The Big Zero: How to Protect the Cybersecurity Chain of Trust
The cybersecurity industry is buzzing with the four pillars of zero initiatives – from zero-trust architecture to zero passwords, zero perimeter (perimeter-less) and zero-touch provisioning. Amid all this, information technology (IT) and operational technology (OT) budgets and service cycles are spinning with policies and audits on the strength of user passwords, subscriptions to harvested zero-day threat intelligence for perimeter-based defenses, and device discovery.
How does one provision a device that IT is yet to discover, and how does one harden an IoT/OT device for protection once it is discovered? The status quo is still a “hard edge and soft core” mindset, with managed security service providers and outsourced IT providing network traffic introspection based monitoring and forensic analysis. Isn’t it time for a “software-defined edge and hardened core” paradigm shift?
Trust but verify
The zero-trust architecture is fundamentally a two-dimensional high assurance trust chain. The entities in a service transaction must provide authoritative and immutable identity and proof of zero-compromise, i.e., the dimension of horizontal trust. The metric for trustworthiness is the measure of verifiable runtime integrity and attested state. This will require a trust anchor to serve as the root-of-trust from where the deviation from trusted state and operation may be assessed. You cannot measure trust until each actor in the sequence is trusted, i.e., the dimension of vertical trust.
The zero-passwords model substitutes user passwords and passcodes with biometric identifiers (e.g., fingerprint, face recognition) for faster identification. Online service providers and hosted applications (SaaS) will require security assertions (tokens) from identity providers for pass-through authentication and authorization. While biometric identification and two-factor authentication are possible with interactive users, headless non-real-life devices require immutable identities issued by the manufacturer and the device owner to establish device identity to overcome the bane of factory default passwords.
Perpetual attack staging surface
This form of device authentication will require cryptographic artifacts such as a protected key and an associated certificate from a trusted certificate authority without the cost and complexity of public key infrastructure (PKI) buildout. In addition, proximity or inactivity-based automatic locking that is effective with interactive users is ineffective with always-on and connected autonomous devices. This offers a perpetual attack staging surface for malware and cybercriminals without persistence of life cycle trust in the device.
The purpose of zero-touch provisioning is to onboard greenfield devices at scale into a device management system for continuous monitoring and timely intervention by security operations center operators. This reduces the installation service costs and complexity of interactions between field technicians and data center security administrators to manually identify and onboard field devices at scale. Redemption for brownfield and in-field devices will necessitate one-touch provisioning to harden the devices for resilience and tamper-resistance.
The zero-perimeter (or perimeter-less network) concept has been around for decades with endpoint firewalls and virtual private network (VPN) policies on user laptops and workstations to permit remote access and roaming privileges. However, the notion of perimeter-less in the context of millions of distributed and untrusted IoT/OT devices warrants serious reconsideration. Headless devices require lockdown with a data diode mode of network access privileges, air-tight pinholes based on device function, and authorized outreach to connected services for data sharing. The device is the edge in a device-to-cloud ecosystem.
Built-in protection and software retrofits
Achieving these broad and noble zero-tolerance objectives will require adoption of field device interoperability standards and reengineering of devices by device vendors to incorporate secure elements on the device during manufacture. For in-field and brownfield devices, the secure element function will have to be retrofitted with a software-based physically unclonable function (PUF) to emulate data protection. To avoid reengineering their line of business applications and achieve compliance, device vendors will require purpose-built plug-n-play clients (or agents) for greenfield and brownfield devices.
Any big-zero initiative in digital transformation will require digital security officers and product security architects to embark on device transformation to buildout the four pillars for zero-compromise. For digital transformation to thrive and survive, beyond zero-trust networking, zero-trust data will be required that complements data integrity and confidentiality to provide high assurance of data provenance.
The data driven AI/ML engines will require trustworthy devices in IoT and OT at a scale far beyond what IT operators can fathom or service today. In a nutshell, trusted devices are the genesis of trusted data for trusted analytics – without which the outcome will be a net zero-sum gain in trust.