It is no secret that IoT Security (or lack thereof) has taken the industry by storm – and with good reason. Thanks to a couple of newsworthy incidents involving the (in)famous Internet of Things, most organizations are rethinking their overall IoT security posture. However, that is a daunting task to master. With such a variety of machines running a multitude of systems, the answer seems far away.
The problem is that innovation opens itself up to serious vulnerabilities. This means that security professionals are in a constant state of catch-up. IoT falls directly into this – the problem is not going away anytime soon. So until we can cure it, we need a band-aid.
The band-aid is isolation. AKA: Zero-Trust.
Until we have a solid plan to achieve IoT Security and secure our devices, we need to get the devices off the corporate network. They have very specific functions, most of the time somewhat basic. However, that is only as long as they have internet access to communicate back to whatever console manages them. Without true visibility and control over IoT, they are one of the most widely accepted wild cards in your environment. The energy savings you have from that “next-gen” lighting system would pale in comparison to what you would lose if someone got in through it and ex-filtrated data.
Now, as aforementioned, this is a temporary solution. As the technology develops, we will have to as well.
What if identity and access could solve this problem in the future?
Think about it – IoT devices at the core are endpoints, which is why the zero-trust model would be an effective solution. How have we traditionally handled endpoints? They establish an identity, and access is based on the needs each user’s profile. Add on some user behavior analytics, and you have a lot more visibility on that machine than port access.
For example, think about an MRI machine that sends patient data to an EMR. Since these devices are high dollar, the doctors have an open use system. This system is typically based on room availability. But what if we gave the actual machine an “identity” instead?
Iot Security through Identity
Imagine that you build the MRI machine into your Active Directory with appropriate yet strict permissions. These permissions would be enough for the MRI to do the intended job, but nothing more. Since a lot of access vendors are going toward agent-less deployments now, theoretically this could help with the IoT security problem. The only caveat is the fact that the solution’s backbone is identity. Create the identity and it could be a step in the right direction.
For example, imagine a doctor sends an invite to the machine and the patient. He blocks out the calendar for the appointment. If the machine is open, it books the meeting. When it comes time for the appointment, the doctor logs into the machine, requests access (an agent-less MFA solution) and if the proper specifications are met, it is able to be used.
Alternatively, if a machine starts trying to login, or worse, send traffic out at 2 AM when there is no meeting scheduled, it gets shut down and investigated. Craft some orchestration/automation around that and you have a solid IoT security remediation plan.
In contrast to a Zero-Trust system, identity based security would not be a small undertaking. A lot of collaboration would need to happen between the industry and manufacturers. Both of the devices themselves as well as the IAM vendors would need to work together. IoT has touched so many industries, so this would not be a quick fix. There definitely is no silver bullet. While a scenario like this could work in this specific instance, the solution would be vastly different for a WiFi enabled thermostat. Unlike Zero Trust, Iot security established through identity may be the long term solution we need.