Cybersecurity, like any other area of technology, is in a state of continuous evolution, marked periodically by step jumps to new standards as requirements outpace current systems.
The five generations of mobile networks have used successively larger encryption keys as computing costs have dropped in line with Moore’s Law. Continuation of these trends will now see network security, and cybersecurity practices in general, undergoing fundamental change.
Where previously network security architectures revolved around principles of perimeter defense – easily visualized with the image of a walled castle under siege by an invading army – the new architecture requires more complexity. Its principles include ‘Zero Trust’, ‘Never Trust, Always Verify’, ‘Least Privilege’, and ‘Micro-Segmentation’. These form the foundations of the new security architecture.
In a world of growing connectivity, classical network topologies are forced to change. There is a massive increase in the number of connected devices, driven by the IoT and the proliferation of smartphones and other handheld devices. This is combined with a more modern trend towards remote working schemes and the move towards cloud-native networking.
Both of these changes have pushed the perimeter of the network outwards and multiplied the number of access points to the network a dozen-fold. At the same time, they bring heightened security risks. Where previously corporate networks were geographically confined to company premises, protected by a single firewall and accessible only from inside, the network may now be accessed by many devices from all around the world.
Not only has the number of endpoints, the devices that access the network, dramatically increased, but also the access to the endpoints themselves has radically changed. IoT devices may find deployments not only on company premises but also in remote locations and those easily accessible to large numbers of people.
Similarly, the handheld devices increasingly used for remote access to networks lie beyond the protection of the company's IT specialists, and their users are just as susceptible to phishing attacks, and just as unequipped to counter or even detect malware running on their phones, as before.
The move to the cloud introduces yet another party, and another potential vulnerability, into cybersecurity architectures. While one would be forgiven for intuitively assuming the cloud to be above these concerns, data centers too are vulnerable, both to physical tampering within their premises and through other services hosted on the same servers.
The proliferation of cloud-hosted software-as-a-service (SaaS) offerings adds a further threat vector for every single SaaS product and application an organization uses. Since SaaS providers are subject to the same threats as any other organization, defending the perimeter becomes an impossibility. The sheer number of factors beyond the control of one's own security experts makes efforts to prevent any and all breaches Sisyphean.
Novel approaches, collectively called Zero-trust architectures (ZTAs), recognize this new reality and go a step further by assuming outright that a breach has already occurred and a malicious actor is present in the network. The aim then becomes to limit the bad actor's movement within the network, sniff them out, and remove them from the system.
The idea of a ZTA is not recent, and the term was coined in 1994, but only the proliferation of connected devices and trends toward ubiquitous connectivity over the past decade have put it firmly on the map of security experts.
While no particular architecture has emerged as an industry standard, an important 2018 publication by two US agencies, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE), defines a basic ZTA in SP 800-207. In any case, most proposed systems resemble each other and share the same key elements and principles:
- Strong identification and authentication of users and devices connected to the network.
- Least-Privilege Access, meaning all devices and users will have access only to systems and resources strictly required for their duties and roles.
- Widespread monitoring of the health of connected devices. Poised to become important for IoT networks, this principle relies on monitoring device activity for signs of malicious actors using access request history, power usage, number of radio transmissions, and communication with other devices, to find deviations from expected device behaviour.
- Continual updates to security policy, protocols, and device and user authentication certificates to flush out infected devices.
- A dynamic access control policy within the network to ensure all devices and users operate on a strict need-to-know basis. This need-to-know basis may change, and it is important to revoke outdated privileges to avoid privilege creep.
Highlighting the need for revamped security systems, and perhaps a symptom of the vulnerabilities of evolving network topologies, is a gradual uptick in both the number of cyber-attacks (CAs) and the cost to organizations per CA. The Dell Global Data Protection Index Report notes both of these trends, adding that the average CA results in 19 hours of downtime, $1.06m in clean-up and recovery costs, and 2TB of data lost.
A separate IBM report on the cost of data breaches paints an even bleaker image, giving a global average for data breach costs of around $4.35m. This contrasts with an average of $9.44m in the United States, and, more worryingly, an average of $10.10m for CAs in the healthcare industry. It also highlights the dangers associated with the move to the cloud, estimating around half of all CAs happen in the cloud.
Costs from ransomware attacks, CAs in which an organization's critical systems and data are held hostage under threat of damage unless a ransom is paid, come in at an average of $4.54m, while destructive attacks carry a $5.12m price tag.
A recent example highlighting the extreme seriousness of CAs comes from May 2021, when a ransomware attack on the operators of the Colonial Pipeline took the pipeline out of operation for five days, causing temporary fuel shortages all along the East Coast. Only after a $4.4m ransom payment was service restored.
One of the hardest-hit sectors, as highlighted in the IBM report, is healthcare. Healthcare routinely finds itself at the forefront of technological innovation, with professionals willing to incorporate smart medical devices to improve care and health outcomes. This carries dangers, however: the mass of new devices creates attack vectors for the network, which are readily exploited by hackers.
Currently, awareness of the dangers that IoT devices, including many medical devices, pose to networks is low. Devices are not designed stringently with these concerns in mind, least of all devices such as smart thermometers or real-time vital-sign trackers. Combined with legacy networks, lax security protocols, and, for some, tight operating budgets, these factors make hospitals and healthcare provider networks a prime target for CAs.
While healthcare networks are being attacked right now because of their advanced IoT adoption, the security threats from IoT devices are not industry-specific, and more widespread use in other sectors will see CA numbers and damage rise accordingly. The low complexity inherent in most devices limits the security they can provide for themselves.
The lack of computing power, memory, on-device access controls, and interfaces for security tools severely limits the cryptographic and security measures available to defend against attack at the device end of the network perimeter. Low complexity further means devices are almost totally dependent on the wider network for their own security; this in turn implies their almost total vulnerability to that network.
Luckily, there is hope for medical IoT networks. This December, Palo Alto Networks released their “Medical IoT Security” offering, comprising an IoT management platform that manages device and user authentication, device monitoring, and access control policies. The platform uses machine learning both to optimize access privilege allocation and to better understand device vulnerabilities, allowing the network to be designed accordingly.
Widespread use of IoT networks by consumers, industry, and the public is impossible if it must conform to current cybersecurity standards. The simplicity inherent in IoT devices is in many cases vital, with low power consumption and a minimum of manual labor to charge or replace worn-out devices being key advantages of this technology.
Moving security measures onto the devices would undermine both their effectiveness and their low cost, while addressing neither the ready physical access bad actors have to devices nor the practical impossibility of preventing breaches while every device remains vulnerable to a malicious actor already inside the network. Current IoT networks further suffer from the coexistence of current and legacy equipment from a time of even laxer security standards.
The unsafe nature of the standards currently in force for many IoT and xIoT devices is highlighted in Phosphorus Labs’ ‘xIoT Threat and Trend Report’ from December 2022. It finds 99% of xIoT devices to have unsafe passwords, and 68% of xIoT devices ranked ‘high risk’ on the Common Vulnerability Scoring System (CVSS), with a rating of 8 to 10 out of 10.
Older examples of vulnerable IoT systems come from 2018 when severe flaws in multiple internet-connected BMW vehicles allowed the car to be hacked and remotely controlled. Similarly, Tesla vehicles have also been hacked in the past, exploiting vulnerabilities in connectivity modules.
ZTAs must be based on the principles of micro-segmentation and Least Privilege Access, continuous security and access control policy updates, device health and data flow monitoring, and strong forms of authentication and identification for devices. All these are vital to creating secure networks while harnessing the advantages of simple, connected devices.
Implementation of effective ZTAs is complex, however, and the exception rather than the rule. The Phosphorus Labs report notes that while device vulnerabilities can be covered fairly well thanks to cybersecurity solutions vendors such as Armis, Forescout and Nozomi, implementation of the full architecture breaks down in the details.
Management of device identities and authentication, seemingly the simplest task, is highlighted as a major challenge by many of the survey respondents, with 80% of IT experts quizzed admitting they cannot identify the majority of their xIoT devices. This finding is consistent with the views expressed by respondents to a survey conducted by Canadian cybersecurity solutions provider Fortinet, with 59% of the 472 cybersecurity experts stating their inability to authenticate users and devices on an ongoing basis.
More challenges come from the management of access control policies. These policies are, in a sense, the most important piece of the puzzle. With access to parts of the network granted on a need-to-use basis, in an ideal system good-faith actors would never find their access to the parts of the network vital to their tasks restricted. On the other hand, to limit a potential bad-faith actor's lateral and vertical mobility in the network, parts of the network not strictly necessary for optimal operation should not be accessible. This necessitates not only constant tracking and updating of access privileges but also detailed a priori knowledge of device and user access needs. These needs are difficult to assess when setting up the rules and policies, and just as difficult to update.
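The need-to-know grants, usage tracking and revocation of outdated privileges described above, as an added Python example that is not part of the original article or of any vendor's product; the device, account and segment names are constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Grant:                          # one need-to-know privilege, never permanent
    subject: str                      # user or device identity
    resource: str                     # network segment or service
    issued: datetime
    expires: datetime
    last_used: Optional[datetime] = None

class PolicyStore:
    """Constructed dynamic policy store: time-bounded grants, usage tracking, revocation."""
    def __init__(self, idle_limit: timedelta):
        self.idle_limit = idle_limit  # longest a grant may go unused before revocation
        self.grants: Dict[Tuple[str, str], Grant] = {}

    def grant(self, subject: str, resource: str, issued: datetime, ttl: timedelta) -> None:
        self.grants[(subject, resource)] = Grant(subject, resource, issued, issued + ttl)

    def authorize(self, subject: str, resource: str, now: datetime, healthy: bool = True) -> bool:
        """Default deny: allow only an unexpired grant presented by a healthy device."""
        g = self.grants.get((subject, resource))
        if g is None or now >= g.expires or not healthy:
            return False
        g.last_used = now             # record use so idle privileges can be spotted
        return True

    def stale_grants(self, now: datetime) -> List[Grant]:
        """Expired grants, plus grants unused longer than idle_limit (privilege creep)."""
        return [g for g in self.grants.values()
                if now >= g.expires or now - (g.last_used or g.issued) > self.idle_limit]

    def revoke_stale(self, now: datetime) -> List[Tuple[str, str]]:
        """Remove stale grants and return the (subject, resource) pairs revoked."""
        revoked = [(g.subject, g.resource) for g in self.stale_grants(now)]
        for key in revoked:
            del self.grants[key]
        return revoked

def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a vital-signs monitor and a nurse account over 45 days."""
    store = PolicyStore(idle_limit=timedelta(days=30))
    t0 = datetime(2022, 12, 1)
    store.grant("vitals-monitor-17", "segment:vitals-db", t0, timedelta(days=90))
    store.grant("nurse-a", "segment:imaging", t0, timedelta(days=90))
    store.authorize("vitals-monitor-17", "segment:vitals-db", t0 + timedelta(days=40))
    return store.revoke_stale(t0 + timedelta(days=45))  # nurse-a never used imaging
```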
As a recent case study, athletic footwear company Brooks is one of the first companies to have transitioned to a ZTA. For comparison, according to the Dell Global Data Protection Index Report, only 12% of respondents had fully implemented a ZTA. Brooks spokespeople noted the importance of diligent planning before network deployment, in particular for access privileges.
Device health monitoring is of similar importance, as, despite the basic assumption of successful breaches and bad actor presence, one of the pillars of the defensive strategy is the elimination of compromised devices or users. Monitoring requires transparency of the network's data flows to its central policy enforcement and compliance function. This requires frequent encryption and decryption of traffic, but also the analysis of historical device behavior data to establish baseline behaviors from which deviation is registered.
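The baseline-and-deviation monitoring named in the principles list earlier (access request history, power usage, radio transmissions, peer communication) and again here, as an added Python example that is not part of the original article; the telemetry values, peer names and the quarantine hook are constructed:

```python
import statistics
from typing import Dict, List, Set, Tuple

# Constructed hourly telemetry for one IoT device (e.g. a ward thermometer):
# power draw in mW, radio transmissions per hour, and the peers it talked to.
HISTORY: List[dict] = [
    {"power_mw": 118, "radio_tx": 30, "peers": {"gateway"}},
    {"power_mw": 120, "radio_tx": 28, "peers": {"gateway"}},
    {"power_mw": 122, "radio_tx": 33, "peers": {"gateway", "ntp"}},
    {"power_mw": 119, "radio_tx": 31, "peers": {"gateway"}},
    {"power_mw": 121, "radio_tx": 29, "peers": {"gateway"}},
    {"power_mw": 123, "radio_tx": 32, "peers": {"gateway", "ntp"}},
    {"power_mw": 120, "radio_tx": 30, "peers": {"gateway"}},
    {"power_mw": 121, "radio_tx": 31, "peers": {"gateway"}},
]
NORMAL = {"power_mw": 122, "radio_tx": 32, "peers": {"gateway"}}
# Constructed anomaly: sustained power draw, a burst of transmissions, a never-seen peer.
SUSPECT = {"power_mw": 400, "radio_tx": 900, "peers": {"gateway", "10.0.5.9"}}

Baseline = Tuple[Dict[str, Tuple[float, float]], Set[str]]

def fit_baseline(history: List[dict]) -> Baseline:
    """Mean and population std-dev per numeric metric, plus every peer seen historically."""
    metrics = {}
    for key in ("power_mw", "radio_tx"):
        values = [s[key] for s in history]
        metrics[key] = (statistics.mean(values), statistics.pstdev(values))
    peers = set().union(*(s["peers"] for s in history))
    return metrics, peers

def score_sample(sample: dict, baseline: Baseline, z_limit: float = 3.0) -> List[str]:
    """Return the reasons a sample deviates from baseline; an empty list means it conforms."""
    metrics, known_peers = baseline
    reasons = []
    for key, (mean, std) in metrics.items():
        z = (sample[key] - mean) / (std if std > 0 else 1.0)   # guard constant metrics
        if abs(z) > z_limit:
            reasons.append(f"{key} z-score {z:.1f}")
    new_peers = set(sample["peers"]) - known_peers
    if new_peers:                                  # talking to something never seen before
        reasons.append(f"new peers {sorted(new_peers)}")
    return reasons

def check_device(sample: dict, history: List[dict] = HISTORY) -> List[str]:
    """Policy hook: a non-empty result is the signal to quarantine the device and review its grants."""
    return score_sample(sample, fit_baseline(history))
```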
The frequent encryption and decryption of data poses a further problem, which might see ZTAs overhauled, if only in the details, further in the future. In current proposed ZTAs, mainly the SP 800-207 architecture, devices are granted access to parts of the network on the basis of their access privileges, which are centrally administered and tracked. Devices need to authenticate themselves to the network before being allowed access. Similarly, inter-device and user communications also function on the basis of such authentication handshakes. Furthermore, the definition of ‘internal’ changes radically when moving from a perimeter-defense architecture to a ZTA, resulting in the encryption of all communications and data flows to public standards using Transport Layer Security (TLS) protocols.
All these authentication processes, which must be repeated for each new interaction or session due to principles of Zero Trust, but especially the frequent encryption and decryption of data place considerable strain on the network, cryptographic processes being computing-intensive by their very nature. Performing these functions using non-dedicated cryptographic devices is even less effective and performance trade-offs have to be made.
One proposed solution, by A10 Networks, is the establishment of so-called Secure Decrypt Zones: a set perimeter within the network where the encryption and decryption of data is performed by dedicated devices. Communications are routed to and from these Secure Decrypt Zones to facilitate device health monitoring while minimizing the frequency of encryption processes. This solution is implemented in A10's Thunder SSLi offering.
Current market leaders for ZTA implementation and management solutions, however, still use different methods, largely based on SP 800-207. Amazon Web Services (AWS), VMware, IBM, and Microsoft are some of the market leaders. AWS in particular has a host of offerings available; a non-exhaustive list includes AWS Identity, AWS IoT Core and AWS IoT Greengrass. Similarly, Microsoft also has a series of IoT security applications available, most importantly its Microsoft Defender for IoT. Other notable vendors include Zscaler, Device Authority, Moxa and Ivanti.
ZTAs are the future of cybersecurity, especially for IoT networks. While the move towards ZTAs has already begun, implementations are dangerously sparse, with many networks still unacceptably vulnerable to CAs. Luckily, there is a growing awareness of the seriousness of the threat posed by CAs, as well as the impossibility of securing traditional networks, with an overwhelming majority of IT experts and organizations already planning for, or moving towards, ZTAs. The benefits of successful ZTA deployments in a world of increasingly frequent CAs are very tangible, being in the same ballpark as losses due to data breaches and ransomware attacks, $5-10m per CA.