Zero Trust for IoT:
a plain answer to the VPN problem
IoT devices on private APNs and VPNs stay exposed. A VPN gives broad network access, so one compromised device opens a path to others.
Zero Trust removes that risk. It makes every connection device-initiated, hides your servers, and grants each device access to one application at a time. IXT delivers Zero Trust connectivity through the SIM, powered by Zscaler ZTNA, across cellular IoT in 190+ countries.
Frequently asked questions
A VPN was built to connect networks, not to limit what happens once you are inside one. When a device connects through a VPN tunnel, it reaches the whole network behind it. The tunnel does not inspect the traffic inside it or check what each device should be allowed to do. If one device is compromised, an attacker reaches everything that device reaches. A VPN also exposes an endpoint that has to listen for connections, which gives attackers something to find. For IoT, where devices sit in remote, unattended sites, that is a wide opening.
A private APN keeps your IoT traffic off the public internet. That is a good first layer. The limit is what happens inside it. A private APN hides traffic, but it does not defend it. It stays a flat network, so a device that gets onto it reaches other devices on it. If an attacker takes over one remote station, they are already inside the private APN, and from there they look for a way deeper. Separation is not the same as control.
Zero Trust removes the assumption that anything inside your network is safe. Every device and every session is treated as untrusted until verified. Instead of broad network access, each device gets access to one specific application and nothing else. For IoT this matters because the devices cannot defend themselves. They run limited software. They sit in the field for years. Zero Trust moves the security decision to the network, where every connection is checked against a policy before it is allowed.
Most IoT devices cannot run a security client. They are headless, with no screen, no user, and a limited IP stack. Traditional Zero Trust tools from the IT world need agent software on the endpoint, which rules out these devices. IXT takes a different route. The Zero Trust controls sit in the network, not on the device. Traffic from the SIM is brokered through a Zero Trust exchange that verifies every connection and lets each device reach only the application it needs. The device needs no software, no update, and no configuration change.
Field maintenance and vendor upgrades have meant handing a contractor a VPN client and broad access to your network. You cannot see the security state of their laptop, and once they are connected, they reach more than the one device they came for. Privileged remote access changes the model. The contractor logs in through a browser and authenticates. The session to your device is initiated from the Zero Trust exchange, not from their machine. They receive only the screen, so they cannot upload or download files unless you allow it. You set the hours, record the session, and require an employee to join if you want. Access ends when the job ends.
Lateral movement is how a small breach becomes a large one. An attacker gets onto one device that is not well protected, then uses it to reach a shared service, then reaches the systems that hold the data they want. The first device is rarely the target. It is the way in. IoT networks are open to this because they hold many low-protection devices on the same flat network. Segmentation answers it. When each device reaches only its own application, a compromised device has nowhere to go.
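The per-device, per-application rule described in the two passages above can be shown as a small default-deny policy broker. The example below is added here as an illustration; it is not IXT's or Zscaler's code, and the device identities (`sim-0001` and so on), application names and connection attempts are all constructed. It replays the lateral-movement pattern from the text: a compromised device that is allowed to reach its own broker tries a neighbouring device and a shared service, every such attempt is denied, and the repeated denials single the device out for investigation.

```python
"""Default-deny, one-device-one-application policy broker.

Added illustration of the segmentation idea on this page, not vendor code.
All device IDs, application names and connection attempts are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed policy: each device identity maps to exactly one application.
# Anything not listed here is denied (default deny), including other devices.
POLICY = {
    "sim-0001": "mqtt-broker",
    "sim-0002": "mqtt-broker",
    "sim-0003": "coap-server",
}


@dataclass
class Decision:
    device: str
    destination: str
    allowed: bool
    reason: str


@dataclass
class PolicyBroker:
    policy: dict
    denials: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)

    def evaluate(self, device: str, destination: str) -> Decision:
        """Decide one device-initiated connection attempt against the policy."""
        allowed_app = self.policy.get(device)
        if allowed_app is None:
            decision = Decision(device, destination, False, "unknown device")
        elif destination != allowed_app:
            decision = Decision(
                device, destination, False,
                f"not the assigned application ({allowed_app})",
            )
        else:
            decision = Decision(device, destination, True, "matches policy")
        if not decision.allowed:
            self.denials[device] += 1
        self.log.append(decision)
        return decision

    def suspicious_devices(self, threshold: int = 2) -> list:
        """Devices with repeated denials: the signature of a compromised
        device probing a flat network for a way deeper."""
        return sorted(d for d, n in self.denials.items() if n >= threshold)


def run_sample() -> PolicyBroker:
    """Replay constructed connection attempts, including a lateral-movement
    sequence from sim-0001 after it reaches its legitimate broker."""
    broker = PolicyBroker(POLICY)
    attempts = [
        ("sim-0001", "mqtt-broker"),   # normal telemetry, allowed
        ("sim-0001", "sim-0002"),      # device-to-device hop, denied
        ("sim-0001", "coap-server"),   # another device's application, denied
        ("sim-0001", "billing-db"),    # shared backend service, denied
        ("sim-0003", "coap-server"),   # normal, allowed
        ("sim-9999", "mqtt-broker"),   # unknown SIM, denied
    ]
    for device, destination in attempts:
        broker.evaluate(device, destination)
    return broker


if __name__ == "__main__":
    b = run_sample()
    for d in b.log:
        print(f"{d.device} -> {d.destination}: "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("suspicious:", b.suspicious_devices())
```

On a flat VPN or private APN the second and fourth attempts would succeed at the network layer because reachability is the only control; here the policy is evaluated per connection, so the first compromised device has nowhere to go, and the denial count gives the operator a signal to act on.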
This is a fair concern for time-sensitive IoT traffic. Adding security checks sounds like adding delay. In practice the impact on response time is slight. The checks run in parallel rather than one after another, so the device sees little difference. You also gain visibility you did not have before, including a measure of how long a policy takes to apply from the endpoint.
For most deployments, nothing changes on the device. A sensor that talks to an MQTT broker or a CoAP server keeps talking to it the same way. What changes is underneath. By default the device receives a synthetic IP address, so the real address of your backend server stays hidden. You decide in policy whether to show the real IP or mask it. The application sees the traffic arrive through an app connector inside your environment, which means there is no exposed endpoint for an attacker to find.
Most IoT connectivity providers give you a SIM and a VPN, then leave security to you. IXT runs its own core network as a full MVNO, so the security sits in the network the traffic already travels through. Zero Trust connectivity is delivered through the SIM, powered by Zscaler ZTNA, with no client software on the device. Every connection is device-initiated, so there are no exposed ports for an attacker to reach. You get one global SIM, one data pool, and security built into the connection rather than added on top.