Securing IoT devices requires zero trust principles

Two recently discovered sets of vulnerabilities in medical Internet of Things devices, one in lab testing equipment and the other in a temperature sensor (the latter brings to mind the infamous Las Vegas aquarium sensor hack), underscore the need to apply Zero Trust principles to IoT device implementations.

When we think about Zero Trust in the context of securing IoT devices, network segmentation comes to mind as the easiest way to control access to those devices and, if a device is compromised, to restrict its access to other applications and data, preventing access to patient data or attacks on other devices on the network.

The challenge is that these devices may need this access, because they are often part of larger solutions that run blood tests or monitor the temperature of samples or pharmaceutical products. So simply implementing segmentation rules will still allow access to the applications, data, and other devices that these components communicate with.

Access control needs to be more granular, and you need to define exactly what these devices will have access to on other devices, application servers, and web hosts.

IoT device deployments, like many modern networks, have tended to grow organically and not always according to plan. Devices were slowly added to the network to meet needs like printing, video monitoring, or tracking packages, and before enterprises realized what was happening, thousands of devices were part of the corporate network, with no plans for how to manage them, control access, or monitor them.

This means that as problems are discovered, teams change direction to solve the problem without thinking about, or having the ability to undertake, a redesign of the implementation that properly addresses these requirements. Because the proliferation of these devices shows no sign of slowing down, problems like this continue to pop up, which means the time to act is now.

IoT security has been named one of the top 10 emerging technologies for 2024, reflecting growing concerns about securing these devices. In response to these concerns, a variety of solutions have emerged that address IoT devices, device inventory, vulnerability management, identity and access management, network control and security, and endpoint security. These solutions can only help if security leaders establish that they intend to implement Zero Trust principles in IoT device deployments. This means:

  • Recognizing what is wrong now.
  • Analyzing the required level of access to IoT devices.
  • Understanding the data your devices need access to.
  • Determining how to monitor these devices.

Forrester clients interested in evaluating these requirements and getting guidance on their IoT security plans should submit an inquiry or request for a consulting session to me. If you don’t know how you plan to use the technology, it will be on the shelf.

First published Forrest