Zero trust architecture is not a static creation, especially when the number of devices accessing the network expands daily, inside and out. Static rules based on data link-level protocol rules or network topology-based segmentation such as access control lists, whitelists, and simple user authentication are all dated items in network security defense and can be easily overcome by a persistent threat actor with or without an internal assist from a careless employee.
As smart devices, tablets, and phones enter a network, a dynamic control of the network and resource access granted to these devices and their users is required to limit risk of breaches. As devices move about, both physically and virtually, control decisions need to be made based on complex real-time threat assessments like context and device or user behavior. Even best practices in audio visual (AV) defense can be insufficient.
As a common example found in many organizations, consider how AV conferencing devices are most often assigned a static IP and segmented into a specific subnet, divided by building or floor – or even department. It would be trivial for a malicious insider or outsider gain entrance through social engineering to plug in a laptop in the same subnet, where they could sniff and snoop on the session initiation protocol (SIP) communications. It would also be a simple mistake to plug a compromised AV or conferencing device into other subnets where they are not known.
A dynamic approach to address this security scenario is a learning engine and policy engine that, combined, offer device fingerprinting. A check of this fingerprint (made up of multiple factors from user and device type to open sensing interfaces and protocols and more) identifies the unknown new device to be AV, and automatically routes it to right VLAN with the correct access permissions. If the fingerprint of the smart device plugged into a new subnet does not match the profile of a conferencing device, has unexpected security postures like O/S or patch discrepancies, or demonstrates anomalous behavior, it can be quarantined from the other devices in that VLAN.
With this dynamic control approach devices and users are now fully mobile, and zero trust architecture with dynamic controls enabled can adapt not just to different locations, but also to micro location within a specific location. As a device moves between floors or between buildings, it can be provided with the right security and access permissions – this is central to thinking about truly defensible networks. Defending a network requires networks to be monitored, inventoried, controlled, assessed, and kept up to date.
In an organization with BYOD and smart buildings, the perimeter, access control and quarantining of devices should be software defined and they should be dynamic, not just static architecture design. Security automation should continuously monitor and adapt to the current state of every device which connects to it; network, threat exposure, and risk management can no longer be defined as static rules.
We’d also love to provide a smart device survey for your group or organization.