For businesses, IoT promises to revolutionise everything from inventory management and distribution to sales and marketing. Connected devices help to speed operations and generate actionable data that gives deeper insight into how consumers are using products and services – increasing the quality of customer support, enabling targeted marketing campaigns and, hopefully, increasing customer loyalty and profit.
IDC predicts that by 2017, IoT devices will generate $7.3 trillion in revenue. Not surprisingly, this massive market opportunity has many companies eager to bring innovative connected devices to market. The range of available IoT-ready equipment grows daily – from personal health and fitness devices to connected lighting systems to workplace safety monitors – everyone is getting into the IoT game.
It’s certainly an exciting time. We are experiencing real innovation and it’s generating some serious revenue. Looking beyond the dollar figures, though, a key concern for anyone trying to get into or take advantage of IoT needs to be security. With hacks, breaches and data leaks making headlines on a daily basis, confidence in the security of business technology is low. It’s understandable how that scepticism has made its way to the IoT as well. In order for the IoT to live up to all of its potential, we need to get the security strategy right.
The Security Implications of the IoT
Everyday IT security fears of having sensitive information stolen (or business systems crippled) by malicious hackers only scratch the surface of what we are facing with the IoT. Data compromise is still a huge concern, but hackers gaining remote access to connected cars, planes, nuclear power plants, building-control systems and implanted medical devices can result in catastrophe. Even everyday devices could give criminals access to a wealth of sensitive information, such as people’s daily routines, the time of day a house is unoccupied, etc.
It’s certainly a scary concept, but it’s also preventable. As we continue to connect more and more devices, security cannot be an afterthought. Companies looking to embark on IoT initiatives need to bake in security from the outset and deploy devices on platforms specifically designed to verify the identity of the vast number of people, devices and IT systems permitted to exchange data with one another (and precisely what data each is permitted to access from where).
Security Starts with Identity
There are many facets of security, but a good security posture always starts with the ‘who’. Who is accessing what device, and how and when they are accessing it, are all critical questions that need to be answered. That’s where Identity and Access Management (IAM) comes in. A good identity management program enables a business to have visibility into exactly who and what is accessing the network and to quickly provision identities when access rights need to be added, deleted or changed. It’s certainly not an easy task and becomes even more complex in the world of IoT. Connecting anything with an On/Off switch has immense potential to change the way we live and work, but if not secured correctly it can open a Pandora’s Box of vulnerabilities. Connected devices aren’t the ‘set it and forget it’ products of the past. They are connected to the Internet and to each other, and have a myriad of users that require access.
Additionally, and to make things even more complex, it’s not just about the identity of the user. The identity of the device is equally if not more important. Establishing trust in a remote, connected device is one of the hardest problems to solve in IoT. However, once you can trust that the device is the exact model and serial it claims to be, and is running an OEM-verified firmware, it becomes much easier to solve other security challenges like ensuring that the remote device has not been compromised. Once you can trust the device’s and the user’s identity independently, you can build and broker trusted communication and information sharing between them for many different use cases. Unfortunately, unless you are a security expert, getting there isn’t easy.
According to analyst firm Gartner, by year-end 2017, the IoT will drive device and user relationship requirements in 50% of new identity and access management implementations. That’s a huge number – but more troubling is that Gartner also believes that today’s IAM cannot provide the scale or manage the complexity that the IoT brings to the enterprise. This essentially means that traditional security infrastructures are not ready for the potential risks IoT brings with it.
While building a robust IAM system for IoT devices is certainly not easy, it doesn’t have to be impossible. Rather than taking the DIY approach, companies should look to partner with experts who have a strong track record with IAM in the IoT. Many offer IoT platform as a service (PaaS) options that can help offload some of the work altogether.
The IoT offers one of the best and most innovative market opportunities we have seen since the dawn of the Internet. We learned a lot about security from the evolution of the Internet – lessons we continue to learn. Those lessons are our best blueprint on how to ensure the IoT remains one of the greatest innovations of our time – and not a playground for cyber-criminals.
Calum Barnes is senior software engineer at Xively by LogMeIn