IoT security is still being viewed through the prism of enterprise security, which is built on medieval logic. First, build a big moat around your castle – offices and data centers. Second, if you need mobility, painstakingly build and outfit operators with armor to go out into a dangerous and cruel world. Hopefully, these “outside operators” won’t bring back disease. If they do, then burn everything! Back then, the whole thing was as expensive and messy as it is in relation to enterprise security today.
First, let’s define the Internet of Things as it relates to this article. Although we are frequently focused on $5 sensors, IoT is really the Internet of “Everything”. IoT is not just the Internet of gadgets; autonomous vehicles and $20-million mining machines are IoT devices as well.
Also, IoTs don’t function in a vacuum – they belong to ecosystems. The IoT Ecosystem consists of one or more endpoints, applications, data sets, and management platforms. Endpoints function as sensors, or perform electronic or mechanical functions, and depend on the applications as much as the applications depend on them. Frequently, IoT Ecosystems are wildly distributed and mobile.
IoT Ecosystems are dramatically different than anything in the enterprise today. Traditional enterprise security, built over time in response to specific threat types, is based on piecemealing disparate security silos with disparate elements. This approach, though not optimal, seemed manageable for a traditional enterprise largely made of:
- Standards-based hardware with plenty of horsepower
- Standards-based software
- Sporting a 3-5 year lifespan
- Operating within a few highly accessible networks
- Accessing unlimited electrical supplies technologies
- Physically touchable by people who manage them
Contrast this environment with what we find in IoT:
- Purpose-built devices with no hardware guidelines
- Software that is non-standard
- Designed for an 8-20 year lifespan
- Platform that is highly distributed and mobile
- Sipping limited and controlled power resources
- Minimal access to human touch or altogether inaccessible
Traditional enterprise security environments and the realities of IoT could not be more different.
IoT Ecosystems are typically highly distributed beyond the location(s) of the endpoints. The applications, data sets and management for IoT endpoints all operate from disparate platforms and locations. And because more and more operational tools are showing up with IP addresses, IT will not control the how, when and where of IoT network participation. Traditional management processes simply will not scale, or be agile enough for these environments.
Placing many devices with external dependencies and control on a shared network neuters perimeter security. In addition, having many IoTs on a common shared network significantly increases cross-contamination risk. This risk increases exponentially with the addition of each new device and IoT brand.
Faced with these challenges, many organizations will continue applying their historical “silo” security approach to IoT because it is what they know. However, they will quickly be overwhelmed managing multiple point technologies that do not scale with the demands of IoT.
Where do we go from here?
We must recognize that new IoT security models will consume enterprise security – it is inevitable. IoT is not the tail – it is the dog! We need to move away from the “death by a thousand cuts” silo approach and move to a security model that is simple, agile, adaptive, and sustainable. And, the new model must work across an organization’s entire technology expanse.
In addition, IoT security choices must take into account the extended 8-20 year lifespan of an IoT device. No longer can we think in terms of a three-year refresh cycle, with constant upgrades to the compute and memory needed to run the latest on-board security application.
IoT has already shifted how we work and will continue to do so at a more and more rapid pace until it reaches blistering proportions. There are viable security options, but they require that we shed our security conservatism. Managing security individually on hundreds of thousands or millions of assets, all of which are different, is impossible. Datacenter grade security delivered from-the-cloud “for” entire IoT Ecosystems rather than “on” each individual device is not just viable, but the new necessity. This will become the new standard over time.
About Acreto IoT Security
Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.