4 Best Practices for Zero Trust for IoT

Sep 02, 2020

The Zero Trust security model is designed to encompass the expanding boundaries of an organization’s network. Rooted in the principle of “never trust, always verify,” it grants controlled access only to authorized users and devices, and only once each has strictly authenticated its identity.

Beyond that, Zero Trust requires that user and device access privileges be continuously verified even after authentication. Privileged access to the organization’s resources is limited to only those resources that the user and device absolutely need to perform their function. A user is not entitled to unrestricted access privileges, and the same goes for the device.

For these reasons, the identity awareness and application layer (Layer 7) control of every user and device becomes one of many critical factors in perpetuating the Zero Trust security model.


The Challenge Behind Implementing Zero Trust for IoT Devices

I’ve alluded to users and their IT devices in relation to Zero Trust. Now let’s talk about IoT devices in a similar yet somewhat divergent context. When it comes to unmanaged IoT devices tethered to an organization’s network, most enterprises find it difficult to adhere to standard Zero Trust principles. Why is this?

This is because, unlike users and their standard IT devices, IoT devices create a massive visibility challenge. As IoT picks up steam, for most enterprises undertaking IoT deployments, obtaining identity awareness of every such device connecting itself to the network is a problem. One of the main reasons for this is that most IoT devices don't support traditional enterprise authentication and authorization processes such as 802.1X or Single-Sign-On. 

Approaches based on device fingerprinting don’t work for IoT devices because of the sheer variety in operating protocols and standards. Besides, IoT devices are rarely assigned a unique hardware identifier (unlike IT devices) as a result of being manufactured in batches. Given this, most of these devices remain undiscovered and unaccounted for in an IT team’s device inventory. 

Since IoT devices are ultimately designed to connect to the wireless network, once connected, they roam and remain interspersed alongside IT devices, freely enjoying unfettered network access while remaining out of sight of vulnerability scans. As a result, these devices drag the network’s security level down to the lowest common denominator and greatly widen the threat surface, leaving the network gravely susceptible to lateral exploits.


Implementing Zero Trust for IoT Environments With Palo Alto Networks IoT Security

Palo Alto Networks IoT Security brings IoT devices into the fold of a Zero Trust security model by implementing four best practices that minimize IoT security risks and keep your network safe from cyber attacks. The cloud-delivered security service can be enabled on any of our Next Generation Firewalls for current customers, or delivered as a complete solution for non-Palo Alto Networks customers.


1. Our IoT Security makes enhanced visibility the foundation of your Zero Trust strategy for IoT security.

You can’t secure what you can’t see. To extend the principles of Zero Trust, it is important to first go beyond users and standard IT devices to include all unmanaged IoT devices in the network. Our agentless IoT security solution bypasses standard signature-based approaches to discover every connected IoT device in the network, including the never-seen-before ones that IT teams are unaware of.

Our IoT Security accurately matches each device’s IP address with its type, vendor and model to surface a bundle of additional essential device attributes that completely profile the device. Accurate and granular device classification is a necessary prerequisite to differentiating unmanaged IoT devices from managed IT assets. Doing that enables enforcement of Zero Trust-driven security policies that only allow approved traffic in your IoT environment.


2. Our IoT Security continuously audits and validates devices against behavior anomalies and risk scores.

A core principle behind Zero Trust is that no devices – whether identified inside or outside the network – should be granted access to other devices and applications until assessed for risk and approved within the set parameters of normal behavior.

This principle applies perfectly to IoT devices since they have limited, stable and predictable behaviors by nature. Once identified, every IoT device should be verified against baselined behaviors before being granted access to other devices and applications in the network.

Our ML-based IoT Security automatically ascertains the device's identity and verifies "normal behaviors." Once "normal behaviors" are determined, the solution kicks in anomaly detection to uncover and prioritize any potential deviation from the baseline.


3. Our IoT Security microsegments IoT devices from IT devices to reduce the attack surface and risk radius of lateral exploits.

A Next-Generation Firewall enables microsegmentation of network perimeters and acts as border control within your organization. Our IoT Security takes a device profile-based microsegmentation approach that considers a number of factors (including device type, function, mission criticality and threat level) to enable sequestration. This significantly reduces the potential impact of cross-infection between IT and IoT devices. Seamlessly implemented on your Next-Generation Firewall, this approach restricts lateral movement between IT and IoT devices.

Partitioning away IoT devices ensures they have least-privileged access and connect to only required applications. It keeps them quarantined from guest and business networks, and minimizes operational downtime in critical IoT infrastructures by mitigating incompatibility issues cropping up between systems.


4. Our IoT Security automates Zero Trust policy enforcement using machine learning and Device-ID on the Next-Generation Firewall.

Zero Trust begins with “deny all.” Zero Trust policies are then built and defined at Layer 7, based only on what is allowed. Next-Generation Firewalls utilize the concept of positive enablement, which makes Zero Trust-driven security policies easier to write.

Instead of manually translating normal versus suspicious device behavior into policies for enforcement, our IoT Security automatically generates and enforces Zero Trust policies using machine learning on your firewall. Our machine learning establishes a baseline of Layer 7 IoT device behaviors – for instance, application and network topology behaviors – discerning what is normal for a single device in order to make recommendations for device-level policies consistent with Zero Trust architecture.

The new Device-ID policy construct then tracks an individual device across your network, providing detailed information as context within the ML-Powered NGFW for any alert or incident that may occur – regardless of changes to the device’s IP address or location. Policy rules and Layer 7 controls are automatically updated as the location and identified risks change.
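The baseline-then-deny-all idea from practices 2 and 4, as an added example that is not Palo Alto Networks code and does not reproduce the product's machine learning: it substitutes a simple set-based baseline per device profile. The device IDs, profile names, application labels and hostnames are constructed sample data, and the rule format is an assumption made for illustration.

```python
from collections import defaultdict

# Constructed flow records: (device_id, profile, src_ip, app, destination).
LEARNING_WINDOW = [
    ("cam-01", "ip-camera", "10.0.5.11", "rtsp", "nvr.example.internal"),
    ("cam-01", "ip-camera", "10.0.5.11", "ntp", "ntp.example.internal"),
    ("cam-02", "ip-camera", "10.0.5.12", "rtsp", "nvr.example.internal"),
    ("pump-07", "infusion-pump", "10.0.9.40", "hl7", "emr.example.internal"),
]

LIVE_TRAFFIC = [
    ("cam-01", "ip-camera", "10.0.7.99", "rtsp", "nvr.example.internal"),  # IP changed
    ("cam-02", "ip-camera", "10.0.5.12", "ssh", "10.0.1.5"),               # new app
    ("pump-07", "infusion-pump", "10.0.9.40", "rtsp", "nvr.example.internal"),
    ("tv-03", "smart-tv", "10.0.6.2", "ssl", "cdn.example.net"),           # no baseline
]


def build_allow_rules(flows):
    """Per device profile, collect the (app, destination) pairs seen while learning."""
    rules = defaultdict(set)
    for _device_id, profile, _src_ip, app, dest in flows:
        rules[profile].add((app, dest))
    return dict(rules)


def evaluate(rules, flow):
    """Default deny: allow only a pair baselined for this profile.
    The source IP is deliberately not part of the match."""
    _device_id, profile, _src_ip, app, dest = flow
    return "allow" if (app, dest) in rules.get(profile, set()) else "deny"


def deviations(rules, flows):
    """Group denied flows by device identity for anomaly review."""
    report = defaultdict(list)
    for flow in flows:
        if evaluate(rules, flow) == "deny":
            report[flow[0]].append((flow[3], flow[4]))
    return dict(report)


if __name__ == "__main__":
    rules = build_allow_rules(LEARNING_WINDOW)
    for device, denied in deviations(rules, LIVE_TRAFFIC).items():
        print(device, "denied:", denied)
```

Because the match is on profile and application rather than address, cam-01 keeps its access after moving to a new IP, while the pump is denied a flow that is normal for cameras but was never baselined for its own profile.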


Zero Trust Throughout Your Infrastructure

In the past, securing users, applications and devices identifiable inside the network perimeter was the obvious thing to do. The explosion of unmanaged IoT devices in enterprises with their ever-expanding network security perimeter sets a new paradigm. It is imperative for enterprises to now embrace a new approach to IoT security modeled steadfastly on Zero Trust best practices.

IoT security is one component of an enterprise Zero Trust strategy. Be sure to check out the rest of the blogs in our Zero Trust Throughout Your Infrastructure series. Or you can watch as Palo Alto Networks Founder and CTO Nir Zuk explains how it all fits together in this video.

To learn more on how you can put an IoT security lifecycle approach into action to secure your IoT investments, reference our buyer's guide on IoT Security or request a demo to see first hand how the solution delivers visibility and protection in the IoT security lifecycle.

This post is part of a series covering “Zero Trust Throughout Your Infrastructure.”
