{"id":93430,"date":"2021-05-05T06:00:33","date_gmt":"2021-05-05T13:00:33","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=93430"},"modified":"2023-08-07T16:14:30","modified_gmt":"2023-08-07T23:14:30","slug":"how-to-apply-a-zero-trust-approach-to-your-iot-solutions","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/05\/05\/how-to-apply-a-zero-trust-approach-to-your-iot-solutions\/","title":{"rendered":"How to apply a Zero Trust approach to your IoT solutions"},"content":{"rendered":"

For many, 2020 was a year of survival as they rapidly transformed their businesses in response to a new normal. From enabling new remote and hybrid work models to implementing new technology to help optimize operations, the last year has seen a significant uptick in the proliferation and role of IoT devices. Many organizations have suddenly found themselves facing an expanded attack surface area with new security challenges they were not fully prepared for.<\/p>\n

IoT solutions need to be secured end-to-end, all the way from the device to the cloud or hybrid service that the data is processed in. Securing IoT devices presents a couple of additional layers of complexity because of the incredible diversity in design, hardware, operating systems, deployment locations, and more. For example, many are \u201cuser-less\u201d and run automated workloads, presenting challenges when integrating into existing identity and access management tools. Many IoT devices have also been deployed using infrastructure and equipment not originally designed for a connected world or have limited capabilities and connectivity, making them challenging to secure. And because IoT devices are typically deployed in diverse environments\u2014ranging from inside factories or office buildings to remote worksites or critical infrastructure\u2014they\u2019re exposed in unique ways and can offer high-value targets to attackers.<\/p>\n

\"Graphic<\/p>\n

Figure 1: Technical characteristics of IoT and their challenges.<\/em><\/p>\n

Embracing Zero Trust for your IoT solutions<\/h2>\n

As organizations continue to drive their digital transformation efforts, especially through the increased deployment of IoT solutions, it quickly becomes clear that the current approach to securing and managing these devices needs to be adapted to the reality of their environment. Enter Zero Trust, the security model that assumes breach and treats every access attempt as if it originates from an open network.<\/p>\n

In October 2019, we published a whitepaper<\/a> with our official guidance on implementing a Zero Trust security model, which breaks down Zero Trust requirements across identities, endpoints, apps, networks, infrastructure, and data. This paper provides a strong starting point to assess your current Zero Trust maturity, prioritize security efforts to maximize impact, and get a foundational understanding of overall capabilities and requirements. If you haven\u2019t read it, we highly recommend starting there as everything we discuss from here on will build on the requirements in that model.<\/p>\n

A practical approach for implementing Zero Trust for IoT<\/h2>\n

Securing IoT solutions with a Zero Trust security model<\/a> starts with non-IoT specific requirements\u2014specifically ensuring you have implemented the basics to securing identities, their devices, and limit their access. These include explicitly verifying users, having visibility into the devices they\u2019re bringing on to the network, and being able to make dynamic access decisions using real-time risk detections. This helps limit the potential blast radius of users gaining unauthorized access to IoT services and data in the cloud or on-premises, which can lead to both mass information disclosure (like leaked production data of a factory) and potential elevation of privilege for command and control of cyber-physical systems (like stopping a factory production line).<\/p>\n

Once those requirements are met, we can shift our focus to the specific Zero Trust requirements for IoT solutions:<\/p>\n