The Internet of Things likely to drive an upheaval for security

Securely managing IoT will require a combination of IT, physical and industrial control security, Gartner says

Analyst firm Gartner expects the Internet of Things (IoT) to drive a convergence of IT, physical and industrial control security practices over the next several years.

Much of the convergence will result from the sheer heterogeneity and number of devices that will become Internet-enabled by 2020. Current estimates range from Gartner's 26 billion devices to IDC's mind-boggling projection of 212 billion installed devices.

While most of the devices are unlikely to pose security threats, many will intersect with enterprise networks in the form of smart heating and lighting systems, equipment monitoring and maintenance sensors, industrial robots, asset tracking systems, plant control systems and personal devices such as fitness bands and smartwatches.

Managing those devices securely will require a combination of security skills, said Earl Perkins, Gartner analyst and the author of a new report that looks at the security implications of the IoT for CISOs.

"We are at the early stages of a major inflection point in security," Perkins said.

Most of the devices will be function-specific and use a variety of non-standard communication protocols. The devices will also feature embedded operating systems and software that provide little way for IT to add a security layer on top. Some devices will just be sensors for storing and forwarding data. Often, new devices will need to interact with older systems and software.

While IT organizations have been able to add some measure of protection to smartphones, tablets and other mobile devices in the workplace, they will find it hard to do the same with many of the devices that will comprise IoT in a few years.

Instead of layering protection at the device level, organizations may need to think about centralizing and aggregating security controls via gateway devices. The massive number of devices that will need to be managed in this way could pose new problems.

"There will be many different kinds of service providers who will contribute to security" in the enterprise, Perkins predicted. In addition to traditional security vendors, others like embedded application and operating system vendors and equipment manufacturers will have a role to play, too.

"All of [these entities] will become players in the security space," Perkins noted. "Some will be customers of security and some will contribute to security."

Dealing with the real-time, event-driven applications and non-standard protocols that define much of IoT will require significant changes to app testing, vulnerability, identity and access management practices, Perkins said. It will also require changes to other practices such as governance, management and enforcement of security functions.

Just as mobile devices and the BYOD trend have forced IT managers to think differently about security, IoT will require companies to rethink what they do. The main difference is that the scale is magnitudes larger than what security managers deal with now, he said.

The challenge for IT is less about technology and more about getting ahead of the security curve. Many of the technology controls needed to secure a highly connected world already exist. What CISOs and other IT managers need to focus on are policy and process -- specifically, developing secure deployment practices and policies and putting in place architectural foundations for accommodating new IP-enabled devices.

The issues confronting IT are no different from the challenges they faced when migrating from mainframes to client/server or to mobile, the Web and the cloud. "Every time we have a major inflection point, we seem to make the same mistakes. We allow it to get away from us and end up playing catch up for the next five to 10 years."

IoT presents another opportunity for IT to get ahead on security, Perkins said. "Just like every new generation of technology, we've got to be sanguine about how to approach it."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
