IoT is booming, with 75 billion devices predicted to be connected to the internet globally by 2025, according to a Statista report. But such devices have the potential to present as much risk as opportunity if they aren’t secure, and entire national infrastructures could be compromised with devastating results.
In fact, reports of IoT security failures abound: video doorbells streaming unencrypted data, smart plugs allowing remote execution of arbitrary code, smart home devices storing unencrypted home Wi-Fi network passwords, industrial control systems allowing attackers to remotely control machinery, and the list goes on.
Governments across the world are aware of potential risks and are taking action to mitigate conflict. For example, the Australian government introduced a draft voluntary code of practice for security in the IoT industry earlier this year. The code of practice contains 13 draft principles, including ensuring software integrity, implementing a vulnerability disclosure policy and minimizing exposed attack surfaces. It is aimed at protecting data and ensuring resilience in the industry.
The traditional approach to network security has been to strictly control access, but to implicitly assume that the interior of the network is a safe place. Time and time again, this has proved to be a bad assumption. In contrast, the zero-trust approach replaces blind trust with verification and strong cryptographic guarantees. The goal is to maintain security, integrity and privacy even if the underlying infrastructure is compromised. Zero trust affords no special status to the network and treats it the same as if it were the public internet.
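The contrast between the two models can be shown in a few lines. This is an added example, not part of the original article: the device ID, key, address range and message format are assumptions made for illustration, and HMAC-SHA256 with a per-device key and a message counter stands in for the "strong cryptographic guarantees" described above.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample data: a per-device key provisioned at enrolment (hypothetical).
DEVICE_KEYS = {"plug-01": b"constructed-demo-key-plug-01-0000"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical "trusted" LAN

def sign(device_id, counter, command, key):
    """Device side: MAC over a canonical encoding of the message fields."""
    body = json.dumps([device_id, counter, command], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def perimeter_accepts(msg, source_ip):
    """Traditional model: anything arriving from inside the network is trusted."""
    return ipaddress.ip_address(source_ip) in INTERNAL_NET

class ZeroTrustVerifier:
    """Zero-trust model: source address is ignored; every message must verify."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per device (replay guard)

    def accepts(self, msg, source_ip):
        key = self.keys.get(msg.get("device_id"))
        if key is None or not isinstance(msg.get("counter"), int):
            return False
        expected = sign(msg["device_id"], msg["counter"], msg.get("command"), key)
        if not hmac.compare_digest(expected.encode(), str(msg.get("mac", "")).encode()):
            return False
        if msg["counter"] <= self.last_counter.get(msg["device_id"], -1):
            return False  # replayed or stale message
        self.last_counter[msg["device_id"]] = msg["counter"]
        return True

def demo():
    genuine = {"device_id": "plug-01", "counter": 1, "command": "off"}
    genuine["mac"] = sign("plug-01", 1, "off", DEVICE_KEYS["plug-01"])
    forged = {"device_id": "plug-01", "counter": 2, "command": "on", "mac": "00" * 32}
    v = ZeroTrustVerifier(DEVICE_KEYS)
    return {
        "perimeter_forged_internal": perimeter_accepts(forged, "10.1.2.3"),
        "zt_forged_internal": v.accepts(forged, "10.1.2.3"),
        "zt_genuine_external": v.accepts(genuine, "203.0.113.7"),
        "zt_replay": v.accepts(genuine, "10.1.2.3"),
    }
```

The perimeter check admits an unauthenticated message solely because of where it came from, while the verifier's decision is the same on the LAN and on the public internet.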