Over 20% of enterprises will have digital security services devoted to protecting business initiatives using devices and services in the Internet of Things (IoT) by year-end 2017, according to Gartner. The firm defines digital security as the risk-driven expansion and extension of current security risk practices that protect digital assets of all forms in the digital business and ensures that relationships among those assets can be trusted.
“The IoT now penetrates to the edge of the physical world and brings an important new ‘physical’ element to security concerns. This is especially true as billions of things begin transporting data,” says Ganesh Ramamoorthy, research vice-president at Gartner. “The IoT redefines security by expanding the scope of responsibility into new platforms, services and directions. Moving forward, enterprises should consider reshaping IT or cybersecurity strategies to incorporate known digital business goals and seek participation in digital business strategy and planning.”
In an IoT world, information is the “fuel” that is used to change the physical state of environments through devices that are not general-purpose computers but, instead, devices and services that are designed for specific purposes. As such, the IoT is at a conspicuous inflection point for IT security, and the chief information security officer (CISO) will be on the front lines of its emerging and complex governance and management.
The IoT is redrawing the lines of IT responsibilities for the enterprise. IoT objects possess the ability to change the state of the environment around them, or even their own state (for example, by raising the temperature of a room automatically once a sensor has determined it is too cold, or by adjusting the flow of fluids to a patient in a hospital bed based on information about the patient’s medical records).
“Governance, management and operations of security functions will need to be significant to accommodate expanded responsibilities, similar to the ways that bring your own device (BYOD), mobile and cloud computing delivery have required changes – but on a much larger scale and in greater breadth,” says Ramamoorthy. “IT will learn much from its operational technology (OT) predecessors in handling this new environment.”
Although an IoT device may seem new and unique, the services that the device consumes run on a hybrid of old and new technology infrastructure. Securing the IoT will force most enterprises to use technologies from all eras, old and new, to secure devices and services that are integrated via specific business use cases.
A unique characteristic of the IoT is the sheer number of possible combinations of device technologies and services that can be applied to those use cases. What constitutes an IoT object is still up for interpretation, so securing the IoT is a “moving target”.
“Ultimately, the requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security,” Ramamoorthy says. “However, CISOs will find that, even though there may be complexity that is introduced by the scale of the IoT use case, the core principles of data, application, network, systems and hardware security are still applicable.”