With 13.8 billion active IoT device connections this year and exponentially more expected in the near future, IoT network security is of paramount importance.
Interconnectedness and convenience are two things that many now consider essential to everyday life. While so much of the world expects the convenience of the Internet of Things (IoT), they generally give little thought to the security of the transmission networks underlying the IoT. But with 13.8 billion active IoT device connections this year and exponentially more expected in the near future, IoT network security is of paramount importance.
According to the GSM Association (GSMA), an organization representing mobile network operators worldwide, IoT device manufacturers still fail to adequately design and build with security in mind.
Worse yet, GSMA suggests that most device manufacturers don’t have a sufficient understanding of how to secure their devices. Insecure devices offer hackers easy access to telecommunications networks, creating significant risk of cyberattacks. And as the IoT shifts towards 5G as that network expands, insecure devices threaten the security of the 5G network itself.
Lack of security at the edges of the IoT places significant security burdens on communications service providers (CSPs), including telecommunications network providers, cable services and cloud communications providers. As more and more players beyond traditional telcos participate in the IoT and engage with IoT devices through the 5G network, the attack surface expands significantly. So CSPs must take additional measures to ensure the security of their systems.
Evolving security concerns for CSPs
In its yearly review of the security landscape, GSMA identified eight primary threat and vulnerability areas for the mobile communications industry:
Device and IoT security have been ongoing concerns for GSMA, particularly as the number of connected devices continues to far exceed the world’s population, with 25 billion connected IoT devices expected by 2025. The complexity of device technology stacks increases accordingly.
GSMA identifies the connections between corporate networks and telecom networks as a significant potential attack vector, particularly as companies take advantage of the 5G rollout. Industry professionals and academics have investigated the security risks of 5G for several years now, as has the U.S. government. But concerns remain about the expansion of the attack surface as 5G becomes more prevalent. GSMA suggests a range of security protocols 5G CSPs should implement.
Among the recommended measures for securing CSPs is privileged access management (PAM). Properly implemented PAM reduces the attack surface by limiting the number of privileges and permissions hackers can attempt to exploit. And PAM will have minimal impact on CSP operations because the intent is to remove only those permissions and rights that are not necessary for people and processes to do their jobs.
PAM vs. IAM
Many readers may be familiar with IAM (identity and access management), but less so with PAM. And while they share common goals, they are different in scope and application.
Consider a pyramid where a limited number of administrative users sit at the apex and general users make up the base. In its various iterations, IAM covers the entire pyramid. However, many IAM applications focus on the permissions for the users at the base, those who frequently access the system but have few or no administrative permissions. On the other hand, PAM focuses on the top, that is, on those who make the most desirable targets because of their organizational roles.
Note that when we refer to users here, it is not the same thing as saying humans. IAM and PAM controls also apply to non-human identities within a system, for example, processes that may have their own identification.
Provisioning permissions and access rights
When assigning rights and permissions to an organization’s users, there are several approaches IT personnel can take. First, and worst, is generalized, broad access to company systems and data stores – effectively no control at all. It should go without saying that this approach is high-risk and creates significant exposure for the organization. But many organizations do allow users far more access than they need, so as to avoid unintentionally disrupting daily activities, and in doing so they expand the company’s attack surface.
Prudent companies apply the principle of least privilege, need-to-know access, or a combination of the two. Least privilege deals with how users work in the system; need-to-know addresses what they can access in the system.
Under the principle of least privilege, users receive only those rights and permissions necessary for their job—nothing more and nothing less. By preventing users from having permissions for areas they never use, organizations remove an unnecessary vulnerability without negatively impacting the user’s performance.
Need-to-know applies to the organization’s data, with restrictions limiting access to the data directly related to and necessary for the user to perform their job functions.
A lack of least privilege or need-to-know controls is only one of the identity-related vulnerabilities common in many organizations. Many organizations still have shared accounts or passwords, which diminishes the ability to audit activity and ensure compliance with corporate security policies. Companies also frequently have old, unused accounts, often with substantial privileges, that ideally would have been purged long before. And many companies still rely on manual or decentralized provisioning and maintenance of user credentials.
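As an added illustration (not from the original article or any PAM product), the following Python review script applies the three checks discussed above to a constructed account inventory: permissions beyond a role's least-privilege baseline, shared accounts that hold privileged rights, and privileged accounts that have gone unused. The role names, permission names and the 90-day staleness threshold are assumptions chosen for the example.

```python
from datetime import date

# Assumed least-privilege baseline: the minimum permission set each job role needs.
ROLE_BASELINE = {
    "noc-operator": {"view-alarms", "ack-alarms"},
    "billing-analyst": {"read-billing"},
    "core-admin": {"view-alarms", "ack-alarms", "configure-core", "manage-users"},
}

# Assumed set of permissions that place an account in PAM scope.
PRIVILEGED = {"configure-core", "manage-users"}

# Constructed sample inventory (not real data); "shared" marks accounts used by several people.
ACCOUNTS = [
    {"name": "alice", "role": "noc-operator", "shared": False, "last_login": date(2023, 6, 1),
     "perms": {"view-alarms", "ack-alarms", "configure-core"}},
    {"name": "bob", "role": "billing-analyst", "shared": False, "last_login": date(2023, 6, 10),
     "perms": {"read-billing"}},
    {"name": "ops-shared", "role": "core-admin", "shared": True, "last_login": date(2023, 6, 14),
     "perms": {"view-alarms", "ack-alarms", "configure-core", "manage-users"}},
    {"name": "legacy-admin", "role": "core-admin", "shared": False, "last_login": date(2022, 11, 1),
     "perms": {"view-alarms", "ack-alarms", "configure-core", "manage-users"}},
]
SAMPLE_TODAY = date(2023, 6, 15)


def audit(accounts, today, stale_days=90):
    """Return one finding per violation of least privilege, shared-credential or stale-account hygiene."""
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct["role"], set())
        # Least privilege: anything beyond the role baseline is excess and should be removed.
        excess = acct["perms"] - baseline
        if excess:
            findings.append({"account": acct["name"], "issue": "excess-permissions",
                             "detail": sorted(excess)})
        privileged = bool(acct["perms"] & PRIVILEGED)
        # Shared privileged accounts defeat auditing: activity cannot be tied to one person.
        if acct["shared"] and privileged:
            findings.append({"account": acct["name"], "issue": "shared-privileged-account",
                             "detail": None})
        # Old, unused privileged accounts should have been purged.
        idle = (today - acct["last_login"]).days
        if privileged and idle > stale_days:
            findings.append({"account": acct["name"], "issue": "stale-privileged-account",
                             "detail": idle})
    return findings


def run_sample_audit():
    """Run the audit over the constructed inventory at the fixed sample date."""
    return audit(ACCOUNTS, SAMPLE_TODAY)
```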
Why (and how) CSPs should use PAM
Every privilege and access a user has creates a unique opportunity for a cybercriminal to exploit. So it is in every CSP’s best interest to limit those privileges and access rights. Doing so restricts potential attack vectors and minimizes possible damage when a hacker successfully appropriates a particular user’s identity. The fewer permissions a user has, the less a successful attacker has to work with.
Limiting privileges can also restrict the types of attacks that can damage an organization’s systems. For example, some types of malware need higher privileges to install and run effectively. If a hacker attempts to insert malware through a non-privileged user account, they run into a wall.
Here are some of the best practices CSPs should follow.
Secure CSPs are the backbone of a secure IoT
Without secure CSP networks, the IoT is a cybercriminal’s playground. Before worrying about the millions of edge devices, CSP security experts should look inwards and secure their internal systems as best as possible. Applying least privilege principles and privileged access management systems is a useful first step.
This article was originally published on Embedded.
Ludovic Rembert is a security analyst, researcher, and the founder of PrivacyCanada.net. He spent his career as a network security engineer before taking up freelance writing on a variety of technical and cybersecurity subjects.