連網型系統的安全管理

IoT環境的連網型系統比企業IT網路有暴露在更多攻擊媒介的可能性，再加上那個情形由於連接IoT的無數設備而有惡化的可能性。許多IT試驗指標&網路安全供應商，雖然提供對應IoT部分或全面的資安管理服務，但機乎沒有提供針對IoT設備及系統特別性方面服務的供應商。安全供應商將自家公司的管理安全解決方案改良為適合IoT的，再加上特別鎖定特定產業，可在IoT市場上得到收益化的機會。

本報告依據對OEM內建式設備工程師、系統廠商、IT管理者、企業幹部等的調查結果，提供連網型系統的安全管理所採用的產品及服務的相關調查、各技術類型/產品類型、產業部門、地區的成長機會分析、策略性課題以及主要趨勢、其他市場影響因素分析等彙整資料。

關於本報告

目錄

摘要整理

• 主要調查結果

安全和梅特卡夫定律

管理安全解決方案

• 表格1:IoT/雲端供應商的選擇中安全的重要性
• 表格2:在組織的連網型設備/系統一般利用的資安管理服務:受訪者的各類型
• 表格3:資安管理服務的政策&應用管理的利用
• 表格4:資安管理服務的系統威脅監視、支援的利用

管理安全供應商

• 表格5:資安管理服務供應商的選擇標準的重要性

見解、分析

This report contains an analysis of products and services used to manage the security of connected systems as well as an analysis of key strategic issues, trends, and other factors impacting the market for these solutions. Market analysis, critical considerations, and growth opportunities will be offered across the following dimensions: technology types/product categories, industry sectors, and geographic regions. The report integrates selected findings from VDC's recent connected systems survey of OEM embedded device engineers as well as systems integrators, IT administrators, and executives. (Full survey data is provided as a separate Excel spreadsheet.)

What questions are addressed ?

• What are the challenges associated with managing the various measures needed to secure connected devices?
• What business opportunities do managed security services open up for OEMs, systems integrators, and other parties?
• What are the unique managed security requirements for IoT devices?
• How does connectivity both hinder and help security efforts?

Executive Summary

Connected systems in the IoT are potentially open to many more attack vectors than are enterprise IT networks, which is exacerbated by the billions of devices being connected to the IoT. Although many IT endpoint and network security vendors offer managed security services that are partially or wholly applicable to the IoT, few vendors offer such services that focus on the unique aspects of IoT devices and systems. Security vendors have the opportunity to capitalize on the nascent IoT market by tailoring their solutions to managed security services for IoT, especially through focusing on vertical market solutions and through the addition of global threat intelligence. VDC recently conducted a survey of OEM engineers and IoT implementers to gauge the state of security for connected embedded systems, with selected findings presented.

[Data available in full report.]

Key Findings

• Security solutions for the IoT are often implemented by IT administrators or engineering services firms, rather than being integrated by OEMs into connected devices and systems.
• Use of reactive security event response is much more common than use of proactive threat intelligence for IoT systems.
• Security solutions for IoT-specific systems are rare today, and many customers must choose among solutions adapted from traditional enterprise IT security and/or enterprise mobility management.

Security Corollaries to Metcalfe's Law

The original version of Metcalfe's Law¹ stated, “The systemic value of compatibly communicating devices grows as the square of their number.” Metcalfe's Law predated by decades the Internet of Things, but as a device-centric theory rather than user-centric one, it is actually more applicable to the IoT than to the Internet of People. What Metcalfe presumably had not anticipated, however, were a couple of corollaries to the law that have since become evident:

• The potential attack vectors of a connected system grow exponentially with the number of devices; and
• The number, intensity, and sophistication of hackers seeking to exploit a connected system grow with its systemic value.

A massively connected system has far more vulnerabilities than an unconnected or a modestly connected system, and hackers' attempts to breach it rise exponentially as well. The combination of these two factors further increases security risk. In a prior VDC report entitled, “Risk Assessment for Connected Systems,” we expressed this conceptually with the equation:

Risk = Vulnerability x Threat

With the number of devices connected in the IoT reaching well into the billions, the risk is clearly large and growing larger. Nevertheless, the power of Metcalfe's Law can also be applied to measures that help secure the IoT, using these corollaries:

• The ability to secure a connected system grows with the number of devices actively monitored and managed for security; and
• The threat intelligence that can be gleaned from attacks grows with the volume and sophistication of the attacks that are discovered.

We don't know the extent to which the growth in these security factors might exponentially match the rising risk to keep pace in an arms race against hackers. It is wishful thinking to believe that in the near term, connected systems can be protected sufficiently enough that hackers lose interest due to poor return on their investment of time and resources. (While such a state of impenetrable security won't arise soon, we could envision a tipping point decades from now when most hackers move on to do other things with their lives.) In the meantime, the security situation is likely to get worse before it gets better.

¹ This is what Bob Metcalfe wrote on a presentation graph circa 1980, which has since been morphed into several popular variations.

The long-term viability of the IoT depends on substantial improvements in security. Arguably, adequate security measures already exist, but they are implemented inadequately and in an insufficient portion of connected devices and systems. OEMs and other interested parties often find them too time-consuming and too resource-intensive to implement, and users may consider them too cumbersome, although neither of those has to be the case. As hardware engineers and software developers gain experience in designing for the IoT, and as security offerings continue to improve in ways that hide some of their complexity from users, IoT security will improve.

In the preceding report of this series, “Securing Applications for Connected Systems,” we examined some of the ways that connectivity can enhance security of embedded applications. In this report, we look at solutions to centrally manage security of connected devices and systems.

Table of Contents

Inside this Report

• What questions are addressed?
• Who should read this report?

Contents

Executive Summary

• Key Findings

Security Corollaries to Metcalfe's Law

Managed Security Solutions

• Exhibit 1: Importance of security in selection of IoT/cloud vendors
• Exhibit 2: Managed Security Services typically used with organization's connected devices/systems, by respondent type
• Exhibit 3: Usage of policy and application controls in Managed Security Services
• Exhibit 4: Usage of system threat monitoring and response in Managed Security Services

Selection of Managed Security Vendors

• Exhibit 5: Importance of criteria for selecting managed security services vendors

Ideas & Insights