#HowTo: Implement Zero-Trust into IoT Security

It’s been about a year since most office workers in the US and much of the rest of the world began working from home due to the pandemic. Not surprisingly, the work-from-home trend is having a profound effect on the way organizations secure their networks, data and devices.

It now seems quaint, but not so long ago there were significant security concerns about employees bringing their smartphones to work and connecting to the Wi-Fi. Of course, there were legitimate security concerns about that. But those pale in comparison to the issues related to employees working from home who need to access networks, systems and proprietary information to do their jobs.

The combination of those employees and the various technologies they connect to at home—personal computers, mobile devices, cable boxes, gaming systems, wearable technologies—contributes to an ever-expanding attack surface that keeps cybersecurity professionals up at night. That’s why the two most important words in cybersecurity are “zero” and “trust.”

Trust No One

Defending a huge attack surface puts tremendous pressure on enterprise cybersecurity teams. I was on a webinar panel recently with Chris Bates, CISO for SentinelOne. He shared insights about his company’s zero-trust network access policy. SentinelOne no longer has traditional corporate networks. Instead, employees in the office, working from home or on the road connect to Wi-Fi and use their trust client for admission to a virtual corporate network with highly restricted access based upon job requirements. This is a great approach for organizations concerned about who is connecting to what, from where, especially when you compare it to traditional VPNs, which enable much wider access and create security risks.

It’s All About the Cloud

The once-standard practice of having a corporate LAN (and in some cases a WAN) is fading fast. Everything is shifting to the cloud, including how people and devices connect to the resources they need to do their work. If it hasn’t happened already, most organizations’ authentication, business operations, cybersecurity stacks—everything—soon will be cloud-based.

No matter what person or device attempts to connect to any network, the result will be a zero-trust connection to the organization’s cloud-based assets. Employees will only be able to connect to computers, databases, applications, etc., for which they have been pre-authorized. The same holds true for the fast-growing army of sensors and other devices that comprise the Internet of Things (IoT) in a typical workplace.

Full Visibility is Vital

With all the diverse devices used today by people and organizations, how can security teams keep pace? The key is to make sure security operations can see everything happening in the environment. That means full visibility into every device, including all the connected devices used by employees as they work in or outside of the office.

Whenever a person or device attempts to connect to an organization’s network, that attempt must be seen and logged—in real time. And every time a connection is made, robust authentication and zero-trust enforcement must occur instantly. Whether it’s an employee, a visitor, or someone’s phone or watch that attempts to connect via a wireless access point, it’s critical that rules and procedures are in place to only allow access that has been explicitly authorized. Zero trust is the high-tech version of “guilty until proven innocent.”

The KISS Method

With the exponential growth of internet-connected devices, as well as employees who can work from anywhere, the burden on an organization’s security technology and staff is relentless. And with so many critical business applications delivered as cloud-based SaaS offerings, the job of securing the organization and its information can be overwhelming.

That’s where KISS comes in. I’m not talking about Keep It Simple Stupid. In 2021, it stands for Keep It Simply Secure. The beauty of zero-trust security is it dramatically simplifies the job of securing even the most complex organizations. Whether Jennifer is working in the office, from home, or another location, her access to connect to the network is the same. Securing an employee or device one way when it’s on premises and another way when it’s remote makes a simple process unnecessarily complex. And when there’s complexity, there usually are security holes that can be exploited.
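
The rules described above (log every connection attempt, require authentication, allow only what was explicitly authorized, and decide the same way on premises and remote), written out as a policy check. This is an added example, not code from the article or from any product; the identities, resource names and the `decide` function are hypothetical, and authentication is assumed to have been performed upstream.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed allow-list of explicitly pre-authorized (principal, resource) pairs.
# Anything absent from this set is denied.
ALLOW = {
    ("jennifer", "crm-app"),
    ("vaccine-fridge-sensor-01", "telemetry-ingest"),
}
AUDIT_LOG = []  # stand-in for a real-time logging pipeline

@dataclass(frozen=True)
class Attempt:
    principal: str       # user or device identity
    authenticated: bool  # outcome of upstream authentication (assumed)
    resource: str
    location: str        # recorded for visibility, never used in the decision

def decide(attempt: Attempt) -> str:
    """Default-deny decision; the attempt is logged whether allowed or not."""
    if not attempt.authenticated:
        decision, reason = "deny", "not authenticated"
    elif (attempt.principal, attempt.resource) not in ALLOW:
        decision, reason = "deny", "no explicit authorization"
    else:
        decision, reason = "allow", "explicitly authorized"
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "principal": attempt.principal, "resource": attempt.resource,
        "location": attempt.location, "decision": decision, "reason": reason,
    }))
    return decision

def run_demo():
    """Evaluate constructed sample attempts and return the decisions in order."""
    AUDIT_LOG.clear()
    attempts = [
        Attempt("jennifer", True, "crm-app", "office"),
        Attempt("jennifer", True, "crm-app", "home"),        # same result as office
        Attempt("jennifer", True, "hr-database", "office"),  # never pre-authorized
        Attempt("visitor-watch", False, "crm-app", "office"),
        Attempt("vaccine-fridge-sensor-01", True, "telemetry-ingest", "clinic"),
    ]
    return [decide(a) for a in attempts]

if __name__ == "__main__":
    print(run_demo(), *AUDIT_LOG, sep="\n")
```

Because `location` is logged but never read by `decide`, Jennifer's access is identical from the office and from home, and the denied attempts appear in the audit log alongside the allowed ones.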

The IoT is a huge boon to organizations for everything from keeping vaccines at the right temperature prior to injection to ensuring a sales rep can connect to his company’s product demo environment. That’s why it’s so vital to Keep It Simply Secure by enforcing rules and trusting no one, or the device in their pocket.
