{"id":27447,"date":"2020-09-22T19:39:02","date_gmt":"2020-09-22T14:09:02","guid":{"rendered":"https:\/\/www.technologyforyou.org\/?p=27447"},"modified":"2020-09-22T19:39:02","modified_gmt":"2020-09-22T14:09:02","slug":"4-best-practices-for-zero-trust-for-iot","status":"publish","type":"post","link":"https:\/\/www.technologyforyou.org\/4-best-practices-for-zero-trust-for-iot\/","title":{"rendered":"4 Best Practices for Zero Trust for IoT"},"content":{"rendered":"<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">By\u00a0<a class=\"author url fn\" title=\"Posts by John Kindervag\" href=\"https:\/\/blog.paloaltonetworks.com\/author\/john-kindervag\/\" rel=\"author\">John Kindervag<\/a> | Source: Palo Alto Networks<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">The Zero Trust security model is designed to encompass the expanding boundaries of an organization\u2019s network. Rooted in the principle of \u201cnever trust, always verify,\u201d it grants controlled access to authorized users and devices only on the basis of whether each can strictly authenticate their identity in order to be granted the privilege.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Above that,\u00a0<a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-is-a-zero-trust-architecture\">Zero Trust<\/a> requires that user and device access privilege be continuously verified even after authentication. Privileged access to the organization\u2019s resources is limited to only those resources that the user and device absolutely need to perform their function. 
A user is not entitled to unrestricted access privileges, and the same goes for the device.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">For these reasons, the identity awareness and application layer (<a href=\"https:\/\/blog.paloaltonetworks.com\/2019\/05\/network-layers-not-created-equal\/\">Layer 7<\/a>) control of every user and device becomes one of many critical factors in perpetuating the Zero Trust security model.<\/span><\/p>\n<h2><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 14pt; color: #800000;\">The Challenge Behind Implementing Zero Trust for IoT Devices<\/span><\/h2>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">I\u2019ve alluded to users and their IT devices in relation to Zero Trust. Now let\u2019s talk about IoT devices in a similar yet somewhat divergent context. When it comes to unmanaged IoT devices tethered to an organization\u2019s network, most enterprises find it difficult to adhere to standard\u00a0<a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/zero-trust\">Zero Trust principles<\/a>. Why is this?<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">This is because, unlike users and their standard IT devices, IoT devices create a massive visibility challenge. As IoT picks up steam, for most enterprises undertaking IoT deployments, obtaining identity awareness of every such device connecting itself to the network is a problem. One of the main reasons for this is that\u00a0most IoT devices don\u2019t support traditional enterprise authentication and authorization processes such as 802.1X or Single-Sign-On.\u00a0<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Approaches based on device fingerprinting don\u2019t work for IoT devices because of the sheer variety in operating protocols and standards. 
Besides, IoT devices\u00a0are rarely assigned a unique hardware identifier (unlike IT devices) as a result of being manufactured in batches.\u00a0Given this, most of these devices remain undiscovered and unaccounted for in an IT team\u2019s device inventory.\u00a0<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Since IoT devices are ultimately designed to connect to the wireless network, once connected, they roam and remain interspersed alongside IT devices, freely enjoying unfettered network access while remaining out of sight of vulnerability scans. As a result, these devices reduce risk levels to the lowest common denominator and greatly widen the threat surface, making the network gravely susceptible to lateral exploits.<\/span><\/p>\n<h2><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 14pt; color: #800000;\">Implementing Zero Trust for IoT Environments With Palo Alto Networks IoT Security<\/span><\/h2>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\"><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/iot-security\">Palo Alto Networks IoT Security<\/a> brings IoT devices into the fold of a Zero Trust security model by implementing four best practices that\u00a0minimize IoT security risks and keep your network safe from cyber attacks.\u00a0The cloud-delivered security service can be enabled on any of our Next-Generation Firewalls for current customers, or delivered as a complete solution for non-Palo Alto Networks customers.<\/span><\/p>\n<h6><span style=\"color: #800000;\"><strong><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">1. Our IoT Security makes enhanced visibility the foundation of your Zero Trust strategy for IoT security.<\/span><\/strong><\/span><\/h6>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">You can\u2019t secure what you can\u2019t see. 
To extend the principles of Zero Trust, it is important to first go beyond users and standard IT devices to include all unmanaged IoT devices in the network. Our agentless IoT security solution bypasses standard signature-based approaches to discover every connected IoT device in the network, including the never-seen-before ones that IT teams are unaware of.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Our\u00a0<a href=\"https:\/\/blog.paloaltonetworks.com\/2020\/06\/network-iot-security\/\">IoT Security<\/a>\u00a0accurately matches each device\u2019s IP address with its type, vendor and model to\u00a0surface a bundle of additional essential device attributes that completely profile the device.\u00a0Accurate and granular device classification is a necessary prerequisite to\u00a0differentiating unmanaged IoT devices from managed IT assets. Doing that enables\u00a0enforcement of Zero Trust-driven security policies that only allow approved traffic in your IoT environment.<\/span><\/p>\n<h6><span style=\"color: #800000;\"><strong><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">2. 
Our IoT Security continuously audits and validates devices against behavior anomalies and risk scores.<\/span><\/strong><\/span><\/h6>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">A core principle behind\u00a0Zero Trust is that no devices \u2013 whether identified inside or outside the network \u2013 should be granted access to\u00a0other devices and applications\u00a0until assessed for risk and approved within the set parameters of normal behavior.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">This principle applies perfectly to IoT devices since they have limited, stable and predictable behaviors by nature.\u00a0Once identified, every IoT device should be verified against baselined behaviors before being granted access to other devices and applications in the network.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Our ML-based IoT Security\u00a0automatically ascertains the device\u2019s identity and verifies \u201cnormal behaviors.\u201d Once \u201cnormal behaviors\u201d are determined, the solution kicks in anomaly detection to uncover and prioritize any potential deviation from the baseline.<\/span><\/p>\n<h6><span style=\"color: #800000;\"><strong><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">3. Our IoT Security microsegments IoT devices from IT devices to reduce the attack surface and risk radius of lateral exploits.<\/span><\/strong><\/span><\/h6>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">A Next-Generation Firewall enables micro-segmentation of network perimeters and acts as border control within your organization. Our IoT Security takes a device profile-based micro-segmentation approach that considers a number of factors (including device type, function, mission criticality and threat level) to enable sequestration. 
This significantly reduces the potential impact of cross-infection between IT and IoT devices. Seamlessly implemented on your Next-Generation Firewall, this approach restricts lateral movement between IT and IoT devices.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Partitioning away IoT devices ensures they have least-privileged access and connect to only required applications. It keeps them\u00a0quarantined from guest and business networks, and minimizes operational downtime in\u00a0critical IoT infrastructures\u00a0by mitigating incompatibility issues cropping up between systems.<\/span><\/p>\n<h6><span style=\"color: #800000;\"><strong><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">4. Our IoT Security automates Zero Trust policy enforcement using machine learning and Device-ID on the Next-Generation Firewall.<\/span><\/strong><\/span><\/h6>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Zero Trust begins with \u201cdeny all.\u201d Zero Trust policies are then built and defined at Layer 7, based only on what is allowed. Next-Generation Firewalls utilize the concept of positive enablement, which makes Zero Trust-driven security policies easier to write.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Instead of manually translating normal versus suspicious device behavior into policies for enforcement, our IoT Security automatically generates and enforces Zero Trust policies using machine learning on your firewall. 
Our machine learning establishes a baseline of Layer 7 IoT device behaviors \u2013 for instance, application and network topology behaviors \u2013 discerning what is normal for a single device in order to make recommendations for device-level policies consistent with Zero Trust architecture.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">The new Device-ID policy construct then tracks an individual device across your network, providing detailed information as context within the\u00a0<a href=\"https:\/\/blog.paloaltonetworks.com\/2020\/06\/network-pan-os-10-0\/\">ML-Powered NGFW<\/a>\u00a0for any alert or incident that may occur \u2013 regardless of changes to the device\u2019s IP address or location. Policy rules and Layer 7 controls are automatically updated as the location and identified risks change.<\/span><\/p>\n<p><span style=\"color: #800000;\"><strong><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">Zero Trust Throughout Your Infrastructure<\/span><\/strong><\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">In the past, securing users, applications and devices identifiable inside the network perimeter was the obvious thing to do. The explosion of unmanaged IoT devices in enterprises with their ever-expanding network security perimeter sets a new paradigm. It is imperative for enterprises to now embrace a new approach to IoT security modeled steadfastly on Zero Trust best practices.<\/span><\/p>\n<p><span style=\"font-family: 'trebuchet ms', geneva, sans-serif; font-size: 12pt;\">IoT security is one component of an enterprise Zero Trust strategy. Be sure to check out the rest of the blogs in our\u00a0<a href=\"https:\/\/blog.paloaltonetworks.com\/tag\/zero-trust-throughout-your-infrastructure\/\">Zero Trust Throughout Your Infrastructure<\/a>\u00a0series. 
Or you can watch as Palo Alto Networks Founder and CTO Nir Zuk explains how it all fits together in this video.<\/span><\/p>\n<p><span style=\"color: #800000; font-size: 12pt;\"><strong>VIDEO | 4 Best Practices for Zero Trust for IoT<\/strong><\/span><\/p>\n<p><iframe loading=\"lazy\" title=\"Zero Trust Throughout Your Infrastructure with Nir Zuk, Founder and CTO of Palo Alto Networks\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/zzZ4q9DSnbg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By\u00a0John Kindervag | Source: Palo Alto Networks The Zero Trust security model is designed to encompass the expanding boundaries of an organization\u2019s network. Rooted in the principle of \u201cnever trust, always verify,\u201d it grants controlled access to authorized users and devices only on the basis of whether each can strictly authenticate their identity in order 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":19317,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,4],"tags":[2273,13970,13969],"class_list":{"0":"post-27447","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-pics-and-videos","8":"category-technology","9":"tag-iot-security","10":"tag-zero-trust-for-internet-of-things","11":"tag-zero-trust-for-iot"},"_links":{"self":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/27447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/comments?post=27447"}],"version-history":[{"count":0,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/27447\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media\/19317"}],"wp:attachment":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media?parent=27447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/categories?post=27447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/tags?post=27447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}