Summary Bullets:

• IoT security still comes up as the number one deterrent to IoT adoption, year after year (after year!).

• While point solutions abound, the complex supplier ecosystem coupled with the diversity of IoT use cases and device types makes this a hard nut to crack.

Considering the fact that every survey ever conducted among enterprises over the last five years about IoT has shown that the number one barrier to adoption is lack of security, we would have expected the supplier ecosystem to finally “fix” this problem once and for all. But instead, with the advent of massive proliferation of IoT devices upon us, coupled with an occasional high-profile breach, enterprises are more cautious than ever and rightly so.

The complex ecosystem is frequently blamed not only for the lack of end-to-end security solutions, but for the difficulty and expense of deploying IoT at all. While we still point fingers at the ecosystem, we are finally seeing positive indications of IoT growth in the enterprise. Cisco’s annual mobile VNI forecast, which was presented to analysts on March 20th, projects that IoT deployments will grow from providing 11% of total mobile connections in 2017, to generating 31% of total mobile connections by 2022. The advent of 5G coupled with low cost LPWANs is expected to generate “massive” IoT connectivity requirements. While consumers are legitimately paranoid about Alexa listening to them and laptop cameras spying on them, in light of the two sets of Mirai botnet attacks in 2016 and 2018, businesses with mission-critical operations can be brought to their knees by a major security breach.

A theoretical “end-to-end” solution portfolio for IoT would have solutions at the end-device, gateway, or other edge device; the access interface and throughout the network(s); at the application layer; and for the protection of data stored or processed in a cloud, edge server or on-premise data center. It would also include services to detect and remediate malware and other threats.

The complexity comes from having all of these “attack vectors” or paths through which an attacker can breach the IoT environment. Within each discrete stack are different kinds of vendors selling chipsets, hardware, software, services, network access, and malware detection services that may have overlapping duties. And a company that appears to have implemented a valid cybersecurity solution for all of its information resources may still be subject to breaches, as most IoT devices remain “dumb”, without modern OS’s and are not easily controlled, communicated with, or secured. Each vendor may also not want to be liable for reselling solutions outside of its own domain. For example, while operators may offer secure credentialing/authentication for end devices or even malware protection and remediation services, they can’t be fully responsible for data or application security or for chipset-level encryption.

This is one of the reasons why vendors and operators are joining together in alliances. The most recent one is ‘ioXt’ (aka the Internet of Secure Things) which launched last fall and gathers monthly to align security requirements, help make testing and compatibility certification consistent, and to work together with both vendors and large enterprises to build global standards. The ioXt notes that a “multi-layered” defense is best, and that end-to-end security ranges from baked-in security up front to ongoing management and protection of sensitive machine-generated data. The IoT Security Alliance, which includes AT&T, Qualcomm, IBM, Nokia, Palo Alto, Symantec, and Trustonic is another group that is busy categorizing risk and defining best practices. Presumably the members can be called upon to support joint go-to-market efforts for deals where IoT security is paramount.

The industry has been talking about how to “guarantee” IoT security for a long time. Some consultants like Bain have posited that enterprises would pay extra for a guaranteed IoT security solution. But like any IT security vulnerability, not only is there true risk, there is also perceived risk. It may take a while for all of the different kinds of vendors to work together to provide end-to-end security, but even longer for enterprises and consumers to really believe they are secure.