The Internet of Things: Security's endpoint nightmare gets supersized

It wasn't too long ago that the Internet of Things (IoT) was just another catchphrase for a niche class of product that was expected to slowly creep from the periphery of the CSO's attention towards the mainstream.

But with the IoT market now growing faster than most initially expected, the urgency to manage it with workable security technologies has become a pressing priority for every IT executive.

Just how quickly the IoT market is growing depends on who you ask: IDC, for one, has projected a market that is growing at 16.9 percent annually and will nearly triple to be worth $US1.7 trillion by 2020. ABI Research has predicted a total of 40.9 billion active, wirelessly-connected devices will be installed by 2020 – up from 16 billion in 2014.

This growth will be driven as much by an increasingly diversified array of connected products – smart meters, smart cars, smart lightbulbs, smart dishwashers, machine-to-machine (M2M) communications, embedded environmental sensors, home routers, drones, smartwatches and a dizzying array of other gadgets – as by the rapid maturation of the enabling and supporting technologies needed to make a widely connected IoT ecosystem a reality.

Those enabling technologies reached Australia in April after IoT-networking aspirant Thinxtra announced that it had begun deploying a live SIGFOX public network in Sydney and Melbourne. SIGFOX is a low-power wide area network (LPWAN) technology that uses long wavelengths to allow IoT devices to send up to 140 packets of data per day, each containing just 12 bytes, over distances of up to 1000km.

Access to a live SIGFOX environment – which complements competing IoT initiatives such as Nest Labs' Thread protocol, ZigBee mesh networking, LTE-MTC and LTE-M cellular M2M protocols, and others – is likely to light a fire under IoT adoption amongst Australian enterprises that still generally speak of IoT as something that is yet to make a serious impact on corporate strategy.

Yet even as the inevitable new applications come to fruition – Verizon's State of the Market: Internet of Things 2016 report suggests that utilities, home monitoring and sensor-driven transportation applications are likely to lead corporate adoption – the need to secure those channels and their enabling platforms will be pre-eminent.

This, according to Verizon Enterprise Solutions managing director for operations and strategy Robert le Busque, is where the technology's security implications will come to the fore. “Development in the IoT space is accelerating far faster than we could have imagined or projected,” he explains.

“It's a rapidly maturing market that is no longer a mashup of technology and devices and software being deployed by early adopters; we're really starting to see large-scale, dense applications appearing and an incredibly healthy ecosystem as well. IoT will be a significant multiplier in terms of the amount of data that is collated, organised and interpreted – and the security challenges for IoT are no different to security questions elsewhere.”

While network managers may see IoT networks as simply conventional networks with thousands or millions of data-generating endpoints, this unprecedented scale means automation of related security infrastructure will be critical – as will deployment of a data-analytics platform capable of combing through and meaningfully curating massive volumes of data.

Methodically anonymising and tokenising data play a key part in this process, as does the establishment of a robust identity-driven infrastructure that can manage data credentials and access to IoT networks.

By approaching IoT security in multiple layers – named by Verizon as governance, risk and compliance; threat management; authentication and privacy; and professional security services – every stage of the process, and its associated security risks, can in theory be effectively contained.

Yet continuing demonstrations of the hackability of IoT devices – home routers, cars and other devices are regularly being hacked in proofs of concept – are fuelled by a growing conceit that their manufacturers simply aren't concerned about security. This poses practical concerns given that a recent Bullguard survey suggested that consumers are drowning in gadgets and – despite two-thirds of UK respondents saying they were highly concerned about the security of those devices – were nonetheless expecting outside parties to secure them.

This expectation has been driving remote-access giant LogMeIn to invest heavily in the IoT space, launching its Xively IoT security and connectivity platform in 2013 and recently complementing it with LastPass – an identity-based authentication system that LogMeIn CEO Bill Wagner believes will impose order on an “utterly unconnected” world that will struggle to scale along with IoT.

“The majority of connected products are made by companies that are not software companies, and they don't really know how to deal with security issues,” Wagner explains, highlighting the growing importance of IoT platforms in a steadily expanding security context.

“They really have no interest in building their own IoT management platform and capabilities,” he continues. “For us, identity manifests itself across the entire portfolio – and we can map device and identities for the different products to make sure that IoT users have authorisation and identification built into the platform. Security now has to be part of every discussion.”

As IoT becomes increasingly driven by emergent business requirements, those discussions will also need to incorporate broad reconsideration of the over-arching security policies by which organisations manage their devices.

This requirement will be particularly pointed because the screen-free, keyboard-free design of many IoT devices is mandating new approaches to user and device authentication.

These new approaches will require a rethink of the very idea of network identity and authentication, says Patrick Harding, chief technology officer with Ping Identity.

That company recently launched two Australian data centres to support its cloud-based authentication system – eliminating the latency of identity-management calls that will become even more common as IoT devices draw on parameters like context and location as additional factors by which to authenticate themselves across increasingly dispersed networks.

Businesses “are realising that they need to completely rethink and refresh the identity infrastructure they have been using for 20 years,” Harding explains. “Imagine when there are a billion devices out there, each with their own password: the whole security model is going to break down immediately.”

“This is why we have to be moving identity standards directly into all of these participants in the environments, and have those things dynamically authenticating and authorising one another. This has got to be more automated and dynamic, in ways that we haven't really thought about even today.”

Stories by David Braue