The Internet of Things (IoT) is set to represent the most significant IT opportunity of a generation. By 2020, it is estimated that between 25 billion and 1 trillion devices will be connected to the Internet – creating a true “Internet of Everything.” From smart TVs to intelligent cars and wearable computers, almost everything around us is going to be online, and communicating.
The potential limits of the IoT are still unknown. As even rural communities get involved with plans to track sheep via digital collars and recent data from Beecham Research hints at the huge potential improvements to the farming industry, it begs the question of where this “always on” world will lead us.
Just as the potential scope of the IoT is undiscovered for now, the full security implications are also unknown. Billions of connected devices will offer new opportunities but security measures will have to be considered for every device and sensor. Everything must be managed and secured but, on such a large scale, this is a major challenge. Failure to ensure that the correct security measures and protocols are in place will have significant repercussions on data protection and privacy. The vast scale of the IoT requires a completely different attitude to IT security: identity will be key.
Identity is becoming increasingly important, more complicated and less manageable. We all now have an aggregate identity; from our corporate log-ins to LinkedIn, Facebook, plus individual usernames and passwords for online banking, etc. User identity is nothing new but identity of devices must also be considered when looking at the huge scope of the IoT. This will enable device behaviour to be analysed and anything unusual can set alarm bells ringing. Imagine a freighter's engines, comprised of expensive components which are difficult to maintain. If each component was given its own unique identity and tracked from initial manufacturing to final replacement, we would be able to optimise its useful lifespan and eliminate unnecessary downtime. Identity is at the very heart of everything the IoT will become.
This identity factor will be critical when considering the three main ways in which IoT security considerations differ from those linked to traditional device connections.
Firstly, the nature of IoT devices will change our security perspective. Composed largely of lightweight sensors embedded in buildings and devices, the IoT will present a stark contrast to the current trend for heavier devices such as PCs, tablets and smartphones. While lightweight devices will offer a simpler product from a security perspective, they will also be more difficult to update and patch if a vulnerability is discovered, leading to difficulties in keeping networks secure.
Secondly, the complexity of interactions occurring between the billions of IoT devices will be a leap from anything we have seen before. This makes it difficult to plan for security implications: how can we tell where the biggest security issues will lie? The potential security implications are being considered and efforts are being made to ensure devices are as secure as possible. However, as the complex IoT network becomes even more complicated, we will see cyber-criminals targeting, and exploiting, any new potential weaknesses which arise.
Thirdly, the arrival of the IoT will force us to interact with a large number of devices which are deeply embedded in our lives and the infrastructure around us. If we imagine the potential for security threats now when we only interact with a limited number of devices, think of the security threats which could result from misuse of IoT devices. City-wide interruptions to critical services, entire regions losing power and massive breaches of personal data are all potential threats.
The IoT heralds a new era in terms of security. To date, regulators have played a key role in the security of enterprise and governmental IT systems, imposing regulations which force organisations to reconsider their security measures. We are recognising that the ubiquitous nature of the IoT will require further action. This fact, twinned with the potential for national security threats, implies that governments will need to play a part in enforcing minimum standards for a secure IoT.
Security best practices will develop organically as the IoT becomes part of our daily lives to an even greater extent, but developers and cyber-security experts always have to stay one step ahead of cyber-criminals. The IoT is no different: considering how identity can help us to manage potential threats is vital as we begin to further integrate IoT technology into devices and interact with the new hyper-connected world.
Contributed by Geoff Webb, director of solution strategy at NetIQ