Why zero trust needs to live on the edge

Why zero trust needs to live on the edgeSkip to main content

Edge computing’s diverse platforms defy easy consolidation into a single security stack. This leaves networks vulnerable to endpoint attacks they never see coming. Yet, edge and IoT platform providers have only recently moved away from the “trust but verify” philosophy and begun instead “designing in” technology that treats every endpoint and identity as a new security perimeter.

The truth is, most edge and IoT platforms used today weren’t designed with enough security to withstand endpoint attacks. CISOs struggle to integrate these platforms into a single security stack because legacy edge, and IoT platforms are designed to lean on server and operating system security. Interdomain trust relationships that don’t enforce least privileged access by account or resource leave wide swaths of endpoints vulnerable to intrusion and breach attempts. 

To avert devastating breaches, CISOs need to secure edge computing and IoT platforms across the full stack they rely on. Hardware, operating system, app platform, data, network security — enterprises need to look at how zero trust can meet the challenge of securing complete tech stacks for edge computing and IoT networks.

Hyperscalers are competing to secure edge and IoT computing  

Amazon Web Services (AWS) for the Edge, Microsoft Azure Stack Edge and Google Cloud Platform (GCP) Distributed Cloud are each focusing R&D on helping enterprises solve edge computing, IoT and cybersecurity challenges. Of the three, AWS leads the market in defining how IoT can contribute to a zero-trust network access (ZTNA) framework by prioritizing machine identities as a core part of any organization’s zero-trust security strategy. 

At AWS re:Invent 2022 last year, AWS launched IoT ExpressLink. AWS designed this noteworthy cloud service to fast-track new IoT devices through devops cycles, then release them with AWS IoT Device Defender integrated. AWS also continues to make improvements to AWS IoT Greengrass, adding features asked for by customers who want to automate patch management at scale across fleets of IoT and network devices. AWS contends that standardizing its cloud platform for edge and IoT device management and security gets CISOs and security teams closer to their single-stack goal of securing all devices.

AWS is the most advanced hyperscaler in securing edge and IoT devices across networks while providing apps and tools that can audit configurations, authenticate devices, detect anomalies and receive alerts to help secure IoT device fleets. Source: AWS IoT Device Defender overview, Amazon Web Services, 2022

One of the main reasons AWS has such a strong leadership position securing edge and IoT devices is how complementary Amazon’s zero-trust vision is to the NIST 800-207 architecture standard. As a result, AWS customers who use ExpressLink and Greengrass as part of their ZTNA framework can secure machine identities of each edge, IoT and IIoT sensor to the operating system and, if needed, the kernel level.

Getting started designing zero trust into edge and IoT networks  

“Zero trust is being considered or deployed by most enterprises, so the debate on the need for zero trust is over; however, well over half will fail to see the benefits,” Kapil Raina, vice president of zero trust, identity and data security marketing at CrowdStrike told VentureBeat in a recent interview. “To overcome these challenges, enterprises must operationalize and make zero trust frictionless with a single platform and single sensor architecture — and that means endpoints, workloads and other technology areas.” 

Gartner’s 2022 Market Guide for Zero-Trust Network Access is a valuable reference for learning about zero-trust security and what considerations go into creating a ZTNA framework. 

Hyperscalers have the advantage of providing an integrated platform that includes edge, IoT and zero-trust security apps and tools. However, many organizations still face the challenge of securing edge and IoT endpoints on legacy tech stacks. The following are areas where organizations grappling with multiple diverse edge and IoT tech stacks can start.

Make IAM and PAM priorities on the ZTNA roadmap

Most, if not all, legacy edge and IoT platforms were not designed to support identity access management (IAM) and privileged access management (PAM) systems, including securing credentials and administrative passwords. As a result, there was a 34% increase in security vulnerabilities for IoT in the second half of last year alone. With cyberattackers focusing on how to take control of IAM and PAM servers, securing these two systems needs to be a priority.  

Edge and IoT sensor identities: Moving targets to protect

As edge, IoT and IIoT sensors and their supporting networks grow more complex, it’s increasingly challenging to have a unified IAM strategy across all human and machine identities. 25% of security leaders say the number of identities they’re managing has increased by a factor of 10 or more in the last year. Furthermore, 84% of security leaders say the scope of identities they’re managing has doubled in the last year. Forrester’s estimation is that machine identities (including bots, robots and IoT) grow twice as fast as human identities on organizational networks. 

Design zero-trust frameworks to authenticate mobile edge, IoT and IIoT devices

Mobile endpoints that are essential in logistics, supply chains, warehouse management and strategic sourcing are one of the fastest-growing threat vectors. Gaining visibility and control across mobile devices needs to start with a Unified Endpoint Management (UEM) platform capable of delivering device management capabilities that can support location-agnostic requirements. These requirements include cloud-first OS delivery, peer-to-peer patch management and remote support.

CISOs are looking at how a UEM platform can help solve their tech stack challenges while improving users’ experiences with endpoint detection and response (EDR). Gartner’s latest Magic Quadrant for Unified Endpoint Management Tools defines IBM, Ivanti and VMWare as market leaders. Gartner observed, “Ivanti Neurons for Unified Endpoint Management is the only solution in this research that provides active and passive discovery of all devices on the network, using multiple advanced techniques to uncover and inventory unmanaged devices. It also applies machine learning (ML) to the collected data and produces actionable insights that can inform or be used to automate the remediation of anomalies.” 

‘Designing in” zero trust needs to be continuous to succeed

Amazon continues to set a quick pace of innovation in extending its AWS platform into edge and IoT management, zero-trust security and device monitoring. For enterprises looking to migrate workloads to the cloud and launch edge- and IoT-based strategies, hyperscalers are making convincing cases that their approaches provide the necessary visibility and control.

For enterprises that are not ready to move to an entirely cloud-based platform, or are deeply invested in their current tech stacks, pursuing a zero-trust strategy needs to start with IAM and PAM securing endpoints. Getting IAM and PAM right early when creating a ZTNA framework is key to enforcing least privileged access at the device and resource levels.

One more point to note: Edge and IoT networks are becoming self-healing, further extending their ability to enforce least privileged access.

Srinivas Mukkamala, chief product officer of Ivanti, told VentureBeat that “automation and self-healing improve employee productivity, simplify device management and improve security posture by providing complete visibility into an organization’s entire asset estate and delivering automation across a broad range of devices.”