The Case for Zero Trust amidst Soaring Connectivity

essidsolutions

As the IoT continues to mature, we’re seeing a flood of new connections and use cases, on more devices than ever. In many cases, enterprises manage hundreds of thousands of users, systems, applications and devices. Srinivas Kumar, vice president of IoT security, DigiCert, stresses the need for Zero Trust in a landscape as vulnerable to threats as ours.

The soaring volume of devices and use cases has heightened the pressure on cybersecurity teams. According to a recent Extreme Networks survey of 540 global IT professionals, 84% of organizations have IoT devices on their corporate networks, 70% of which were aware of successful or attempted hacks. The stakes are high, and even a single breach can compromise an entire network. That’s why so many organizations are adopting a Zero Trust approach to protect their networks from threats.

An Explicit Trust Model

The concept of Zero Trust has existed for decades. It is an “explicit” trust model rather than an “implicit” trust model. Like the old Cold War expression, “trust, but verify,” we cannot assume trustworthiness for connected things. To be sure that a device is trusted, we need to know that it delivers operational integrity. 

With a Zero Trust approach, trust begins with trusted identities and must persist throughout the lifecycle of connected things, including:

Onboarding devices: With an implicit trust approach, adding a device to a network implies that it is trusted before it’s plugged in. Explicit trust demands more: establishing a chain of trust from a local root of trust; generating, storing, and protecting a local cryptographic key; and then issuing birth and operational certificates from a certificate authority. Together, these establish multi-factor authentication for a headless device.

Provisioning devices: The next step in incorporating trust into the device lifecycle is enabling device functions, applying configurations, and installing applications. Provisioning also requires security controls that let device management system (DMS), security operations center (SOC), and network operations center (NOC) operators manage the device.

Device operations: Cryptography can help protect communication between connected devices on the Internet, but it depends on the secure storage of private keys and the secure exchange of session keys. Transferring trust between connected peers requires establishing two-way trust and authentication. Cybercriminals, meanwhile, are looking for vulnerabilities. With best practices like rotating private keys, rekeying session keys, and regularly renewing certificates, organizations can help minimize the risk.

Device offboarding: Cybersecurity risks remain even when it’s time to retire a device. To fully minimize risk, organizations must wipe keys and certificates from the device as part of the decommissioning process.


Verifying Identity with PKI

Under its explicit trust model, a Zero Trust network is configured to verify every access request. Robust digital identities play a critical role in enabling a Zero Trust environment. But before putting a Zero Trust approach in place, organizations need a solid foundation of security technologies that can support these identities.  

Public Key Infrastructure (PKI) has long been a proven solution for supporting digital identity across many industries and use cases. Although PKI does not cover every consideration for a Zero Trust environment, it can deliver a solid foundation for trust and authentication. According to a recent survey by Keyfactor of IT security leaders, 96% of participants believe that PKI is a critical foundation for Zero Trust. PKI provides:

  • Authentication capabilities, which confirm the identity of all users and their devices that are accessing the network infrastructure
  • Encryption functionality to help protect the integrity of communications 
  • An automated approach for issuing, replacing, and revoking certificates—at scale 

As enterprises grapple with growing numbers of certificates, managing PKI becomes increasingly challenging. Automated PKI is a flexible, efficient approach to managing the certificates that support Zero Trust initiatives. Automation can also assist with associated tasks, such as regularly updating applications, onboarding and offboarding employees, and changing access privileges. It helps organizations minimize the slow, complex manual management tasks that introduce vulnerabilities by increasing the chance of human error.
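The device lifecycle described earlier (onboarding with birth and operational certificates, key rotation and certificate renewal in operation, wiping keys at offboarding) and the automated issue, replace and revoke cycle this section calls for, as one added example in Go. It is not code from this article or from DigiCert; it uses only Go's standard crypto/x509 package. The CA name, the device ID, the 20-year and 90-day lifetimes, the renew-when-under-a-third-remains policy and the fixed clock are assumptions made for the example, and the in-memory CA key and revocation map stand in for an HSM and a CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on the only failures possible here (a broken system random source), fatal for a trust anchor anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// CA stands in for the fleet certificate authority; its key is in memory here where a real CA would use an HSM.
type CA struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	revoked map[string]bool // serials revoked at rotation or offboarding (stands in for a CRL)
}

// Device is the connected thing; both private keys are generated on it and never leave it.
type Device struct {
	ID                 string
	idKey, opKey       *ecdsa.PrivateKey
	birth, operational *x509.Certificate
}

// NewCA creates the self-signed root that anchors the chain of trust.
func NewCA(name string, now time.Time) *CA {
	ca := &CA{key: newKey(), revoked: map[string]bool{}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(30 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &ca.key.PublicKey, ca.key))
	ca.cert = must(x509.ParseCertificate(der))
	return ca
}

// Issue signs a client-authentication certificate for a device public key; the CA never sees a private key.
func (ca *CA) Issue(cn string, pub *ecdsa.PublicKey, lifetime time.Duration, now time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key))
	return must(x509.ParseCertificate(der))
}

// Verify is the explicit trust check on every access request: revocation, chain to the root, validity window, key usage.
func (ca *CA) Verify(c *x509.Certificate, now time.Time) error {
	if ca.revoked[c.SerialNumber.String()] {
		return fmt.Errorf("certificate %s is revoked", c.SerialNumber)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Onboard establishes the device identity with a birth certificate (20-year lifetime, assumed) and then the first operational one.
func Onboard(ca *CA, id string, now time.Time) *Device {
	d := &Device{ID: id, idKey: newKey()}
	d.birth = ca.Issue(id, &d.idKey.PublicKey, 20*365*24*time.Hour, now)
	d.Rotate(ca, now)
	return d
}

// Rotate installs a fresh operational key and a 90-day certificate (assumed lifetime); the old one is revoked and its scalar wiped.
func (d *Device) Rotate(ca *CA, now time.Time) {
	if d.operational != nil {
		ca.revoked[d.operational.SerialNumber.String()] = true
		d.opKey.D.SetInt64(0)
	}
	d.opKey = newKey()
	d.operational = ca.Issue(d.ID, &d.opKey.PublicKey, 90*24*time.Hour, now)
}

// NeedsRenewal is the automation policy: renew once less than a third of the lifetime remains.
func NeedsRenewal(c *x509.Certificate, now time.Time) bool {
	return c.NotAfter.Sub(now) < c.NotAfter.Sub(c.NotBefore)/3
}

// Offboard revokes both credentials and wipes the key material as part of decommissioning.
func (d *Device) Offboard(ca *CA) {
	ca.revoked[d.birth.SerialNumber.String()] = true
	ca.revoked[d.operational.SerialNumber.String()] = true
	d.idKey.D.SetInt64(0)
	d.opKey.D.SetInt64(0)
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock for a reproducible run
	dev := Onboard(NewCA("fleet-root (constructed)", now), "sensor-0001", now)
	fmt.Println("renewal due at day 70:", NeedsRenewal(dev.operational, now.Add(70*24*time.Hour)))
}
```

Verify is what a Zero Trust gateway would run on every connection attempt rather than once at plug-in: it rejects a certificate that is revoked, expired, chained to a different root, or not marked for client authentication, and it does so for a device that verified fine an hour earlier. The birth certificate and the operational certificate are two independent credentials on two different keys, so rotating the operational key on schedule never touches the long-lived identity, and NeedsRenewal is the one decision an automated PKI has to make for each device without an operator in the loop.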

Zero Trust Is a Shared Responsibility

It’s clear that the threat landscape is evolving just as quickly as new IoT use cases are emerging. Securing today’s increasingly connected devices is a shared responsibility between device manufacturers, owners, and users. As new technologies open the doors to unprecedented innovation, efficiency, and cost savings, it’s up to multiple stakeholders to work together to ensure the high trust that is the foundation of IoT. 
