Gartner: Makers of things for Internet of Things undervalue security
"Some of the leading vendors that are developing products are making some effort to address security concerns, but Gartner believes the majority aren't at this stage -- convenience, user friendliness, time-to-market all win out over security at this point," says Earl Perkins, a research vice president at Gartner.
Makers of components for these devices often do address security, as evidenced by ARM's purchase this week of software security firm Offspark so that it can build TLS encryption directly into ARM's mbed operating system.
"Gartner views this acquisition as indicative of a general trend in the industry by companies previously concerned about chipsets and firmware now recognizing that software-defined security will play an increased role in their future sales," he says.
"More such purchases by such vendors will occur this year. While not at liberty to go into much detail regarding specific vendors due to the ongoing, early nature of their development, you already see this in prominent vendors such as Intel, who began this journey years ago and has completed several acquisitions to build out their portfolio for IoT application development and security."
But too often that doesn't carry over into the products those components go into. Because device builders might not be as security-conscious as component manufacturers, customers need to evaluate the security of the products they buy on their own, checking that they don't have weaknesses similar to those that plagued mainframe-to-client, client-to-web, web-to-mobile and cloud architectures in their formative stages, he says. "Raising the level of awareness among enterprise user and consumer alike so that they demand that IoT security not be a repeat of past performances," Perkins says.
HP studied consumer devices built for the IoT and concluded they lack important security measures. A study done last year looked at 10 of the most popular devices, and a second study, just released, looked at 10 of the newest home security systems; both found security lacking. HP didn't name the devices it looked at in either study.
The best advice HP could offer enterprise customers is to partition IoT devices from the rest of the network, so that if they are compromised the damage can be contained, and to turn on security features that might not be activated by default. These could include enforcing stronger passwords, locking accounts after a certain number of failed login attempts and requiring two-factor authentication, HP says.
This is of such a concern that HP sponsors a study group called the Internet of Things Top Ten within the Open Web Application Security Project (OWASP) to raise awareness about security issues customers should weigh when building, assessing and deploying IoT devices.
The group has formulated a list of the top 10 security problems facing IoT devices, and how to prevent them. The list of problems includes insecure Web interfaces, weak authentication, limited security configurability, buggy software and firmware, insecure cloud and mobile interfaces, and weak transport-layer security.
The need to shore up IoT gear will get increasingly urgent as a majority of businesses come to rely on it for profitability, according to a Gartner survey conducted last month. Of 463 Gartner business clients polled, 63% say that within five years the IoT will either transform their businesses entirely or enable significant new revenues or cost savings.
Manufacturing and retail businesses will be affected most by the IoT, with government, education, banking and insurance being least affected, Gartner says.
Perkins says component makers will address security of their products, makers of devices will have a different set of security concerns and providers that use these devices to deliver services will have yet another set of priorities. "As you move through the supply chain to the consumer or enterprise user, each will have their set of security requirements," he says. "I would like to think all of them know their role in delivering end-to-end cybersecurity, but alas, that is the exception rather than the rule."