July 9th, 2018 |
For the last 30 years, enterprise technologies have represented the pinnacle of capability, scale and complexity in the IT space. Anyone remotely connected to the enterprise space has heard the term “Enterprise-Grade”, and technology companies work hard to earn the elite product label, “Enterprise-Grade”. However, IT operating models have changed dramatically, and as they continue to evolve, many “enterprise” product offerings have just not adapted. IoT Security is one such area.
The first round of changes were driven by the transition to the cloud, where platforms, users and data operate in a distributed fashion and are remote to one-another. Today, it’s not uncommon for teams from across the planet to talk, collaborate or share data, just as easily as they would if they were in the same office.
The industry’s response has been to tweak existing options to make them cloud-ready. But these tweaks are like whittling away at square pegs to force-fit them into round holes. It’s not pretty, it’s not smooth, and at the end of the day – it’s still a mangled square peg.
This has never been more true than with Cyber-Security tools and technologies. Since the industry came to be in the late 1980s, there have been two security tool options: on-device or gateway.
On-device is marred by limited function and capabilities, while Gateway suffers from its lack of mobility. These options were acceptable with traditional enterprises, but they fell flat with highly distributed and diversified enterprises known as the New Enterprise.
Both on-device and gateway security approaches, when employed for the New Enterprise, make things very complex for two reasons:
- Many disparate security technologies have to be acquired, implemented, integrated, operationalized, managed, troubleshot and refreshed every 3-5 years.
- Different batches of disparate security technologies are needed for each compute silo, such as Clouds, SaaS, Offices, Data Centers, Remote Users, and Mobile Devices.
This has made security for the New Enterprise much more complex and expensive, with far less agility. Complexity is the enemy of security, resulting in less effective security. That is a lot of blood and treasure for marginal results — at best!
IoTs: Molding Enterprise Technologies in their Likeness
Enter the Internet-of-Things (IoT). IoTs will turn the current approach to security on its head. First, let’s take a look at the difference between IoTs and Enterprise technologies.
Unlike standard-based, high-powered enterprise technologies that use only a handful of operating systems, the majority of IoTs cannot function autonomously. IoTs have even introduced a new application model called dependency computing. Thanks to their highly distributed, purpose-built nature and limited resources, IoTs are dependent on a supporting application. That application is often remote and cloud-based. And just as the IoT is dependent on the application to perform its function, the application depends on the IoT’s contributions to to fulfill its purpose.
Another standout difference is that IoTs have an 8-20 year lifespan, a significantly expanded lifetime in comparison to their enterprise counterparts’ 3-5 years. Coupled with distributed or mobile implementations, it means that updates and upgrades can be expensive or prohibitive altogether. Any meaningful security needs to be future-proof, providing sustainability over a device’s 20 year life.
Yet another difference is the operating network. Enterprise technologies mainly operate on secured networks the organization owns and controls. IoTs need to operate on a much wider array of networks that often include multiple disparate public and private networks.
So, it is not uncommon for the location, network, IoT and its dependent applications to be owned and operated by completely different and disassociated parties.
Energy-Rich Enterprises Meet Low-Powered IoTs
One of the most impactful challenges for IoTs and IoT security is power consumption. Enterprise tech has unlimited access to power compared to IoTs, many of which are often limited to on-board power systems. Some of these units have embedded batteries intended to power the device for its full life-cycle, which can be as much as 20 years.
Juxtapose that with the power drain that resource-intensive security functions place on the battery. Ongoing and consistent attacks on devices can lead to premature mortality for devices, by way of battery drain. In fact, if enough IoTs are consistently attacked, the power drain could jeopardize application function or availability.
Then the organization has to decide whether to roll out replacements or operate without the out-of-commission IoTs. In some use-cases depending on the IoT replacement or break-fix costs, some may abandon the application altogether.
Death by 50 Billion IoTs
This drives the next point: IoTs have long-term ownership challenges. Touching an IoT for maintenance is an extremely expensive process, if even possible. And of all technology functions the IoTs may be asked to perform, Security requires the most touches in the form of updates and upgrades.
Considering that security tools need to be upgraded every 3 years or so to keep up with a very dynamic threat landscape, rolling out devices today means that they have security for ½ to ¼ the life of the useful life of the IoT. This is further exasperated by the inability to know that in 3 years an enhanced on-device security option will even be available, and the device is capable of being updated and upgraded.
Then there is scale. Slated to top 50 billion devices in the next 3-4 years, IoTs operate at a scale that the technology industry has never experienced. So not only does the solution need to support distributed, fragmented and under-powered tech, but it has to do it for an unprecedented number of devices. The scale issue alone means that many organizations have to re-think their whole technology strategy.
By virtue of the scale, pricing models have to be re-thought. No one can afford to build out disparate security stacks of many different products for each of the clouds, SaaS, Data Centers and Remote users, and another patchwork quilt of IoT security for all the IoTs in their environment. And no one is willing to pay enterprise prices for the massive volume of different IoTs that need to be supported.
Enterprise-Grade Cedes to IoT-Grade
As the industry has started to regain its balance from the invasion of the cloud, IoTs have appeared on the scene to completely disrupt technology standards and operating models all over again. IoT, especially IoT security has started to, and will continue to knock enterprise security down notch after notch, ultimately to replace the term “Enterprise-Grade” with “IoT-Grade”.
It’s fair to think of enterprise as the 800-pound gorilla, however, the collective IoT pool can best be represented by a massive swarm of bees. With the coming of age of the cloud and now the proliferation of IoTs, the old and tired enterprise security model will suffer a death by a thousand stings from IoT’s killer swarm.
Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.