Addressing an auditorium at the 9th annual IoT Security Foundation (IoTSF) Conference on 7th November, Tyler Gannon, VP of Product Marketing and Strategic Alliances at Device Authority, led a session that delved into a growing area of concern for IoT: operationalising zero trust in the age of AI. His talk highlighted the shaky definition the industry holds, how to begin implementing it, and the critical role AI plays within a cybersecurity framework in things like IoT device authorisation.
With IoTSF’s conference focusing on ‘Securing IoT in the Era of AI’, Gannon’s talk was well placed to tackle a perennial concern of IoT, security, and a new innovation that could increase both the threats to it and the defences around it.
Gannon started at the beginning, with the first hurdle being a basic one: what is zero trust? “You ask 100 people for a definition of zero trust, and you get 100 different answers,” Gannon said.
The concept has a variety of interpretations in the industry. For instance, some companies or organisations think hardening the network perimeter in a network-centric approach makes them zero trust; others may think it comes through improving hardware, or using the physical location of the device as a factor (something that falls especially flat when it comes to IoT devices). This is part of the problem, Gannon explains: “I think when you ask people to describe zero trust, they still unfortunately take a very hardware and network centric approach.”
Gannon explained his belief that zero trust is a combination of a number of factors, pointing to the US National Institute of Standards and Technology’s zero trust abstract as a framework that could be adopted to improve consensus. Setting the stage for a more unified comprehension, he went on to define zero trust not as a mere network security strategy but as a broader paradigm shift, with identity at its core rather than the traditional network perimeter.
Part of the issue with security for IoT networks comes from IoT devices and their identification. Yet it’s not just the devices that are the weak links. Gannon broke overall identity issues into three contributing factors: human, machine, and IoT device, with the latter demanding automated management due to their sheer number and complexity. But this isn’t just a device or network issue: “Over three quarters of breaches are a direct result of human error,” Gannon revealed, highlighting the critical need for robust identity management in cybersecurity.
Speaking about the Zero Trust Maturity Model, Gannon advocated for automation and continuous verification of identities as the pinnacle of security practices. This ties into what the industry increasingly refers to as the IoT device lifecycle, part of which concerns how, through things like firmware updates, devices change their function, making it harder to see when a device is acting erratically, and why verification should no longer be a one-and-done exercise.
This fed into how AI will work within zero trust. AI would not only allow devices to self-authenticate and self-manage, but it could also play a role in the monitoring, maintenance and executive functions on the network, detecting and dealing with compromised devices. Despite AI’s advancements, however, Gannon highlighted tensions between its application and the principles of zero trust, mainly due to the implicit trust often placed in the data used by AI systems. This, he argued, necessitates a ‘trust chain’, ensuring that data from devices is explicitly trusted by applications that utilise it.
Gannon concluded his talk by urging those in attendance to view zero trust not as a product but as a strategic approach; to align their views on zero trust with the NIST cybersecurity framework, and to leverage the burgeoning AI for proactive measures that help identify and mitigate threats before they manifest into breaches.