When you read about the Internet of Things (IoT) in the press, it can get very confusing, particularly if you want to consider how one might go about securing the IoT. First, there isn’t universal agreement on what the IoT really is, whether it is literally architecture, infrastructure, marketing, or something else. Gartner has a definition for the IoT, as do others, so I don’t know that this is a big issue. What we DO know is that the increasing attention focused on an interconnected world of devices, far greater in number and variety than PCs, tablets and smartphones, uncovers a fundamental truth for all enterprises that buy or sell products and services in the security markets. That truth is that the way decision-makers in enterprises think of the practice of security has to change. Their vision of information security, of IT security, of operational technology (OT) security, and of physical security is now obsolete.
Now why would I say something like that? After all, we still need a strategy for ensuring the confidentiality, integrity and availability of information. We need an infrastructure and practice that protects computer systems and networks. For many enterprises involved in industrial control and automation activities, we need that same protection for those operational systems that are the lifeblood of the enterprise. And yes, we need to continue the practice of protecting our physical infrastructure with the people and technology needed to secure our buildings and other physical assets. So what’s the issue?
Consider a world where the number of connected, communicating devices increases 100-fold. Those devices have hundreds of new form factors for firmware, operating systems, communications protocols, and interfaces. Those devices are part of IT security, part of OT security, and part of physical security. Those devices are interwoven and embedded into complex systems that need more machine-to-machine communications, more data collection, more analytics: more, more, more. But it isn’t just a matter of volume; it’s also a matter of complexity, and of the expansion of the “threat surface”, the number of entry points into an enterprise (or into multiple, linked enterprises). It is also a matter of the interconnectedness of the IoT, where problems in a physical security system can affect the OT systems or the IT systems. It also means, for example, that we have to rethink the ideas of identity and access management, since we’re now going to have uniquely addressable devices and uniquely addressable humans, and complex relationships between humans and devices, and between devices and other devices. I think you’re starting to get the picture.
Perhaps it’s time to consider whether our current bias toward the terms “information security” and “IT security” should remain. Perhaps we should consider a new term at the top of the security “pyramid” for many enterprises. By saying this, I am NOT lessening the importance of information in the new architecture of security; quite the contrary. What objects in the IoT have in common with traditional IT is their hunger for information. The devices of the IoT use that information to (among other things) literally change the state of the environment the device is in, whether that means raising temperatures in homes, shutting valves at water companies, or closing relays in an electric grid. But they still need reliable, accurate information to do so. Information is the currency of this new type of security. The ‘consumers’ of that information, and the outcomes of decisions made with that information, now expand a thousandfold.
So what adjective will we give “security” now in our enterprise? Will we continue to call our approach “information security” but with a broader definition set beneath it (and all of the changes to security risk, governance and management that may entail), or do we use something else? Gartner has a reputation for creating phrases that are used from time to time in the markets and with our clients. Perhaps it’s time we recommend another one. The issue isn’t the term, however. The issue is what enterprises must do to accommodate this new, combined way of looking at security, and the impact it will have on policy and practice. It just might give the idea of BYOD a whole new meaning. It will certainly change the calculus of risk. It’s very likely to change your plans for threat intelligence and incident management. It will change the way we secure our relationships with suppliers and partners. In any event, welcome to the new world of the unified security practice. Buckle your seat belts.