
It is becoming increasingly challenging to monitor and control the expanding web of IoT and OT devices on enterprise networks. This is only going to get harder as the numbers are set to soar from 15.9 billion IoT devices used globally today, to a predicted 39.6 billion IoT devices in use by 2033. These IoT devices are also increasingly being targeted by threat actors because they are difficult to secure and often haven’t been updated or had their default password changed.
While these devices provide immense business value with streamlined data sharing and automated processes, many IT teams lack the specific expertise needed to manage them. This is where third parties come in, providing a trusted source to handle these IoT devices. However, to carry out their jobs as efficiently as possible, third parties need access to a network often through their own devices.
Considering nearly half of organisations suffered a cyber incident involving a third party within the last year, a growing challenge is surfacing: how to securely support third-party access to these IoT devices without exposing the network to unnecessary risk. The answer is a clientless zero-trust network access (ZTNA) solution.
The challenges with traditional third-party remote connectivity
In today’s digital landscape, the most traditional method that companies use to provide third-party access while protecting their network from external threats is the virtual private network (VPN). However, despite their popularity, VPNs also come with significant flaws. Although a login is required to access a VPN, once inside there is nothing stopping lateral movement. Therefore, a third party using a VPN client to get into the network and carry out their necessary work may have access to far more than they require. Furthermore, since you don’t ‘manage’ these contractors or third parties, you cannot vouch for the security posture of their devices and so may be unwittingly introducing malware into business systems.
The way to picture this is to imagine your company’s network is a hotel. A maintenance engineer needing to reach the fifth floor can use a lift, much like a VPN, to get securely to the floor they need.
The problem with this approach is that once access is allowed, there is no control. Nothing stops the engineer from venturing outside on the fifth floor and investigating locations that have nothing to do with their assignment. Furthermore, there’s a chance someone meaning to do the hotel harm follows the engineer into the elevator and enters other areas of the building without permission.
This example demonstrates the main security issue with legacy VPNs: because lateral movement inside the network is possible, anyone who gets in may move freely between systems, increasing the likelihood of a successful attack. A threat actor ‘piggybacking’ on a third-party connection poses a serious risk.
Using zero trust to allow access only to specific resources
Using the hotel example, what if the maintenance engineer was assigned to the fifth-floor room and had no access to any other areas of the building? This is the essence of a clientless ZTNA solution. Zero trust is fundamentally based on the idea that all network access should be blocked by default. Access is granted only in accordance with centrally defined policies that are overseen by the network administrator. A comprehensive clientless ZTNA approach takes this a step further, protecting company applications by isolating user interaction with permitted applications in air-gapped cloud containers. This means that even if a third party has malware on their device, it can’t infect the company systems.
There are several advantages to this approach. Firstly, lateral movement is no longer a possibility, even for vulnerable IoT devices, as the zero-trust least-privilege principle prevents default east-west movement. Secondly, contractors can securely access the IoT device they’re managing through the isolated portal. Finally, if the third party unknowingly has malware on their device, company applications are protected because the third party interacts with the application through the isolated portal.
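To make the default-deny point concrete, here is an added example (not code from the article or from any vendor product) that models the two access models described above: a flat VPN where a login exposes every resource, and a central ZTNA policy store that grants one contractor one device. The identities, resource names and policy are constructed placeholders.

```python
"""Default-deny ZTNA policy check contrasted with flat VPN reachability.

Constructed example: subjects, resources and policies are illustrative only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    subject: str          # identity the rule applies to, e.g. a contractor account
    resource: str         # the single resource this rule grants
    actions: frozenset    # operations permitted on that resource


# Constructed inventory: everything reachable on the flat network once inside.
NETWORK_RESOURCES = {"hvac-controller-5f", "badge-reader-lobby",
                     "finance-db", "hr-fileshare"}

# Constructed central policy store: the administrator grants only what the job needs.
POLICIES = [
    Policy("hvac-contractor", "hvac-controller-5f", frozenset({"view", "adjust"})),
]


def vpn_reachable(authenticated: bool) -> set:
    """Legacy VPN model: a successful login exposes the whole network."""
    return set(NETWORK_RESOURCES) if authenticated else set()


def ztna_decision(subject: str, resource: str, action: str) -> bool:
    """Zero-trust model: deny unless a central policy explicitly allows it."""
    for p in POLICIES:
        if p.subject == subject and p.resource == resource and action in p.actions:
            return True
    return False  # default deny: no matching policy means no access


def ztna_reachable(subject: str, action: str = "view") -> set:
    """Resources a subject can reach at all, i.e. its lateral-movement surface."""
    return {r for r in NETWORK_RESOURCES if ztna_decision(subject, r, action)}


def lateral_exposure(subject: str, intended: str, action: str = "view") -> set:
    """Resources beyond the intended one, which is what a piggybacking attacker gains."""
    return ztna_reachable(subject, action) - {intended}


if __name__ == "__main__":
    print("VPN reachable  :", sorted(vpn_reachable(True)))
    print("ZTNA reachable :", sorted(ztna_reachable("hvac-contractor")))
    print("east-west move :", ztna_decision("hvac-contractor", "finance-db", "view"))
```

Note that an unknown identity, or a known one requesting an action outside its grant, falls through to the same default-deny branch; there is no separate "authenticated but unauthorised" path to reason about.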
A clientless ZTNA approach isn’t only for third-party contractors. Some organisations may not have the financial resources to provide company-managed laptops to all employees. Instead, they opt for a bring-your-own-device (BYOD) model. With clientless ZTNA, network administrators can secure their environments through policy, allowing BYOD users to access resources set up by policy. Company systems are protected from potential malware on the employees’ personal devices by isolating their interaction with applications in a cloud container.
A clientless ZTNA solution is a big advantage to the IT team. It creates an avenue through which the enterprise can leverage all the benefits of IoT devices while enabling secure connectivity to these resources by third parties.
Future-proofing IoT and OT connectivity
As the number of IoT deployments continues to skyrocket, companies must turn to clientless ZTNA to enable third parties to securely connect to IoT and OT devices through an isolated portal. This approach reduces the risks of malware and lateral movement whilst allowing business network managers to delegate administration of IoT and OT devices. Clientless ZTNA creates the foundation for future device deployment that is secure and successful, whether it is contractors overseeing or controlling IoT devices or staff members utilising their own devices to connect to the network.

Bruce Johnson
Bruce Johnson is Senior Product Marketing Manager at Ericsson Enterprise Wireless Solutions. A seasoned cybersecurity expert with over 20 years in the field and a CISSP certification, Bruce specialises in 5G networking and security solutions for enterprise environments. A passionate speaker on cybersecurity’s role in solving business challenges, Bruce has presented at global industry events.