Embracing zero trust for IoT and OT
Remote work has been a reality for years, but COVID-19 has ushered in a new era, with implications for businesses and their cyber security protocols.
Employees are accessing their work’s network via personal devices, using their home internet or public Wi-Fi. Traditional VPN (virtual private network) solutions, says a press release from Forescout, can grant remote workers too much access and expose services to the internet, increasing the attack surface.
The Internet of Things (IoT), operational technology (OT) and network-enabled smart devices all introduce areas of potential compromise for networks and enterprises. As a result, security architects are being forced to reexamine the concept of identity, with many turning to a zero trust security model.
By applying the concept of ‘never trust; always verify’, a zero trust model addresses modern security challenges that come with a mobile workforce and cloud migration. Companies reduce their attack surface by assuming that anything with access to their data is a potential threat, including users, devices, virtual infrastructure and cloud assets.
Forescout recommends that businesses consider the following four things to embrace zero trust across their enterprise networks:
- Expand zero trust beyond users to include non-user devices, including IoT devices.
- Use agentless device visibility and continuous network monitoring for IoT and OT devices, since agent-based security cannot be installed on such devices.
- Understand the identity of every device that touches the network, including business context, traffic flows and resource dependencies.
- Use segmentation to address critical zero trust principles and risk-management use cases.
Segmentation, says Forescout’s media release, is important because it separates IoT and OT devices into appropriate zones so that an attack on one is less likely to affect the rest of the network. Segmentation can enforce privileged access to critical IT and OT infrastructure and contain vulnerable devices and legacy applications and operating systems that can’t be patched or taken offline. Keeping them in separate zones reduces the potential attack surface. Segmentation also lets organisations control and continuously monitor user and device access to protect critical business applications.
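The segmentation and device-identity points above (zones per device class, a default-deny posture, and continuous monitoring of traffic flows) can be illustrated with a small policy check. The following is an added example, not code from Forescout or from the original article: the zone map, the allow-list and the flow records are all constructed for illustration, and a real deployment would take zones and flows from the organisation's own inventory and sensors.

```python
from ipaddress import ip_address, ip_network

# Zone map and policy below are constructed for this example (not Forescout's product or data).
ZONES = {
    "corp_users": ip_network("10.10.0.0/16"),
    "iot_cameras": ip_network("10.20.0.0/24"),
    "ot_plc": ip_network("10.30.0.0/24"),
    "legacy_unpatched": ip_network("10.40.0.0/24"),  # cannot be patched or taken offline
}

# Explicit inter-zone allow-list: (source zone, destination zone, TCP/UDP port).
# Everything not listed is denied, which is the "never trust, always verify" default.
ALLOWED_FLOWS = {
    ("corp_users", "iot_cameras", 443),   # operators view camera web consoles
    ("corp_users", "ot_plc", 502),        # engineering station polls a PLC over Modbus/TCP
    ("ot_plc", "ot_plc", 502),            # PLC-to-PLC traffic stays inside the OT zone
}


def zone_of(ip: str) -> str:
    """Map an address to its segmentation zone; anything unmapped is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(src_ip: str, dst_ip: str, port: int):
    """Return None if the flow is permitted, else a string explaining the violation."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "unknown":
        return None  # intra-zone traffic is left to host policy, not segmentation
    if "unknown" in (src, dst):
        return f"{src_ip}->{dst_ip}:{port} involves an unclassified device ({src}->{dst})"
    if (src, dst, port) not in ALLOWED_FLOWS:
        return f"{src_ip}->{dst_ip}:{port} crosses zones {src}->{dst} without an allow rule"
    return None


def evaluate_flows(flows):
    """Run every observed flow through the policy and return the list of violations."""
    return [v for v in (evaluate_flow(*f) for f in flows) if v]


# Constructed flow records (src, dst, port), as a monitoring sensor might export them.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.12", 443),   # corp user to camera console: allowed
    ("10.20.0.12", "10.30.0.3", 502),   # camera reaching a PLC: cross-zone, not allowed
    ("10.40.0.9", "203.0.113.5", 80),   # unpatched legacy box to the internet: unknown zone
    ("10.30.0.3", "10.30.0.4", 502),    # PLC to PLC inside the OT zone: allowed
]
```

Running `evaluate_flows(SAMPLE_FLOWS)` returns two violations: the camera-to-PLC flow, which crosses zones without an allow rule, and the legacy device reaching an unclassified address; the two permitted flows produce nothing.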
“IoT and OT device security is one of the hardest problems to solve within an enterprise,” says Steve Hunter, senior director of systems engineering APAC and Japan at Forescout. “As evidenced in some widespread distributed denial-of-service (DDoS) attacks, botnets such as Mirai can control unmanaged IoT devices with weak credentials, potentially by directing millions of them to disrupt critical services. As unmanaged devices become commonplace on networks, security and risk professionals must rethink the concept of identity and expand their zero trust initiatives to include all devices to provide maximum visibility, leading to improved operational control and security.”