In today’s rapidly expanding digital ecosystem, the explosion of Internet of Things (IoT) devices has broadened network vulnerabilities. Recent statistics reveal that almost one in every five organizations has encountered cyberattacks targeting their IoT devices over the past three years. Regrettably, a majority of these compact computing devices were designed prioritizing convenience over security. While the Industrial Internet of Things (IIoT)—devices specifically fashioned for industrial applications—are relatively more secure, they still pose potential cyberthreats.
The Emergence of the Zero Trust Paradigm
Aiming to counter the vulnerabilities associated with connected devices, the zero trust security approach, also known as Zero Trust Architecture (ZTA), is gaining global momentum. The essence of zero trust is straightforward yet revolutionary: Regardless of one’s location relative to the organization’s network, every user must undergo rigorous authentication, authorization, and ongoing security verification before accessing any data or applications.
This approach recently gained significant endorsement from the U.S. government. A recent White House executive order mandates all federal agencies to adopt a zero trust architecture by 2024, signaling a monumental policy shift that will not only influence domestic organizations, but also potentially set a precedent for global cybersecurity norms.
Understanding Zero Trust: Securing User and Device Access
Securing User Access
Modern network architectures work a lot like airports. You enter through a security check showing your ID and boarding pass, but once inside, you can roam freely and check out all the shops, terminals, and gates. Networks are similar. Once you provide your username and password, you can poke around and explore. Hackers love this, as they’re able to find vulnerable devices, steal information, or escalate their privileges.
In that same airport scenario with zero trust in play, you can access only the terminal, gate, and plane you are authorized to use when you get through security. It’s the key idea behind zero trust—you are allowed to access only those resources you need to go to your destination; nothing else. With zero trust, when you want to use a network resource (email, web server, printer, etc.), you get access to that resource alone.
Beyond mere access restrictions, zero trust stands out for its rigorous context analysis. When someone tries to access a network resource, context analysis checks the user’s permissions, authenticates the user, examines the device being used to reach the network, and verifies that the device belongs on the network, is updated and patched, runs antivirus and other required software, and has the correct policies applied. Zero trust performs a deep analysis of the user, the device, and the resource being requested, making it far more secure than traditional security architectures.
Securing Device Access
Zero trust principles aren’t confined to user access; they extend to devices like security cameras and IIoT gadgets. To illustrate, consider a scenario where a hacker compromises a traditional network computer and discovers a security camera. The likelihood of the camera also being compromised is high.
However, within a zero trust environment, the zero trust boundary recognizes that the compromised computer has no business communicating with the camera and blocks the request. The network has detected that the context of the request is abnormal, and the attack fails. The unique identifiers of IoT devices, such as MAC addresses, hardware IDs, and operating system version, further facilitate device authentication, minimizing the chances of attackers using IoT devices as attack vectors in the network.
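The context analysis described above and the camera scenario can be sketched as a small policy decision point. This is an added illustration, not code from the article or from i-PRO; the device inventory, user permission table, and device-to-device policy are constructed, hypothetical values.

```python
from dataclasses import dataclass

@dataclass
class Device:
    mac: str              # identifiers the policy engine compares against inventory
    hw_id: str
    os_version: str
    patched: bool         # posture attributes collected from the endpoint
    av_running: bool
    policy_compliant: bool

@dataclass
class Request:
    user: str             # empty string for device-to-device traffic with no user
    authenticated: bool
    device: Device
    resource: str

# Constructed tables (hypothetical): MAC -> (expected hardware ID, expected OS version).
KNOWN_DEVICES = {"02:00:00:00:00:01": ("hw-laptop-1", "11.2"),
                 "02:00:00:00:00:02": ("hw-nvr-1", "4.1")}
USER_PERMISSIONS = {"alice": {"email", "printer"}}
DEVICE_PERMISSIONS = {"hw-nvr-1": {"camera-01"}}   # only the video recorder may reach the camera

def evaluate(req: Request) -> tuple[bool, str]:
    """Decide one request for one resource; access is never granted network-wide."""
    d = req.device
    # 1. Does this device belong on the network, and do its identifiers agree?
    if KNOWN_DEVICES.get(d.mac) != (d.hw_id, d.os_version):
        return False, "device not in inventory or identifier mismatch"
    # 2. Is the device patched, running required software, and policy-compliant?
    if not (d.patched and d.av_running and d.policy_compliant):
        return False, "device posture check failed"
    # 3. User-driven request: authenticate, then check permission for this resource only.
    if req.user:
        if not req.authenticated:
            return False, "user not authenticated"
        if req.resource in USER_PERMISSIONS.get(req.user, set()):
            return True, f"{req.user} may access {req.resource}"
        return False, f"{req.user} not authorized for {req.resource}"
    # 4. Device-to-device request: the boundary allows only explicitly expected flows.
    if req.resource in DEVICE_PERMISSIONS.get(d.hw_id, set()):
        return True, f"{d.hw_id} may access {req.resource}"
    return False, f"abnormal context: {d.hw_id} has no business talking to {req.resource}"

def demo() -> list[tuple[bool, str]]:
    laptop = Device("02:00:00:00:00:01", "hw-laptop-1", "11.2", True, True, True)
    nvr = Device("02:00:00:00:00:02", "hw-nvr-1", "4.1", True, True, True)
    return [evaluate(Request("alice", True, laptop, "email")),       # allowed
            evaluate(Request("", False, laptop, "camera-01")),      # blocked: compromised PC -> camera
            evaluate(Request("", False, nvr, "camera-01"))]         # allowed: expected flow
```

Each decision is per resource, so a compromised laptop that passes posture checks still cannot reach the camera, because no policy says a laptop should ever talk to it.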
The Challenges of Implementing ZTA
Implementing ZTA can be challenging for IT organizations and manufacturers, but the degree of difficulty varies depending on several factors:
- Organizational Complexity: Larger organizations with diverse and complex IT environments may find it more difficult to shift to a zero trust model than smaller ones with simpler networks.
- Existing Infrastructure: Organizations with legacy systems and outdated hardware or software might face compatibility issues. Retrofitting these systems to be compatible with zero trust principles can be both challenging and costly.
- Cultural Resistance: Zero trust means a change from the traditional perimeter-based security model. Employees and management might resist the change due to misconceptions, a lack of understanding, or simply human nature’s resistance to change.
- Skill and Expertise: Zero trust requires expertise in cybersecurity, network design, and modern identity and access management solutions. Organizations may need to invest in training or hire new personnel with the requisite skills.
- Interoperability and Integration: Integrating different security solutions into a zero trust model can be challenging, especially if the solutions are from various vendors with different standards.
- Continuous Monitoring and Adjustment: ZTA demands continuous monitoring and adjustments. Organizations must be prepared to invest in monitoring tools and dedicate resources to analyze data and fine-tune policies regularly.
- Time: Transitioning to a zero trust model is not an overnight task. It’s a journey that can take months to years, depending on the organization’s size and complexity.
- Vendor Support: Relying on third-party vendors for certain services or products requires these vendors to be on board with zero trust principles. If vendors don’t support or understand these principles, it can pose integration and security challenges.
- Stakeholder Buy-in: Convincing stakeholders, especially those without a technical background, about the necessity and benefits of ZTA can be challenging. It requires clear communication about the business benefits and risks associated with not transitioning.
While security professionals are highly aware of the risks posed by vulnerable devices, the continued push by IT professionals and network vendors to secure networks will raise cybersecurity awareness even further. ZTA has gained momentum as a network security model, and we anticipate continued adoption around the world, driven by the need to validate every transaction between devices and people.
“NIST Special Publication 800-207, Zero Trust Architecture,” published by the National Institute of Standards and Technology, defines further cyber protection standards that support this movement. The federal adoption of zero trust underscores its significance in contemporary cybersecurity. Though this may appear U.S.-centric now, global industries, given past trends, are likely to follow suit. For those yet to explore zero trust, the clock is ticking. Soon, it won’t just be an option but a cybersecurity necessity.
Will Knehr is senior manager of information assurance and data privacy at i-PRO Americas.