Zero Trust network architectures are going mainstream, but enterprises may find the Internet of Things (IoT) will present some unique challenges to Zero Trust initiatives.
Zero Trust access policies often rely on user identity as the core variable for policy design. Certainty, there are plenty of other variables, like device state, location, time of day, and behavior, but identity is an excellent starting point for policy design.
IoT devices are usually unmanaged, with no associated user. Thus, enterprises have to come up with other ways to build an access policy. In the early days of IoT, enterprises took a simple approach, provisioning an IoT VLAN that isolated IoT traffic on the network. But IoT has matured. Some IoT devices might require access to sensitive data, where a flat VLAN isn’t sufficient.
IoT Access Policies Must Account for Role and Function
Enterprises should adopt granular Zero Trust access policies that are tailored to the functions and roles of individual IoT devices. This requires an understanding of the heterogeneous IoT environment. Zero Trust policy engines need to know why an IoT device is installed, not just the make and model of the device.
Unfortunately, the majority of enterprises aren’t doing this today. Only 36% of enterprises are building Zero Trust IoT access policies that are tailored to role and function, according to Enterprise Management Associates’ (EMA) newly published research, Enterprise Zero Trust Networking Strategies: Secure Remote Access and Network Segmentation. The report is based on an August 2020 survey of 252 North American and European IT professionals.
Instead, 28% go less granular by creating generic, minimum levels of access privileges, like an IoT VLAN. This kind of segmentation won’t allow for different risk levels in policy design. For instance, a policy engine won’t distinguish between IoT sensors that push data into the cloud and sensors that need to pull sensitive data from the cloud. This could lead to heightened security risk.
Another 23% of enterprises treat IoT devices as untrusted and severely limit their network access. This means that an IoT device will have no access to sensitive assets at all, which limits the types of applications an enterprise can implement with IoT.
Finally, 12% of enterprises treat IoT as completely untrusted and bans it entirely from the corporate network. In this case, they might have to use a mobile network service like LoraWAN or LTE to connect to the cloud, bypassing the corporate network entirely.
Plenty of IoT Visibility but Too Much Complexity
Why are so many enterprises failing to impose a granular access policy on IoT devices? It isn't for lack of visibility. Eighty-four percent of enterprises say they have enough visibility into unmanaged devices like IoT sensors to determine network access privileges.
Instead, complexity may be the issue. Very large enterprises (10,000 or more employees) are the least likely to tailor IoT access privileges (23%). These larger companies may simply have too many types of devices to classify. It’s simpler to build a coarse access policy.
Do Zero Trust IoT Right: IT Leadership Must Step Up
IT organizations that have strong support for Zero Trust strategies from IT leadership are better positioned to create tailored IoT access policies. For instance, organizations that have a formal Zero Trust networking initiative with new budget allocated specifically for implementation are the most likely to implement access policies that are tailored to the functions and roles of an IoT device.
In contrast, enterprises that take an ad hoc Zero Trust approach, where they lack dedicated budget and only apply Zero Trust principles when time and resources allow, are more likely to treat all IoT devices as untrusted and give them only access to low-risk network assets. In these latter organizations, the operational technology team will be barred from deploying IoT devices that require access to compliance zones.
How to Create Tailored IoT Zero Trust Access Policies
Enterprises will need flexible Zero Trust access and segmentation solutions that can support granular IoT policies. These solutions should be able to discover and classify IoT, monitor device behavior, and apply custom access policies.
EMA’s research found that the security status of an IoT device is the most important variable when creating a policy. The Zero Trust network should be able to check things like antivirus and anti-malware status before granting access.
Device vulnerability and risk, device owner (e.g., business unit), observed network behavior, and operating system status are all secondarily important variables for IoT Zero Trust access policies. Device make and model, and associated applications, are the least important parameters for policy design, used only by a small minority of organizations.
Policies that include device vulnerability and risk assessments are a best practice. EMA’s research found that tailored access policies tended to be more successful when they incorporate this variable. EMA also found that collaboration between network infrastructure teams and information security teams can help with these IoT access policies. For instance, enterprises that have adopted effective tools for collaboration between these two teams are more likely to be successful with these tailored IoT policies.
EMA believes that granular IoT access policies that are tailored to the role and function of individual IoT devices will grow more important over time. Our research has found that 75% of enterprise network management teams are supporting IoT connectivity on corporate networks today. This number will continue to go up, and the devices will become more diverse, with varying access requirements.
Shamus McGillicuddy is a VP of Research, Network Management, at Enterprise Management Associates (EMA).