Jim Richberg is the Public Sector Field CISO at Fortinet.
As federal agencies increasingly push for improved performance and agility through their networks and devices, they must also consider the lack of visibility that comes with deploying cutting-edge technology. Centralized visibility and unified controls are sometimes being sacrificed in favor of performance and agility through smart devices collecting and processing data at the edge.
A recent FortiGuard Labs report showed that threat actors are shifting significant resources to strategically target and exploit these emerging network-edge capabilities. The SolarWinds breach and other attacks show that this shift continues.
There's promise in the pipeline under the IoT Cybersecurity Improvement Act, which became law in early December 2020. The directive tasks the National Institute of Standards and Technology with developing binding recommendations for the government on securing new edge environments. Its impact will likely be felt outside of the government as well, since the private sector commonly adopts NIST recommendations, and many of them become default international standards.
Agencies should, however, treat the actions set out by the IoT Act and the subsequent NIST standards as a minimum baseline for defending the edge. There is more that could and should be done to bolster cyber defenses beyond the minimum requirements.
Much of this work can be done now, even as NIST continues to develop its standards recommendations. But to do this work effectively, agencies must look at security in tandem with networking. The convergence of these two worlds means you cannot have a conversation about one without also addressing the effects on the other. Faster networks might mean a more efficient work environment, but agencies also have to think about the impact network upgrades will have on security. For example, upgrading to a platform that allows federal workers in the field to process massive amounts of data at the edge would certainly make things more efficient and effective, because those workers would no longer have to send the information back to the data center for analysis. But doing so also opens agencies up to new risks. Federal IT managers and security analysts need to weigh the risk and reward of each upgrade or improvement to minimize new risk.
This kind of approach enables agencies to provide true security-driven networking, not just networking with security layered on top.
Don't trust by default
The bill's focus on IoT security and standardization lends itself to a zero-trust architecture approach. At its core, zero trust is a network security philosophy that states that no one inside or outside the network should be trusted unless their identity has been thoroughly checked. And trust should be conditional, bestowing the least amount of privilege necessary to accomplish the authorized task. For instance, if a task requires reading a file but not modifying it, don't grant the "excess" privilege of writing to or deleting that data.
That means that even if a device is already on the network, security measures are put in place to constantly make sure it's still supposed to be there and only doing what is authorized. Implementing zero trust compels network administrators to design stringent, trustless security measures.
For example, if 99% of edge devices connecting to a network are compliant with NIST's zero-trust standards, it will be easy to spot those that aren't. Having this information means agency cyber teams can focus more resources on those noncompliant devices preemptively, limiting their access and closely monitoring their behavior.
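The three ideas in this section (verify identity on every request rather than once at connection time, grant only the privilege the task needs, and let noncompliant devices stand out so they can be limited and watched) can be made concrete in a small policy check. The following Python is an added illustration written for this page; it is not code from the author, from Fortinet, or from any NIST standard. The device inventory, the compliance flag, the action names and the request stream are all constructed for the example, and a real deployment would draw them from certificate validation, a posture-assessment service and the network's own access logs.

```python
"""Toy zero-trust access check: re-verify identity on every request,
enforce least privilege, and flag noncompliant or over-reaching devices."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    identity_verified: bool          # e.g. device certificate validated for this request
    compliant: bool                  # posture meets the agency's configuration baseline
    allowed_actions: FrozenSet[str]  # least-privilege grant for the device's task


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    monitor: bool = False            # True when the device deserves closer scrutiny


def evaluate(device: Device, action: str) -> Decision:
    """Decide one request. Identity and posture are checked every time, so a
    device that is already on the network keeps no implicit trust."""
    if not device.identity_verified:
        return Decision(False, "identity not verified", monitor=True)
    if action not in device.allowed_actions:
        # Least privilege: a read-only task never gets write or delete.
        return Decision(False, f"'{action}' exceeds granted privilege", monitor=True)
    if not device.compliant:
        # Noncompliant devices keep read access only and are watched closely.
        if action == "read":
            return Decision(True, "noncompliant: read-only access, monitored", monitor=True)
        return Decision(False, "noncompliant: access limited", monitor=True)
    return Decision(True, "authorized")


def triage(devices: Dict[str, Device],
           requests: List[Tuple[str, str]]) -> Tuple[List[Decision], Set[str]]:
    """Evaluate a request stream and collect the devices that stand out:
    unverified, noncompliant, unknown, or asking for more than they were granted."""
    decisions: List[Decision] = []
    watchlist: Set[str] = set()
    for device_id, action in requests:
        device = devices.get(device_id)
        if device is None:
            decisions.append(Decision(False, "unknown device", monitor=True))
            watchlist.add(device_id)
            continue
        decision = evaluate(device, action)
        decisions.append(decision)
        if decision.monitor:
            watchlist.add(device_id)
    return decisions, watchlist


# Constructed sample inventory (hypothetical names and attributes): most devices
# are compliant, one is not, and one failed identity verification.
DEVICES: Dict[str, Device] = {
    "sensor-01": Device("sensor-01", True, True, frozenset({"read"})),
    "sensor-02": Device("sensor-02", True, True, frozenset({"read"})),
    "gateway-01": Device("gateway-01", True, True, frozenset({"read", "write"})),
    "sensor-03": Device("sensor-03", True, False, frozenset({"read", "write"})),
    "camera-07": Device("camera-07", False, True, frozenset({"read"})),
}

# Constructed request stream of (device_id, action).
REQUESTS: List[Tuple[str, str]] = [
    ("sensor-01", "read"),
    ("sensor-01", "write"),   # exceeds its read-only grant
    ("gateway-01", "write"),
    ("sensor-03", "read"),    # noncompliant: read allowed, but monitored
    ("sensor-03", "write"),   # noncompliant: write refused
    ("camera-07", "read"),    # identity not verified
    ("badge-99", "read"),     # not in the inventory at all
]


def run_sample() -> Tuple[List[Decision], Set[str]]:
    return triage(DEVICES, REQUESTS)


if __name__ == "__main__":
    decisions, watchlist = run_sample()
    for (device_id, action), d in zip(REQUESTS, decisions):
        print(f"{device_id:11} {action:6} allow={d.allow!s:5} monitor={d.monitor!s:5} {d.reason}")
    print("devices needing closer scrutiny:", sorted(watchlist))
```

The order of the checks is deliberate: identity comes first, because a privilege grant means nothing for a device that cannot prove who it is; the privilege check comes before the posture check, so an over-reaching request is refused and flagged even from a compliant device. With one noncompliant device among four compliant ones, the watchlist returned by `triage` is exactly the short list of devices on which a cyber team would concentrate its attention.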
Automate in real time
Beyond its synergy with zero-trust operating principles, the IoT Act signals that AI-driven security will play a big role in protecting critical devices at the edge. Deploying AI in security operations has gone beyond just automating repetitive and mundane tasks. By integrating AI deep into the security fabric, agencies can significantly enhance their ability to detect anomalies, respond to threats and adapt security policies and protocols to changing network and connectivity conditions.
AI enables cyber analysts to correlate and process threat intelligence in real time. That kind of immediate action is crucial for the government, especially when the devices living at the edge access mission-critical information and functions. Securing the IoT edge requires a flexible and integrated security fabric that can bring together security elements that span networks into a single, interconnected and responsive system. This enables effective monitoring and the quick detection and response to unauthorized behavior.
This approach not only falls in line with the IoT Act provisions but also increases resilience, which is often recognized as a key component of a more effective U.S. national cyber strategy.