The Convergence of AV and IT: Protect Your Devices with a Zero Trust Approach

With the proliferation of internet-enabled devices, the risk of IT security breaches is becoming increasingly concerning. From smartphones to tablets and laptops, the number of internet devices connecting with audiovisual devices is growing and with it, the potential for cyber attacks. As we become more connected to AV applications like conferencing systems and digital signage, hackers have more opportunities to access sensitive data. This includes usernames and passwords, financial information, and other personal information. Furthermore, with the growing number of devices connecting to the internet, it becomes increasingly difficult for organizations to track who accesses their networks. This makes it difficult to protect them from malicious actors. What can IT managers do?

The Zero Trust Approach

Zero Trust has evolved into more than just a trend in cybersecurity. It has established itself as an essential concept that guides how many organizations secure their networks and devices. While many are familiar with Zero Trust, it can get complicated when applied to IoT devices.

To understand Zero Trust, you must go back to its beginning – in 2020, when the director of the Defense Information Systems Agency (DISA) first suggested three basic tenets of Zero Trust. The three tenets were to: “Never trust, always verify; assume breach; and verify explicitly.”

Nowadays, it is often agreed that the Least Privilege principle is the best base for Zero Trust. The Principle of Least Privilege states “that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.”

The Principle of Least Route is similar to Least Privilege but concerns a network’s physical wiring and fiber optic data paths. Least Route ensures that a device only possesses the minimum network access required.

But the continuous authentication of users is what sets Zero Trust apart. The most popular technique for implementing Zero Trust at login is multi-factor authentication (MFA), which many enterprises have already started establishing.

AV systems should require logins and MFA whenever possible. Credentials should also not be shared in files that just anyone can access.

Challenges and Promising Solutions

Organizations are also encouraged to consider their devices’ risk profile. And consider establishing a Zero Trust approach with everything infrastructure-related – routers, switches, cloud, IoT, and supply chain. However, this can be particularly challenging with IoT and unmanaged devices, considering that new devices are often introduced, and other devices tend to move from location to location.

When purchasing IoT devices, try to look for ones incorporating a risk management framework in development. Add IoT security controls to your current risk management framework and use them with Zero Trust principles to decrease the attack surface a hacker can access.

A core foundation of Zero Trust is identifying as many users, devices, and other elements as possible. But device authentication, ensuring a device's identity is what it claims to be, remains an adamant issue since IoT devices typically don’t have access controls.

IoT fingerprinting appears to be a promising authentication mechanism. Device fingerprinting profiles a device based on available information and generates a verifiable identity. Maintaining device health through continual updates and monitoring devices to detect threats is critical. And as changes in IT and business needs occur, you can maximize the impact of your Zero Trust approach by continually reassessing your architecture.

Finally, the cybersecurity for AV discussion doesn’t end here. Leave a comment, create a post, and chat in our IT And Networked AV Room to continue the ongoing conversation.