The Internet of Things: Security's endpoint nightmare gets supersized

It wasn't too long ago that the Internet of Things (IoT) was just another catchphrase for a niche class of product that was expected to slowly creep from the periphery of the CSO's attention towards the mainstream.

But with the IoT market now growing faster than most initially expected, the urgency to manage it with workable security technologies has become a pressing priority for every IT executive.

Just how quickly the IoT market is growing depends on who you ask: IDC, for one, has projected a market that is growing at 16.9 percent annually and will nearly triple to be worth $US1.7 trillion by 2020. ABI Research has predicted a total of 40.9 billion active, wirelessly-connected devices will be installed by 2020 – up from 16 billion in 2014.

This growth will be driven as much by an increasingly diversified array of connected products – smart meters, smart cars, smart lightbulbs, smart dishwashers, machine-to-machine (M2M) communications, embedded environmental sensors, home routers, drones, smartwatches and a dizzying array of other gadgets – as by the rapid maturation of the enabling and supporting technologies needed to make a widely connected IoT ecosystem a reality.

Those enabling technologies reached Australia in April after IoT-networking aspirant Thinxtra announced that it had begun deploying a live SIGFOX public network in Sydney and Melbourne. SIGFOX is a low-power wide area network (LPWAN) technology that uses long wavelengths to allow IoT devices to send up to 140 packets of data, each containing just 12 bytes, per day over up to 1000km.

Access to a live SIGFOX environment – which complements competing IoT initiatives such as Nest Labs' Thread protocol, ZigBee mesh networking, LTE-MTC and LTE-M cellular M2M protocols, and others – is likely to light a fire under IoT adoption amongst Australian enterprises that still generally speak of IoT as something that is yet to make a serious impact on corporate strategy.

Yet even as the inevitable new applications come to fruition – Verizon's State of the Market: Internet of Things 2016 report suggests that utilities, home monitoring and sensor-driven transportation applications are likely to lead corporate adoption – the need to secure those channels and their enabling platforms will be pre-eminent.

This, according to Verizon Enterprise Solutions managing director for operations and strategy Robert le Busque, is where the technology's security implications will come to the fore. “Development in the IoT space is accelerating far faster than we could have imagined or projected,” he explains.

“It's a rapidly maturing market that is no longer a mashup of technology and devices and software being deployed by early adopters; we're really starting to see large-scale, dense applications appearing and an incredibly healthy ecosystem as well. IoT will be a significant multiplier in terms of the amount of data that is collated, organised and interpreted – and the security challenges for IoT are no different to security questions elsewhere.”

While network managers may see IoT networks as simply conventional networks with thousands or millions of data-generating endpoints, this unprecedented scale means automation of related security infrastructure will be critical – as will deployment of a data-analytics platform capable of combing through and meaningfully curating massive volumes of data.

Methodically anonymising and tokenising data play a key part in this process, as does the establishment of a robust identity-driven infrastructure that can manage data credentials and access to IoT networks.

By approaching IoT security in multiple layers – named by Verizon as governance, risk and compliance; threat management; authentication and privacy; and professional security services – every stage of the process, and its associated security risks, can in theory be effectively contained.

Yet continuing demonstrations of the hackability of IoT devices – home routers, cars and other devices are regularly being hacked in proof-of-concepts – are fuelled by a growing conceit that their manufacturers simply aren't concerned about security. This poses practical concerns given that a recent Bullguard survey suggested that consumers are drowning in gadgets and – despite two-thirds of UK respondents saying they were highly concerned about the security of those devices – were nonetheless expecting outside parties to secure them.

This expectation has been driving remote-access giant LogMeIn to invest heavily in the IoT space, launching its Xively IoT security and connectivity platform in 2013 and recently complementing it with LastPass – an identity-based authentication system that LogMeIn CEO Bill Wagner believes will impose order on an “utterly unconnected” world that will struggle to scale along with IoT.

“The majority of connected products are made by companies that are not software companies, and they don't really know how to deal with security issues,” Wagner explains, highlighting the growing importance of IoT platforms in a steadily expanding security context.

“They really have no interest in building their own IoT management platform and capabilities,” he continues. “For us, identity manifests itself across the entire portfolio – and we can map devices and identities for the different products to make sure that IoT users have authorisation and identification built into the platform. Security now has to be part of every discussion.”

As IoT becomes increasingly driven by emergent business requirements, those discussions will also need to incorporate broad reconsideration of the over-arching security policies by which organisations manage their devices.

This requirement will be particularly pointed because the screen-free, keyboard-free design of many IoT devices is mandating new approaches to user and device authentication.

These new approaches will require a rethink of the very idea of network identity and authentication, says Patrick Harding, chief technology officer with Ping Identity.

That company recently launched two Australian data centres to support its cloud-based authentication system – eliminating the latency of identity-management calls that will become even more common as IoT devices draw on parameters like context and location as additional factors by which to authenticate themselves across increasingly dispersed networks.

Businesses “are realising that they need to completely rethink and refresh the identity infrastructure they have been using for 20 years,” Harding explains. “Imagine when there are a billion devices out there, each with their own password: the whole security model is going to break down immediately.

“This is why we have to be moving identity standards directly into all of these participants in the environments, and have those things dynamically authenticating and authorising one another. This has got to be more automated and dynamic, in ways that we haven't really thought about even today.”
