The adoption of the Internet of Things (IoT) has quickly become a business enabler, but it’s also introducing new security challenges for network and security teams. As organizations continue to drive their digital transformation efforts through scaling IoT solutions, it quickly becomes clear that the conventional approaches to securing and managing these devices need to be adapted to the cloud-based world. Further, new IoT security approaches based on securing identities and authentication open new opportunities for data and digital revenues. It’s time for CISOs and IT security leaders to move past legacy solutions and consider a complete IoT lifecycle approach, creating an IoT security posture that reliably enables IoT and protects the network from existing and unknown threats. Enter: Zero Trust Security Approach. If you’re concerned about how to implement future-proof security architecture, you’re not alone.
We partnered with Fierce Wireless to bring an expert discussion from Kigen and Murata Technologies exploring the topic of how to implement zero-trust architecture and see examples of best practices with the IoT SAFE standard. Let’s go over a brief recap.
“The adoption of the Internet of Things (IoT) has quickly become a business enabler, but it’s also introducing new security challenges for network and security teams.”-Kigen UK Limited
Zero Trust Approach to Security
The Zero Trust model is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
While all devices must have access controls consistently enforced, IoT devices are particularly challenging because they don’t have access controls on the device. They are typically low-power, small form factor devices without memory or CPU to support security processes.
IoT solutions need to be secured end-to-end, from the device to the cloud or hybrid service in which the data is processed. Securing IoT devices presents added complexity because of the incredible diversity in design, hardware, operating systems, deployment types, and more. For example, many are “user-less” and run automated workloads, presenting challenges when integrating into existing identity and access management tools.
Many IoT devices have also been deployed in deployments not originally designed for a connected world or have limited capabilities and connectivity, making them challenging to secure. And, IoT devices are typically deployed in diverse environments.
IoT Endpoints also are manufactured by a much broader set of players: 1000s of ODMs and growing. These are based on 100s of Cellular modules and multiple OS and solutions layers – consistency and standardization are essential.
How Zero Trust Is Different
Traditional security models rely on creating a secure perimeter around an organization’s network with on-premise firewalls and VPNs. Once inside this network perimeter, users are generally trusted and have access to all resources. This type of open access creates major security vulnerabilities within the network, especially when verifying users or endpoints such as devices may not be as straightforward.
In contrast, Zero Trust flips this model on its head, as there is no such thing as a secure perimeter. Instead, all users and devices are treated as potential threats. Access to resources is not automatically granted just because someone is inside the network.
Instead, each access request is evaluated on a “need to know” basis. This means that all traffic must be authenticated, authorized, and encrypted, regardless of its origin. User and device sessions are limited and may require advanced identity verification methods such as Multi-Factor Authentication (MFA).
IoT SAFE Standard & Zero Trust Security Model
Cellular and payments have always relied on the same level of zero trust security based on smart cards for their distributed endpoints. What if we could secure cellular IoT by adapting what has worked for cellular and payment operators for decades?
That’s exactly what the GSMA set out to do with IoT SAFE, a specification that became available to all players in 2019 to leverage the SIM and the features that make it a trusted endpoint. As a smart card, it is inherently based on a zero-trust architecture.
A zero-trust solution based on NIST 800-207 removes implicit trust and continuously validates every digital interaction. It also minimizes impacts in case of breach and can automate context collection and response. Every user, device, and application would be authenticated and authorized for every transaction in a zero-trust IoT environment.
With IoT SAFE, the GSMA opened the door for data transmissions and applications to leverage the security of the SIM. The SIM can be used as a root of trust for the TLS or DTLS handshake, with a key pair loaded during the secure personalization process and used to sign the handshake certificate.
Private keys can also be used to compute signing for application transactions. In other words, IoT SAFE exposes the zero-trust architecture of cellular network management to data transmission and application levels, where IoT applications innovate.
Zero Trust Architecture Meets Zero Touch Provisioning
The SIM can be provisioned independently from the cloud service providers and even from the cellular network providers without user interventions. This makes it easier to manage large fleets of mobile devices with ease.
The innovative Open IoT SAFE combines IoT SAFE with Enrollment over Secure Transport (IETF RFC7030) which enables a new cloud certificate to be issued after the device is deployed with a new key pair generated onboard the SIM itself.
With eSIM, i.e., the ability to receive cellular network profiles remotely, IoT SAFE can also be agnostic to the cellular provider. Together, these technologies enable IoT devices to assemble with a SIM ready for zero-touch provisioning (ztp) from the cloud and associated with available cellular network providers.
Some interesting use cases of the Zero Trust security model using IoT SAFE standard include remote monitoring and control of industrial equipment and processes, secure home automation and access control, connected vehicle diagnostics and maintenance, secure mobile payment systems, smart building, energy management, secure asset tracking, and secure data transfer and storage.