July 29, 2022

A requirement for Zero Trust of Things and continuous authorization & assurance!

IoT use cases span a wide range of applications and verticals: automotive, industrial, medical, retail, government/federal and more. Businesses operating across these sectors are all embracing IoT and the value it can bring. This growth in IoT and its use cases will clearly continue, but not without significant adverse impacts. One of these is that it helps fuel the rise in cyberattacks, which seem to increase day after day and are becoming more disruptive and, unfortunately, more destructive for businesses and society.

There are many solutions that can help mitigate cyber security attacks, all of which fall into the functions specified in the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover (https://www.nist.gov/cyberframework). It’s critical that organizations keep IoT devices safe and secure and put the right solutions in place to prevent cyber attacks.

When you look at the initial focus of a would-be attacker, it is to identify a weak entry point into an enterprise network. IoT devices are a prime target here, simply because they don’t typically operate inside an enterprise network perimeter; in fact, most IoT devices by their very nature operate far beyond the bounds of that perimeter. Having a robustly hardened IoT device is a must, along with a strong device identity, as identity essentially becomes the new network perimeter!

In the cybersecurity world, many measures are needed to ensure devices are kept safe and secure. A lot of focus is spent on device security, where secure-by-design approaches have been adopted. Clearly this is a good place to start, but the device is only one element, and a holistic “end to end” approach needs to be considered. Also, nothing is static in IoT: vulnerabilities will be found and devices will be compromised; what matters is how you manage all of this. This drives a concept of “resilience by design”, incorporating continuous assurance and authorisation to meet the needs of IoT use cases today and tomorrow. This means we must:

 

  • Harden IoT devices – Ensure devices can securely store cryptographic material, make sure they don’t ship with weak default credentials, close open ports, make sure devices can be patched/updated, etc.

  • Establish strong trust between devices and IoT applications – Identity lifecycle management is a key part here and has to be managed throughout a device’s lifetime (provisioning, renewal, revocation). This only reinforces my earlier statement that identity IS the new perimeter, as devices no longer sit within an enterprise perimeter.

  • Adopt a Zero Trust “things” methodology – Always verify “things” and never trust, enforcing a model that requires devices to authenticate and prove their trustworthiness not once but on an ongoing, continuous basis. This drives a requirement for automating Zero Trust for IoT, given the scale challenges of IoT deployments.

  • Embrace the Software Bill of Materials (SBOM), which has an important part to play in continuous device verification and attestation – EO 14028 calls for the use of SBOMs to help improve critical supply chains in the US. This is a must to ensure the right software is running, to know what vulnerabilities are associated with that software, and to help manage zero-day vulnerabilities.

  • Continuous authorization and assurance will become the norm – Device security is not a ‘one-time’ event; ongoing validation and integrity verification of devices is critical to a proactive approach that ensures devices are compliant and validated throughout the entire device lifecycle.

 

As you can see from the diagram above, continuous authorization and assurance doesn’t come from one thing; it’s a combination of many: device attestation and identity, SBOM validation, device state and context validation, policy enforcement, and integration with third-party MDR (Managed Detection and Response) vendors to improve device visibility and monitoring. Employing this type of framework can only help improve the cybersecurity posture of any IoT use case, protect enterprise networks and help reduce risk.
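As an added illustration (not part of the original post), the following Python sketch combines the signals just listed into one policy decision that is re-run for every session, so a change in the device’s SBOM or state after onboarding revokes access rather than being trusted once. The device key, device and firmware IDs, component versions, and the HMAC standing in for a hardware-backed attestation signature are all constructed assumptions.

```python
"""Continuous authorization for an IoT device, combining the signals the post
lists: attested identity, SBOM validation, device state, and policy enforcement,
re-evaluated on every session. All keys, IDs and versions are constructed."""
import hashlib
import hmac
import secrets
from collections import namedtuple

DEVICE_KEYS = {"pump-0042": b"constructed-device-key"}  # constructed per-device attestation key
APPROVED_SBOM = {"fw-1.4": {"libtls": "3.1.2", "httpd": "2.0.9"}}  # constructed golden SBOM per release
KNOWN_VULNERABLE = {("httpd", "2.0.8")}  # constructed; stands in for a vulnerability feed
REVOKED = set()  # identities revoked by lifecycle management

# What the device reports: measured firmware/SBOM/state plus a MAC over nonce || firmware || SBOM
Evidence = namedtuple("Evidence", "device_id firmware sbom secure_boot nonce signature")

def canonical(firmware, sbom):
    return firmware.encode() + b"|" + repr(sorted(sbom.items())).encode()

def sign(device_id, nonce, firmware, sbom):
    """Device side: attest to measured state under the device key (HMAC stands in for a hardware-backed signature)."""
    return hmac.new(DEVICE_KEYS[device_id], nonce + canonical(firmware, sbom), hashlib.sha256).digest()

def revoke(device_id):
    REVOKED.add(device_id)

def authorize(ev, expected_nonce):
    """Verifier side: returns (allowed, reasons). Runs for every session, not once at onboarding."""
    key = DEVICE_KEYS.get(ev.device_id)
    if key is None or ev.device_id in REVOKED:
        return False, ["unknown or revoked identity"]
    reasons = []
    if ev.nonce != expected_nonce:
        reasons.append("stale nonce (possible replay)")
    expected = hmac.new(key, ev.nonce + canonical(ev.firmware, ev.sbom), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ev.signature):
        reasons.append("attestation signature invalid")
    if ev.sbom != APPROVED_SBOM.get(ev.firmware):
        reasons.append("SBOM deviates from approved release")
    for comp, ver in ev.sbom.items():
        if (comp, ver) in KNOWN_VULNERABLE:
            reasons.append(f"vulnerable component {comp} {ver}")
    if not ev.secure_boot:
        reasons.append("secure boot disabled")
    return not reasons, reasons

def session(device_id, firmware, sbom, secure_boot):
    """One round: verifier issues a fresh nonce, device attests, policy decides."""
    nonce = secrets.token_bytes(16)
    ev = Evidence(device_id, firmware, sbom, secure_boot, nonce, sign(device_id, nonce, firmware, sbom))
    return authorize(ev, nonce)
```

A device that passed at onboarding is denied in a later session as soon as its reported SBOM drifts to a vulnerable component, its secure boot state changes, or its identity is revoked; the reasons list is what a policy engine would hand to monitoring or an MDR integration.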

WRITTEN BY
Robert Dobson