For many, 2020 was a year of survival as they rapidly transformed their businesses in response to a new normal. From enabling new remote and hybrid project simulates to implementing new technology to help optimize procedures, the last year has understood a significant uptick in the proliferation and role of IoT devices. Many organizations have suddenly determined themselves facing an expanded attack surface area with new security challenges they were not fully prepared for.

IoT solutions need to be secured end-to-end, all the way from the device to the cloud or hybrid service that the data is processed in. Securing IoT machines presents a couple of additional layers of intricacy because of the incredible diversity in designing, hardware, operating system, deployment locatings, and more. For instance, many are “user-less” and operate automated workloads, presenting challenges when integrating into existing identity and access management tools. Many IoT devices have been previously been deployed using infrastructure and equipment not originally designed for a connected world or have restriction capabilities and connectivity, making them challenging to secure. And because IoT devices are typically deployed in diverse environments–ranging from inside factories or office buildings to remote worksites or critical infrastructure–they’re exposed in unique ways and can offer high-value targets to attackers.

Graphic depicting the technical characteristics of IoT and their unique challenges. Characteristics include running automated workloads, aging infrastructure, and limited connectivity.

Figure 1: Technical characteristics of IoT and their challenges.

Embracing Zero Trust for your IoT answers

As organisations continue to drive their digital metamorphosi exertions, especially through the increased deployment of IoT solutions, it quickly becomes clear that the current approach to procuring and managing these devices needs to be adapted to the reality of their environment. Enter Zero Trust, the security model that presumes breach and treats every access attempt as if it is coming from an open network.

In October 2019, we published a whitepaper with our official guidance on implementing a Zero Trust security framework, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper furnishes a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements. If you haven’t read it, we highly recommend starting there as everything we discuss from here on will build on the requirements in that model.

A practical approach for implementing Zero Trust for IoT

Securing IoT solutions with a Zero Trust security framework starts with non-IoT specific requirements–specifically ensuring you have implemented the basics to fastening identities, their machines, and limit their access. These include explicitly verifying customers, having visibility into the devices they’re bringing on to the network, and being able to make dynamic access decisions using real-time risk detections. This helps limit the potential blast radius of users gaining unauthorized access to IoT services and data in the cloud or on-premises, which can lead to both mass information disclosure( like leaked production data of a factory) and potential elevation of privilege for command and control of cyber-physical systems( like quit a factory production line ).

Once those requirements are met, we can shift our focus to the specific Zero Trust requirements for IoT answers 😛 TAGEND

Strong identity to authenticate devices. Register machines, issue renewable credentials, employ passwordless authentication, and use a hardware root of trust to ensure you can trust its identity before making decisions. Least privileged access to mitigate blast radius. Implement device and workload access control to limit any potential blast radius from authenticated identities that may have been compromised or running unapproved workloads. Device health to gate access or flag machines for remediation. Check security configuration, assess for vulnerabilities and insecure passwords, and monitor for active menaces and anomalous behavioral alerts to build ongoing risk profiles. Continual updates to keep machines healthy. Utilize a centralized configuration and conformity handling answer and a robust update mechanism to ensure devices are up to date and in a healthy nation. Security monitoring and response to detect and respond to emerging menaces. Employ proactive monitoring to rapidly identify unauthorized or compromised machines.

Cover preview of the new Zero Trust Cybersecurity for the Internet of Things whitepaper. Includes faded image of a factory worker walking across factory floor. Today, we’re publishing a new whitepaper on how to apply a Zero Trust approach to your IoT solutions based on our experience helping other customers and securing our own environment. In this whitepaper, we break down the requirements above in more detail as well as provide guidance on applying Zero Trust to your existing IoT infrastructure. Finally, we’ve also included criteria to help select IoT devices and servicing of a Zero Trust environment.

Read the Zero Trust Cybersecurity for the Internet of Things whitepaper for full details.

Additional resources 😛 TAGEND

Watch The IoT Show: Zero Trust for IoT for a Channel9 interview where I explain the key capabilities of Zero Trust for IoT and how Microsoft answers enable your journey.

Watch the playback of this week’s Azure IoT Security Summit for an overview of our IoT Security solutions and counseling on how to prevent security transgresses, address weak spots, and monitor the health of your IoT devices in near real-time to find and eliminate menaces.

For detailed information about Microsoft Zero Trust please visit our website. Check out our deployment guides for step-by-step technical guidance.

To learn more about Microsoft Security solutions visit our website . Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to apply a Zero Trust approach to your IoT solutions appeared first on Microsoft Security .

Read more: