The zero-trust security model
Zero-trust is a security model and associated set of architectural principles and patterns that, by default, assumes that any connection, endpoint or user is a threat. As a result, the mechanisms and security controls associated with the zero-trust concept don’t rely solely on traditional controls or network boundaries. Instead, a zero-trust security approach requires users and systems to actively prove their trustworthiness. Furthermore, it enforces fine-grained, identity-based rules that govern access to applications, data, and assets.
Transport Layer Security (TLS) is an example of an encryption protocol used to establish the authenticated, encrypted connections on which zero-trust connectivity relies.
Demand for zero-trust products is growing
The demand for products supporting zero-trust is growing significantly and the zero-trust market is forecast to reach over $50 billion in 2026. The main factors driving the zero-trust market are the rapid growth of the IoT market, the frequency of targeted cyber-attacks, new IoT regulations being implemented in the US, EU, UK and China, and the adoption by organisations of zero-trust network access (ZTNA) during the pandemic.
Zero-trust IoT is not straightforward
However, securing IoT devices in a comprehensive way via a zero-trust approach is not a simple task. It involves layers of complexity due to the incredible diversity of the IoT device ecosystem – hardware design and capabilities, operating systems, varied connectivity bearers, legacy vs new devices, varied deployment locations etc.
In a zero-trust model the device itself forms a critical element of the security regime. This imposes responsibilities on the device that bring technical and operational complexities – in terms of both design and operation. Many IoT devices are themselves quite ‘dumb’ and/or deployed using infrastructure and equipment not initially designed for a connected world. As a result, it can be hard to integrate them into a zero-trust security model.
Security-in-the-network can have a complementary role
Intelligent, software-defined mobile networks provide real-time visibility and control of IoT connectivity: per customer, per SIM or per data session. This involves granular, real-time control of data routing and security policies at the individual IMSI or application level.
In the case of cellular networks, the SIM card itself is a component with sophisticated and well-proven security capabilities, which have been gradually refined through the evolution to today’s 4G and 5G networks. Although the security mechanisms it encapsulates were originally designed to secure the attachment to the network (through robust authentication and encryption), they can also be leveraged by IoT applications to bring the same benefits. By using these mechanisms to robustly secure the link between the SIM and the network, zero-trust techniques can then be applied between the network and the application without the complexity, burden and risk of doing so from the device itself.
Network-level control can determine how individual SIMs connect (and therefore how the devices containing these SIMs can be accessed). Via an API, in real time, access can be limited to a single, trusted IP address, mitigating the risk of a hack or breach.
It is also possible to screen IoT data traffic in real time to detect anomalous behaviour, such as a SIM contacting a destination it has never been authorised to reach or sending far more data than its normal pattern.
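The two network-side controls just described (limiting each SIM to a single trusted destination, and screening traffic for anomalies) can be sketched as a small policy engine. The code below is an added illustration, not code from the original article or from any network operator's platform; the `NetworkPolicyEngine` class, the IMSIs, the IP addresses (documentation ranges) and the flow records are all constructed for the example. It applies a default-deny rule for SIMs with no policy, an allowlist of one trusted IP per IMSI, and a simple per-session volume baseline, and returns a verdict with the reasons for any denial so that a SOC analyst can act on it.

```python
"""Per-SIM network policy and traffic screening (added example, not from the article)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List


@dataclass
class SimPolicy:
    """What a single SIM (identified by IMSI) is permitted to do on the network."""
    imsi: str
    trusted_ip: str           # the one destination this SIM may reach
    max_bytes_per_session: int  # baseline above which a session is flagged as anomalous


@dataclass
class Flow:
    """A constructed flow record as a network probe might export it."""
    imsi: str
    dst_ip: str
    dst_port: int
    bytes_out: int


@dataclass
class Verdict:
    imsi: str
    allowed: bool
    reasons: List[str] = field(default_factory=list)


class NetworkPolicyEngine:
    """Hypothetical engine standing in for the operator's real-time policy API."""

    def __init__(self) -> None:
        self._policies: Dict[str, SimPolicy] = {}

    def set_policy(self, policy: SimPolicy) -> None:
        # Reject malformed addresses before they become an enforcement rule.
        ip_address(policy.trusted_ip)  # raises ValueError on bad input
        self._policies[policy.imsi] = policy

    def evaluate(self, flow: Flow) -> Verdict:
        policy = self._policies.get(flow.imsi)
        if policy is None:
            # Zero-trust stance: an unknown SIM gets no connectivity at all.
            return Verdict(flow.imsi, False, ["unknown IMSI: no policy, default deny"])
        reasons: List[str] = []
        if flow.dst_ip != policy.trusted_ip:
            reasons.append(f"destination {flow.dst_ip} is not the trusted IP {policy.trusted_ip}")
        if flow.bytes_out > policy.max_bytes_per_session:
            reasons.append(
                f"session volume {flow.bytes_out} bytes exceeds baseline {policy.max_bytes_per_session}"
            )
        return Verdict(flow.imsi, not reasons, reasons)

    def screen(self, flows: List[Flow]) -> List[Verdict]:
        """Screen a batch of flow records; every record gets a verdict."""
        return [self.evaluate(f) for f in flows]


def default_engine() -> NetworkPolicyEngine:
    """Engine with one constructed SIM allowed to reach one constructed backend."""
    engine = NetworkPolicyEngine()
    engine.set_policy(SimPolicy("001010123456789", "203.0.113.10", 50_000))
    return engine


# Constructed sample traffic: one normal session and three that should be denied.
SAMPLE_FLOWS = [
    Flow("001010123456789", "203.0.113.10", 8883, 1_200),    # normal upload to the backend
    Flow("001010123456789", "198.51.100.7", 23, 300),        # attempt to reach an untrusted host
    Flow("001010123456789", "203.0.113.10", 8883, 900_000),  # right destination, abnormal volume
    Flow("001010999999999", "203.0.113.10", 8883, 100),      # SIM that has no policy at all
]

if __name__ == "__main__":
    for verdict in default_engine().screen(SAMPLE_FLOWS):
        state = "ALLOW" if verdict.allowed else "DENY "
        print(f"{state} {verdict.imsi} {'; '.join(verdict.reasons)}")
```

The point of returning reasons rather than a bare boolean is that the same engine serves both roles the article describes: the destination check is the enforcement control (the single trusted IP), and the volume check is the screening control (anomaly detection), and an analyst can tell from the verdict which one fired.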
Such network layer security features complement a zero-trust approach by providing protection across the full spectrum of connected IoT devices, even those which cannot support on-device zero-trust configuration.