CIO

Internet of Things set to shake up corporate security says Gartner

CISOs will need to 'start small'

Gartner predicts that IoT (Internet of Things) security requirements will "reshape and expand" over half of all global enterprise IT security programmes by 2020.

IoT devices are smart and programmable devices that can be remotely controlled and linked to other devices, ranging from utility smart meters and kitchen fridges to vehicle telematics.

"The IoT is redrawing the lines of IT responsibilities for organisations," said Earl Perkins, an analyst at Gartner. "IoT objects possess the ability to change the state of the environment around them, or even their own state. So securing the IoT expands the responsibility of the traditional IT security practice, as every new identifying, sensing and communicating device is added."

Gartner said that although traditional IT infrastructure is capable of many IoT security tasks, functions that are delivered as purpose-built platforms using embedded technology, sensors and machine-to-machine (M2M) communications for specific business use signal a change in the traditional concept of IT and the concept of securing IT.

Perkins said: "Real-time, event-driven applications and non-standard protocols will require changes to application testing, vulnerability assessments, identity and access management (IAM) and other areas.

"And handling network scale, data transfer methods and memory usage differences will also require changes. Governance, management and operations of security functions will need to change to accommodate expanded responsibilities," Perkins said.

He said this was similar to the ways that bring your own device (BYOD), mobile and Cloud computing have required changes - "but on a much larger scale and in greater breadth", when it came to IoT.

Gartner said CISOs (certified information security officers) should not automatically assume that existing security technologies and services must be replaced when it comes to IoT. Instead, Gartner said they should evaluate the potential of integrating new security solutions with old ones.

Many traditional security product and service providers, said Gartner, are already expanding their existing portfolios to incorporate basic support for embedded systems and M2M communications, including support for communications protocols, application security and IAM requirements that are specific to the IoT.

"At this time, there is no 'guide to securing the IoT' available that provides CISOs with a framework for incorporating IoT principles across all industries and use cases," Perkins said.

Gartner claims CISOs should "start small" and develop initial security projects based on specific IoT interactions within specific business use cases. CISOs can then build on these use case experiences to develop common security deployment scenarios, core architectural foundations and competency centres for the future.