How to implement Zero Trust IoT solutions with AWS IoT

“Zero Trust” is an often-misunderstood term: it is not a product but a security model with an associated set of architectural principles and patterns. One of the main challenges customers face is determining how Zero Trust principles apply to IoT and how to get started incorporating them using AWS IoT. In this blog post we discuss Zero Trust principles using the NIST 800-207 Zero Trust tenets as a reference, and the AWS IoT services that support Zero Trust by default and can be used to enable a Zero Trust IoT implementation.

What is Zero Trust Security?

Let’s start by defining Zero Trust: a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets. These security controls do not solely or fundamentally depend on traditional network controls or network perimeters. Zero Trust requires users, devices, and systems to prove their identities and trustworthiness, and enforces fine-grained identity-based authorization rules before allowing them to access applications, data, and other assets.

Zero Trust principles are meant for an organization’s entire infrastructure, which includes Operational Technology (OT), IT systems, IoT and Industrial Internet of Things (IIoT). It is about securing everything, everywhere. Traditional security models rely heavily on network segmentation and give high levels of trust to devices based on their presence on the network. In comparison, Zero Trust is a proactive and integrated approach that explicitly verifies connected devices regardless of network location, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats. With the proliferation of IoT devices in enterprises and IIoT devices in industry, increasing cyber threats and hybrid work models, organizations are faced with protecting an expanded attack surface and new security challenges. Zero Trust offers a better security model because of the security principles it uses and is an area of increasing government and enterprise scrutiny.

A Zero Trust model can significantly improve an organization’s security posture by reducing the sole reliance on perimeter-based protection. This doesn’t mean getting rid of perimeter security altogether. Where possible, use identity and network capabilities together to protect core assets and apply Zero Trust principles working backwards from specific use cases with a focus on extracting business value and achieving measurable business outcomes.

To help you on this journey, AWS provides a number of IoT services which can be used with other AWS identity and networking services to provide core Zero Trust building blocks as standard features that can be applied to enterprise IoT and industrial IoT implementations.

Aligning AWS IoT with NIST 800-207 Zero Trust Principles

AWS IoT helps you adopt a NIST 800-207 based Zero Trust architecture (ZTA) by following the 7 Tenets of Zero Trust described here:

1. All data sources and computing services are considered resources.

In AWS, all of your data sources and computing services are already modeled as resources; this is intrinsic to our access management system. For example, AWS IoT Core and AWS IoT Greengrass are resources, as are services such as Amazon S3 and Amazon DynamoDB that IoT devices can securely call. Each connected device must have a credential to interact with AWS IoT services. All traffic to and from AWS IoT services is sent securely over Transport Layer Security (TLS). AWS cloud security mechanisms protect data as it moves between AWS IoT services and other AWS services.

2. All communication is secured regardless of network location.

With AWS IoT services, all communications are secured by default. Communication between devices, and between devices and cloud services, is secured independent of network location by individually authenticating and authorizing every AWS API call over TLS. When a device connects to other devices or to cloud services, it must establish trust by authenticating with principals such as X.509 certificates, security tokens, or other credentials. The AWS IoT security model supports certificate-based authentication (or custom authorizers for legacy devices), authorization using AWS IoT policies, and encryption using TLS 1.2. Along with the strong identity provided by AWS IoT services, Zero Trust requires least-privilege access control, which restricts the operations a device may perform after it connects to AWS IoT Core and limits the impact of an authenticated identity that has been compromised; this is achieved using AWS IoT policies.

AWS provides device software to enable IoT and IIoT devices to securely connect to other devices and AWS services in the cloud. AWS IoT Greengrass is an IoT open source edge runtime and cloud service that helps build, deploy, and manage device software. AWS IoT Greengrass authenticates and encrypts device data for both local and cloud communications, so that data is never exchanged between devices and the cloud without proven identity. Another example is FreeRTOS. FreeRTOS is an open source, real-time operating system for microcontrollers that makes small, low-power edge devices easy to program, deploy, secure, connect, and manage. FreeRTOS includes support for Transport Layer Security (TLS v1.2) for secure communications and PKCS #11 for use with cryptographic elements used for securely storing credentials. With AWS IoT Device Client you can securely connect your IoT devices to AWS IoT services.

3. Access to individual enterprise resources is granted on a per-session basis and trust is evaluated before access is granted using least privileges needed to complete the task.

AWS IoT services and AWS API calls grant access to resources on a per-session basis. An IoT device must authenticate with AWS IoT Core and be authorized before it can perform an action, so AWS IoT Core evaluates trust in the device before granting permissions. Every time a device connects to AWS IoT Core, it presents its device certificate (or credentials validated by a custom authorizer) to authenticate, and the attached AWS IoT policies are enforced to check whether the device is authorized to access the resources it requests. This authorization is valid only for the current session; the next time the device connects it goes through the same steps again, making this a per-session access pattern. The same applies when a device uses the AWS IoT Core credential provider to connect to other AWS services.
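The least-privilege AWS IoT policy that tenets 2 and 3 rely on, as an added example (not code from the post or from AWS): it builds a per-thing policy from the `${iot:Connection.Thing.ThingName}` policy variable, which resolves at connect time to the thing attached to the presenting certificate, and lints a policy document for the wildcard statements that defeat least privilege. REGION and ACCOUNT are placeholders, and the topic layout under `dt/` is an assumption.

```python
"""Least-privilege AWS IoT policy built from policy variables, plus a small
linter for over-broad statements. Added example, not from the post; REGION and
ACCOUNT are placeholders and the dt/<thing>/telemetry topic layout is assumed."""

REGION, ACCOUNT = "us-east-1", "123456789012"  # placeholders, not real values
THING = "${iot:Connection.Thing.ThingName}"     # AWS IoT policy variable
SHADOW = f"$aws/things/{THING}/shadow/update"


def arn(kind: str, suffix: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{suffix}"


def least_privilege_policy() -> dict:
    # Connect only as a client id equal to the thing name; publish/subscribe
    # only on this thing's own telemetry and shadow topics.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": arn("client", THING)},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": [arn("topic", f"dt/{THING}/telemetry"), arn("topic", SHADOW)]},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": arn("topicfilter", f"{SHADOW}/accepted")},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": arn("topic", f"{SHADOW}/accepted")},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(policy: dict) -> list:
    """Findings for Allow statements that defeat least privilege: wildcard
    actions, wildcard resources, or iot:Connect not bound to the thing name."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        if any(a in ("*", "iot:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append(f"statement {i}: wildcard resource {resources}")
        if "iot:Connect" in actions and not any(THING in r for r in resources):
            findings.append(f"statement {i}: iot:Connect not tied to the thing name")
    return findings


# Constructed over-permissive policy of the kind often left over from prototyping.
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}
```

The thing-name variable only resolves when the certificate is attached to exactly one thing; a policy that uses it denies connections from certificates with no thing attached.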

4. Access to resources is determined by dynamic policy —including the observable state of client identity, application/service, and the requesting asset and may include other behavioral and environmental attributes.

A core principle behind Zero Trust is that no IoT device should be granted access to other devices and applications until it has been assessed for risk and approved within the parameters of normal behavior. This principle applies particularly well to IoT devices because they have limited, stable, and predictable behaviors by nature, so it is possible to use their behavior as a measure of device health. Once identified, every IoT device should be verified against baselined behaviors before being granted access to other devices and applications on the network. Device state can be observed using the AWS IoT Device Shadow feature, and device anomalies detected using AWS IoT Device Defender. Access policies are applied to a collection of devices, known as a thing group in AWS IoT, and are evaluated at runtime before access is granted. Membership in a group is dynamic and can be configured to change based on device behavior using AWS IoT Device Defender, which uses its Rules Detect or ML Detect features to determine a device’s normal behavior and any deviation from the baseline. Once an anomaly is detected, the device can be moved to a quarantine group with limited permissions defined by that static group’s policy, or can be blocked from connecting to AWS IoT Core.
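The quarantine step described above, as an added example rather than code from the post: an SNS-triggered handler that reads a Device Defender violation notification and moves the thing between an assumed production group and an assumed quarantine group. The IoT client is injected so the block runs offline (pass `boto3.client("iot")` in production), and the sample event is constructed to match the notification shape, not a real capture.

```python
"""Turn an AWS IoT Device Defender violation notification into the quarantine
action the post describes. Added example, not the post's code: the group names
are assumed, and the IoT client is injected so it runs offline."""
import json

QUARANTINE_GROUP = "QuarantinedDevices"  # assumed: its policy grants only shadow reads
NORMAL_GROUP = "ProductionDevices"       # assumed: group that carries the full policy


class RecordingIotClient:
    """Stand-in for boto3.client("iot"): records the thing-group calls it receives."""
    def __init__(self):
        self.calls = []

    def add_thing_to_thing_group(self, thingGroupName, thingName):
        self.calls.append(("add", thingGroupName, thingName))

    def remove_thing_from_thing_group(self, thingGroupName, thingName):
        self.calls.append(("remove", thingGroupName, thingName))


def handle_violation(event: dict, iot) -> str:
    """Return "quarantine", "release" or "ignore" for one violation event.
    Unknown or malformed events are ignored, never treated as a release."""
    thing, kind = event.get("thingName"), event.get("violationEventType")
    if not thing or kind not in ("in-alarm", "alarm-cleared"):
        return "ignore"
    src, dst = ((NORMAL_GROUP, QUARANTINE_GROUP) if kind == "in-alarm"
                else (QUARANTINE_GROUP, NORMAL_GROUP))
    # Group policies are additive (only an explicit Deny overrides an Allow),
    # so the thing must leave the permissive group, not just join the quarantine one.
    iot.add_thing_to_thing_group(thingGroupName=dst, thingName=thing)
    iot.remove_thing_from_thing_group(thingGroupName=src, thingName=thing)
    return "quarantine" if kind == "in-alarm" else "release"


def lambda_handler(event, context=None, iot=None):
    """SNS-triggered entry point: each record wraps one notification as JSON."""
    iot = iot or RecordingIotClient()  # production: boto3.client("iot")
    return [handle_violation(json.loads(r["Sns"]["Message"]), iot)
            for r in event.get("Records", [])]


# Constructed sample shaped like a Device Defender notification (not a real capture).
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "thingName": "pump-0042", "violationEventType": "in-alarm",
    "securityProfileName": "baseline", "metricValue": {"count": 412},
    "behavior": {"name": "TooManyMessages", "metric": "aws:num-messages-sent"}})}}]}
```

The swap only restricts a device whose permissive policy is attached through the production group; a policy attached directly to the device certificate keeps applying regardless of group membership.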

5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted. The enterprise evaluates the security posture of the asset when evaluating a resource request. An enterprise implementing a ZTA should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and should apply patches/fixes as needed.

AWS IoT Device Defender continuously audits and monitors your fleet of IoT devices, and you can use other AWS services for continuous audit and monitoring of non-IoT components and services; together these results can be used to evaluate the security posture of an asset when evaluating a resource request. For example, based on the results of auditing and monitoring your device fleet with AWS IoT Device Defender, you can take mitigation actions such as placing a device in a static thing group with limited permissions, revoking permissions, quarantining the device, applying patches to keep devices healthy using the AWS IoT Jobs feature for over-the-air (OTA) updates, or remotely connecting to the device for service or troubleshooting using the AWS IoT secure tunneling feature.

6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication.

Zero Trust begins with “default deny”: no access is granted without proper authentication and authorization, combined with signals from device health. AWS IoT services perform authentication and authorization before access is allowed, and the same is true of every AWS API call. Zero Trust requires the ability to detect and respond to threats across IoT, IIoT, IT and cloud networks. In addition to AWS IoT Device Defender, other AWS services can be used for security auditing, monitoring, alerting, machine learning and taking mitigation actions.

7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

You can use IoT device data to make continuous improvements in security posture with AWS IoT Device Defender. For example, you can start by turning on the AWS IoT Device Defender Audit feature in your AWS account to get a security baseline for your IoT devices, and use that baseline to drive continuous improvements to your security posture. You can then add the AWS IoT Device Defender Rules Detect or ML Detect feature to detect anomalies frequently found in connected devices and make improvements based on the detection results. In addition, with AWS IoT Device Defender custom metrics, you can define and monitor metrics that are unique to your device fleet or use case. Beyond device data, you can get insights from other data collected on AWS (audit, logging, telemetry data, analytics) and use AWS IoT features such as AWS IoT Jobs to apply patches that improve security posture and software updates that improve device functionality, AWS IoT Secure Tunneling to securely connect to devices for troubleshooting and remote service when needed, and other AWS services to make continuous improvements to an enterprise’s security posture, which can include fine-tuning permissions.

To help you get started, you can try the “Implementing Zero Trust with AWS IoT workshop”, which gives you hands-on experience using multiple AWS IoT services to safely and securely deploy commercial and industrial IoT devices at scale using Zero Trust security architecture principles. Working through a scenario where you are in charge of deploying devices outside of your corporate perimeter, you will use AWS IoT Core, AWS IoT Device Defender, AWS IoT Device Management and Amazon Simple Notification Service (SNS) to build a resilient architecture including unique identity, least privilege, dynamic access control, health monitoring, and behavioral analytics to ensure the security of your devices and data. After detecting a security anomaly, you will be able to investigate and take mitigation actions such as quarantining an anomalous device, securely connecting to the device for remote troubleshooting, and applying a security patch to fix device vulnerabilities and keep devices healthy.

Implementing Zero Trust with AWS IoT workshop architecture

Zero Trust Isn’t A Race; It’s A Continuous Journey

Zero Trust requires a phased approach, and since every organization is different, each journey will be unique based on the organization’s maturity and the cyber security threats it faces. However, the core Zero Trust principles outlined in this blog still apply. For IoT and IIoT, AWS recommends a multi-layered security approach to secure IoT solutions end to end from device to edge to cloud: use strong identities and least-privileged access, continuously monitor device health and anomalies, securely connect to devices to fix issues, and apply continual updates to keep devices up to date and healthy. When transitioning to a Zero Trust architecture, it is not necessary to rip and replace existing networks or eliminate traditional security approaches. Instead, companies can move to Zero Trust over time using an iterative approach that protects one asset at a time until the entire environment is protected, starting with the most critical assets first. Before replacing traditional security controls with Zero Trust components, ensure you have done comprehensive testing. AWS recommends using a Zero Trust approach for modern IoT and IIoT devices, and combining identity and network capabilities such as micro network segmentation, AWS Direct Connect and VPC Endpoints to connect legacy OT systems to AWS IoT services. In addition, AWS offers AWS Outposts for certain workloads that are better suited to on-premises management, and AWS Snowball Edge for applications that need to process IIoT data at the edge. This enables the industrial edge to act as a “guardian” that locally interfaces with less-capable OT systems, bridging them to cloud services with strong identity patterns. Always work backwards from specific use cases and apply Zero Trust to your systems and data in accordance with their value.
AWS offers lots of choices with AWS security services and Partner solutions and provides customers with an easier, faster, and more cost-effective path towards enabling a Zero Trust implementation for IoT and IIoT workloads.

Learn more

Learn more about AWS’s value-driven approach to Zero Trust at Zero Trust on AWS.

About the authors

Ryan Dsouza is a Global Solutions Architect for Industrial IoT (IIoT) at Amazon Web Services (AWS). Based in New York City, Ryan helps customers architect, develop and operate secure, scalable and highly innovative solutions using the breadth and depth of AWS platform capabilities to deliver measurable business outcomes. Ryan has over 25 years’ experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and IIoT security across a diverse range of industries. Prior to AWS, Ryan worked at Accenture, SIEMENS, General Electric, IBM and AECOM, serving customers with their digital transformation initiatives.

Syed Rehan, a Sr. Security Product Manager at AWS, plays a pivotal role in driving revenue growth and launching strategic AWS security services. He collaborates closely with cross-functional teams, leveraging his expertise in cybersecurity, IoT, and cloud technologies to develop and launch innovative security solutions that address customers’ evolving needs. Syed’s deep understanding of the market landscape and customer pain points enables him to identify lucrative opportunities and spearhead the development of high-impact security services. Through strategic product planning, roadmap creation, and effective go-to-market strategies, Syed contributes significantly to AWS’s revenue growth and solidifies its position as a trusted leader in cloud security.