The scaling out to many thousands of devices per organization represents a wealth of new opportunities, according to a report by Quocirca. However, the same security rigor and vigilance applied to traditional IT devices needs to be extended to all connected things.
The IoT is an evolutionary concept with as much power to improve existing, or brown-field, business processes as it has to create new green-field ones. Many equate the IoT purely with machine-to-machine (M2M) communications, but it is also about how humans interact with machines, whether human-to-machine (H2M), as with industrial equipment or consumer devices, or machine-to-human (M2H), as with digital signage.
One thing is certain: all this activity adds up to a huge number of devices, with the overall average per individual UK organization expected to run into the thousands over the next 12 months. All these devices will be attached to a variety of networks, resulting in increased stress on both existing and new networks.
Although the report – compiled from the responses of 100 senior UK IT managers – shows that security is considered highly important by all respondents, it is clear that no business can ignore the wide range of issues arising from the growing numbers of network attached devices that constitute the IoT. Below is a breakdown of key findings and statistics from the report:
Relevance: a small number (3%) think the IoT is overhyped, but the overwhelming majority say the IoT is already impacting their organization (37%) or will soon (45%).
Personal to global: respondents expect the IoT to scale up through vehicles, buildings and cities to the national and global level. Management and security capabilities put in place to support IoT must operate at these scales.
Design: effective management and security are only possible through good design. 66% of respondents view IoT deployment as a series of hubs that interoperate with spokes on closed networks, making network configuration and security more manageable.
Security: security starts with identity. 47% of respondents are already scanning IoT devices for vulnerabilities, and another 29% are planning to do so. When asked about the capabilities they feel are most important for authenticating the identity of devices, nearly all see DNS services as playing an important role. More experienced users supplement these with third-party registry and IoT database services.
“Sceptic or otherwise, the IoT is now relevant to all organisations. Whether IoT applications are deployed to help IT function, driven by lines of business or through devices introduced by end users, various practices will need adapting to accommodate the millions of things involved which will, over time, dwarf the number of traditional IT endpoints,” explained Bob Tarzey, Analyst & Director, Quocirca. “These challenges can be minimized through thoughtful design and the use of hubs, in addition to new networks, management tools and security capabilities to get the most out of the IoT. Quocirca’s research suggests that the cost of supporting investments can be justified by the business value derived from newly IoT-enabled applications.”
Many IoT security issues, such as data protection, botnet recruitment and DDoS-style attacks on IoT-enabled processes, are addressable by adapting and scaling measures that are already in place for existing IT infrastructure. For instance, 39% of respondents were found to have DDoS protection in place, with another 31% planning a deployment. However, the report found that there is not much difference between major IoT users and sceptics, as DDoS attacks have been an issue for many years. More could be done to address the problem.
Adopting a decentralized security and management model avoids the need for each device to have a unique IP address. In this model, a gateway that does need a unique IP address (for example, a network router, set-top box or smartphone) controls communications with the outside world and in turn communicates onwards with remote devices, which do not need unique IP addresses. This approach can work at scale, making the selective, effective and cost-efficient deployment of IoT security more straightforward, as scanning can be carried out using the same processes in place for existing IT endpoints. 35% of experienced IoT users already recognize the value of such an approach.