Shining a Light on Shadow IoT to Protect Your Organization

The Zscaler ThreatLabZ team released new research today (IoT in the Enterprise 2020: Shadow IoT Emerges as a Security Threat) that finds shadow IoT devices and traffic are quickly growing in organizations and posing many new threats and questions about how to best architect security to protect the enterprise. So, what can we do about it? How can we think differently? How should you prepare?

The IoT threat landscape is continuously expanding and changing as manufacturers bring devices to market for consumers and businesses alike. With the space completely unregulated and devices being pumped out like candy, organizations are scrambling to gain an understanding of what is actually transpiring on the corporate network, what types of devices are communicating and transporting data, and how to secure the IoT ecosystem as a whole.

From their inception, IoT devices were meant to be disposable, short-term investments due to low acquisition cost, inherent flaws, and the speed with which the device software becomes irrelevant/end-of-life. There is no protocol for continuous testing, updating software, or patching, and yet these devices are all connected to the internet and to many corporate networks.

So, what do we do? Do we ban all IoT devices from the enterprise? Yeah, that would (not) go over really well.

All is not lost. Folks can keep their smart watches, smart closets, and whatever else they think is making them smart. Banning devices is not going to be the answer here. The answer is changing up the narrative on how we think about IoT devices from a security and risk standpoint, and what expectations we put on manufacturers to increase the security posture of these devices.
 

Shadow IoT: Shine a light on the shadows

The first thing you absolutely must grapple with is visibility. You cannot protect what you don’t know exists. How do you gain visibility into the types of devices that are present and the amount of activity they are conducting on the corporate network? Companies around the world are adopting different techniques to manage this process. Obviously, there’s a range of approaches here. The more legacy version is keeping everything on an old-school corporate network, collecting all data into a data lake(s), implementing a miles-long firewall policy, and using costly analytics platforms to pummel you with alerts until you’re numb to them. 

Complicating the visibility issue is the reality that your users are now connecting everywhere and your applications, at least some of them, are in the cloud. Sticking with a legacy approach will not get you visibility that spans all your users, devices, and applications. It also won’t get you the security controls and policy enforcement you need for risk reduction and compliance. But at least it’s great for users, right? Of course not! People expect a fast, consumer-like experience with their apps, and routing internet-bound traffic through a secure gateway that’s a couple of time zones away provides a frustrating experience and a sure way to get users to bypass security. 

The more modern cloud approach is to use the internet as your ally—your new corporate network that transports all your business traffic—with every connection secured in the cloud by Zscaler. The Zscaler platform processes every internet transaction, no matter where users connect or where their applications are hosted, so you have complete visibility into all your traffic flows, with security services that prevent intruders from getting in while preventing sensitive data from getting out. And, because it pushes security close to the endpoint, it’s fast. 
 

Zero trust applies to IoT devices, too

Part of visibility in a mobile and cloud-first world is taking a zero trust mentality. I know some call it a buzzword but, simply put, it’s about security people not trusting any person or device to touch the network—that is, until you know who the user is, what the device is, and whether that user and device are allowed to access the applications they’re trying to reach. 

I cannot tell you how many organizations I’ve met with had something as simple as a phishing link clicked by one person that led to one piece of malware downloaded that then moved across the entire organization. This cannot happen if the malware is never actually on the network. 

How do you keep it off in that instance of a user opening a malicious attachment? One way is through zero trust network access (ZTNA), also known as a software-defined perimeter (SDP). ZTNA uses identity access management and thoughtful policy put in place by the business to put a boundary around enterprise applications. Gartner wrote a Market Guide for ZTNA you can download here if you want to learn more.

It’s also worth mentioning that you must train your employees on how to conduct themselves at work. Part of that is mandatory cybersecurity best practices training to the staff, but part of it also is having thoughtful business policy baked into your Zero Trust design. After all, if you implement a policy that doesn’t let your staff use corporate networks to engage with certain personal devices then it’s not a security risk to your organization. 
 

Time for an IoT Geneva Convention 

Finally, disparate governmental policies and suggested regulations are coming up around the world in an attempt to provide guidance for the development and security of IoT devices. With extensive supply chain processes and manufacturing touchpoints, these individual laws and regulations across various countries to mandate security and process will inevitably fall short. Technology giants that operate across global entities need to insist on and drive a meeting of the minds to create global policy and expectations of IoT manufacturers.

As the biggest consumer of IoT devices, the U.S. is in a prime position to lead this initiative. For years, there have been suggestions stemming from various groups on IoT security. This is manifested through bills like the IoT Consumer TIPS Act of 2017 and the SMART IoT Act, but not much traction was gained until 2018. Last year, California became the first state in the U.S. to pass a cybersecurity law covering IoT devices: SB-327, which took effect on January 1, 2020. 

SB-327 requires all IoT devices sold in the state to be equipped with reasonable security measures, including broad product coverage, flexible security obligations, and initial password management requirements. It’s not perfect, but at least it’s a start.
 

Protecting against shadow IoT

By creating visibility into your IoT devices, implementing sound zero trust network access policy, and helping to enact change in the way the world creates and regulates IoT devices, you can shine a light on shadow IoT to protect your organization and customers. You can read more about our findings in the report, IoT in the Enterprise 2020: Shadow IoT Emerges as a Security Threat.

Deepen Desai, the Zscaler VP of Security Research and Director of ThreatLabZ, wishes to thank the mobile and IoT research team for its work on this analysis.