The proliferation of IoT devices in the enterprise environment has improved business operations dramatically over the last couple of decades, but at the same time these devices pose tremendous challenges for the cybersecurity and networking admins who have to protect them. So why is that? The simple answer is that they are just different: different from end-user devices, which typically run a common OS platform (e.g. Windows, macOS). End-user devices can be protected effectively by installing agent software backed by authentication mechanisms such as credentials and MFA. However, this approach simply does not work for IoT devices. It is nearly impossible to install an agent or certificate on every IoT device because of the variety of operating systems they run. Not to mention, there are no humans behind these headless devices to complete any kind of credential-based or multi-factor authentication.
So, how have we tried to solve these challenges in the past two decades?
Why Traditional IoT Identity Solutions Fail

Traditional approaches to solving for IoT identity have been less than successful.
Certificate Authentication Method

Given that the credential approach does not work for IoT, we tried to tackle the IoT identity issue by giving each IoT device a unique certificate. While this does provide a unique, cryptographically secure identity for each device, it rests on the assumption that a certificate can be installed on the IoT device in the first place. What if your CCTV camera or thermostat does not accept a certificate? Essentially, we end up with a solution that may protect only 10% of IoT devices, leaving the rest of them vulnerable. On top of that, there is the tremendous administrative overhead of maintaining a PKI system for these certificates.
MAC Authentication Method

Okay, how about MAC address authentication? We can restrict network access to only the IoT devices with known MAC addresses. It is often deemed a "feel-better" approach that assures admins that some level of authentication is in place. But in reality, this method is susceptible to MAC address spoofing, because a MAC address is a self-reported identifier with no cryptographic binding to the device. In addition, no admin is a fan of maintaining a long list of known MAC addresses for legitimate IoT devices. So this approach is neither efficient nor effective.
Focus Only on Authentication

So we see the pattern here. We simply extrapolated the authentication approach for users to secure IoT devices. That is why traditional approaches have failed to meaningfully improve IoT security. We think authentication is the be-all and end-all of IoT identity. However, we forget that authentication is a one-time process, and devices can be compromised after they connect to the network. So we then have to rely on a SIEM or XDR solution to monitor device posture in order to close this security blind spot.
Introducing IoT Behavioral Identity, Powered by Zscaler AI

That is why Zscaler thinks it is time to revolutionize IoT identity. It is not only about what the device is; it is also about what the device does. Continuous, always-on monitoring of device behavior is necessary to solve this lingering problem. This is where Zscaler IoT Behavioral Identity makes a huge difference. Powered by Zscaler AI/ML technology, IoT Behavioral Identity offers continuous zero trust protection for all your IoT devices, regardless of platform, OS or type.
So how does this all work? First, IoT devices are machines designed to do a specific task. For example, printers are designed to print. Therefore, their behavior is much more well defined than that of human users. Humans typically connect to a multitude of websites on the Internet, such as social networking, streaming media, business applications, etc. IoT devices, by contrast, communicate only with specific domains, to upload telemetry data or stats; e.g. Brother printers often call home to brother.com.
Secondly, what IoT devices do reveals what they essentially are, in a much more reliable way than just examining MAC addresses. We can feed IoT transaction data into the Zscaler AI engine, which is then able to tell what the devices are, intelligently and automatically, based on their communication patterns. For example, if an unknown IoT device communicates with bevi.co most of the time, Zscaler AI can classify it as beverage equipment without any human intervention at all.
Lastly, we need to monitor IoT device behavior continuously, not just once at connection time. Then, whenever a device behaves abnormally, we can detect a potential compromise and alert customers so they can react to the incident more quickly and effectively, thus reducing MTTR.
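To make the three steps above concrete, here is an added example that is not Zscaler code and does not use the Zscaler AI engine: it replaces the ML classifier with a simple frequency heuristic over a constructed set of transaction records. It builds a per-device baseline of destination domains, classifies a device by its dominant "call-home" domain (the brother.com and bevi.co examples come from the post; the MAC addresses, the other domains and the DOMAIN_TO_CLASS mapping are assumptions), and then flags transactions that fall outside a device's baseline as candidate anomalies for an analyst to triage.

```python
"""
Illustrative behavioral baselining for IoT devices.

Added example, not Zscaler's code: a frequency heuristic stands in for
the AI/ML engine described in the post, and all records are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample transactions: (device_mac, destination_domain).
# brother.com and bevi.co are the vendor domains named in the post;
# everything else here is made up for illustration.
BASELINE_TRANSACTIONS = [
    ("aa:bb:cc:00:00:01", "brother.com"),
    ("aa:bb:cc:00:00:01", "brother.com"),
    ("aa:bb:cc:00:00:01", "ntp.example.org"),
    ("aa:bb:cc:00:00:02", "bevi.co"),
    ("aa:bb:cc:00:00:02", "bevi.co"),
    ("aa:bb:cc:00:00:02", "bevi.co"),
    ("aa:bb:cc:00:00:02", "ntp.example.org"),
]

# Hypothetical mapping from a vendor call-home domain to a device class.
DOMAIN_TO_CLASS = {
    "brother.com": "printer",
    "bevi.co": "beverage-equipment",
}


def build_baselines(transactions):
    """Return {device: Counter(domain -> count)} from transaction records.

    The Counter for each device is its behavioral baseline: the set of
    destinations it contacted during the learning window, with frequencies.
    """
    baselines = defaultdict(Counter)
    for device, domain in transactions:
        baselines[device][domain] += 1
    return baselines


def classify_device(domain_counts, min_share=0.5):
    """Classify a device by its most frequently contacted domain.

    A class is assigned only if that domain is a known vendor domain and
    accounts for at least min_share of the device's traffic; otherwise the
    device stays 'unknown' rather than being guessed.
    """
    total = sum(domain_counts.values())
    if total == 0:
        return "unknown"
    domain, count = domain_counts.most_common(1)[0]
    if count / total >= min_share and domain in DOMAIN_TO_CLASS:
        return DOMAIN_TO_CLASS[domain]
    return "unknown"


def detect_anomalies(baselines, new_transactions):
    """Flag transactions that deviate from the learned baselines.

    Two conditions raise an alert: a device with no baseline at all, and a
    baselined device contacting a domain it never used during learning.
    Each alert is (device, domain, reason) for an analyst to triage.
    """
    alerts = []
    for device, domain in new_transactions:
        if device not in baselines:
            alerts.append((device, domain, "unknown device"))
        elif domain not in baselines[device]:
            alerts.append((device, domain, "new destination"))
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(BASELINE_TRANSACTIONS)
    for device, counts in baselines.items():
        print(device, "->", classify_device(counts))
    # Constructed follow-up traffic: one routine call-home, one unexpected
    # destination, and one device that was never seen during baselining.
    later = [
        ("aa:bb:cc:00:00:01", "brother.com"),
        ("aa:bb:cc:00:00:01", "unexpected.example"),
        ("aa:bb:cc:00:00:09", "bevi.co"),
    ]
    for alert in detect_anomalies(baselines, later):
        print("ALERT:", alert)
```

A real deployment would learn baselines over a long window, weight by bytes and time of day, and let the classifier's output (printer, beverage equipment) drive the policy applied to the device; the point of the heuristic is only to show why behavior is a more stable identity signal than a spoofable MAC address, and why the monitoring has to keep running after the device is first admitted.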
Conclusion

To summarize, Zscaler IoT Behavioral Identity, Zscaler's latest innovation powered by our Zscaler AI engine, solves the IoT identity challenge that has plagued the industry for decades. It is time to think outside the box of traditional certificate- and MAC-based authentication and start embracing this new way to secure all your IoT devices. If you're interested in learning more, reach out to your Zscaler representative to ask for a demo.