August 2017
ZK Research A Division of Kerravala Consulting
© 2017 ZK Research
I n f l u e n ce a n d i ns i g htt h ro u g h so c i a l m e d i a
Prepared by Zeus Kerravala
W H I T E P A P E R
Requires a Combination of Security and Services
OVERCOMING IOT SECURITY CHALLENGES
8 2
INTRODUCTION: THE IOT ERA HAS ARRIVED
The term “perfect storm” describes a scenario in which several mega-forces come together to
create a single, massive force. In the 1990s, the technology industry went through a perfect storm.
Technologies such as low-cost PCs, home broadband, the browser and the evolution of Windows
came together and kicked off the internet era. This perfect storm was so powerful that it created
a new economic model, and internet-related companies thrived and became some of the largest
businesses the world has ever seen. Today, we are on the cusp of another perfect storm—this time,
ushering in the era of the Internet of Things (IoT) as more and more unconnected devices become
connected. Several forces are driving IoT, including the following:
Digital transformation: The term “digital transformation” is defined as the application of
technology to build new business models and processes by converging people, business and
things. These advancements are creating new product and service opportunities as well as
transforming business operations. IoT is a relatively new technology that connects a world of
devices that were previously not connected, giving organizations the ability to capture more
information and gain new insights.
Low-cost sensors: Historically, connecting a device could cost as much as $15—which made
connecting everyday devices somewhat impractical. Today, the cost of a sensor is as low as
10 cents, so now we can afford to connect almost anything—from automobiles, to healthcare
equipment, to building facilities—to a common network.
The standardization to Internet Protocol (IP): Machine-to-machine (M2M) connections
were made over a variety of protocols that did not interoperate. This created a number of
“islands” of connected endpoints that had no way of interacting with each other. Today, almost
all IoT connections are made over IP, allowing potentially hundreds of billions of devices to be
connected to one another. The standardization to IP allows all devices to communicate with
each other, enabling the number of connected devices to explode to more than 50 billion by
2020 (Exhibit 1).
The growth of big data: IoT requires more than just connecting the unconnected. Although
this is certainly important, it only creates the foundation for IoT. For IoT to thrive, organizations
need to capture the massive amounts of data made available and analyze that information to
make more intelligent decisions.
IoT will be the largest technology shift since the birth of computing. It will connect many cur-
rently unconnected devices and create more economic value and opportunity than the internet did.
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
ZK RESEARCH | Report Title Goes Here
ABOUT THE AUTHOR
Zeus Kerravala is
the founder and
principal analyst with
ZK Research. Kerravala
provides tactical advice
and strategic guidance
to help his clients in both
the current business
climate and the long
term. He delivers
research and insight
to the following
constituents: end-user
IT and network
managers; vendors
of IT hardware,
software and services;
and members of the
financial community
looking to invest in
the companies that
he covers.
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
8 2
8 3
IoT will forever change the way people live and work, and businesses must be ready to capitalize on
this trend. Companies that embrace IoT will thrive, while those that do not will struggle to survive.
As IoT grows, organizations are connecting nontraditional IT devices such as air-conditioning sys-
tems, badge readers, building-management systems, healthcare equipment, sensors and other end-
points. These devices do not have any inherent security capabilities, which creates new security risks.
Traditional security methods are exclusively focused on the perimeter that protects the company from
malicious traffic coming from the internet. However, this approach will not work with IoT, as many
devices are connected behind the perimeter, and they are often connected to partner networks.
For example, a hacker who breaches a network that includes healthcare devices may gain
access to patient records. A retail organization whose building facilities network is breached could
have its customer credit card numbers stolen. Therefore, a successful IoT deployment requires a
new approach to an organization’s security strategies.
SECTION II: UNDERSTANDING IOT SECURITY CHALLENGES
IoT is evolving quickly, and almost every organization will need to embrace it to remain competi-
tive. IoT promises to lower costs as well as enable businesses to create new processes and discover
new insights. This begs the question: If IoT is so powerful, why aren’t companies being more aggres-
sive with it? The ZK Research 2017 Network Purchase Intention Study reveals that only 13% of
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
Fixed Computing200 million
endpoints
Portable Computing1 billion
endpoints
Mobile Computing10 billionendpoints
1995 - 2015
1995 2005 2010 2015 2020Internet of Things
50 billionendpoints
Exhibit 1: The Number of Connected Devices Explodes
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research, 2017
8 4
businesses have deployed an IoT solution, while 47% are currently somewhere in the evaluation
or testing phase (Exhibit 2). In reality, the number of organizations that have deployed IoT is much
higher than the exhibit indicates, but many deployments have been conducted by operational
technology (OT) without IT’s knowledge.
In the same survey, ZK Research asked respondents about their biggest challenges related to
IoT, and the top answer was security (71%) (Exhibit 3).
There are numerous reasons why security is such a significant challenge with IoT, including
the following:
Physical security is often overlooked. A tremendous amount of energy and time is devoted
to cybersecurity today. However, physical security is often overlooked. Devices need to be
protected against theft or hacking of the hardware. Because IoT is often deployed by non-IT
individuals, there can be many devices that IT departments are unaware of. These unknown
devices can be breached from a console or USB port and create backdoors into other net-
works. Exhibit 4 illustrates how widespread this problem is, as 55% of respondents to the ZK
Research 2017 Security Survey had little to no confidence that they were aware of all the IoT
devices on the network.
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
Currentlyevaluating
No plans
10%
12%
28%
19%
13%
18%Testing
Alreadydeployed
ResearchingIoT
PlanningIoT
What is the status of IoT in your organization?
Exhibit 2: Only a Handful of Companies Have Completed an IoT Initiative
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research 2017 Network Purchase Intention Study
8 5 ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
What are the biggest IT challenges with respect to IoT?
Security concerns
Systems integration
Network investment
Data analytic skills
Investments in sensors
71%
44%
25%
23%
17%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Percentage of Respondents
Exhibit 3: Security Is the Top Obstacle to IoT
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research 2017 Network Purchase Intention Study
Somewhatconfident
Very confident
10%
15%
20%29%
26%
Not confident
Confident
Neutral
How confident are you that you knowall IoT devices on your network?
Exhibit 4: Security Departments Don’t Know What Devices Are on the Network
ZK Research 2017 Security Survey
ZK RESEARCH | The Top 10 Reasons Healthcare Organizations Should Deploy New IP Network
�Traditional�security�is�not�sufficient. Today’s security is primarily focused on protecting the
perimeter of a network with a large, expensive firewall. Although firewalls are still needed to
protect the network, IoT devices cause breaches to occur inside the network. Alarmingly, the ZK
Research 2017 Security Survey found that 90% of security spend is focused at the perimeter,
yet only 27% of breaches occur there. Therefore, IoT requires organizations to rethink their
security strategies.
Many IoT devices are inherently insecure. Most IT endpoints such as PCs and mobile devices
have some embedded security capabilities or can have an agent placed on them. Many IoT de-
vices—particularly older ones—have old operating systems, embedded passwords and no ability
to be secured by a resident agent.
Cybersecurity is growing in complexity. Protecting against external threats used to be a
straightforward process: Place a state-of-the-art firewall at the perimeter, and trust everything
inside of the network. This made sense when all the applications and endpoints were under the
control of the IT department. Today, however, workers are bringing in their own devices, and the
use of cloud services is extensive, creating new entry points. To combat this, security teams have
been deploying more niche point products, which often increases the level of complexity. Accord-
ing to ZK Research, an organization uses an average of 32 security vendors, and this number is
growing—leading to an environment that is becoming increasingly complex and ultimately less
secure. Also, IT departments struggle today to manage the current set of connected devices.
Adding three to five times more endpoints will overwhelm many security teams.
The number of blind spots is growing. Cobbling together a patchwork of security tools from
different vendors may seem like a sound strategy, as each device was meant to solve a specific
problem. However, this approach leaves massive blind spots because the devices have little to no
communications among them. Also, this architecture lacks automation, so the configuration of
these devices must be done one at a time, meaning changes can often take months to imple-
ment. This delay puts organizations at serious risk.
The impact of a breach is massive. A successful IoT implementation is based on automating
several processes that need to work together. A breach at any point can interrupt the service.
In many vertical markets such as healthcare, state and local government, and banks and credit
unions, IoT services are mission critical, so any kind of outage can cost companies millions. In
May 2016, the Ponemon Institute found the average cost of a data breach to be $3.62 million,
up from $3.5 million in 2015.
8 6
ZK Research | Title of Report
The ZK Research
2017 Security
Survey found that
90% of security
spend is focused
at the perimeter,
yet only 27% of
breaches occur
there.
6
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research 8 6
8 7
IoT is a core component of digital transformation and should be a top priority for IT and busi-
ness leaders. However, organizations can’t afford to put their businesses, employees or customers
at risk, so they can’t compromise when it comes to securing the environment. Clearly, the legacy
security model of trying to deploy best-of-breed components at various places in the network has
not worked and will not work in an environment of increasing complexity. It’s time for organizations
to rethink their security strategies and consider implementing a security fabric.
SECTION III: INTRODUCING THE SECURITY FABRIC
Fabrics have been widely used in certain segments of the IT industry for decades. For example,
storage networks are built on the concept of a fabric where every service is available at every point
in the network at all times. This gives the storage network the high performance and resiliency it
needs for businesses to run mission-critical applications on it.
Similarly, a security fabric is a way of delivering the required security features to any point in
the environment (Exhibit 5) in real time—from the endpoint to the cloud. To enable this, the data
and security elements across all the various environments need to be well integrated and able to
share intelligence and visibility. A security fabric gives the responsible team the necessary control,
integration and ease of management across the company. Because a security fabric is pervasive, it
eliminates the blind spots that may have been introduced from the deployment of disparate security
products or the expansion of data centers and networks. Also, a security fabric is an intelligent, scal-
able framework designed to interconnect security functions to provide actionable threat intelligence.
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
Advanced ThreatIntelligence
Network Operations Center/Security Operations Center
Client
Access Network
Cloud
Application
Partner API
Exhibit 5: A Security Fabric Delivers Threat Protection Everywhere
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research and Fortinet
8 8
One example of a security fabric vendor is Fortinet, whose mature offering is currently used by
thousands of customers. The Fortinet Security Fabric is built around the following three key attributes:
Broad: Fortinet offers breadth of protection, as it covers the entire attack surface and can be
applied to the network, endpoint, access, applications and cloud.
Powerful: High performance is delivered through Fortinet’s own security processors (Exhibit 6)
to reduce the burden on infrastructure, delivering comprehensive security without compromise.
Vendors that use off-the-shelf components often need to sacrifice performance in specific areas.
Automated: Automation of security functions enables a fast and coordinated response to
threats. All elements can quickly exchange threat intelligence and coordinate actions.
Fortinet’s Security Fabric is much more cost effective than a multivendor environment. Addition-
ally, using multiple vendors requires additional training for the staff, more administrative/manage-
ment time and additional maintenance costs. In fact, ZK Research has calculated the cost of a
security fabric to be about 10% less than that of a multivendor solution over a six-year period.
The Security Fabric will deliver much faster breach detection and isolation. Because all of the
products work off the same code base and silicon, it’s easy for Fortinet to understand the real-
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
Private and PublicCloud Security
Email and Web Security
Carrier-ClassFirewall
Data CenterFirewall
DistributedFirewallAccess
Point1 Gbps
1 Tbps
SwitchEndpoint
Next-GenerationFirewall
S it h
Exhibit 6: Fortinet Security Fabric Is Powered by Custom Silicon
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research and Fortinet
ZK RESEARCH | The Top 10 Reasons Healthcare Organizations Should Deploy New IP Network
time network topology as well as the interaction between the physical and virtual elements. Given
the dynamic nature of IT, this is a critical component of being able to automate security. There’s an
expression that states “You can’t secure what you can’t see,” and the Fortinet Security Fabric sees
everything, enabling it to secure the end-to-end environment.
One more key differentiator for fabric is the ease of integration with third-party vendors. It’s a fact
that no single security vendor can do everything. Fortinet’s fabric is open, and the company has put
together a large ecosystem of technology partners.
Today, the following functions collaborate to form the Fortinet Security Fabric:
Enterprise firewall
Cloud security
Advanced threat protection
Connected unified threat management (UTM)
Application security
Secure access
Security operations
SECTION IV: THE ROLE OF SERVICES IN IOT SECURITY
There is no single driver for IoT. According to the ZK Research 2017 Network Purchase Intention
Study, companies are looking for IoT to solve a myriad of issues such as automating processes, lower-
ing costs and improving the efficiency of the business (Exhibit 7). Consequently, most IoT initiatives are
business-outcome led and require collaboration between the IT organization and lines of business.
Implementing IoT can be a highly complex process that many companies are not equipped to
handle due to security challenges, increased complexity and IT staff that already have too much on
their plates. Also, the concept of working toward a business outcome may require best practices that
have yet to be fully outlined or developed in a company. For example, a hospital may embark on an
IoT project to connect patient monitoring equipment for remote diagnosis, which requires technical
knowledge, security expertise and business acumen that many organizations can’t bring together into
a single team.
Unless the company has implemented many IoT projects, it’s likely there is a gap in critical skills
necessary to make the deployment a success. This is one reason why 76% of IoT initiatives are either
8 9
ZK Research | Title of Report
Implementing
IoT can be a
highly complex
process that many
companies are
not equipped to
handle.
9
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
8 1 0
cancelled, delivered late or do not produce the expected return on investment, according to the ZK
Research 2017 IoT Study, primarily because of unforeseen management and security challenges.
A services partner can help close the skills gap across every phase of the project life cycle,
including the following:
Planning: Ensure business goals are aligned with IT deployment strategy and identification of
security risks up front.
Design: Map the capabilities of a security fabric to IoT risks and plan for the unexpected.
Implementation: Ensure the security solution is deployed correctly. With IoT creating so
many new entry points, this is critical to securing the business.
Operation: Audit processes and optimize the deployment of the technology. Regular audits
must be conducted to find new security risks and remediate them before they become issues.
Services can be deployed in two different ways. For businesses that prefer to maintain control
of their security operations, the services partner can provide skills to augment the organization’s
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
What are the business drivers behind your IoT deployment?
Process automation
Improving business efficiency
Cost savings
Risk management
Location tracking
Equipment monitoring/tracking
44%
35%
32%
27%
24%
21%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Percentage of Respondents
Exhibit 7: The IoT Value Proposition Is Multifaceted
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research 2017 Network Purchase Intention Study
ZK RESEARCH | The Top 10 Reasons Healthcare Organizations Should Deploy New IP Network
own team. For example, a company may have the necessary skills to implement the technology but
lack the talent and best practices to plan the deployment and design the solution. In such cases, the
service partner can help with those tasks to ensure success. Business leaders who wish to focus on
their core operations and offload all security operations can leverage a managed services partner to
take over security operations.
Carousel Industries is an award-winning, nationwide services firm that has been helping IT and
business leaders make better IT decisions for more than 25 years. The company helps its customers
drive successful innovation in their businesses through an integrated solutions approach in a wide
range of technologies, including security.
Carousel follows Information Technology Infrastructure Library (ITIL) standards and uses its
extensive experience to execute on a proven methodology with predictable, repeatable, high-quality
results. Also, it has the vertical knowledge to drill down on specific business requirements to ensure
that its outcome-based approach leads to success, regardless of a company’s compliance, regulatory
or other industry needs.
Every engagement begins with an audit that can identify the investments required to support the
right technology solutions both today and in the future for growth and expansion. Together, Carousel
and Fortinet can co-deliver a security fabric that can meet the needs of a business looking to maxi-
mize its investment in IoT without putting the organization at risk.
SECTION V: CONCLUSION AND RECOMMENDATIONS
The IoT era has arrived, and businesses must prepare for a massive wave of devices that will
connect to the company network. However, unlike traditional IT infrastructure, many of these devices
have little to no inherent security capabilities, cannot have agents deployed on them and often have
old or outdated operating systems—making them vulnerable to attacks.
A breach of an IoT system can compromise the device, putting critical processes at risk, but it can
also create “backdoors” into other systems such as account servers, point-of-sale systems and others
that store sensitive data. Securing the wide range of IoT endpoints poses a significant challenge
because traditional perimeter-based security devices are blind to most of the new endpoints. There-
fore, security leaders must rethink their security strategies and implement new tools and processes to
secure the business in a world where literally everything will be connected.
The world of IoT security is vast and can be intimidating. To help business and security leaders
get started, ZK Research makes the following recommendations:
Architect security into IoT design. Many projects are deployed with no thought to protection
and with security often an afterthought. IoT only works if business leaders, employees, custom-
ers and other end users trust the systems and believe their personal data will be protected. It’s
absolutely critical that the data, endpoints and infrastructure be secured with the best possible
8 1 1
ZK Research | Title of Report
Security leaders
must rethink their
security strategies
and implement
new tools and
processes to secure
the business in
a world where
literally everything
will be connected.
1 1
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research 8 1 1
ZK RESEARCH | The Top 10 Reasons Healthcare Organizations Should Deploy New IP Network
technology to ensure the trust exists to enable IoT to thrive. For maximum effectiveness, security
must be built into the design of the IoT solution instead of being bolted on after the fact.
Shift to a security fabric. The legacy model of deploying many niche security tools at various
places in the network has never been and will never be effective in a world where everything
is connected. A better approach is to leverage the benefits of a security fabric where the right
security services can be applied to specific points in the environment to remove blind spots and
ensure the company is protected from the endpoints to the cloud.
Consider a services partner to guarantee success. Very few companies have the neces-
sary skills to implement an IoT project, particularly when it comes to overcoming all of the new
security challenges. A services partner can be used to either augment a company’s existing skill
set or take over security operations via managed services. It’s critical to choose a partner that has
a proven methodology and a track record of repeatable success.
8 1 2
ZK Research | Title of Report
1 2
ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services
ZK Research: A Division of Kerravala Consulting © 2017 ZK Research
Cell: 301-775-7447 Office: 978-252-5314
© 2017 ZK Research: A Division of Kerravala ConsultingAll rights reserved. Reproduction or redistribution in any form without the express prior permission of ZK Research is expressly prohibited. For questions, comments or further information, email [email protected].