Zscaler Blog

Rethinking IoT Identity

PENG XU, AMEET NAIK
January 07, 2025 - 4 min read

The proliferation of IoT devices in the enterprise has improved business operations dramatically over the last couple of decades, but at the same time these devices pose tremendous challenges for the cybersecurity and networking admins who must protect them. Why is that? The simple answer is that they are just different: different from end-user devices, which typically run a common OS platform (e.g. Windows, macOS). End-user devices can be protected effectively by installing agent software backed by authentication mechanisms such as credentials and MFA. This approach simply does not work for IoT devices. It is nearly impossible to install an agent or certificate on every IoT device, given the variety of operating systems they run. Not to mention, there is no human present on these headless devices to complete any kind of credential-based or multi-factor authentication.

So, how have we tried to solve these challenges over the past two decades?

Why Traditional IoT Identity Solutions Fail

Traditional approaches to solving for IoT identity have been less than successful.

Certificate Authentication Method

Given that the credential approach does not work for IoT, we tried to tackle the IoT identity problem by giving each IoT device a unique certificate. While this does provide a unique, cryptographically secure identity for each device, it rests on the assumption that a certificate can be installed on the device in the first place. What if your CCTV camera or thermostat does not accept a certificate? We end up with a solution that may protect only 10% of IoT devices, leaving the rest vulnerable. On top of that, there is the tremendous administrative overhead of maintaining a PKI for these certificates.

MAC Authentication Method

Okay, how about MAC address authentication? We can restrict network access to only those IoT devices with known MAC addresses. This is often deemed a "feel-better" approach that assures admins some level of authentication is in place. In reality, the method is susceptible to MAC address spoofing. In addition, no admin enjoys maintaining a long list of known MAC addresses for legitimate IoT devices. So this approach is neither efficient nor effective.

Focus Only on Authentication

So we see the pattern here. We simply extrapolated the authentication approach used for users to secure IoT devices, and that is why traditional approaches have failed to meaningfully improve IoT security. We treat authentication as the be-all and end-all of IoT identity, but forget that authentication is a one-time event: a device can be compromised after it has connected to the network. We then have to lean on a SIEM or XDR solution to monitor device posture and close this security blind spot.


Introducing IoT Behavioral Identity — Powered by Zscaler AI

That is why Zscaler thinks it is time to revolutionize IoT identity. It is not only about what the device is; it is also about what the device does. Continuous, always-on monitoring of device behavior is necessary to solve this lingering problem, and this is where Zscaler IoT Behavioral Identity makes a huge difference. Powered by Zscaler AI/ML technology, IoT Behavioral Identity offers continuous zero trust protection for all your IoT devices, regardless of platform, OS or type.

Zscaler IoT Behavioral Identity

So how does this all work? First, IoT devices are machines designed to do a specific task; printers, for example, are designed to print. Their behavior is therefore much better defined than that of human users. Humans typically connect to a multitude of websites on the Internet, such as social networks, streaming media and business applications. IoT devices, by contrast, communicate only with specific domains to upload telemetry data or stats; Brother printers, for example, often call home to brother.com.

Secondly, what IoT devices do reveals what they essentially are, in a much more reliable way than examining MAC addresses. We can feed IoT transaction data into the Zscaler AI engine, which can then tell what the devices are from their communication patterns, intelligently and automatically. For example, if an unknown IoT device communicates with bevi.co most of the time, Zscaler AI can classify it as beverage equipment with no human intervention at all.

Lastly, we need to monitor IoT device behavior continuously, not just once. Whenever a device behaves abnormally, we can detect a potential compromise and alert customers so they can react to the incident more quickly and effectively, reducing MTTR.
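The three steps above (narrow, well-defined destinations; the dominant destination reveals the device class; continuous monitoring flags departures from the learned baseline) can be sketched as a small behavioral-identity pipeline. This is an added illustration, not Zscaler's code and not a description of how the Zscaler AI engine works internally. The log lines, device ids, the `ntp.example.test` shared destination and the domain-to-class table are constructed for the example; brother.com and bevi.co are the two call-home domains the post itself mentions.

```python
"""Toy behavioral-identity pipeline (added illustration, not Zscaler code).

Step 1: learn, per device, which destinations it talks to during a learning window.
Step 2: classify the device from its dominant device-specific destination.
Step 3: during monitoring, alert on destinations absent from the device's baseline.
"""
from collections import Counter, defaultdict

# Constructed proxy/DNS-style log lines (not real data): "<timestamp> dev=<id> dst=<domain>".
LEARN_LOG = [
    "2025-01-06T08:00:01 dev=prn-01 dst=brother.com",
    "2025-01-06T08:05:10 dev=prn-01 dst=brother.com",
    "2025-01-06T08:09:44 dev=prn-01 dst=ntp.example.test",
    "2025-01-06T08:00:03 dev=bev-07 dst=bevi.co",
    "2025-01-06T08:30:03 dev=bev-07 dst=bevi.co",
    "2025-01-06T09:00:03 dev=bev-07 dst=bevi.co",
    "2025-01-06T09:01:00 dev=bev-07 dst=ntp.example.test",
]
MONITOR_LOG = [
    "2025-01-07T08:00:02 dev=prn-01 dst=brother.com",
    "2025-01-07T08:02:30 dev=prn-01 dst=ntp.example.test",
    "2025-01-07T08:03:15 dev=bev-07 dst=bevi.co",
    "2025-01-07T08:04:59 dev=bev-07 dst=unknown-host.example.test",  # never seen in learning
    "2025-01-07T08:05:10 dev=bev-07 dst=unknown-host.example.test",
]

# Hypothetical lookup from call-home domain to device class (the two entries come from the post).
DOMAIN_HINTS = {"brother.com": "printer", "bevi.co": "beverage equipment"}
# Destinations shared by many device types carry no identity signal (constructed placeholder).
SHARED_DOMAINS = {"ntp.example.test"}


def parse_line(line):
    """Parse '<ts> dev=<id> dst=<domain>' into (ts, device, domain); reject malformed input."""
    ts, dev, dst = line.split()
    if not (dev.startswith("dev=") and dst.startswith("dst=")):
        raise ValueError(f"malformed log line: {line!r}")
    return ts, dev[4:], dst[4:].lower()


def build_baselines(lines):
    """Step 1: per device, count every destination seen during the learning window."""
    baselines = defaultdict(Counter)
    for line in lines:
        _, device, domain = parse_line(line)
        baselines[device][domain] += 1
    return dict(baselines)


def classify(baselines):
    """Step 2: the most frequent non-shared destination names the device class."""
    labels = {}
    for device, counts in baselines.items():
        specific = [(n, d) for d, n in counts.items() if d not in SHARED_DOMAINS]
        if not specific:
            labels[device] = "unknown"
            continue
        _, top_domain = max(specific)
        labels[device] = DOMAIN_HINTS.get(top_domain, "unknown")
    return labels


def detect_anomalies(lines, baselines):
    """Step 3: alert on destinations outside a device's baseline, and on devices never learned."""
    alerts = []
    for line in lines:
        ts, device, domain = parse_line(line)
        known = baselines.get(device)
        if known is None:
            alerts.append({"ts": ts, "device": device, "domain": domain, "reason": "new device"})
        elif domain not in known:
            alerts.append({"ts": ts, "device": device, "domain": domain, "reason": "new destination"})
    return alerts


if __name__ == "__main__":
    base = build_baselines(LEARN_LOG)
    print("classification:", classify(base))
    for alert in detect_anomalies(MONITOR_LOG, base):
        print("ALERT", alert)
```

The baseline here is plain set membership, which is enough to show why behavior is a stronger identity signal than a MAC address: the beverage machine is still the same MAC on day two, but its two connections to a never-before-seen host are exactly what a defender wants surfaced. A production model would also need frequency and timing features, because a compromised device that keeps talking only to its usual destinations would pass a membership check unnoticed.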


Conclusion

To summarize, Zscaler IoT Behavioral Identity, Zscaler's latest innovation powered by our Zscaler AI engine, solves the IoT identity challenge that has plagued the industry for decades. It is time to think outside the box of traditional certificate- and MAC-based authentication and start embracing this new way to secure all your IoT devices. If you're interested in learning more, reach out to your Zscaler representative to ask for a demo.
