Every IT system has what’s referred to as an attack surface: all the points, or “vectors”, where it can be attacked. A key foundation of cyber security is to make that attack surface as small as possible.
Unfortunately, the larger your IoT deployment, the larger your potential attack surface. If you go global, your attack surface goes global. That’s where ‘Zero Trust’ comes in. It’s a security framework that can help you centrally manage local and global risks.
Traditionally, IoT security was set up to assume that any connection within its network perimeter was safe. It assumed that if a connection was inside the perimeter, it must already have been authenticated and authorized. However, assumption and security seldom sit well together. The old approach meant that if a bad actor breached the network perimeter, they had broad access – and were notoriously hard to locate.
The Zero Trust approach on the other hand, as its name suggests, trusts no one. It doesn’t assume any user, asset, or resource to be safe. Instead, it requires verification and authentication for every session or data transaction. This means implementing strict access controls, strong authentication, and continuous monitoring of all network traffic.
This is fine in an enclosed network. However, most global IoT projects rely on cellular connectivity, which means working with mobile network operators (MNOs) who each have different security perimeters. The more MNOs you work with, the more potential security vulnerabilities you could face – and the less control you will have.
“Every network operator has their own APIs and security processes,” said Rachit Saksena, Head of IoT Product Architecture at Telia. “That variance creates a bigger attack surface because you could go wrong in so many places.” So how do you implement Zero Trust security in networks you don’t control? The answer is simple, says Saksena. Rather than trusting the APIs and security protocols of many MNOs in many markets, global IoT providers should work with a single global connectivity partner that makes sure the other operators have implemented the required security, reducing the attack surface.
Implementing Zero Trust for global IoT
The Zero Trust approach comprises a comprehensive framework for continuous verification and authentication of all assets, users, and resources within the network. These are 5 key considerations for securing global IoT solutions.
1. Secure SIM provisioning
Ensuring Zero Trust security for IoT SIM connections is the first challenge when it comes to global IoT deployments. That’s because remote provisioning of eSIMs requires identities and credentials to be sent over the air (OTA), and sensitive data and protection keys must be shared during provisioning. “Even a single compromised SIM card can compromise the entire network,” Saksena said.
However, the GSMA and 3GPP offer standards that provide a strong degree of protection for remote SIM provisioning. Best practice for MNOs is to follow the latest SGP specification to ensure compliant, secure SIM provisioning.
2. Secure SMS & data connectivity
Another challenge is to keep your SMS and data connectivity secure. These connections use network technologies such as 2G, 3G, or LTE to link your device to your system’s backend and vice versa.
To solve this challenge, look for a connectivity partner that carefully integrates MNO data APNs and SMS connections, and operates its own APN and SMS hub gateways across the world. These gateways enforce Zero Trust security policies at an enterprise level.
“We ensure that the pre-integrated MNO is verified for all security measures for SMS and data-bearer connections,” Saksena said. “We also provide our support teams and enterprise users with tools to continuously verify security and create alerts for any unusual activities.”
“With just a single click, enterprises have visibility and control over all the MNOs they work with, ensuring that data remains secure while in transit.”
By defining and controlling the source and destination of data transit endpoints, enterprises gain full control over their security and routing policies across all underlying mobile networks.
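The gateway behaviour described in this section, with each session verified on its own merits rather than trusted because it arrived from inside an operator's network, can be illustrated with a small policy-enforcement routine. The following is an added example written for this article, not Telia's code: the ICCIDs, operator names, secret, destination endpoints and traffic threshold are all constructed, and the HMAC-derived session credential stands in for whatever credential scheme a real platform would use.

```python
"""Illustrative Zero Trust enforcement point for an IoT APN/SMS gateway.

Constructed example; not Telia's code. Every session is verified on its own,
regardless of which MNO it arrived through, against an enterprise-defined
policy of allowed sources (enrolled SIMs, verified MNOs) and allowed
destination endpoints. Unusual activity raises alerts even when allowed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """Enterprise policy defined once and applied to traffic from any MNO."""
    verified_mnos: frozenset[str]                     # MNOs that passed the partner's security verification
    allowed_destinations: frozenset[tuple[str, int]]  # (host, port) backend endpoints devices may reach
    max_bytes_per_session: int                        # coarse threshold for "unusual activity" alerts


@dataclass(frozen=True)
class Session:
    """One data session as seen at the gateway (all fields constructed)."""
    iccid: str                    # SIM identity presented by the device
    mno: str                      # operator the session arrived through
    token: str                    # per-session credential presented by the device
    destination: tuple[str, int]  # where the device wants to send data
    bytes_sent: int


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)   # why the session was denied
    alerts: list[str] = field(default_factory=list)    # what the monitoring team should see


def expected_token(secret: bytes, iccid: str) -> str:
    """Hypothetical credential scheme: HMAC-SHA256 of the SIM identity under a
    platform-held secret. A real platform would use its own mechanism."""
    return hmac.new(secret, iccid.encode(), hashlib.sha256).hexdigest()


def evaluate(session: Session, policy: Policy, secret: bytes, enrolled: set[str]) -> Decision:
    """Verify one session. Nothing is trusted because of where it came from:
    identity, credential, operator and destination are each checked, and the
    session is allowed only if every check passes."""
    d = Decision(allowed=True)
    host, port = session.destination

    # 1. Known identity: the SIM must be enrolled to this enterprise.
    if session.iccid not in enrolled:
        d.allowed = False
        d.reasons.append("unknown SIM identity")
        d.alerts.append(f"unenrolled ICCID {session.iccid} via {session.mno}")

    # 2. Authentication: credential checked for every session, in constant time.
    if not hmac.compare_digest(session.token, expected_token(secret, session.iccid)):
        d.allowed = False
        d.reasons.append("credential verification failed")
        d.alerts.append(f"bad credential for {session.iccid} via {session.mno}")

    # 3. Source: only traffic arriving through verified, pre-integrated MNOs.
    if session.mno not in policy.verified_mnos:
        d.allowed = False
        d.reasons.append(f"MNO {session.mno} not verified")

    # 4. Destination: enterprise-controlled allow-list of backend endpoints.
    if session.destination not in policy.allowed_destinations:
        d.allowed = False
        d.reasons.append(f"destination {host}:{port} not permitted")
        d.alerts.append(f"{session.iccid} attempted {host}:{port}")

    # 5. Continuous monitoring: flag unusual volume even on otherwise-allowed sessions.
    if session.bytes_sent > policy.max_bytes_per_session:
        d.alerts.append(f"{session.iccid} sent {session.bytes_sent} bytes "
                        f"(threshold {policy.max_bytes_per_session})")
    return d


def demo() -> dict[str, Decision]:
    """Run the checks over constructed sessions; the keys name each scenario."""
    secret = b"constructed-demo-secret"   # held by the platform, never shared with an MNO
    enrolled = {"8901000000000000001", "8901000000000000002"}
    policy = Policy(
        verified_mnos=frozenset({"mno-a", "mno-b"}),
        allowed_destinations=frozenset({("telemetry.example.com", 8883)}),
        max_bytes_per_session=10_000_000,
    )
    backend = ("telemetry.example.com", 8883)
    tok1 = expected_token(secret, "8901000000000000001")
    tok2 = expected_token(secret, "8901000000000000002")
    cases = {
        "normal": Session("8901000000000000001", "mno-a", tok1, backend, 2_048),
        "bad-destination": Session("8901000000000000002", "mno-b", tok2, ("198.51.100.7", 22), 512),
        "unknown-sim": Session("8901000000000000999", "mno-a", "not-a-valid-token", backend, 128),
        "unverified-mno": Session("8901000000000000001", "mno-z", tok1, backend, 256),
        "high-volume": Session("8901000000000000001", "mno-a", tok1, backend, 50_000_000),
    }
    return {name: evaluate(s, policy, secret, enrolled) for name, s in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:16} {verdict:5} reasons={decision.reasons} alerts={decision.alerts}")
```

The point of the structure is that the operator a session arrived through is just one input among several: a valid device on an unverified network is denied, an unknown SIM on a verified network is denied, and an allowed session that behaves abnormally still produces an alert for the monitoring team.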
3. Secure Connectivity Management Platforms
Deploying IoT globally involves multiple MNO integrations with a Connectivity Management Platform (CMP). This allows the enterprise to control the lifecycle of subscriptions and connectivity through an API and GUI. However, each MNO has its own API and GUI. Without a global connectivity partner, you would need to learn new security protocols for every platform and implement governance to make sure appropriate security is in place and up to date at all times.
“We provide a single pane of glass and a single API integration end point, which means that our platform is integrated with underlying MNO CMPs. We also make sure the integrations are secured and robust,” Saksena said. “It’s easier for enterprises to work with a single supplier, as the enterprise now has to integrate with only one CMP instead of several MNO CMPs. This ensures process and integration security.”
4. Automate security on a global scale
Another security benefit of working with a single connectivity partner is that you have fewer opportunities to make mistakes. You set your security policies once, and the connectivity platform automates their implementation across all MNOs.
“Enterprise onboarding is automated,” Saksena said. “SIM ordering is automated. All data security policies and VPN creations are self-service. You do this only once, and the platform cascades the configuration toward all underlying MNOs, thus minimizing human error.”
In other words, you just have to get your policies right once.
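Defining a policy once and cascading it to operators whose configuration schemas differ is a policy-as-code problem, and the same mapping that pushes the policy out can be run in reverse to detect drift when an operator-side setting is changed by hand. The following added example, written for this article and not the platform code it describes, uses constructed policy values, two hypothetical operator dialects (`mno-a`, `mno-b`) and constructed "as applied" snapshots to show both directions.

```python
"""Define a connectivity security policy once and cascade it to several MNOs.

Constructed example, not the platform code the article describes. Each MNO
exposes its own configuration schema (the article's point that every operator
has its own APIs), so an adapter maps the enterprise's single master policy
into each operator's dialect, and the same adapter is used in reverse to
verify that what the operator actually applied still matches the policy.
"""
from __future__ import annotations

from typing import Any, Callable

# The enterprise defines this once. Values are constructed for illustration;
# the address prefixes come from the RFC 5737 documentation range.
MASTER_POLICY: dict[str, Any] = {
    "apn_auth_required": True,
    "backend_allowlist": ["203.0.113.10/32", "203.0.113.11/32"],
    "idle_timeout_s": 300,
    "sms_via_hub": True,
}

# Adapter: for each master key, the MNO-specific key plus encode/decode functions.
Adapter = dict[str, tuple[str, Callable[[Any], Any], Callable[[Any], Any]]]


def identity(v: Any) -> Any:
    return v


# Two hypothetical operator dialects (constructed; not real MNO schemas).
ADAPTERS: dict[str, Adapter] = {
    "mno-a": {  # flags as "yes"/"no" or "enabled"/"disabled", allow-list as CSV string
        "apn_auth_required": ("pdp_auth", lambda v: "yes" if v else "no", lambda v: v == "yes"),
        "backend_allowlist": ("acl", lambda v: ",".join(v), lambda v: v.split(",") if v else []),
        "idle_timeout_s": ("inactivity_timer", identity, identity),
        "sms_via_hub": ("sms_home_routing", lambda v: "enabled" if v else "disabled",
                        lambda v: v == "enabled"),
    },
    "mno-b": {  # flags as 0/1, timeouts in minutes
        "apn_auth_required": ("auth", lambda v: 1 if v else 0, lambda v: v == 1),
        "backend_allowlist": ("allowed_prefixes", list, list),
        "idle_timeout_s": ("idle_min", lambda v: v // 60, lambda v: v * 60),
        "sms_via_hub": ("hub_routing", lambda v: 1 if v else 0, lambda v: v == 1),
    },
}


def render(policy: dict[str, Any], adapter: Adapter) -> dict[str, Any]:
    """Cascade: translate the master policy into one MNO's configuration."""
    return {mno_key: encode(policy[key]) for key, (mno_key, encode, _) in adapter.items()}


def drift(policy: dict[str, Any], adapter: Adapter, reported: dict[str, Any]) -> list[str]:
    """Continuous verification: decode what the MNO reports as applied and list
    every setting that is missing or no longer matches the master policy."""
    findings: list[str] = []
    for key, (mno_key, _, decode) in adapter.items():
        if mno_key not in reported:
            findings.append(f"{key}: missing on operator side")
            continue
        actual = decode(reported[mno_key])
        if actual != policy[key]:
            findings.append(f"{key}: expected {policy[key]!r}, operator has {actual!r}")
    return findings


def audit(policy: dict[str, Any] = MASTER_POLICY,
          reported_by_mno: dict[str, dict[str, Any]] | None = None) -> dict[str, list[str]]:
    """Compare each MNO's reported configuration with the master policy.
    Without an argument, constructed snapshots are used: mno-a applied the
    rendered policy faithfully; mno-b shows a hand-edited timeout, a
    shortened allow-list and a setting that was never applied."""
    if reported_by_mno is None:
        reported_by_mno = {
            "mno-a": render(policy, ADAPTERS["mno-a"]),
            "mno-b": {"auth": 1, "allowed_prefixes": ["203.0.113.10/32"], "idle_min": 60},
        }
    return {mno: drift(policy, ADAPTERS[mno], reported_by_mno[mno]) for mno in ADAPTERS}


if __name__ == "__main__":
    for mno, findings in audit().items():
        print(f"{mno}: {'compliant' if not findings else findings}")
```

Because the master policy is the only place a human edits settings, a finding from `drift` is by definition an unauthorised or failed change on the operator side, which is exactly the kind of deviation the article says should raise an alert rather than be discovered after an incident.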
5. Become cloud and MNO agnostic
As well as protecting data at rest and in transit, global IoT systems need to be highly reliable. If you rely on a single cloud provider or data center to manage all your connectivity, you carry a business continuity risk: a single natural disaster or national security event can bring your whole IoT deployment down. Instead, look for connectivity partners that offer redundancy through layered network agreements.
“If a customer has a single MNO subscription in the IoT device and the MNO infrastructure goes down, IoT devices get disconnected,” Saksena explained. The way around this is to provide multiple subscriptions for key markets, ensuring fallback in case one of the MNO networks is unavailable.
Implementing Zero Trust for global IoT deployments
Perimeter-based security controls can miss advanced threats, leaving your IoT deployment exposed to risk. A Zero Trust approach limits your exposure to these hazards. This leaves you free to focus on scalability, automation, and the broader benefits of a global IoT deployment.
To ensure a secure global IoT deployment, you need the right partner. One who can remove the complexity of multiple operators and integrations – and implement Zero Trust in your global IoT deployments. Talk to us about how we have helped others to do this – and how we can help you to do it too.
Learn more about Telia Global IoT Connectivity