Extending SASE & ZTNA from Users to Connected Devices: IoT Security


The Challenge

 

The rise of AI and IoT is transforming industries, with connected devices now outnumbering users three to one. While these devices fuel new business models and operational efficiency, they also create significant cybersecurity risks: a staggering 57% are vulnerable to serious attacks, often operating with unchecked network access. Unfortunately, security teams are struggling with fragmented architectures to address the risks from these connected devices. A patchwork of legacy point solutions increases operational complexity, creates security gaps, and fails to provide the unified visibility and granular control the IoT challenge demands. This architectural chaos stands in direct opposition to the consolidated, cloud-native security posture promised by SASE.

 

Achieving IoT Security with Prisma SASE

 

In 2021, Palo Alto Networks became the first SASE vendor to launch IoT Security by integrating AI and machine learning from its Zingbox acquisition. This solution delivers precise discovery, classification, control, and segmentation of IoT devices, advancing our vision of Universal ZTNA. As a fully integrated solution that needs no additional sensors and provides automated security policy recommendations, it simplifies operations for network and security teams.

 

To help organizations achieve their IoT security objectives, the solution provides multiple deployment and implementation choices. IoT Security lets security teams start reclaiming and securing IoT devices quickly on the Palo Alto Networks Network Security Platform in any form factor: hardware (PA-Series NGFWs), software (VM-Series NGFWs), or service (Prisma SASE), as well as Prisma SD-WAN. These options are designed to align with an organization's specific network architecture and its current progress on its SASE and ZTNA journey.

 

[Figure 1]

Discovery

Prisma SASE IoT Security offers several flexible, agentless methods to discover every device by seamlessly integrating with the platforms that are already in use. This ensures there are no blind spots, all without requiring additional hardware sensors. Here's how it works:

 

  • Inline Discovery: This is the most common and powerful method. Organizations can use their existing Palo Alto Networks network security infrastructure, such as Next-Generation Firewalls (physical or virtual), Prisma Access, and Prisma SD-WAN, that sits in the direct path of traffic. As device traffic flows through these components, IoT Security analyzes it in real time to identify and classify every connected device. This approach provides immediate visibility by leveraging the security infrastructure already in place at headquarters, data centers, and branch locations.
  • Out-of-Band Discovery: For parts of the network where devices do not send traffic through an inline inspection point, this method actively queries the network to find them. Organizations often isolate critical IoT devices on separate network segments with static IP addresses for security; those devices then generate no DHCP or other inline traffic that would have revealed them. In such environments, Prisma SD-WAN ION devices and NGFWs can be configured to query SNMP MIBs on the local switches and routers, learning the IP and MAC addresses of connected IoT devices. This ensures comprehensive visibility even for devices that never communicate externally, complementing inline discovery and filling the gaps it leaves.
  • Third-Party Integrated Discovery: Most organizations already use asset management or IT administration tools. Prisma SASE IoT Security can integrate with these third-party systems via Cortex XSOAR to ingest device data from those sources. This enriches device profiles with additional context and accelerates discovery by leveraging existing IT investments.
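The three discovery methods above feed one inventory, and the value of the out-of-band and third-party sources is precisely the devices inline inspection never sees. The following is an added example (not Palo Alto Networks code) that reconciles constructed samples of all three sources, keyed on MAC address, and lists the blind spots: the device shapes, the SNMP rows in the shape of a MIB-II ipNetToMediaTable walk, and the asset CSV are all assumptions for illustration.

```python
# Added example (not Palo Alto Networks code): reconcile three discovery
# sources into one inventory keyed on MAC address and list the devices that
# inline inspection alone would never have seen. All data below is constructed.
import csv
import io
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so every source agrees on the key."""
    hexdigits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)


# Source 1: devices whose traffic crossed an inline inspection point (mac, ip, hostname)
INLINE_SEEN = [
    ("00:1a:2b:00:00:01", "10.10.1.20", "lobby-camera-1"),
    ("00:1a:2b:00:00:02", "10.10.1.21", None),
]

# Source 2: rows in the shape of an SNMP walk of the MIB-II ipNetToMediaTable on the
# access switch (ifIndex, ip, physical address). The switch's ARP cache also holds
# hosts that only ever talk on the local segment.
SNMP_ARP_ROWS = [
    (3, "10.10.1.20", "00-1A-2B-00-00-01"),
    (3, "10.10.1.21", "00-1A-2B-00-00-02"),
    (7, "10.10.5.7", "00-1A-2B-00-00-03"),   # static-IP device that never leaves its VLAN
]

# Source 3: export from an asset-management tool (constructed CSV)
ASSET_CSV = """mac,asset_tag,owner,model
00:1a:2b:00:00:01,A-1001,Facilities,ip-camera-model-x
00:1a:2b:00:00:03,A-1003,Biomed,infusion-pump-model-y
00:1a:2b:00:00:04,A-1004,Biomed,retired-monitor-model-z
"""


def merge_discovery(inline, snmp_rows, asset_csv):
    """Union the sources into one inventory; each entry remembers who saw it."""
    inventory: dict = {}

    def entry(mac):
        key = normalize_mac(mac)
        return inventory.setdefault(key, Asset(mac=key))

    for mac, ip, hostname in inline:
        a = entry(mac)
        a.ips.add(ip)
        a.sources.add("inline")
        if hostname:
            a.attrs["hostname"] = hostname
    for ifindex, ip, mac in snmp_rows:
        a = entry(mac)
        a.ips.add(ip)
        a.sources.add("snmp")
        a.attrs["switch_ifindex"] = ifindex
    for row in csv.DictReader(io.StringIO(asset_csv)):
        a = entry(row["mac"])
        a.sources.add("asset_db")
        a.attrs.update({k: v for k, v in row.items() if k != "mac"})
    return inventory


def blind_spots(inventory):
    """MACs present in some source but never observed by inline inspection."""
    return sorted(mac for mac, a in inventory.items() if "inline" not in a.sources)


def stale_records(inventory):
    """Asset-database entries with no network evidence at all (cleanup candidates)."""
    return sorted(mac for mac, a in inventory.items() if a.sources == {"asset_db"})
```

Keying on MAC rather than IP matters because the static-IP devices that inline discovery misses are exactly the ones whose addresses are hand-assigned and may be reused; the `sources` set on each entry is what lets an administrator tell a genuinely isolated device from a stale asset record.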

[Figure 2]

 

[Figure 3]

 

Accurate discovery of IoT devices is critical. Palo Alto Networks achieves this by implementing multiple sophisticated techniques:

 

  1. Advanced Three-Tier Profiling: Traffic logs, session metadata, and enhanced application logs from all connected devices are collected and analyzed with machine learning in a patented three-tier profiling system. By comparing a device's behavior against known device profiles, the solution accurately identifies its unique "personality," creating a detailed profile that includes its type, vendor, model, OS, and over 50 other attributes such as firmware and MAC address.
  2. Continuous Learning and Adaptation: IoT Security continuously learns and updates each device's behavioral profile, maintaining a rolling baseline of acceptable behaviors and communication patterns. This ongoing analysis improves accuracy over time, adapting to changes in device behavior and the network environment.
  3. Cloud-Scale Intelligence: The solution leverages cloud-scale data to compare device usage patterns across many deployments, which helps eliminate "soak time" (the delay in recognizing devices) and fine-tune the machine learning models. This crowdsourced intelligence ensures that even previously unseen devices can be accurately classified and profiled.
  4. Enriched Data and Seamless Integration: IoT Security enriches device profiles through active discovery methods such as Device Attribute Polling and integrates with third-party systems. This allows real-time updates and ensures that the most accurate device attributes are available for policy enforcement.
  5. Precision with App-ID™ Technology: Our proprietary App-ID™ technology enhances discovery by identifying the specific applications and services a device is using. This granular detail allows more precise device classification and behavioral profiling.

 

Threat & Risk Analytics

The Palo Alto Networks IoT Security solution moves beyond basic device discovery and classification, providing rich, actionable context around every discovered device to empower robust security. This advanced context, powered by AI and machine learning (ML), includes detailed risk analytics, comprehensive vulnerability management, and real-time security alerts.

 

Continuous Risk Scoring & Analytics

The solution calculates a comprehensive risk score for every device, profile, site, and the entire organization. This score combines:

 

  • Static Factors: The device's baseline profile, including its OS, applications, role, and known risks (such as MDS2 disclosures for medical devices).
  • Dynamic Factors: Real-time data, including active threats, behavioral anomalies, and vulnerabilities found by passive analysis or third-party scanners.

 

Comprehensive Vulnerability Management

The solution focuses on what truly matters by distinguishing between a vulnerability (a flaw) and risk (the actual danger that flaw poses to the environment). It automatically detects and categorizes vulnerabilities by severity, providing CVE details and clear remediation steps. For example, a "critical" vulnerability on a device isolated from the internet is a lower risk than a "medium" vulnerability on a device handling sensitive data. This allows network security teams to prioritize the fixes that have the greatest impact on reducing overall risk.
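To make the static/dynamic split and the vulnerability-versus-risk distinction concrete, here is an added example (not Palo Alto Networks code, and not its scoring formula) of a small risk model in which the same flaw is weighted by how reachable the device is and what data it handles. The weights, the sample devices and the `CVE-PLACEHOLDER-*` identifiers are constructed for illustration; real scores would come from the vendor's model and a real vulnerability feed.

```python
# Added example (not Palo Alto Networks code): a toy risk model that keeps
# vulnerability (the flaw) and risk (what the flaw means in context) apart.
# Weights and sample devices are constructed for illustration.
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"low": 1.0, "medium": 4.0, "high": 7.0, "critical": 10.0}


@dataclass
class Vulnerability:
    cve_id: str          # placeholder ids below; real ones come from the scanner or feed
    severity: str
    remediation: str


@dataclass
class Device:
    name: str
    profile: str
    site: str
    # static factors: baseline properties of the device and its role
    os_unsupported: bool = False
    handles_sensitive_data: bool = False
    internet_exposed: bool = False
    # dynamic factors: what is happening right now
    vulns: list = field(default_factory=list)
    active_threats: int = 0
    behaviour_anomalies: int = 0


def static_score(d: Device) -> float:
    score = 0.0
    if d.os_unsupported:
        score += 15.0
    if d.handles_sensitive_data:
        score += 10.0
    return score


def exposure_factor(d: Device) -> float:
    """Same flaw, different danger: scale by reachability and data sensitivity."""
    factor = 1.5 if d.internet_exposed else 0.4   # isolated devices are discounted
    if d.handles_sensitive_data:
        factor *= 1.5
    return factor


def dynamic_score(d: Device) -> float:
    vuln_raw = sum(SEVERITY_WEIGHT[v.severity] for v in d.vulns)
    return vuln_raw * exposure_factor(d) + 8.0 * d.active_threats + 3.0 * d.behaviour_anomalies


def risk_score(d: Device) -> float:
    """Device score on a 0-100 scale, combining static and dynamic factors."""
    return min(100.0, round(static_score(d) + dynamic_score(d), 1))


def prioritised(devices):
    """Devices ordered by the risk they carry, not by raw severity alone."""
    return sorted(devices, key=risk_score, reverse=True)


def site_scores(devices):
    """Roll-up per site: the worst device sets the site's score."""
    out = {}
    for d in devices:
        out[d.site] = max(out.get(d.site, 0.0), risk_score(d))
    return out


# Constructed sample: the two cases from the text, plus the pump under active attack
ISOLATED_PUMP = Device(
    name="pump-7", profile="infusion-pump", site="clinic-a",
    vulns=[Vulnerability("CVE-PLACEHOLDER-0001", "critical", "apply vendor firmware update")],
)
EXPOSED_KIOSK = Device(
    name="kiosk-2", profile="check-in-kiosk", site="clinic-b",
    handles_sensitive_data=True, internet_exposed=True,
    vulns=[Vulnerability("CVE-PLACEHOLDER-0002", "medium", "disable legacy TLS ciphers")],
)
PUMP_UNDER_ATTACK = Device(
    name="pump-9", profile="infusion-pump", site="clinic-a", active_threats=1,
    vulns=[Vulnerability("CVE-PLACEHOLDER-0001", "critical", "apply vendor firmware update")],
)
```

With these weights the isolated pump's critical flaw scores 4.0 while the exposed kiosk's medium flaw scores 19.0, which is the ordering the text argues for; an active threat on the same pump lifts it to 12.0, showing why the dynamic factors have to be re-evaluated continuously rather than at scan time.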

 

Real-time Security Alerts

Using machine learning, IoT Security establishes a baseline of normal behavior for every device. It then triggers alerts for anomalies and suspicious activities, such as a medical device attempting to connect to a malware site, a security camera suddenly scanning the network, or a device using weak or default credentials.
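The baseline-then-alert loop can be shown end to end on flow records. The following is an added example (not Palo Alto Networks code) that learns each device's normal (destination, port) peers from a quiet period and then raises the first two alert types named above, a connection to a listed malware site and a burst of connections to many distinct hosts, over a live period. The flow tuples, the block list (using the reserved `.invalid` TLD) and the thresholds are all constructed assumptions.

```python
# Added example (not Palo Alto Networks code): learn a per-device baseline of
# (destination, port) peers from a quiet period, then alert on a connection to a
# listed malware site, a peer outside the baseline, and a network scan.
# All flow records and the block list are constructed.
from collections import defaultdict

# Constructed block list; the .invalid TLD is reserved and never resolves.
MALWARE_DOMAINS = {"update-check.malware-c2.invalid"}


def _sample_flows():
    """Flow tuples (device, t_seconds, dst, dport) for a baseline and a live window."""
    baseline = []
    for t in range(0, 600, 60):
        baseline.append(("cam-1", t, "nvr.corp.example", 554))      # RTSP to the NVR
        baseline.append(("cam-1", t + 5, "ntp.corp.example", 123))  # time sync
    for t in range(0, 600, 120):
        baseline.append(("pump-7", t, "pharmacy-srv.corp.example", 443))
    live = [("cam-1", 1000, "nvr.corp.example", 554)]               # still normal
    live += [("cam-1", 1001 + i, f"10.20.3.{i}", 22) for i in range(1, 21)]  # 20 hosts in 20 s
    live.append(("pump-7", 1100, "update-check.malware-c2.invalid", 80))
    return baseline, live


BASELINE_FLOWS, LIVE_FLOWS = _sample_flows()


def learn_baseline(flows):
    """Rolling baseline: the set of (dst, dport) peers each device normally talks to."""
    peers = defaultdict(set)
    for device, _, dst, dport in flows:
        peers[device].add((dst, dport))
    return peers


def detect(flows, baseline, scan_hosts=10, window=60):
    """Return one alert per (device, type); the first-seen detail is kept for triage."""
    alerts, reported = [], set()
    by_device = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[1]):
        by_device[f[0]].append(f)

    def raise_alert(device, kind, detail):
        if (device, kind) not in reported:          # suppress repeats of the same finding
            reported.add((device, kind))
            alerts.append({"device": device, "type": kind, "detail": detail})

    for device, events in by_device.items():
        recent = []  # (t, dst) pairs inside the sliding window
        for _, t, dst, dport in events:
            if dst in MALWARE_DOMAINS:
                raise_alert(device, "malware_site", f"{dst}:{dport}")
            elif (dst, dport) not in baseline[device]:
                raise_alert(device, "new_peer", f"{dst}:{dport}")
            recent = [(rt, rd) for rt, rd in recent if t - rt <= window] + [(t, dst)]
            distinct = len({rd for _, rd in recent})
            if distinct >= scan_hosts:
                raise_alert(device, "network_scan", f"{distinct} hosts within {window}s")
    return alerts
```

Running `detect(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))` yields three alerts: the camera's first unexpected peer, the camera's scan once ten distinct hosts fall inside the window, and the pump's contact with the listed domain. Replaying the baseline period through the detector produces nothing, which is the sanity check worth keeping when a baseline is refreshed.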

 

By weaving together risk scoring, vulnerability context, and real-time alerts, IoT Security provides the intelligent insights needed to move from a reactive to a proactive defense, securing all connected devices across the enterprise network.

 

Visibility & Reporting

Effective IoT security requires moving seamlessly from a high-level overview to granular detail. IoT Security provides deep visibility into network behaviors, discerning what is normal and detecting what is suspicious.

 

  • The Dashboard: Network security administrators can work interactively with the IoT Security dashboard in the Strata Cloud Manager unified management console. The IoT Dashboard instantly answers critical questions:
      • What's on my network? See a live count of all devices, alerts, and vulnerabilities.
      • What are they? View the distribution of devices by type, OS, and subnet.
  • The Asset Inventory: Presents a detailed inventory of discovered devices, including their status, risk score, name, profile, vendor, model, OS, IP address, MAC address, VLAN, and last activity. Administrators can drill down into a dynamic, filterable list of every IT, OT, and IoT device on the enterprise network. The full inventory can be downloaded as a CSV file for import into other platforms.
  • Risk Insights and Reporting: The IoT Security portal makes it easy to access and act on risk intelligence. From the main dashboard in Strata Cloud Manager, the "Devices" page includes a "Risk" column, allowing network security administrators to instantly sort and identify the highest-risk devices on their network. Clicking on any device provides a detailed breakdown of the alerts and vulnerabilities contributing to its score. For deeper analysis and compliance, administrators can generate custom reports on devices, network behaviors, and security risks. The platform lets administrators construct powerful queries using dozens of parameters (such as device type, OS, or vulnerability severity) and export the customized data in CSV format.

 

Control & Enforcement

In a ZTNA architecture, least-privileged access is foundational. For IoT environments, this means granting only the minimum access devices need to perform their intended functions - nothing more. Because most IoT devices are purpose-built and predictable, they are ideal candidates for precise, behavior-based policy enforcement.

 

Through native integration with Prisma SASE and NGFW, Palo Alto Networks offers the flexibility and scalability required for diverse environments. The solution recommends policies that can be enforced instantly through Palo Alto Networks' patented Device-ID technology. Device-ID allows Prisma SASE and the NGFW to:

 

  • Continuously identify and track individual devices, even as IPs or locations change
  • Apply context-aware security policies with Layer 7 visibility
  • Dynamically adjust controls based on device behavior and real-time risk
  • Provide rich telemetry for alert investigation and rapid response

 

This approach delivers highly scalable enforcement with minimal administrative overhead, significantly improving response times and threat containment. 

Device-IDs can also be used in policies for users, enabling a unified approach to Zero Trust enforcement across both users and devices. This marks a key evolution in segmentation: IoT security is no longer limited to device behavior alone, but extends to the interaction between users and devices.
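The recommended-policy workflow in the Control & Enforcement section and the user-to-device rules just described share one idea: rules are keyed on the device's identity and profile rather than its address, so they survive IP and location changes and can be combined with a user group. The following is an added example (not Palo Alto Networks code, and not the Device-ID or policy-recommendation implementation) that derives allow rules per device profile from constructed observations, appends a default deny, and evaluates new flows against them. The `Rule` and `Flow` shapes, the zone and application names, and the `min_share` threshold are all assumptions.

```python
# Added example (not Palo Alto Networks code): derive least-privilege rules per
# device profile from observed behaviour and evaluate new flows against them.
# Rules match on profile (and optionally user group), never on IP address, so a
# device keeps its policy when its address or location changes. Data is constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    profile: str            # device profile: the identity-based match criterion
    app: str                # allowed application (Layer 7), "*" for any
    to_zone: str            # destination zone, "*" for any
    action: str             # "allow" or "deny"
    user_group: Optional[str] = None   # set only on user-to-device rules


@dataclass
class Flow:
    device: str
    profile: str            # for user-initiated sessions: the target device's profile
    src_ip: str
    app: str
    to_zone: str
    user_group: Optional[str] = None


# Constructed observations from a learning period
OBSERVED = [
    Flow("cam-1", "ip-camera", "10.10.1.20", "rtsp", "dc-nvr"),
    Flow("cam-2", "ip-camera", "10.10.1.21", "rtsp", "dc-nvr"),
    Flow("cam-1", "ip-camera", "10.10.1.20", "ntp", "dc-infra"),
    Flow("cam-2", "ip-camera", "10.10.1.21", "ntp", "dc-infra"),
    Flow("pump-7", "infusion-pump", "10.10.5.7", "ssl", "dc-pharmacy"),
]

# Constructed user-to-device rule: only one user group may reach pump management
USER_RULES = [
    Rule("infusion-pump", "https-mgmt", "ot-biomed", "allow", user_group="biomed-engineers"),
]


def recommend_rules(observed, min_share=0.5):
    """Allow (app, zone) pairs used by at least min_share of a profile's devices; deny the rest."""
    devices = defaultdict(set)
    usage = defaultdict(lambda: defaultdict(set))
    for f in observed:
        devices[f.profile].add(f.device)
        usage[f.profile][(f.app, f.to_zone)].add(f.device)
    rules = []
    for profile in sorted(devices):
        for (app, zone), users in sorted(usage[profile].items()):
            if len(users) / len(devices[profile]) >= min_share:
                rules.append(Rule(profile, app, zone, "allow"))
        rules.append(Rule(profile, "*", "*", "deny"))   # least privilege: everything else
    return rules


def evaluate(rules, flow):
    """First matching rule wins; a profile with no rule at all is denied."""
    for r in rules:
        if r.profile != flow.profile:
            continue
        if r.app not in ("*", flow.app) or r.to_zone not in ("*", flow.to_zone):
            continue
        if r.user_group is not None and r.user_group != flow.user_group:
            continue
        return r.action
    return "deny"
```

Because `evaluate` never reads `src_ip`, a camera that moves to a new subnet is still allowed RTSP to the NVR zone and still denied SSH to the user LAN; the user-to-device rule sits ahead of the device-profile rules so that a biomed engineer reaches pump management while any other user group falls through to the pump profile's default deny.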

 

Conclusion

 

In the age of AI and hyperconnectivity, securing users alone is no longer enough. Modern enterprises must secure everything - users, devices, apps, and infrastructure - across every location. With IoT Security fully integrated with Prisma SASE and NGFWs, Palo Alto Networks offers a Network Security Platform that empowers organizations to move beyond fragmented tools and embrace a truly universal Zero Trust model that secures all entities.
