Interconnectedness and convenience are two things that many now consider essential to everyday life. While so much of the world expects the convenience of the Internet of Things (IoT), they generally give little thought to the security of the transmission networks underlying the IoT. But with 13.8 billion active IoT device connections this year and exponentially more expected in the near future, IoT network security is of paramount importance.
With over 25 billion IoT devices expected by 2025, companies would be prudent to apply the principle of least privilege to their IT personnel. (Source: freepik)
According to the GSM Association (GSMA), an organization representing mobile network operators worldwide, IoT device manufacturers still fail to adequately design and build with security in mind.
Worse yet, GSMA suggests that most device manufacturers don’t have a sufficient understanding of how to secure their devices. Insecure devices offer attackers easy access to telecommunications networks, creating significant risk of cyberattacks. And as the IoT shifts towards 5G as that network expands, insecure devices threaten the security of the 5G network itself.
Lack of security at the edges of the IoT places significant security burdens on communications service providers (CSPs), including telecommunications network providers, cable services and cloud communications providers. As more and more players beyond traditional telcos participate in the IoT and engage with IoT devices through the 5G network, the attack surface expands significantly. So CSPs must take additional measures to ensure the security of their own systems.
Evolving security concerns for CSPs
In its yearly review of the security landscape, GSMA identified eight primary threat and vulnerability areas for the mobile communications industry:
- Device & IoT
- Cloud security
- Securing 5G
- Signaling and interconnect
- Supply chain
- Software & virtualization
- Cyber & operational security
- Security skills shortage
Device and IoT security have been ongoing concerns for GSMA, particularly as the number of connected devices continues to far exceed the world’s population, with 25 billion connected IoT devices expected by 2025. The complexity of device technology stacks grows correspondingly, and with it the number of components that can be misconfigured or left unpatched.
GSMA identifies the connections between corporate networks and telecom networks as a significant potential attack vector, particularly as companies take advantage of the 5G rollout. Industry professionals and academics have investigated the security risks of 5G for several years now, as has the U.S. government. But concerns remain about the expansion of the attack surface as 5G becomes more prevalent. GSMA suggests a range of security measures that 5G CSPs should implement.
Among the recommended measures for securing CSPs is privileged access management. Properly-implemented PAM reduces the attack surface by limiting the number of privileges and permissions hackers can attempt to exploit. And PAM will have minimal impact on CSP operations because the intent is to remove permissions and rights that are not necessary for people and processes to do their jobs.
PAM vs. IAM
Many readers may be familiar with IAM (identity and access management), but less so with PAM. And while they share common goals, they are different in scope and application.
Consider a pyramid where a limited number of administrative users sit at the apex and general users make up the base. In its various iterations, IAM covers the entire pyramid. However, many IAM applications focus on the permissions for the users at the base, those who frequently access the system but have few or no administrative permissions. On the other hand, PAM focuses on the top, that is, on those who make the most desirable targets because of their organizational roles.
Note that when we refer to users here, it is not the same thing as saying humans. IAM and PAM controls also apply to non-human identities within a system, for example, processes that may have their own identification.
Provisioning permissions and access rights
When assigning rights and permissions to an organization’s users, there are several approaches IT personnel can take. First, and worst, is generalized, broad access to company systems and data stores – effectively no control at all. It should go without saying that this approach is high-risk and creates significant exposure for the organization. But many organizations do allow users far more access than they need to avoid unintentionally disrupting daily activities, expanding the company’s attack surface.
Prudent companies apply the principle of least privilege, need-to-know access, or, better, a combination of the two. Least privilege governs what a user can do in the system (the rights and permissions an identity holds); need-to-know governs what data that user can see.
Under the principle of least privilege, users receive only those rights and permissions necessary for their job—nothing more and nothing less. By preventing users from having permissions for areas they never use, organizations remove an unnecessary vulnerability without negatively impacting the user’s performance.
Need-to-know applies to the organization’s data, with restrictions limiting access to the data directly related to and necessary for the user to perform their job functions.
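To make the distinction concrete, here is an added example (not from the article or from GSMA) of a deny-by-default authorization check that combines the two principles: a role grants only the actions its holders need (least privilege), and a resource is visible only to principals with a grant for the scope that owns it (need-to-know). The role table, action names, scopes and classification labels are hypothetical, chosen to resemble a CSP operations environment.

```python
from dataclasses import dataclass

# Hypothetical role -> permitted actions table. Under least privilege each role
# lists only the actions its holders need; any action not listed is denied.
ROLE_ACTIONS = {
    "noc-operator": {"read:metrics", "read:alarms", "ack:alarm"},
    "field-tech": {"read:metrics", "reboot:cpe"},
    "core-admin": {"read:metrics", "read:alarms", "ack:alarm",
                   "write:config", "reboot:cpe"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    # Need-to-know grants: the regions / enterprise customers this principal
    # works on. "*" is a wildcard that covers ordinary resources only.
    scopes: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    scope: str                       # who owns the resource (region, customer)
    classification: str = "internal"  # "internal" or "restricted"


def has_need_to_know(p: Principal, r: Resource) -> bool:
    """Need-to-know: an explicit scope grant always suffices; the wildcard
    never covers restricted data, so even a broad admin role cannot see a
    restricted customer's resources without an explicit grant."""
    if r.scope in p.scopes:
        return True
    return "*" in p.scopes and r.classification != "restricted"


def is_allowed(p: Principal, action: str, r: Resource) -> bool:
    """Deny by default: allow only if the role grants the action (least
    privilege) AND the principal has need-to-know for the resource."""
    role_allows = action in ROLE_ACTIONS.get(p.role, set())
    return role_allows and has_need_to_know(p, r)


# Constructed sample principals and resources for the demonstration.
ALICE = Principal("alice", "noc-operator", frozenset({"region-east"}))
BOB = Principal("bob", "core-admin", frozenset({"*"}))
EVE = Principal("eve", "contractor", frozenset({"region-east"}))  # unknown role

EAST_CELL = Resource("cell-0417", "region-east")
WEST_CELL = Resource("cell-0988", "region-west")
ACME_VPN = Resource("acme-l3vpn", "enterprise-acme", classification="restricted")


def evaluate_all():
    """Run a fixed set of access requests and return their decisions."""
    requests = [
        (ALICE, "ack:alarm", EAST_CELL),      # role ok, scope ok -> allow
        (ALICE, "write:config", EAST_CELL),   # action not in role -> deny
        (ALICE, "read:alarms", WEST_CELL),    # no need-to-know -> deny
        (BOB, "write:config", WEST_CELL),     # admin, wildcard scope -> allow
        (BOB, "write:config", ACME_VPN),      # restricted, no explicit grant -> deny
        (BOB, "delete:subscriber", EAST_CELL),  # unknown action -> deny
        (EVE, "read:metrics", EAST_CELL),     # unknown role -> deny
    ]
    return [(p.name, action, r.name, is_allowed(p, action, r))
            for p, action, r in requests]


if __name__ == "__main__":
    for name, action, res, ok in evaluate_all():
        print(f"{name:6} {action:18} {res:12} {'ALLOW' if ok else 'DENY'}")
```

The point of the wildcard rule is the one the article makes about privileged users: an administrator needs broad rights to operate the network, but that does not mean every administrator needs to see every customer's restricted data. Granting the restricted scope explicitly, per person and per customer, keeps the audit trail meaningful.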
Lack of least privilege or need-to-know controls is only one of the identity-related vulnerabilities common in many organizations. Many organizations still have shared accounts or passwords, which diminishes the ability to audit activity and ensure compliance with corporate security policies. Companies also frequently have old, unused accounts, often with substantial privileges, that ideally would have been purged long before. And many companies still rely on manual or decentralized provisioning and maintenance of user credentials.
Why (and how) CSPs should use PAM
Every privilege and access a user has creates a unique opportunity for a cybercriminal to exploit. So it is in every CSP’s best interest to limit those privileges and access rights. Doing so restricts potential attack vectors and minimizes possible damage when a hacker successfully appropriates a particular user’s identity. The fewer permissions a user has, the less a successful attacker has to work with.
Limiting privileges can also restrict the types of attacks that can damage an organization’s systems. For example, some types of malware need elevated privileges to install drivers, modify system services or persist system-wide. If an attacker attempts to deploy such malware through a non-privileged user account, they run into a wall, and are confined to what that user could already do.
Here are some of the best practices CSPs should follow.
- Implement a privilege management policy: Given that there is no single, universally applicable IoT security standard, CSPs need rigorously defined and monitored policies that ensure compliance by removing any opportunity for deviation. Policies should define who controls provisioning and management of permissions and rights, how provisioning occurs, and schedules for re-provisioning or de-provisioning as necessary. In addition, policies should address password security, including password strength, use of multi-factor authentication and expiration of passwords. (Note that current NIST guidance in SP 800-63B recommends against forced periodic password rotation and instead requires a change when there is evidence of compromise, so expiration rules should be applied deliberately rather than by default.)
- Centralize PAM and IAM: CSPs should have a centralized system for the provisioning, maintenance and de-provisioning of permissions and access rights. Building an inventory of accounts with high permissions prevents organizations from having unused accounts slip through the cracks.
- Make sure least privilege means least privilege: While users can become frustrated if they have to contact the help desk to perform certain tasks, that is no reason to provide them with more permissions than they need. Most company edge or endpoint users do not need to have administrative rights or access to root directories. Even privileged users do not require broad-based access rights. Restrict access to what is absolutely necessary to perform the job.
- Add security through segmentation: Segmenting systems and networks helps prevent attackers from moving laterally once they have gained a foothold in a company network. Reinforce segmentation with zero trust policies between segments where possible, so that crossing a segment boundary requires authentication and authorization rather than only network reachability.
- Enforce password security best practices: Poor password hygiene remains a significant vulnerability for many organizations. Build a culture of security by training employees to understand that the slight inconveniences of strong passwords, multi-factor authentication and password expiration protect the company from the potentially devastating consequences of a breach.
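The centralized inventory recommended above is only useful if someone actually runs checks against it. As an added example (not from the article, and not the output of any real PAM product), here is a small Python audit over a constructed account export that flags the hygiene problems discussed earlier: shared accounts, orphaned accounts with no owner, privileged accounts nobody has used for 90 days, and privileged human accounts without multi-factor authentication. The account names, field names and the 90-day threshold are assumptions; adapt them to your own export format and policy.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real accounts), one row per account as a
# central PAM/IAM system might export it. "owners" lists the people or teams
# accountable for the account; more than one owner on a human account means
# the credential is being shared.
INVENTORY = [
    {"account": "ops-admin-shared", "kind": "human", "owners": ["alice", "bob", "carol"],
     "privileged": True, "mfa": True, "last_login": date(2024, 5, 20)},
    {"account": "alice", "kind": "human", "owners": ["alice"],
     "privileged": True, "mfa": True, "last_login": date(2024, 5, 29)},
    {"account": "dave-legacy", "kind": "human", "owners": [],
     "privileged": True, "mfa": False, "last_login": date(2023, 9, 1)},
    {"account": "svc-billing-export", "kind": "service", "owners": ["billing-team"],
     "privileged": False, "mfa": False, "last_login": date(2024, 5, 30)},
    {"account": "svc-old-probe", "kind": "service", "owners": ["noc"],
     "privileged": True, "mfa": False, "last_login": date(2024, 1, 15)},
    {"account": "erin", "kind": "human", "owners": ["erin"],
     "privileged": False, "mfa": False, "last_login": date(2024, 5, 28)},
]

STALE_AFTER = timedelta(days=90)  # assumed policy threshold


def audit(inventory, today, stale_after=STALE_AFTER):
    """Return a sorted list of (account, finding) pairs.

    Findings:
      shared-account         more than one owner on a human account
      orphaned               no owner at all (nobody will de-provision it)
      stale-privileged       privileged and unused for longer than stale_after
      privileged-without-mfa privileged human account with no MFA enforced
    Service accounts are not checked for MFA because they cannot use it; they
    need other controls (vaulted secrets, rotation, scoped permissions).
    """
    findings = []
    for acct in inventory:
        name = acct["account"]
        owners = acct["owners"]
        if acct["kind"] == "human" and len(owners) > 1:
            findings.append((name, "shared-account"))
        if not owners:
            findings.append((name, "orphaned"))
        if acct["privileged"] and today - acct["last_login"] > stale_after:
            findings.append((name, "stale-privileged"))
        if acct["privileged"] and acct["kind"] == "human" and not acct["mfa"]:
            findings.append((name, "privileged-without-mfa"))
    return sorted(findings)


def summarize(findings):
    """Count findings per category, for a quick dashboard line."""
    counts = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


def run_audit(today=date(2024, 6, 1)):
    """Audit the constructed inventory as of a fixed date so results are stable."""
    return audit(INVENTORY, today)


if __name__ == "__main__":
    results = run_audit()
    for account, finding in results:
        print(f"{account:20} {finding}")
    print(summarize(results))
```

Run this on a schedule against the real export rather than once: the value of the inventory is in catching the account that was privileged last quarter and has not been touched since, which is exactly the one that slips through the cracks in a manual process.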
Secure CSPs are the backbone of a secure IoT
Without secure CSP networks, the IoT is a cybercriminal’s playground. Before worrying about the millions of edge devices, CSP security experts should look inwards and secure their internal systems as best as possible. Applying least privilege principles and privileged access management systems is a useful first step.
Ludovic Rembert is a security analyst, researcher, and the founder of PrivacyCanada.net. He spent his career as a network security engineer before taking up freelance writing on a variety of technical and cybersecurity subjects.