Members of the VDC Team spent the last two days at the inaugural IoT Security event on the beautiful Boston waterfront, where Steve Hoffenberg, VDC’s Director of IoT & Embedded Technology, spoke alongside a diverse and distinguished panel of guests that included various leaders of government, research, and industry.
One of the main themes that emerged throughout the two-day conference was the growing importance and adoption of Security as a Service. If it makes more sense from both a financial and an operations perspective to outsource computing, storage, applications, and infrastructure to specialized providers in order to capitalize on economies of scale and aggregated outside expertise, then it follows that portions of IoT security can also be outsourced effectively. As devices are connected to each other, and to the internet, the attack surface of the IoT software environment grows exponentially. Managing this complexity requires solutions that may be lacking in traditional embedded security software. We see a clear trend towards the addition of connected security features such as network data anomaly analysis and constant threat definition updates being built into device security at the OS level. The recently-announced Lynx & Webroot partnership is a clear example of how IoT security companies will be able to provide added value through reduced end-user complexity and enhanced safety to OEMs in the near future.
Another interesting thought came from Carl Stjernfeldt, Senior VP at Shell Venture Technologies, a division of the energy/oil giant. He suggested that Shell was looking to purchase many more sensors in the future, not only for machines, but also for “sensorizing” its people, blurring the line between inert and living assets and the data that could be collected from each. Of course, Shell is not the only company thinking of adding sensors to different production assets, including its human resources, but this comment did lead to the interesting question of how we might see a trend of convergence and growing complexity in the management of device and human directories and their corresponding authentication protocols, which are currently two separate worlds.
One more thought that we would like to leave with the reader is that of the continued overreliance on perimeter security: placing too much emphasis on stopping attackers from gaining any access to the system at all, and not enough emphasis on minimizing damage that could be done if an attacker gains access. In many cases, perimeter security may secure a device or a network extremely well from a technical standpoint, but a simple social hack, shortcut, or human error can render the entire system vulnerable quite easily. The principle of least privilege– properly assigning only necessary access privileges to each user and system element – is a core security principle that will be fundamental in implementing safety-critical IoT networks in the future.
View the 2017 IoT & Embedded Technology Research Outline to learn more.