The Zscaler ThreatLabZ team released new research today (IoT in the Enterprise 2020: Shadow IoT Emerges as a Security Threat) that finds shadow IoT devices and traffic are quickly growing in organizations and posing many new threats and questions about how to best architect security to protect the enterprise. So, what can we do about it? How can we think differently? How should you prepare?
The IoT threat landscape is continuously expanding and changing as manufacturers bring devices to market for consumers and businesses alike. With the space completely unregulated and devices being pumped out like candy, organizations are scrambling to gain an understanding of what is actually transpiring on the corporate network, what types of devices are communicating and transporting data, and how to secure the IoT ecosystem as a whole.
From their inception, IoT devices were meant to be disposable, short-term investments due to low acquisition cost, inherent flaws, and the speed with which the device software becomes irrelevant/end-of-life. There is no protocol for continuous testing, updating software, or patching, and yet these devices are all connected to the internet and to many corporate networks.
So, what do we do? Do we ban all IoT devices from the enterprise? Yeah, that would go over really well.
All is not lost. Folks can keep their smart watches, smart closets, and whatever else they think is making them smart. Banning devices is not going to be the answer here. The answer is changing up the narrative on how we think about IoT devices from a security and risk standpoint, and what expectations we put on manufacturers to increase the security posture of these devices.
The first thing you absolutely must grapple with is visibility. You cannot protect what you don’t know exists. How do you gain visibility into the types of devices that are present and the amount of activity they are conducting on the corporate network? Companies around the world are adopting different techniques to manage this process. Obviously, there’s a range of approaches here. The more legacy version is keeping everything on an old-school corporate network, collecting all data into a data lake(s), implementing a miles-long firewall policy, and using costly analytics platforms to pummel you with alerts until you’re numb to them.
Complicating the visibility issue is the reality that your users are now connecting everywhere and your applications, at least some of them, are in the cloud. Sticking with a legacy approach will not get you visibility that spans all your users, devices, and applications. It also won’t get you the security controls and policy enforcement you need for risk reduction and compliance. But at least it’s great for users, right? Of course not! People expect a fast, consumer-like experience with their apps, and routing internet-bound traffic through a secure gateway that’s a couple of time zones away provides a frustrating experience and a sure way to get users to bypass security.
The more modern cloud approach is to use the internet as your ally—your new corporate network that transports all your business traffic—with every connection secured in the cloud by Zscaler. The Zscaler platform processes every internet transaction, no matter where users connect or where their applications are hosted, so you have complete visibility into all your traffic flows, with security services that prevent intruders from getting in while preventing sensitive data from getting out. And, because it pushes security close to the endpoint, it’s fast.
Part of visibility in a mobile, cloud-centric world is adopting a zero trust mentality. I know some call it a buzzword, but in simple terms it means security professionals trust no user and no device to touch the network, not until you know who the user is, what the device is, and whether that user and that device are authorized to access the applications they are trying to reach.
I cannot tell you how many organizations I’ve met with had something as simple as a phishing link clicked by one person that led to one piece of malware downloaded that then moved across the entire organization. This cannot happen if the malware is never actually on the network.
How do you keep it off in that instance of a user opening a malicious attachment? One way is through zero trust network access (ZTNA), also known as a software-defined perimeter (SDP). ZTNA uses identity access management and thoughtful policy put in place by the business to put a boundary around enterprise applications. Gartner wrote a Market Guide for ZTNA you can download here if you want to learn more.
It’s also worth mentioning that you must train your employees on how to conduct themselves at work. Part of that is mandatory cybersecurity best-practices training for the staff, but part of it is also having thoughtful business policy baked into your zero trust design. After all, if you implement a policy that doesn’t let your staff use corporate networks to engage with certain personal devices, then those devices are not a security risk to your organization.
Finally, disparate governmental policies and proposed regulations are emerging around the world in an attempt to provide guidance for the development and security of IoT devices. Given the extensive supply chain processes and manufacturing touchpoints involved, individual laws and regulations that mandate security and process country by country will inevitably fall short. Technology giants that operate across global entities need to insist on and drive a meeting of the minds to create global policy and expectations for IoT manufacturers.
As the largest consumer of IoT devices, the United States is on the front line to lead this initiative. For years, various groups have made suggestions on IoT security. This has surfaced in bills such as the IoT Consumer TIPS Act of 2017 and the SMART IoT Act, but little progress was made until 2018. Last year, California became the first U.S. state to pass a cybersecurity law covering IoT devices: SB-327, which went into effect on January 1, 2020.
SB-327 requires that all IoT devices sold in the state be equipped with reasonable security measures, notably broad product coverage, flexible security obligations, and initial password-management requirements. It is not perfection, but at least it is a start.
By creating visibility into your IoT devices, implementing sound zero trust network access policy, and helping to enact change in the way the world creates and regulates IoT devices, you can shine a light on shadow IoT to protect your organization and customers. You can read more about our findings in the report, IoT in the Enterprise 2020: Shadow IoT Emerges as a Security Threat.
Deepen Desai, vice president of security research at Zscaler and head of ThreatLabZ, would like to thank the mobile and IoT research team for its work on this analysis.