OVERCOMING IOT SECURITY CHALLENGES · The term “perfect storm” describes a scenario in which...

August 2017

ZK Research A Division of Kerravala Consulting

© 2017 ZK Research

I n f l u e n ce a n d i ns i g htt h ro u g h so c i a l m e d i a

Prepared by Zeus Kerravala

W H I T E P A P E R

Requires a Combination of Security and Services

OVERCOMING IOT SECURITY CHALLENGES

http://zkresearch.com

http://zkresearch.com

8 2

INTRODUCTION: THE IOT ERA HAS ARRIVED

The term “perfect storm” describes a scenario in which several mega-forces come together to

create a single, massive force. In the 1990s, the technology industry went through a perfect storm.

Technologies such as low-cost PCs, home broadband, the browser and the evolution of Windows

came together and kicked off the internet era. This perfect storm was so powerful that it created

a new economic model, and internet-related companies thrived and became some of the largest

businesses the world has ever seen. Today, we are on the cusp of another perfect storm—this time,

ushering in the era of the Internet of Things (IoT) as more and more unconnected devices become

connected. Several forces are driving IoT, including the following:

Digital transformation: The term “digital transformation” is defined as the application of

technology to build new business models and processes by converging people, business and

things. These advancements are creating new product and service opportunities as well as

transforming business operations. IoT is a relatively new technology that connects a world of

devices that were previously not connected, giving organizations the ability to capture more

information and gain new insights.

Low-cost sensors: Historically, connecting a device could cost as much as $15—which made

connecting everyday devices somewhat impractical. Today, the cost of a sensor is as low as

10 cents, so now we can afford to connect almost anything—from automobiles, to healthcare

equipment, to building facilities—to a common network.

The standardization to Internet Protocol (IP): Machine-to-machine (M2M) connections

were made over a variety of protocols that did not interoperate. This created a number of

“islands” of connected endpoints that had no way of interacting with each other. Today, almost

all IoT connections are made over IP, allowing potentially hundreds of billions of devices to be

connected to one another. The standardization to IP allows all devices to communicate with

each other, enabling the number of connected devices to explode to more than 50 billion by

2020 (Exhibit 1).

The growth of big data: IoT requires more than just connecting the unconnected. Although

this is certainly important, it only creates the foundation for IoT. For IoT to thrive, organizations

need to capture the massive amounts of data made available and analyze that information to

make more intelligent decisions.

IoT will be the largest technology shift since the birth of computing. It will connect many cur-

rently unconnected devices and create more economic value and opportunity than the internet did.

ZK Research: A Division of Kerravala Consulting © 2017 ZK Research

ZK RESEARCH | Report Title Goes Here

ABOUT THE AUTHOR

Zeus Kerravala is

the founder and

principal analyst with

ZK Research. Kerravala

provides tactical advice

and strategic guidance

to help his clients in both

the current business

climate and the long

term. He delivers

research and insight

to the following

constituents: end-user

IT and network

managers; vendors

of IT hardware,

software and services;

and members of the

financial community

looking to invest in

the companies that

he covers.

ZK RESEARCH | Overcoming IoT Security Challenges Requires a Combination of Security and Services

8 2

8 3

IoT will forever change the way people live and work, and businesses must be ready to capitalize on

this trend. Companies that embrace IoT will thrive, while those that do not will struggle to survive.

As IoT grows, organizations are connecting nontraditional IT devices such as air-conditioning sys-

tems, badge readers, building-management systems, healthcare equipment, sensors and other end-

points. These devices do not have any inherent security capabilities, which creates new security risks.

Traditional security methods are exclusively focused on the perimeter that protects the company from

malicious traffic coming from the internet. However, this approach will not work with IoT, as many

devices are connected behind the perimeter, and they are often connected to partner networks.

For example, a hacker who breaches a network that includes healthcare devices may gain

access to patient records. A retail organization whose building facilities network is breached could

have its customer credit card numbers stolen. Therefore, a successful IoT deployment requires a

new approach to an organization’s security strategies.

SECTION II: UNDERSTANDING IOT SECURITY CHALLENGES

IoT is evolving quickly, and almost every organization will need to embrace it to remain competi-

tive. IoT promises to lower costs as well as enable businesses to create new processes and discover

new insights. This begs the question: If IoT is so powerful, why aren’t companies being more aggres-

sive with it? The ZK Research 2017 Network Purchase Intention Study reveals that only 13% of


Fixed Computing200 million

endpoints

Portable Computing1 billion

endpoints

Mobile Computing10 billionendpoints

1995 - 2015

1995 2005 2010 2015 2020Internet of Things

50 billionendpoints

Exhibit 1: The Number of Connected Devices Explodes


ZK Research, 2017

https://www.carouselindustries.com/industries/retail/

8 4

businesses have deployed an IoT solution, while 47% are currently somewhere in the evaluation

or testing phase (Exhibit 2). In reality, the number of organizations that have deployed IoT is much

higher than the exhibit indicates, but many deployments have been conducted by operational

technology (OT) without IT’s knowledge.

In the same survey, ZK Research asked respondents about their biggest challenges related to

IoT, and the top answer was security (71%) (Exhibit 3).

There are numerous reasons why security is such a significant challenge with IoT, including

the following:

Physical security is often overlooked. A tremendous amount of energy and time is devoted

to cybersecurity today. However, physical security is often overlooked. Devices need to be

protected against theft or hacking of the hardware. Because IoT is often deployed by non-IT

individuals, there can be many devices that IT departments are unaware of. These unknown

devices can be breached from a console or USB port and create backdoors into other net-

works. Exhibit 4 illustrates how widespread this problem is, as 55% of respondents to the ZK

Research 2017 Security Survey had little to no confidence that they were aware of all the IoT

devices on the network.


Currentlyevaluating

No plans

10%

12%

28%

19%

13%

18%Testing

Alreadydeployed

ResearchingIoT

PlanningIoT

What is the status of IoT in your organization?

Exhibit 2: Only a Handful of Companies Have Completed an IoT Initiative


ZK Research 2017 Network Purchase Intention Study

8 5 ZK Research: A Division of Kerravala Consulting © 2017 ZK Research

What are the biggest IT challenges with respect to IoT?

Security concerns

Systems integration

Network investment

Data analytic skills

Investments in sensors

71%

44%

25%

23%

17%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Percentage of Respondents

Exhibit 3: Security Is the Top Obstacle to IoT



Somewhatconfident

Very confident

10%

15%

20%29%

26%

Not confident

Confident

Neutral

How confident are you that you knowall IoT devices on your network?

Exhibit 4: Security Departments Don’t Know What Devices Are on the Network

ZK Research 2017 Security Survey

ZK RESEARCH | The Top 10 Reasons Healthcare Organizations Should Deploy New IP Network

�Traditional�security�is�not�sufficient. Today’s security is primarily focused on protecting the

perimeter of a network with a large, expensive firewall. Although firewalls are still needed to

protect the network, IoT devices cause breaches to occur inside the network. Alarmingly, the ZK

Research 2017 Security Survey found that 90% of security spend is focused at the perimeter,

yet only 27% of breaches occur there. Therefore, IoT requires organizations to rethink their

security strategies.

Many IoT devices are inherently insecure. Most IT endpoints such as PCs and mobile devices

have some embedded security capabilities or can have an agent placed on them. Many IoT de-

vices—particularly older ones—have old operating systems, embedded passwords and no ability

to be secured by a resident agent.

Cybersecurity is growing in complexity. Protecting against external threats used to be a

straightforward process: Place a state-of-the-art firewall at the perimeter, and trust everything

inside of the network. This made sense when all the applications and endpoints were under the

control of the IT department. Today, however, workers are bringing in their own devices, and the

use of cloud services is extensive, creating new entry points. To combat this, security teams have

been deploying more niche point products, which often increases the level of complexity. Accord-

ing to ZK Research, an organization uses an average of 32 security vendors, and this number is

growing—leading to an environment that is becoming increasingly complex and ultimately less

secure. Also, IT departments struggle today to manage the current set of connected devices.

Adding three to five times more endpoints will overwhelm many security teams.

The number of blind spots is growing. Cobbling together a patchwork of security tools from

different vendors may seem like a sound strategy, as each device was meant to solve a specific

problem. However, this approach leaves massive blind spots because the devices have little to no

communications among them. Also, this architecture lacks automation, so the configuration of

these devices must be done one at a time, meaning changes can often take months to imple-

ment. This delay puts organizations at serious risk.

The impact of a breach is massive. A successful IoT implementation is based on automating

several processes that need to work together. A breach at any point can interrupt the service.

In many vertical markets such as healthcare, state and local government, and banks and credit

unions, IoT services are mission critical, so any kind of outage can cost companies millions. In

May 2016, the Ponemon Institute found the average cost of a data breach to be $3.62 million,

up from $3.5 million in 2015.

8 6

ZK Research | Title of Report

The ZK Research

2017 Security

Survey found that

90% of security

spend is focused

at the perimeter,

yet only 27% of

breaches occur

there.

6


ZK Research: A Division of Kerravala Consulting © 2017 ZK Research 8 6

8 7

IoT is a core component of digital transformation and should be a top priority for IT and busi-

ness leaders. However, organizations can’t afford to put their businesses, employees or customers

at risk, so they can’t compromise when it comes to securing the environment. Clearly, the legacy

security model of trying to deploy best-of-breed components at various places in the network has

not worked and will not work in an environment of increasing complexity. It’s time for organizations

to rethink their security strategies and consider implementing a security fabric.

SECTION III: INTRODUCING THE SECURITY FABRIC

Fabrics have been widely used in certain segments of the IT industry for decades. For example,

storage networks are built on the concept of a fabric where every service is available at every point

in the network at all times. This gives the storage network the high performance and resiliency it

needs for businesses to run mission-critical applications on it.

Similarly, a security fabric is a way of delivering the required security features to any point in

the environment (Exhibit 5) in real time—from the endpoint to the cloud. To enable this, the data

and security elements across all the various environments need to be well integrated and able to

share intelligence and visibility. A security fabric gives the responsible team the necessary control,

integration and ease of management across the company. Because a security fabric is pervasive, it

eliminates the blind spots that may have been introduced from the deployment of disparate security

products or the expansion of data centers and networks. Also, a security fabric is an intelligent, scal-

able framework designed to interconnect security functions to provide actionable threat intelligence.


Advanced ThreatIntelligence

Network Operations Center/Security Operations Center

Client

Access Network

Cloud

Application

Partner API

Exhibit 5: A Security Fabric Delivers Threat Protection Everywhere


ZK Research and Fortinet

8 8

One example of a security fabric vendor is Fortinet, whose mature offering is currently used by

thousands of customers. The Fortinet Security Fabric is built around the following three key attributes:

Broad: Fortinet offers breadth of protection, as it covers the entire attack surface and can be

applied to the network, endpoint, access, applications and cloud.

Powerful: High performance is delivered through Fortinet’s own security processors (Exhibit 6)

to reduce the burden on infrastructure, delivering comprehensive security without compromise.

Vendors that use off-the-shelf components often need to sacrifice performance in specific areas.

Automated: Automation of security functions enables a fast and coordinated response to

threats. All elements can quickly exchange threat intelligence and coordinate actions.

Fortinet’s Security Fabric is much more cost effective than a multivendor environment. Addition-

ally, using multiple vendors requires additional training for the staff, more administrative/manage-

ment time and additional maintenance costs. In fact, ZK Research has calculated the cost of a

security fabric to be about 10% less than that of a multivendor solution over a six-year period.

The Security Fabric will deliver much faster breach detection and isolation. Because all of the

products work off the same code base and silicon, it’s easy for Fortinet to understand the real-


Private and PublicCloud Security

Email and Web Security

Carrier-ClassFirewall

Data CenterFirewall

DistributedFirewallAccess

Point1 Gbps

1 Tbps

SwitchEndpoint

Next-GenerationFirewall

S it h

Exhibit 6: Fortinet Security Fabric Is Powered by Custom Silicon


ZK Research and Fortinet

https://www.fortinet.com/


time network topology as well as the interaction between the physical and virtual elements. Given

the dynamic nature of IT, this is a critical component of being able to automate security. There’s an

expression that states “You can’t secure what you can’t see,” and the Fortinet Security Fabric sees

everything, enabling it to secure the end-to-end environment.

One more key differentiator for fabric is the ease of integration with third-party vendors. It’s a fact

that no single security vendor can do everything. Fortinet’s fabric is open, and the company has put

together a large ecosystem of technology partners.

Today, the following functions collaborate to form the Fortinet Security Fabric:

Enterprise firewall

Cloud security

Advanced threat protection

Connected unified threat management (UTM)

Application security

Secure access

Security operations

SECTION IV: THE ROLE OF SERVICES IN IOT SECURITY

There is no single driver for IoT. According to the ZK Research 2017 Network Purchase Intention

Study, companies are looking for IoT to solve a myriad of issues such as automating processes, lower-

ing costs and improving the efficiency of the business (Exhibit 7). Consequently, most IoT initiatives are

business-outcome led and require collaboration between the IT organization and lines of business.

Implementing IoT can be a highly complex process that many companies are not equipped to

handle due to security challenges, increased complexity and IT staff that already have too much on

their plates. Also, the concept of working toward a business outcome may require best practices that

have yet to be fully outlined or developed in a company. For example, a hospital may embark on an

IoT project to connect patient monitoring equipment for remote diagnosis, which requires technical

knowledge, security expertise and business acumen that many organizations can’t bring together into

a single team.

Unless the company has implemented many IoT projects, it’s likely there is a gap in critical skills

necessary to make the deployment a success. This is one reason why 76% of IoT initiatives are either

8 9


Implementing

IoT can be a

highly complex

process that many

companies are

not equipped to

handle.

9



8 1 0

cancelled, delivered late or do not produce the expected return on investment, according to the ZK

Research 2017 IoT Study, primarily because of unforeseen management and security challenges.

A services partner can help close the skills gap across every phase of the project life cycle,

including the following:

Planning: Ensure business goals are aligned with IT deployment strategy and identification of

security risks up front.

Design: Map the capabilities of a security fabric to IoT risks and plan for the unexpected.

Implementation: Ensure the security solution is deployed correctly. With IoT creating so

many new entry points, this is critical to securing the business.

Operation: Audit processes and optimize the deployment of the technology. Regular audits

must be conducted to find new security risks and remediate them before they become issues.

Services can be deployed in two different ways. For businesses that prefer to maintain control

of their security operations, the services partner can provide skills to augment the organization’s


What are the business drivers behind your IoT deployment?

Process automation

Improving business efficiency

Cost savings

Risk management

Location tracking

Equipment monitoring/tracking

44%

35%

32%

27%

24%

21%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

Percentage of Respondents

Exhibit 7: The IoT Value Proposition Is Multifaceted




own team. For example, a company may have the necessary skills to implement the technology but

lack the talent and best practices to plan the deployment and design the solution. In such cases, the

service partner can help with those tasks to ensure success. Business leaders who wish to focus on

their core operations and offload all security operations can leverage a managed services partner to

take over security operations.

Carousel Industries is an award-winning, nationwide services firm that has been helping IT and

business leaders make better IT decisions for more than 25 years. The company helps its customers

drive successful innovation in their businesses through an integrated solutions approach in a wide

range of technologies, including security.

Carousel follows Information Technology Infrastructure Library (ITIL) standards and uses its

extensive experience to execute on a proven methodology with predictable, repeatable, high-quality

results. Also, it has the vertical knowledge to drill down on specific business requirements to ensure

that its outcome-based approach leads to success, regardless of a company’s compliance, regulatory

or other industry needs.

Every engagement begins with an audit that can identify the investments required to support the

right technology solutions both today and in the future for growth and expansion. Together, Carousel

and Fortinet can co-deliver a security fabric that can meet the needs of a business looking to maxi-

mize its investment in IoT without putting the organization at risk.

SECTION V: CONCLUSION AND RECOMMENDATIONS

The IoT era has arrived, and businesses must prepare for a massive wave of devices that will

connect to the company network. However, unlike traditional IT infrastructure, many of these devices

have little to no inherent security capabilities, cannot have agents deployed on them and often have

old or outdated operating systems—making them vulnerable to attacks.

A breach of an IoT system can compromise the device, putting critical processes at risk, but it can

also create “backdoors” into other systems such as account servers, point-of-sale systems and others

that store sensitive data. Securing the wide range of IoT endpoints poses a significant challenge

because traditional perimeter-based security devices are blind to most of the new endpoints. There-

fore, security leaders must rethink their security strategies and implement new tools and processes to

secure the business in a world where literally everything will be connected.

The world of IoT security is vast and can be intimidating. To help business and security leaders

get started, ZK Research makes the following recommendations:

Architect security into IoT design. Many projects are deployed with no thought to protection

and with security often an afterthought. IoT only works if business leaders, employees, custom-

ers and other end users trust the systems and believe their personal data will be protected. It’s

absolutely critical that the data, endpoints and infrastructure be secured with the best possible

8 1 1


Security leaders

must rethink their

security strategies

and implement

new tools and

processes to secure

the business in

a world where

literally everything

will be connected.

1 1


ZK Research: A Division of Kerravala Consulting © 2017 ZK Research 8 1 1

https://www.carouselindustries.com/

https://www.fortinet.com/partners.html

https://www.fortinet.com/partners.html


technology to ensure the trust exists to enable IoT to thrive. For maximum effectiveness, security

must be built into the design of the IoT solution instead of being bolted on after the fact.

Shift to a security fabric. The legacy model of deploying many niche security tools at various

places in the network has never been and will never be effective in a world where everything

is connected. A better approach is to leverage the benefits of a security fabric where the right

security services can be applied to specific points in the environment to remove blind spots and

ensure the company is protected from the endpoints to the cloud.

Consider a services partner to guarantee success. Very few companies have the neces-

sary skills to implement an IoT project, particularly when it comes to overcoming all of the new

security challenges. A services partner can be used to either augment a company’s existing skill

set or take over security operations via managed services. It’s critical to choose a partner that has

a proven methodology and a track record of repeatable success.

8 1 2


1 2



[email protected]

Cell: 301-775-7447 Office: 978-252-5314

© 2017 ZK Research: A Division of Kerravala ConsultingAll rights reserved. Reproduction or redistribution in any form without the express prior permission of ZK Research is expressly prohibited. For questions, comments or further information, email [email protected].

Date post:	25-Jun-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

OVERCOMING IOT SECURITY CHALLENGES · The term “perfect storm” describes a scenario in which...

Documents