The power of objects in the Internet of Things (IoT) to change the state of environments — in addition to generating information — will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities, according to Gartner, Inc.
Gartner predicts that IoT security requirements will reshape and expand over half of all global enterprise IT security programs by 2020 due to changes in supported platform and service scale, diversity and function.
"The IoT is redrawing the lines of IT responsibilities for the enterprise," said Earl Perkins, Research Vice President at Gartner. "IoT objects possess the ability to change the state of the environment around them, or even their own state; for example, by raising the temperature of a room automatically once a sensor has determined it is too cold or by adjusting the flow of fluids to a patient in a hospital bed based on information about the patient's medical records. Securing the IoT expands the responsibility of the traditional IT security practice with every new identifying, sensing and communicating device that is added for each new business use case."
Traditional "information" technology is now being supplemented by purpose-built, industry-specific technologies that are tailored by where and how that technology is used and what function it delivers. Information remains a key deliverable and is the fuel for IoT devices. The device's ability to identify itself (such as RFID tags that identify cargo), sense the environment (such as temperature and pressure sensors) or communicate (such as devices in ocean buoys that transmit environmental changes to the areas around them) requires information to be generated, communicated and/or used.
Although traditional IT infrastructure is capable of many of these tasks, functions that are delivered as purpose-built platforms using embedded technology, sensors and machine-to-machine (M2M) communications for specific business use cases signal a change in the traditional concept of IT and the concept of securing IT.
"This is an inflection point for security. CISOs will need to deconstruct current principles of IT security in the enterprise by re-evaluating practices and processes in light of the IoT impact," said Perkins. "Real-time, event-driven applications and nonstandard protocols will require changes to application testing, vulnerability, identity and access management (IAM) — the list goes on. Handling network scale, data transfer methods and memory usage differences will also require changes. Governance, management and operations of security functions will need to change to accommodate expanded responsibilities,