
Why zero trust is vital – and achievable – for endpoint and IoT security


Spring 2021 marked one year since the beginning of what has been called the most widespread remote working experiment in history. The pandemic has undoubtedly taught organizations to rethink their perspective on many things – from business continuity to employee wellbeing – but one thing is certain: the cyber security threat landscape has changed immeasurably over the last year.

From an endpoint security perspective, the pandemic and the resulting shift to remote working both exacerbated and highlighted a challenge most organizations already faced. Enterprise-deployed Internet of Things (IoT) devices were already predicted to reach 5.8 billion in 2020 and, according to research from F-Secure, were already both a top concern and a top source of internet attack traffic. With employees now working from home, the corporate network extends far beyond the four walls of the office – to people’s homes, personal networks and consumer IoT devices.

Organizations are only as strong as their weakest link. In the current remote working environment, how many can say with confidence that they know exactly which devices are connected to their corporate data repositories and networks? For organizations not already versed in home working, laptop shortages at the start of the pandemic forced many IT teams to take a more lenient approach to the devices employees were using to connect to the corporate network from home. And, while personal laptops and tablets present a significant risk on their own, the wider threat stems from the consumer IoT devices that share the same home network. As the pandemic began to materialise in January 2020, Aviva estimated that the average UK home had 10.3 internet-enabled devices – more than 286 million in total – connected to its home network.

Modern authentication frameworks, such as Security Assertion Markup Language (SAML), OAuth and OpenID Connect, make it very easy for a home worker to enrol an IoT device, connect it to corporate cloud services and potentially leak data through it without the IT organization ever knowing. Equally, the consent step in these flows is typically a ‘one time’ event: the user approves the connection once, the device is issued a token that keeps working afterwards, and nothing makes it obvious to the user that a standing connection now exists. A crude example might be connecting a digital assistant to a corporate Office 365 account to gain a central view of a calendar or appointments. This may seem harmless, but the reality is that it both creates a risk of leaking corporate data and adds yet another entry point through which bad actors can gain access and move laterally. For a lot of organizations, this simple event would go completely unnoticed by the IT department.
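The standing app connections described above do leave a trace: the tenant records every delegated-permission consent. The following is an added example, not code from the article or from BlueFort Security, that triages such records for user-consented apps holding data scopes and a refresh token. It assumes grant records shaped like the Microsoft Graph oauth2PermissionGrant resource (clientId, consentType, principalId, scope); the sample export, the list of sensitive scopes and the scoring weights are my own constructed assumptions.

```python
"""Triage exported OAuth2 delegated-permission grants for silent, standing
app-to-tenant connections (added example; records and scope lists are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Delegated scopes that let an app read or export corporate data.
# Assumption: tune this to what your tenant treats as sensitive.
DATA_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.Read", "Calendars.ReadWrite", "Contacts.Read", "Sites.Read.All",
}
# offline_access issues a refresh token, so one consent click keeps working
# long after the user has forgotten about the device that asked for it.
PERSISTENT_SCOPE = "offline_access"


@dataclass
class Grant:
    client_id: str            # service principal of the app that was consented
    consent_type: str         # "AllPrincipals" (admin, tenant-wide) or "Principal" (one user)
    principal_id: Optional[str]
    scope: str                # space-separated delegated permissions, as Graph returns them


def risk_of(grant: Grant) -> Tuple[int, List[str]]:
    """Score one grant; returns (score, reasons). Higher means review it sooner."""
    scopes = set(grant.scope.split())
    score, reasons = 0, []
    data = sorted(scopes & DATA_SCOPES)
    if data:
        score += 2
        reasons.append("reads corporate data: " + ", ".join(data))
    if PERSISTENT_SCOPE in scopes:
        score += 1
        reasons.append("holds a refresh token (offline_access)")
    if grant.consent_type == "Principal":
        score += 1
        reasons.append("consented by an individual user, not by an admin")
    return score, reasons


def triage(grants: List[Grant], threshold: int = 3) -> List[Tuple[Grant, int, List[str]]]:
    """Return grants scoring at or above the threshold, highest risk first."""
    scored = [(g, *risk_of(g)) for g in grants]
    flagged = [t for t in scored if t[1] >= threshold]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed sample export: a digital assistant one user wired to their
# calendar, an admin-approved SSO portal, a user-installed file-sync tool,
# an admin-approved mail archiver and a harmless profile widget.
SAMPLE_GRANTS = [
    Grant("assistant-app", "Principal", "user-alice", "User.Read Calendars.Read offline_access"),
    Grant("sso-portal", "AllPrincipals", None, "openid profile User.Read"),
    Grant("filesync-app", "Principal", "user-bob", "Files.ReadWrite.All offline_access"),
    Grant("mail-archiver", "AllPrincipals", None, "Mail.Read offline_access"),
    Grant("profile-widget", "Principal", "user-carol", "User.Read"),
]

if __name__ == "__main__":
    for grant, score, reasons in triage(SAMPLE_GRANTS):
        print(f"{grant.client_id} (score {score}): " + "; ".join(reasons))
```

Run against a real export, the same function surfaces exactly the calendar-assistant case from the paragraph: a single-user consent, a data scope and offline_access together score 4 and land at the top of the list, while an admin-reviewed SSO app with only sign-in scopes scores 0 and is never shown.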

Assessing the risk 

The increased endpoint and IoT security risk is a clear and present danger for organizations in 2021. SonicWall’s 2021 Cyber Threat Report recorded a 66 percent increase in IoT malware detections last year, with attackers targeting remote workers’ home networks, as well as a 74 percent increase in previously undetected malware variants and a 67 percent increase in malicious Office files. A recent Bitdefender report revealed a 715 percent year-on-year increase in ransomware attacks. Taken together, these threats are further compounded by the risks associated with insecure network access and compromised credentials.

The 2020 Zero Trust Endpoint and IoT Security Report from Cybersecurity Insiders and Pulse Secure surveyed IT decision-makers, from technical executives to practitioners, to understand how organizations are advancing Zero Trust endpoint and IoT security capabilities. When asked about the key drivers for adopting greater Zero Trust endpoint detection and response (EDR) capabilities, 42 percent said they were unable to efficiently identify, classify and monitor endpoint and IoT devices, and 39 percent were experiencing endpoint security issues despite using protection tools.

What’s more, over half (56 percent) anticipate a moderate to extreme likelihood of being compromised by a successful cyberattack originating from endpoints or IoT devices.  It may come as no surprise then to learn that – given the continued challenges associated with home working – a majority of organizations (61 percent) expect to increase or significantly increase both capabilities and investment to secure remote worker access and endpoint security.

During times of uncertainty, trust no one 

It may seem like a cliché from a classic spy thriller, but in times of uncertainty and significant threat, organizations should trust no one – Zero Trust, in fact.  While not a new concept, Zero Trust frameworks have made serious headway in the cybersecurity community in recent years.  In the current business environment, it is a concept few organizations can afford to ignore.  

Zero Trust allows an organization to defend itself against identity-based attacks. In its simplest form, it is a control layered behind the perimeter that assumes an attacker will, at some point, breach the corporate network. Rather than relying on prevention alone, a Zero Trust architecture guards against lateral movement once an attacker is inside. It does so with three key steps: validation of both users and devices; control, using granular policy enforcement to grant access; and protection, encrypting every data transaction.

With devices, network connections and employee locations all in a constant state of flux, security policies must also remain mobile, under constant review and continuous adjustment, so that the corporate network is protected at any given moment. Just as endpoint security products secure and collect data on the activity that occurs on endpoints, network security products do the same for networks. To combat advanced threats effectively, the two need to work together in an integrated approach that combines endpoint and network security, provides visibility into connected devices, and makes it possible to contain any single user or device as soon as a threat is identified.
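What the three steps and the continuous re-evaluation above look like as a policy decision point is easiest to see in code. The following is an added example, not code from the article or from BlueFort Security: it validates the user and the device posture on every request, applies per-resource policy with a default deny, refuses cleartext transactions, and cuts a device off everywhere the moment it is contained. The users, devices, groups, resources and the Device, Request, Rule and PolicyEngine names are all constructed assumptions of mine.

```python
"""Minimal Zero Trust policy decision point (added example; all data constructed).
Validation (user + device), control (granular policy), protection (encrypted
channel), and containment of a flagged device on its very next request."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"      # allow once the session presents a stronger factor


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in MDM or corporate-issued
    os_patched: bool
    edr_healthy: bool        # endpoint agent reporting and not quarantined

    @property
    def compliant(self) -> bool:
        return self.managed and self.os_patched and self.edr_healthy


@dataclass
class Request:
    user: str
    groups: FrozenSet[str]
    mfa: bool                # session authenticated with a second factor
    encrypted: bool          # transaction arrives over an encrypted channel
    device: Device
    resource: str


@dataclass
class Rule:
    resource: str
    allowed_groups: FrozenSet[str]
    require_managed: bool = True
    require_mfa: bool = True


class PolicyEngine:
    def __init__(self, rules: List[Rule]):
        self.rules: Dict[str, Rule] = {r.resource: r for r in rules}
        self.contained: Set[str] = set()   # device ids cut off after a detection

    def contain(self, device_id: str) -> None:
        """Containment: a flagged device loses access everywhere on its next request."""
        self.contained.add(device_id)

    def evaluate(self, req: Request) -> Tuple[Decision, str]:
        """Runs on every request, not once at login, so a posture change or a
        containment flips the answer on the very next call."""
        rule = self.rules.get(req.resource)
        if rule is None:
            return Decision.DENY, "no policy for resource (default deny)"
        if req.device.device_id in self.contained:
            return Decision.DENY, "device contained after threat detection"
        # validation: is this user allowed here, and is the device trustworthy?
        if not (req.groups & rule.allowed_groups):
            return Decision.DENY, "user not authorised for resource"
        if rule.require_managed and not req.device.compliant:
            return Decision.DENY, "device unmanaged or non-compliant"
        # protection: never let the transaction happen in the clear
        if not req.encrypted:
            return Decision.DENY, "transaction not encrypted"
        # control: granular policy may still demand a stronger factor
        if rule.require_mfa and not req.mfa:
            return Decision.STEP_UP, "second factor required"
        return Decision.ALLOW, "user, device, channel and policy all satisfied"


def demo() -> List[Decision]:
    """Constructed walk-through; returns the decisions in order."""
    engine = PolicyEngine([
        Rule("hr-payroll", frozenset({"hr"})),
        Rule("wiki", frozenset({"staff"}), require_managed=False, require_mfa=False),
    ])
    laptop = Device("lt-001", managed=True, os_patched=True, edr_healthy=True)
    tablet = Device("tab-77", managed=False, os_patched=True, edr_healthy=False)
    alice = dict(user="alice", groups=frozenset({"hr", "staff"}), encrypted=True)

    def ask(device, resource, mfa=True, **override):
        req = Request(**{**alice, **override}, mfa=mfa, device=device, resource=resource)
        return engine.evaluate(req)[0]

    decisions = [
        ask(laptop, "hr-payroll"),                  # managed, MFA, hr group: ALLOW
        ask(laptop, "hr-payroll", mfa=False),       # same device, no MFA: STEP_UP
        ask(tablet, "hr-payroll"),                  # personal tablet: DENY
        ask(tablet, "wiki"),                        # low-value resource tolerates it: ALLOW
        ask(laptop, "hr-payroll", encrypted=False), # cleartext: DENY
        ask(laptop, "finance-ledger"),              # no rule: DENY
    ]
    engine.contain("lt-001")                        # EDR raises an alert on the laptop
    decisions.append(ask(laptop, "hr-payroll"))     # previously fine, now DENY
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```

The point of the walk-through is the last two calls: the same laptop that was allowed into payroll is denied as soon as the endpoint tool flags it, without anyone revoking a session by hand, because the decision is recomputed on every request rather than cached at login. In a real deployment the `contain` call is driven by the EDR or network sensor feed the paragraph describes, and the posture fields on `Device` come from the MDM and endpoint agent rather than being set by hand.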

A final word 

Despite what many IT teams may have thought in the past, a Zero Trust architecture is an achievable goal. Fundamentally, it is about continuous verification and authentication throughout the network, with centralized policy enforcement. This ensures that any device – whether a company-issued laptop, an employee’s personal tablet or a stray IoT device – can connect only to the applications it is authorized for, and only in a compliant manner. In today’s perimeterless, ever-changing and increasingly hostile IT environment, it is abundantly clear that organizations should treat Zero Trust as a foundation of their security strategy going forward.

David Henderson, co-founder, BlueFort Security

As co-founder of BlueFort Security since 2007, David Henderson has helped many of the world’s leading enterprises defend their digital assets.