By 2019, 86% of organizations in Asia Pacific will have some form of IoT in place, according to “The Internet of Things: Today and Tomorrow,” research released by Aruba. While organizations adopt IoT to leverage the business benefits of enhanced efficiency and innovation across the enterprise, industrial, healthcare, retail and municipality sectors globally, the study warns that connecting thousands of things to existing business networks will open up new security challenges, which has resulted in security breaches for a large majority of organizations in the region.
The research also found that although 97% of the 1,150 respondents from Asia Pacific (Australia, China, India, Japan, Singapore, and South Korea) have an understanding of IoT, many are still unclear of the exact definition of IoT and what value it brings to their organizations.
So what does IoT really mean and how can enterprises take advantage of it? In an interview with Networks Asia, Partha Narasimhan, Aruba HPE’s Chief Technology Officer, talks about the objective of IoT, the value it offers, and the risks it brings.
Excerpts of the interview follow:
1. What is true IoT? How does IoT differ from m2m communication and machine learning?
The objective of IoT is to extract actionable data and contextual information like location from devices and systems for the purpose of meeting a company’s strategic goals. Machine-to-machine and control networks are tools through which data and context can be extracted, while machine learning is a tool for making sense of and applying these data and context. Working in concert, these tools help companies deliver more engaging services, boost profitability, and enhance productivity and safety.
2. How can enterprises take advantage of IoT? How would it fit into plans to digitally transform their business?
The first order of business in any IoT project is to identify the customer's strategic business goals. Those goals will then flow down into a series of specific objectives that deliver what Gartner calls “business moments” – transient, customer-related opportunities that can be dynamically exploited. A business moment is the point of convergence between the enterprise’s strategic goals and relevant IoT context and data that when properly exploited will positively change a customer’s behavior, attitude, and/or sentiment.
Many vendors position IoT as a way to connect every device in an enterprise to the Internet, which is self-serving because it requires customers to buy a lot of equipment, software, and services. The overarching objective of IoT is NOT to network every device in an enterprise, much less connect every device to the Internet. IoT devices should be considered vessels for context and data, and only relevant information – and devices – need to be connected and tapped. Digital transformation in the context of IoT involves generating, extracting, or finding relevant data and context, and through the IoT architecture using it to deliver successful business moments.
3. How should devices be categorized, named and organized? What form of communication should be allowed? How should it be secured? How will the devices be monitored and tracked? How should effectiveness be measured? What about maintenance?
Despite all of its benefits, IoT also brings new/unfamiliar cybersecurity risks:
- IoT solutions can change the state of a digital environment, in addition to generating data. This variability of state requires a new view of cybersecurity.
- IoT environments consist of mostly unattended endpoints, which create easily avoidable vulnerabilities for IT infrastructures.
- Machine-to-machine (M2M) authentication works for newer IoT devices but does not include legacy devices, creating trust gaps between devices and gateways.
CIOs need to mitigate IoT security risks using a blended approach that includes security methods taken from mobile, cloud, industrial control, automation and physical security. To do this, CIOs need to redefine device security strategy to address new types of vulnerabilities introduced by IoT infrastructures by including embedded trust, device identities/credentials and real-time visibility and control.
Following an adaptive trust paradigm in which no user or IoT device is trusted until proven otherwise, IT can take the following steps to better protect IoT infrastructure:
- Profile: Fingerprint/classify devices as they connect to the wired, wireless, or remote access networks to differentiate between device types and to detect impersonators. This must be supplemented with identity, context, and posture to deliver full protection.
- Identity: Device MAC addresses can be spoofed, so identity of headless devices needs to be supplemented with strong authentication protocols (like 802.1X) and contextual data such as location, time of day, day of week, and current security posture to provide more granular role-based access control.
- Posture: Device health check based on interactive interrogation of the device to determine known vulnerabilities, active ports, OS version, SNMP security, and OpenSSL vulnerabilities. Known good devices may be denied access if the posture is sub-standard. Posture needs to be routinely verified to ensure compliance.
4. Are there differences in the way data is collected, communicated and analysed for IoT?
Originally intended to describe an ecosystem of interconnected machines, the phrase “Internet of Things” is confusing because it's so non-specific. Companies have been deploying IoT solutions for years; they just never called them IoT. Medical telemetry, Wi-Fi asset tracking, bar code scanning, wireless video surveillance, and navigational wayfinding are all examples of IoT applications. Secure connectivity for IoT includes critical-control networks, Ethernet, Wi-Fi, VPN, and RF technologies like Bluetooth Low Energy (BLE). The implementations of some, like critical control, vary by vertical market, but the others are commonly used across almost all IoT applications.
5. If analytics needs to be done, should it be in the Cloud or Edge?
In latency-sensitive IoT deployments like manufacturing lines, data need to be collected and processed deterministically in real time. In other applications, like meter reading, data can be aggregated and forwarded in batches.
Real-time processing requirements vary, but the trend is to bring big data analytics applications to the edge of the IoT network. To do that, you need data center-grade compute and storage that is ruggedly packaged and with remotely accessible diagnostics. To meet compliance, governance, and/or privacy guidelines, the IoT data need to be isolated from the remote access connection with no backdoor. Additional security features should include a known trusted BIOS and a secure boot feature that prevents malware from corrupting the operating system or drivers.