The foundations of a sustainable IoT zero trust strategy
– ACT 1. SCENE 4 –
Zero trust? Ah no, young man! That is somewhat too short. You might have said many and many a thing! By varying the tone, as for example these:
“In this era of communication and data, the choice is confounding,
How to exchange and interact with diverse, complex surroundings?”
“To trust or not to trust — that isn’t the question.”
“ZT isn’t the end of Trust, as its name might suggest.
It aims at zero trust by default, for each access request.”
“To describe it precisely, there’s no need for a pamphlet.
Just apply it quite wisely and better trust you shall get.”
While I sincerely apologize to Rostand and Shakespeare for these poorly worded phrases and for the coming analogy, you may be wondering about the connection between Cyrano and zero trust (ZT) applied to IoT, machines and other non-human entities. Well, in the theatre of cybersecurity operations and identity management, zero trust is progressively becoming as important and central as the nose on Cyrano’s face.
First, however, let’s go back to when it all started — when objects started to communicate.
On one hand, it is tempting to think that the zero trust concept should have been deployed naturally as a countermeasure to the lack of security caused by the constant growth of IoT, but nothing came of it. Market pressures and the drive to be first to deliver innovative new services led public and private organizations to deploy solutions that:
- Were neither secure nor securable,
- Failed to ensure authenticity and lacked the capability to integrate into trustworthy identification models,
- Were based on unsuitable underlying architectures that significantly weakened and extended their attack surfaces.
Although practices are slowly changing, IoT deployment still runs faster than cybersecurity integration, which aggravates the cybersecurity debt: the more new protocols, technologies and systems you add, the more unresolved security risks and vulnerabilities accumulate over time. Just as a bank systematically checks and cross-checks key information to determine the solvency of a client requesting credit, every organization should run a security check on every new machine, device, connection, piece of code, application or service. On the other hand, OT ecosystems tend to face this lack of maturity with the opposite method: remaining strictly partitioned so that no risk can reach the production process and equipment.
Another way is possible though.
The convergence of well-known best practices and solutions can quickly contribute to a broader and more efficient zero trust strategy that includes tangible and digital things.
Organizations need a four-pillar foundation on which to build a future-proof ZT strategy if they are to ensure only authorized assets will have access to the correct resources, in the right conditions and for the right purpose. Let’s examine these four pillars:
Strong, transversal security governance
With a clear vision of the organization’s assets, their level of sensitivity and their potential interactions, security governance is responsible for defining coherent perimeters, rules and roles. As the ZT strategy can hardly be deployed at once across the entire organization, priorities will be defined to generate the maximum impact in the shortest time possible. Segmentation will be crucial. Nobody wants the sensors of a critical nuclear reactor to be hackable through the connected aquarium at the nuclear plant reception desk. For pure machine-to-machine communications, this task should be easier than for human-based ones, because the behavior of autonomous machines is much more predictable.
Identity and access management system (IAM)
Security governance will need the support of a robust yet flexible identity and access management system. It must constantly verify who is trying to access your physical and digital resources, how, and when. Even after an authentication succeeds and the requester obtains access, the system should be designed to re-check the parameters of that session, just as if the organization were under imminent attack. The frequency and scope of such verifications will follow the risk analysis and be adapted to the sensitivity of the assets concerned, with special attention to systemic risks: intellectual property, technical, financial and reputational.
Trusted digital identities
This pillar is the DNA on which the IAM system depends to perform well. To generate trust, the digital ID system must rest on security roles, policies, hardware, software and proven procedures. Depending on the processing power, memory and communication capacities of the object, the technology used to create its digital identity will vary (asymmetric or symmetric cryptography, among others). These technologies must be understood and mastered to avoid generating misplaced trust; for example, it must be impossible to deliver the same ID to two different things. Where possible, a public key infrastructure (PKI) and digital certificates should be preferred. Digital IDs should match the need (authentication, signature, etc.) and the purpose of what they secure. They should be limited in time, and their renewal should be anticipated, if not automated. Revocation and traceability capabilities are non-negotiable: trust integrity depends directly on your ability to withdraw trust when needed and to trace every action performed on the PKI or on the alternative ID management solution. Finally, the ability to scan the estate for devices and credentials that have escaped the identity system is a must, especially where cybersecurity debt has accumulated, as described earlier.
Secure storage of cryptographic secrets
The final pillar is the ability to secure cryptographic secrets so that nobody can spoof your objects' identities. Digital IDs should be created in a safe environment secured with Hardware Security Modules (HSMs). Hard-coded keys should be banned at machine and object level. Whatever the risk level and the business or operational constraints, keys should be protected at the highest security level the device can support: a Secure Element chip is preferable, while a TPM or the processor's trusted execution zone can be worthwhile alternatives.
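The issuance, limited lifetime, anticipated renewal and revocation mechanics of the previous two pillars, together with the rule that a device's private key is generated where it will be used rather than shipped, as an added worked example in Go. This is not code from the original article or from Atos: it uses only the Go standard library (`crypto/x509`, Go 1.19 or later for `ParseRevocationList` and `CheckSignatureFrom`), and the two-device scenario, the names `sensor-0001` and `valve-0042`, the 48-hour certificate lifetime and the 24-hour CRL validity are constructed assumptions. The CA key lives in process memory here, where the article would put it in an HSM, and `NewKey` stands in for on-device key generation in a Secure Element or TPM. The gateway's `AccessCheck` is deliberately re-run at later instants: the identity admitted at first contact is refused once revoked, once the CRL is too old to trust, and once the certificate has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: a failing PKI operation aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey stands in for on-device key generation. On real hardware the pair is created
// inside a Secure Element or TPM and the private half never leaves it (assumption).
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// DeviceCA is a constructed, in-memory issuing CA standing in for the HSM-backed PKI the
// article recommends (assumption for this example: the CA key sits in process memory).
type DeviceCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate // trust withdrawn so far, published through a signed CRL
}

// sign creates a certificate from tmpl under parent and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

func NewDeviceCA(now time.Time) *DeviceCA {
	key := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device Issuing CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	return &DeviceCA{Cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// Issue signs a short-lived identity from the device's public key alone, so no private key
// is ever hard-coded or shipped. A 128-bit random serial means no two things share an ID.
func (ca *DeviceCA) Issue(deviceID string, pub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    now.Add(-time.Minute), // one minute of clock-skew tolerance
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, ca.Cert, pub, ca.key)
}

// CRL publishes the signed revocation list; relying parties may trust it for 24 hours only.
func (ca *DeviceCA) CRL(now time.Time) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: ca.revoked,
	}, ca.Cert, ca.key))
}

// Revoke withdraws trust from one device and returns the updated CRL.
func (ca *DeviceCA) Revoke(cert *x509.Certificate, now time.Time) []byte {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: now})
	return ca.CRL(now)
}

// AccessCheck is what a zero trust gateway runs on every request, not only the first:
// chain validity at this instant, then revocation against a CRL that must itself be
// authentic and fresh. An unverifiable or stale CRL means refuse, not assume.
func AccessCheck(root, cert *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("crl stale: revocation state unknown")
	}
	for _, rc := range crl.RevokedCertificates { // populated by ParseRevocationList on all supported Go versions
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("identity revoked")
		}
	}
	return nil
}

// NeedsRenewal anticipates expiry: renew once less than a third of the lifetime remains.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Sub(now) < cert.NotAfter.Sub(cert.NotBefore)/3
}

// Lifecycle walks two constructed devices through issue, access, revocation and expiry
// and returns each gateway decision keyed by step; every entry is expected to be true.
func Lifecycle() map[string]bool {
	t0 := time.Date(2024, 1, 1, 8, 0, 0, 0, time.UTC)
	at := func(h int) time.Time { return t0.Add(time.Duration(h) * time.Hour) }
	ca := NewDeviceCA(t0)
	sensor := ca.Issue("sensor-0001", &NewKey().PublicKey, t0, 48*time.Hour)
	valve := ca.Issue("valve-0042", &NewKey().PublicKey, t0, 48*time.Hour)
	crl1 := ca.CRL(t0)
	crl2 := ca.Revoke(valve, at(2)) // valve compromised: withdraw trust
	return map[string]bool{
		"sensor admitted at +1h":          AccessCheck(ca.Cert, sensor, crl1, at(1)) == nil,
		"valve refused once revoked":      AccessCheck(ca.Cert, valve, crl2, at(3)) != nil,
		"sensor unaffected by revocation": AccessCheck(ca.Cert, sensor, crl2, at(3)) == nil,
		"sensor refused on stale CRL":     AccessCheck(ca.Cert, sensor, crl2, at(30)) != nil,
		"sensor refused after expiry":     AccessCheck(ca.Cert, sensor, ca.CRL(at(47)), at(49)) != nil,
		"sensor renewal due at +40h":      NeedsRenewal(sensor, at(40)),
		"sensor renewal not due at +1h":   !NeedsRenewal(sensor, at(1)),
	}
}

func main() {
	for step, ok := range Lifecycle() {
		fmt.Println(step, ok)
	}
}
```

Running it with `go run` prints the seven decisions. The two design choices worth carrying into production are visible in `AccessCheck`: the gateway re-evaluates the whole chain at the current instant on each call rather than caching a yes from first contact, and it treats an unsigned, unverifiable or out-of-date CRL as a refusal, because an unknown revocation state is not the same as "not revoked".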
Establishing a secure, end-to-end zero trust strategy requires securing the creation and storage of digital identities for your tangible and virtual things, controlled by a digital ID management solution that feeds a robust, flexible IAM system with strong, transversal security governance. Nevertheless, it is not an end in itself.
Zero trust is not a monolithic concept that can remain untouched in the years to come. As practices, behaviors and communication capacities constantly change, this will be the best basis on which the organizations will be able to make their zero trust strategy evolve over time. The vital importance of communication and data exchange also means that zero trust won’t spell the end of interactions with their internal and external environments; it will simply pave the way to better trust.
In the end, one thing is sure:
No matter how sweet the words, don’t be like Roxane the lovely,
In awe, listening to the wrong suitor in the darkness of her own balcony.
There won’t be room for identity theft and security breach rust
If your machines and your digital assets are ruled by zero trust.
About the author
Security and digital identities of IoT and C-ITS, V2X Product & Business Manager, Atos
Axel Sandot is a Product & Business Manager in charge of security and digital identities for the Internet of Things (IoT) and Cooperative Intelligent Transport Systems (C-ITS, V2X). A member of the Atos Expert Community and lead of its IoT standardization taskforce, he has worked in the Group's Digital ID entity for four years.
Before that, Axel Sandot spent more than 10 years managing business development and technology projects for European companies in Latin America, around identity, biometrics, digital trust, dematerialization and the deployment of major infrastructure projects.