and end-users on following those policies.
- Second, you need to implement the tools and technologies required to verify user identities, obtain visibility on any devices those users connect to the network and make automatic access decisions using real-time risk analysis.
Expanding Zero Trust Security to IoT
After establishing zero trust security for your users and their devices, you need to expand it to include unmanaged, non-user devices. To do so, you need zero trust identity management tools to register devices and issue credentials automatically and to provide passwordless authentication.
To successfully employ zero trust security for IoT, you need complete visibility into all your devices. First, you need to discover and inventory all your IoT devices, including those at remote branch locations. You should track device information such as serial numbers, software and firmware versions, and operating system configurations. You also need to assess and log the security risk profile of each IoT device that connects to your network, so you know which security controls to apply.
When performance issues or bugs start to occur frequently, it could be a sign of malware or a security breach; additionally, a device that’s not functioning properly could be more vulnerable to attack. To establish and maintain zero trust security for IoT, you need device health monitoring that can automatically detect issues and flag them for remediation. Some advanced solutions can also automatically block an affected device from further connection attempts or automatically execute remediation tasks without human intervention.
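The inventory and health-monitoring steps above can be expressed as a small policy engine. The following is an added example, not code from the original article or any of the products it mentions: it records the fields the article says to track (serial number, device class, firmware version, location), derives a risk profile from them, compares a telemetry sample against health thresholds, and decides whether a device is flagged for review or automatically quarantined. The device records, firmware baselines, telemetry values and thresholds are all constructed for the example.

```python
"""Added example: zero-trust IoT inventory with risk profiling and health flags.
All device records, firmware baselines, telemetry and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed baseline: the oldest firmware version still acceptable per device class.
MIN_FIRMWARE: Dict[str, Tuple[int, ...]] = {
    "camera": (2, 4, 0),
    "printer": (5, 1, 0),
    "sensor": (1, 0, 3),
}

# Constructed health thresholds; a real deployment derives these from each
# device class's observed normal behaviour.
MAX_REBOOTS_24H = 3
MAX_CPU_PCT = 90
MAX_FAILED_AUTH = 10


@dataclass
class Device:
    serial: str
    device_class: str
    firmware: str                      # dotted version string, e.g. "2.3.9"
    site: str                          # branch/location where it was discovered
    managed: bool = False              # True only if enrolled in an agent/MDM
    open_services: List[str] = field(default_factory=list)
    quarantined: bool = False          # set when health findings demand it


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def risk_score(d: Device) -> int:
    """Additive risk score: higher means more (or stricter) controls apply."""
    score = 0
    baseline = MIN_FIRMWARE.get(d.device_class)
    if baseline is None or parse_version(d.firmware) < baseline:
        score += 3                      # unknown device class or out-of-date firmware
    if not d.managed:
        score += 2                      # nothing on the device can enforce policy
    score += len(d.open_services)       # every listening service widens exposure
    if "telnet" in d.open_services:
        score += 3                      # cleartext administrative access
    return score


def risk_tier(d: Device) -> str:
    s = risk_score(d)
    return "high" if s >= 6 else "medium" if s >= 3 else "low"


def health_findings(d: Device, telemetry: dict) -> List[str]:
    """Compare one telemetry sample against the thresholds; return readable flags."""
    findings = []
    if telemetry.get("reboots_24h", 0) > MAX_REBOOTS_24H:
        findings.append("frequent reboots")
    if telemetry.get("cpu_pct", 0) > MAX_CPU_PCT:
        findings.append("sustained high CPU")
    if telemetry.get("failed_auth", 0) > MAX_FAILED_AUTH:
        findings.append("excessive failed authentications")
    return findings


def evaluate(d: Device, telemetry: dict) -> dict:
    """Build the record a remediation queue would consume. A high-risk device
    with any health finding is quarantined automatically; any other device
    with findings is flagged for human review."""
    findings = health_findings(d, telemetry)
    tier = risk_tier(d)
    if findings and tier == "high":
        d.quarantined = True
    action = "quarantine" if d.quarantined else ("review" if findings else "none")
    return {"serial": d.serial, "site": d.site, "tier": tier,
            "findings": findings, "action": action}


# Constructed inventory and one telemetry sample per device.
INVENTORY = [
    Device("CAM-0001", "camera", "2.3.9", "branch-12", open_services=["rtsp", "telnet"]),
    Device("PRN-0042", "printer", "5.2.1", "hq", managed=True, open_services=["ipp"]),
    Device("SNS-0100", "sensor", "1.0.3", "branch-07"),
]
TELEMETRY = {
    "CAM-0001": {"reboots_24h": 5, "cpu_pct": 97, "failed_auth": 42},
    "PRN-0042": {"reboots_24h": 0, "cpu_pct": 12, "failed_auth": 1},
    "SNS-0100": {"reboots_24h": 4, "cpu_pct": 8, "failed_auth": 0},
}


def run_inventory_check() -> List[dict]:
    return [evaluate(d, TELEMETRY[d.serial]) for d in INVENTORY]


if __name__ == "__main__":
    for row in run_inventory_check():
        print(row)
```

The scoring weights are deliberately simple; the design point is that the risk tier is computed from inventory facts the organization already has to collect, and that the automatic action is gated on both a risk tier and a health finding, so a single noisy metric on a low-risk device creates a review ticket rather than an outage.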
Many IoT device management platforms offer device visibility functionality – for example, Azure, Google, and AWS all include discovery and monitoring features as part of their IoT offerings. Some endpoint security solutions include IoT device monitoring and security features, so you may want to evaluate your current security platform to see if you can add or activate this functionality. Or, since you’re implementing an entirely new security methodology in your IoT environment, you may want to look into a zero trust security and monitoring solution that’s designed specifically for IoT, such as Palo Alto Networks IoT Security.
Principle of least privilege (PoLP)
Zero trust security is used frequently in conjunction with the principle of least privilege (PoLP), which states that any user or device should only receive the bare minimum access privileges required to complete their job functions. To implement PoLP for IoT, you must determine the minimum amount of network access needed for each device to perform its functions and then limit its potential privileges accordingly. One way to achieve this is by implementing identity and access management (IAM) tools and policies that support zero trust and PoLP for devices.
In addition to PoLP, zero trust security frequently uses device segmentation. Essentially, you fence IoT devices into zones, only allowing them to request access to network resources within their assigned zone. Additionally, segmenting your IoT devices will enable you to create micro-perimeters, another cornerstone of zero trust security.
Each network segment gets a specific set of security controls and policies designed around the individual needs and risk profile of the IoT devices in that zone. Those controls and policies create a micro-perimeter that protects your IoT devices and limits their network access. This means you’re also limiting the amount of damage that hackers can cause to your network if one of those devices is compromised. One popular tool for creating network segments, establishing micro-perimeters, and monitoring and controlling access requests and network traffic is a next-generation firewall.
Last but certainly not least, you need security monitoring for all of your IoT devices. With unmanaged smart devices, you need to ensure that security issues can be detected and remediated automatically, because it might be days or weeks before a human comes into contact with one of those devices. For example, several years ago, attackers breached a casino’s network by compromising a smart sensor in a fish tank – the kind of device that employees don’t usually think about or work with regularly.
There are various zero trust security monitoring solutions designed specifically for IoT, like Palo Alto Networks’ IoT Security mentioned earlier. You can also use devices such as intrusion detection and prevention systems (IDS/IPS) or next-generation firewalls to monitor devices and network traffic. In addition to monitoring, your zero trust security solution for IoT needs to incorporate as much automation as possible so threats can be detected, isolated, and remediated even if nobody’s around to push a button or unplug a device manually.
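The least-privilege, segmentation and monitoring points above (the PoLP and micro-perimeter passage and the monitoring and automation passage) come together in one enforcement loop: every flow a device opens is checked against the allowlist for its zone, everything not explicitly allowed is denied, and a device that keeps trying to leave its zone is isolated without waiting for a person. The following is an added example written for this article, not code from the original or from any firewall or IoT security product: the zones, device registrations, per-zone rules, host-to-zone mapping, flow log lines and the isolation threshold are all constructed.

```python
"""Added example: zone-based least-privilege policy for IoT devices, evaluated
over a constructed flow log, with automatic isolation of a device that
repeatedly tries to reach resources outside its zone."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    dst_zone: str
    port: int
    proto: str


class Flow(NamedTuple):
    ts: str
    src_device: str
    dst_ip: str
    port: int
    proto: str


# Device identity -> zone. A device that is not registered has no zone and
# therefore no access at all (constructed registrations).
DEVICE_ZONE: Dict[str, str] = {
    "CAM-0001": "cameras",
    "CAM-0002": "cameras",
    "PRN-0042": "printers",
}

# Least privilege per zone: the only flows a device in that zone may open.
# Cameras stream to the video recorder, printers reach the print server, and
# both may sync time with the management zone. Nothing else is reachable.
ZONE_POLICY: Dict[str, Set[Rule]] = {
    "cameras": {Rule("video-nvr", 554, "tcp"), Rule("mgmt", 123, "udp")},
    "printers": {Rule("print-server", 631, "tcp"), Rule("mgmt", 123, "udp")},
}

# Destination address -> zone it belongs to (constructed addressing).
HOST_ZONE: Dict[str, str] = {
    "10.10.1.5": "video-nvr",
    "10.10.2.7": "print-server",
    "10.10.9.1": "mgmt",
    "10.20.0.15": "corporate",
    "203.0.113.9": "internet",
}

ISOLATE_AFTER = 3   # out-of-zone denies before a device is cut off automatically


def decide(flow: Flow, isolated: Set[str]) -> Tuple[str, str]:
    """Return (verdict, reason). Unknown devices and unknown destinations are
    denied: under zero trust nothing is allowed by default."""
    if flow.src_device in isolated:
        return "deny", "device isolated"
    zone = DEVICE_ZONE.get(flow.src_device)
    if zone is None:
        return "deny", "unregistered device"
    dst_zone = HOST_ZONE.get(flow.dst_ip)
    if dst_zone is None:
        return "deny", "unknown destination"
    rule = Rule(dst_zone, flow.port, flow.proto)
    if rule in ZONE_POLICY.get(zone, set()):
        return "allow", f"{zone} -> {dst_zone}:{flow.port}/{flow.proto}"
    return "deny", f"{zone} may not reach {dst_zone}:{flow.port}/{flow.proto}"


def process(flows: List[Flow]) -> Tuple[List[dict], Set[str]]:
    """Evaluate flows in order; emit one event per flow plus an 'isolate' event
    when a registered device exceeds the deny threshold."""
    isolated: Set[str] = set()
    denies: Dict[str, int] = defaultdict(int)
    events: List[dict] = []
    for f in flows:
        verdict, reason = decide(f, isolated)
        events.append({"ts": f.ts, "device": f.src_device,
                       "verdict": verdict, "reason": reason})
        if verdict == "deny" and f.src_device in DEVICE_ZONE and f.src_device not in isolated:
            denies[f.src_device] += 1
            if denies[f.src_device] >= ISOLATE_AFTER:
                isolated.add(f.src_device)
                events.append({"ts": f.ts, "device": f.src_device, "verdict": "isolate",
                               "reason": f"{denies[f.src_device]} out-of-zone attempts"})
    return events, isolated


# Constructed flow log: normal traffic from two devices, then one camera that
# starts probing the corporate zone and the internet, then an unregistered device.
FLOWS = [
    Flow("09:00:01", "CAM-0001", "10.10.1.5", 554, "tcp"),
    Flow("09:00:02", "CAM-0001", "10.10.9.1", 123, "udp"),
    Flow("09:00:03", "PRN-0042", "10.10.2.7", 631, "tcp"),
    Flow("09:01:10", "CAM-0002", "10.20.0.15", 445, "tcp"),
    Flow("09:01:11", "CAM-0002", "10.20.0.15", 22, "tcp"),
    Flow("09:01:12", "CAM-0002", "203.0.113.9", 443, "tcp"),
    Flow("09:01:20", "CAM-0002", "10.10.1.5", 554, "tcp"),
    Flow("09:02:00", "THERMO-9", "10.10.9.1", 123, "udp"),
]


if __name__ == "__main__":
    evts, cut_off = process(FLOWS)
    for e in evts:
        print(e)
    print("isolated:", sorted(cut_off))
```

Two properties are worth noticing in the constructed log. The camera's last flow is one that its zone normally permits, yet it is still denied because the device has already been isolated; the micro-perimeter is enforced per identity, not per destination. And the unregistered thermostat is denied even though it asks for an innocuous service, which is the "never trust" half of the model applied to devices nobody enrolled.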
The challenge of implementing Zero Trust Security for IoT
One of the biggest reasons zero trust security initiatives eventually fail is that adherence tends to drop off as soon as it becomes inconvenient. This is especially true for zero trust security with IoT. Maintaining zero trust for remote, unmanaged devices can be logistically challenging.
That’s why so many of the best practices involve using specialized tools to automate and simplify the management of zero trust security for IoT. In conclusion, the simpler it is to manage, the more likely you are to maintain it.