Think Zero Trust and SASE are not about IoT? Think again. NIST NCCoE and Wi-Fi Alliance weigh in.
When organizations implement Zero Trust and SASE cybersecurity frameworks, their first priority is making sure the people connecting to the network are authenticated and have appropriate access privileges. After all, users can be phished, go rogue and generally represent an expansive attack surface.
But what about “things” (as in the Internet of Things)? A building temperature control or a professor’s Raspberry Pi-based science experiment won’t open a malicious email. Still, if there was any doubt about the need to uniquely and directly address the security implications of billions of IoT devices flooding onto the network, it has been dispelled by recent communications from the NIST National Cybersecurity Center of Excellence (NCCoE) and the Wi-Fi Alliance.
IoT Cybersecurity Now Front and Center
Taken together, the message to network and security teams is loud and clear: safely and securely onboarding IoT devices onto the network, and monitoring them for optimal performance and protection, is as complex as dealing with users, if not more so. As NIST points out in its project description, there are several reasons for this:
- At best, manufacturers can provide a single set of logon credentials for the millions of devices they produce. While using the same pre-shared network credential for every device is the simplest approach, it does not identify each device, nor does it give devices a way to verify that they are connecting to the correct network.
- Manually provisioning a unique network credential for each device often makes the onboarding process complex, resource intensive, error-prone, and insecure.
- Having manufacturers assign a unique network credential to each device during the manufacturing process is expensive and inefficient.
In addition, even if each device has unique credentials, devices often connect to the network outside the purview of IT, which leaves blind spots and therefore security gaps.
NIST NCCoE has initiated a new project, called “trusted network-layer onboarding and lifecycle management”, that seeks to take a different approach to network-layer onboarding — one that is automated with the following characteristics:
- Provides each device with unique network credentials
- Provides the device and the network an opportunity to mutually authenticate
- Is performed over an encrypted channel (to protect credential confidentiality)
- Does not provide anyone with access to the credentials
- Can be performed repeatedly throughout the device lifecycle
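The contrast between the single shared pre-shared key described above and the onboarding characteristics in this list can be made concrete. The following Python is an added example, not code from the NIST NCCoE project, the Wi-Fi Alliance or Aruba: the `Network`, `Device` and `SharedPskNetwork` classes and the HMAC-SHA256 challenge-response are this example's own simplification (Easy Connect/DPP bootstraps trust with public keys rather than a symmetric credential, which is not modelled here). It shows that with one shared PSK the network cannot tell devices apart and the only remedy for a lost device is re-keying every device, whereas per-device credentials give each device a distinct identity, let a device refuse a network that cannot prove possession of its credential, and allow one device to be revoked and re-onboarded without touching the others.

```python
"""Per-device credentials with mutual authentication versus one shared PSK.

Added example; class names, method names and the HMAC-based handshake are
this example's own and not the NIST or Wi-Fi Alliance specification.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _proof(key: bytes, role: bytes, identity: str, nonce: bytes) -> bytes:
    """HMAC tag binding the prover (role + identity) to the other side's nonce."""
    msg = role + b"|" + identity.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Network:
    """A network that provisions one unique credential per device."""

    def __init__(self, network_id: str):
        self.network_id = network_id
        self._creds: Dict[str, bytes] = {}    # device_id -> credential (server side only)
        self._pending: Dict[str, bytes] = {}  # device_id -> nonce we challenged it with

    def onboard(self, device: "Device") -> None:
        # Fresh random credential per device; the installer never sees or types it.
        cred = secrets.token_bytes(32)
        self._creds[device.device_id] = cred
        device.install(self.network_id, cred)

    def revoke(self, device_id: str) -> None:
        self._creds.pop(device_id, None)

    def challenge(self, device_id: str, device_nonce: bytes) -> Tuple[bytes, Optional[bytes]]:
        """Return (our nonce, our proof); the proof is None for an unknown device."""
        nonce = secrets.token_bytes(16)
        cred = self._creds.get(device_id)
        if cred is None:
            return nonce, None
        self._pending[device_id] = nonce
        return nonce, _proof(cred, b"network", self.network_id, device_nonce)

    def verify(self, device_id: str, device_proof: bytes) -> bool:
        cred = self._creds.get(device_id)
        nonce = self._pending.pop(device_id, None)
        if cred is None or nonce is None:
            return False
        return hmac.compare_digest(device_proof, _proof(cred, b"device", device_id, nonce))


class Device:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self.network_id: Optional[str] = None
        self._cred: Optional[bytes] = None  # never leaves the device after install()

    def install(self, network_id: str, cred: bytes) -> None:
        self.network_id, self._cred = network_id, cred

    def connect(self, network: Network) -> bool:
        """Mutual authentication: check the network first, then prove ourselves."""
        if self._cred is None or self.network_id is None:
            return False
        my_nonce = secrets.token_bytes(16)
        net_nonce, net_proof = network.challenge(self.device_id, my_nonce)
        expected = _proof(self._cred, b"network", self.network_id, my_nonce)
        if net_proof is None or not hmac.compare_digest(net_proof, expected):
            return False  # wrong or rogue network: release nothing
        own_proof = _proof(self._cred, b"device", self.device_id, net_nonce)
        return network.verify(self.device_id, own_proof)


class SharedPskNetwork:
    """Every device uses the same pre-shared key; there is no per-device identity."""

    def __init__(self, psk: bytes):
        self.psk = psk

    def authenticate(self, nonce: bytes, proof: bytes) -> Optional[str]:
        ok = hmac.compare_digest(proof, _proof(self.psk, b"device", "", nonce))
        return "holder-of-psk" if ok else None  # the most the network can ever say


def shared_psk_scenario() -> dict:
    psk = secrets.token_bytes(32)          # constructed sample key
    net = SharedPskNetwork(psk)
    nonce = secrets.token_bytes(16)
    who_a = net.authenticate(nonce, _proof(psk, b"device", "", nonce))
    who_b = net.authenticate(nonce, _proof(psk, b"device", "", nonce))
    net.psk = secrets.token_bytes(32)      # device A lost: the only fix is rotating the PSK ...
    b_after = net.authenticate(nonce, _proof(psk, b"device", "", nonce))  # ... which locks out B
    return {"distinguishable": who_a != who_b, "b_after_rotation": b_after}


def per_device_scenario() -> dict:
    corp = Network("corp-iot")
    sensor_a, sensor_b = Device("sensor-A"), Device("sensor-B")
    corp.onboard(sensor_a)
    corp.onboard(sensor_b)
    rogue = Network("corp-iot")            # evil twin with the same name but no credential store
    results = {"a_joins_corp": sensor_a.connect(corp),
               "a_rejects_rogue": not sensor_a.connect(rogue)}
    corp.revoke("sensor-A")                # lost device: only its own credential is removed
    results["a_after_revoke"] = sensor_a.connect(corp)
    results["b_after_revoke"] = sensor_b.connect(corp)
    corp.onboard(sensor_a)                 # onboarding is repeatable over the lifecycle
    results["a_after_reonboard"] = sensor_a.connect(corp)
    return results


if __name__ == "__main__":
    print(shared_psk_scenario())
    print(per_device_scenario())
```

Running the module prints the two result dictionaries; the per-device one records that the legitimate network accepts the sensor, the evil twin is refused before the device releases any proof, and revoking sensor A leaves sensor B unaffected.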
As a leader in wired, wireless, and WAN networking, Aruba has focused on the thorny issues of IoT connectivity and security and is proud to be a technology collaborator on this project. The NIST approach will fit seamlessly into our built-in cloud-native Zero Trust and SASE frameworks that include automated AI-powered device discovery and profiling, authentication, access policy development, identity-based access control, continuous monitoring, and attack response.
Wi-Fi Provides IoT Security and Much More
The Wi-Fi Alliance announcement builds on the theme of IoT connectivity and security. It highlights eight areas of IoT Wi-Fi competency, built-in security among them, that a network vendor should exhibit:
- Standards-based, interoperable technology
- Pervasive connectivity
- Proven WPA3™ security
- Cost effective, simple deployment
- Backward compatibility
- Location awareness
- Reliable, sophisticated connectivity
- Flexible network topology
Based on these criteria, Wi-Fi Alliance certifications in the areas of Wi-Fi 6, Easy Connect (the foundation technology for IoT onboarding), and QoS mean that device manufacturers and end-user customers can be confident that their IoT devices will not only reach the level of performance the business needs, but that the appropriate security controls will also be firmly in place.
Aruba is a proud member of the Wi-Fi Alliance. We contribute open-source solutions such as WPA3 and Easy Connect to the community at large and, unlike some vendors who do their best to avoid these certifications, Aruba focuses on understanding the intended outcomes for these standards and invests in delivering the depth and breadth of results and the reliability that these certifications promise.
IoT devices are not just about tracking space utilization or changing HVAC settings. “Things” are everywhere, and as organizations strive for data modernization, IoT delivers vital information about the health of the organization and insights that enable new business outcomes. By adhering to the NIST and Wi-Fi Alliance recommendations, IT teams will deliver a modernized network that provides not only the connectivity, but the performance, scale, automation, and security that their business needs — especially as the data that IoT provides drives new customer engagement models, optimizes hybrid work, and reduces the manual effort required to set up and manage IT infrastructure.