IoT will re-shape enterprise IT security programmes by 2020


2 May 2014

Gartner has predicted that the Internet of Things (IoT) security requirements will reshape and expand over half of all global enterprise IT security programmes by 2020.

"The IoT is redrawing the lines of IT responsibilities for the enterprise," said Earl Perkins, research vice president at Gartner. A reason for this is the ability of IoT objects to change their state and the state of the environment around them. He gave the examples of raising the temperature of a room automatically once a sensor has determined it is too cold, or adjusting the flow of fluids to a patient in a hospital bed based on information about the patient’s medical records.

These developments present an inflection point for security. “CISOs (chief information security officers) will need to deconstruct current principles of IT security in the enterprise by re-evaluating practices and processes in light of the IoT impact,” said Perkins.

For example, real-time, event-driven applications and non-standard protocols will require changes to application testing, vulnerability, identity and access management. There will also have to be changes in the way organisations handle network scale, data transfer methods and memory usage differences, as well as the governance, management and operations of security functions to accommodate expanded responsibilities.

Another point that Perkins raised is that although the business use cases being identified daily are innovative and new, the technologies and services that deliver them are seldom new themselves. They are also seldom uniform in architecture and design. Given this scenario, each use case's risk profile is likely to require the use of an old platform and service architecture with a new technology "overlay" to improve performance and control.

This represents an interesting challenge for CISOs when delivering secure services for the IoT. In some cases, it may be a “past is future” exercise in evaluating mainframe, client/server, Web, cloud and mobile security options as part of an overall IoT business use case, said Gartner. Even out-of-maintenance systems such as Windows XP may still play a critical role for some industry infrastructure as part of an IoT security system.

Security planners should therefore not throw away their old security technology manuals, said Perkins. Instead, they should evaluate the potential of integrating new security solutions with old.

Many traditional security product and service providers are already expanding their existing portfolios to incorporate basic support for embedded systems and machine-to-machine communications, including support for communications protocols, application security and IAM requirements that are specific to the IoT.