ANALYST REPORT
IoT SECURITY - perilous, porous, up-close and personal
IoT Security: perilous, porous, up-close and personal

The Internet of Things offers greater opportunities - but in interconnected environments, security risks increase exponentially

The IoT provides great efficiencies and opportunities, but in connecting myriad sensors, devices, applications, people and ecosystems, it also creates greater security and data privacy risks. Laura DiDio of Strategy Analytics forecasts that there will be 35 billion connected devices by 2022.
IoT Security/Data Privacy integration and interoperability with legacy and existing systems - exacerbated by the current dearth of standard APIs and protocols - also topped the list of technical challenges cited by respondents to Strategy Analytics' earlier IoT 2015 Deployment and Usage Trends Survey, which polled over 400 businesses worldwide in June 2015. IoT security concerns were called out by 40% of organisations as presenting the single biggest impediment to IoT deployment. One-third - 33% - of participants said integration and interoperability concerns offered a potential roadblock to their IoT projects. Security issues have not become any easier in the last six months. Indeed, they have become more complicated as IoT mainstream deployments have picked up. Both surveys found that the interconnection of IoT-enabled devices - including employer- and employee-owned BYOD mobile devices - has created more “moving parts.” This results in greater complexity and more things for already overburdened IT departments to manage from the
The Strategy Analytics 2016 IoT Security Threats and Trends Survey, which polled 600 global organisations in November 2015, found that corporate security and IT professionals are frustrated and feel hampered by the lack of both capital expenditure and operational expenditure budget for IoT security items, and by having to justify and beg management for security budgets and resources if they haven’t had a catastrophic incident. The corporate security IT administrators also feel powerless in the face of the Bring Your Own Device (BYOD) and mobility phenomena, which have given rise to new security issues. Additionally, survey respondents cited their growing concern that in IoT ecosystems the attack surface has increased exponentially and there are many more things to secure and track: sensors, devices, servers, applications, mobile devices and endpoints/perimeters (e.g. firewalls, gateways, switches, routers, etc.), with multiple vendors and service providers to deal with. The situation is further complicated by the lack of standards and the fact that existing protocols like Secure Sockets Layer (SSL) are, in some instances, inadequate to defend against the latest security threats.
IoT Now - December / January 2015/16
As Figure 1 indicates, the Strategy Analytics 2016 IoT Security Threats and Trends Survey found that 27% of the 600 respondents indicated that their organisations have experienced a security breach within the last 12 months, compared with 40 percent who indicated they had not been hacked.

Figure 1: Has your firm experienced an attempted or successful hack to its IoT applications, devices or network in the past 12 months? [Chart; response categories: No, Yes, Unsure, We have no way of knowing. Values shown: 6%, 40%, 27%, 27%.] Source: Strategy Analytics December 2015
Among the other Strategy Analytics 2016 IoT Security Threats and Trends Survey highlights:

• A 56% majority of survey participants indicated that end user carelessness represents the biggest security threat in IoT environments. That was followed by 42% who cited Malware, 32% who said Spyware and 29% who called out organised hackers.
• One in 10 or 11% of survey respondents said their firms had experienced a severe or moderate attack on their IoT environments that had resulted in data loss, data privacy breaches and disrupted network operations for hours or days.
• Seven out of 10 businesses spend only between 0% to 20% of their time securing their devices, applications and networks. By contrast, only a 7% minority of companies devote 50% or more of their time to security and data privacy.
• A 58% majority of survey respondents said they are strengthening their security in response to the rise in attacks by organised hackers as devices and applications are increasingly interconnected via IoT.
• Organisations have wildly divergent security budgets: 19% of survey participants said they spend US$1 million to over US$20 million on security annually, compared with 10% of respondents who spend less than US$100,000 each year and 19% who don’t have a separate security budget.
The IoT threat landscape in perspective

There’s no doubt that the connectivity of the IoT has created a target-rich environment for opportunistic hackers. Security vendor Gemalto, which published its Breach Level Index Report, found that 888 data breaches occurred in the first half of 2015, compromising 245.9 million records worldwide. “In IoT environments, everything is interconnected. Data breaches have reached epidemic proportions,” notes Laetitia Jay, Gemalto’s VP of M2M Solutions and Services. She adds that “vendors like Gemalto, OEM manufacturers and end users must respond to the threat by being more proactive and producing advanced identity and data protection solutions.”

There are many other statistics to back up Gemalto’s assertions. AT&T’s Operations Center, which also monitors IoT security risks, reported an astounding 458% increase in the number of IoT vulnerability scans during the first nine months of 2015. And a 2014 report titled “Net Losses: Estimating the Global Cost of Cybercrime” by the Center for Strategic and International Studies found that cybercrime is a US$445 billion global industry.

John Moor, director of the IoT Security Foundation, a nonprofit based in London, agrees with these assessments and says that security and data privacy issues will be exacerbated by IoT. The IoT Security Foundation is a new organisation founded in the fall of 2015; its mission is to promote Best Practice in IoT Security and heighten awareness. The foundation already has 40 founder members including British Telecom, Vodafone and Infinium among others. “IoT security is extremely challenging,” Moor says. “Because of the sheer size and enormous complexity of IoT, organisations are literally in the wild. Add to that the burden of mobile users who are using their own devices – BYOD really equates to Bring Your Own Disaster,” he notes.

No one argues the benefits that a connected IoT environment can deliver: economies and efficiencies of scale; faster more,
component/device level all the way to the edge or perimeter of the network. Additionally, many IT departments exert little control over their end users and organisations as a whole often lack cogent, compelling computer security policies and procedures governing BYOD, mobility and IoT usage.
At this early stage of development more emphasis and attention has been placed on innovation, without fully understanding the security and data privacy implications and risks in an IoT connected environment. Security cannot be practiced with 20-20 hindsight. It cannot be bolted in afterwards. It must be carefully considered. The IoT Security Foundation’s Moor concurs. “IoT Security must be embedded up front. Organisations need a solid foundation that incorporates the latest security mechanisms and best practices,” he says, adding “The ugly truth is you can put your best people on it, deploy all the best practices and it only takes one vulnerability to take down a network. So you always have to be prepared.”

In the IoT where everything is interconnected, the chain is only as strong as the proverbial weakest link. In order to defend against and prevent a successful data breach, the organisation, network and specific components, devices and applications must be secure by design; secure by default, secure in usage and secure at rest (where the data is stored). Secure in usage means the data must be secure during transmission as well. Mihai Voicu, chief security officer at Telit Communications PLC agrees, noting that organisations cannot consider IoT security from a singular perspective. “You need to determine and align your IoT security needs based on the importance of the application. The business need should determine the level of security,” he observes. “Clearly a corporation will want to devote more resources to their mission critical applications and services.”

Another consideration in IoT environments is that security is constantly changing and evolving. What is secure today may not be secure tomorrow. No one can afford to stand still or rest on their laurels. “Resilience is crucial,” Moor observes. “Organised crime/hackers look at this as a pure business case. So you make it more difficult and more expensive for them to do business and that can prove to be a very effective deterrent,” he says.
In all verticals, security and data privacy issues must be dealt with in advance of deployments. Additionally, neither security nor data privacy is static. Organisations are well advised to review and update their policies and procedures annually or on an as-needed basis to reflect changing market conditions. Additionally, businesses should actively engage all of their applicable vendors to discuss cyber-security and data privacy concerns in an IoT environment.

One of the most challenging conundrums facing corporations in their IoT environments is the confusion and complexity of dealing with multiple vendors and trying to decide which aspect and which part of their IoT infrastructure to safeguard first. Businesses should insist on having all vendors present during negotiations and make sure that cyber-security and data privacy, as well as a well-defined line of responsibility/accountability and governance Terms and Conditions, are explicit in the contract. The demand for data privacy will, in turn, give rise to yet another specialised IoT service: creating security and data privacy rules and contracts in advance of laws governing these areas.

To reiterate, strong security is absolutely essential in IoT environments and ecosystems, across all classes of users and spanning all vertical markets. But security is absolutely essential in highly regulated IoT market segments like automotive and healthcare, where non-compliance can be costly and deadly. “We need to put the time and resources into IoT security or we could very well be sleepwalking into disaster,” Moor warns.
IoT Automotive Security: driving blind?

It was the Hack heard around the world. This past July Fiat Chrysler issued a voluntary safety recall of 1.4 million vehicles in the United States after security researchers performed a live and chilling experiment that showed that one of its cars could be hacked with ease. The Fiat Chrysler hack emphasised the perilous and porous state of security in an IoT environment where myriad devices, applications and people are interconnected but far from safe. Disaster may be only a keystroke or a picosecond away. Specifically, the white hat hacker researchers, Charlie Miller and Chris Valasek, purposely exploited a known security flaw. The vulnerability enabled the security researchers to assume control of a Chrysler Jeep Cherokee via its Internet-connected entertainment system, which was connected to a mobile data network. A technology reporter was at the wheel of the
efficient access to a wide variety of resources via myriad device types; the ability to reduce and contain costs. However, the IoT consists of different types of systems. The different verticals e.g. smart homes, smart cities, connected cars, and smart buildings all require different connectivity approaches and different security mechanisms.
Chrysler issued a voluntary recall to update the software in affected vehicles and predictably issued a statement saying that hacking its vehicles was a criminal action. The issue spawned numerous articles, blogs and a copious amount of finger-pointing and public shaming. It’s now six months on and the furor over the Fiat Chrysler IoT automotive hack has yet to subside. This is in stark contrast to security breaches in other IoT verticals like the retail segment that occur with monotonous regularity and yet inspire little outward outrage or behavioral change by the consumer public.

The Fiat Chrysler connected car hack, though, is fundamentally different from most other IoT verticals. It struck a visceral chord, because the IoT connected car or automotive IoT segment, much like the healthcare arena, quite literally impacts everyone in a very personal way. Even if you don’t own a car or even drive, you’re likely to be a passenger in a car. And it’s not just an automobile. Other modes of transportation - buses, trains and planes - are equally vulnerable and have also been victims of similar hacks in recent years. It’s imperative that the automotive, aerospace and other transportation OEMs address this issue. By 2020, the IoT Foundation’s Moor estimates that “90% of new vehicles will be Internet-connected.”

“The automotive industry has been fixated on safety. But security and safety are not one and the same,” Moor says. “Hackers have the potential in IoT to access everything. That means the automakers have to re-architect everything.”

AT&T is a leader in the IoT market with 25 million connected devices as of September 2015. Of those 25 million devices, nearly 6 million are connected cars, according to Jason Porter, VP of AT&T Security Solutions. AT&T has relationships with eight of the world’s leading automakers and the company offers a full IoT security portfolio. “It takes a collaborative approach to solve IoT security; AT&T is continually working with manufacturers and partners to help improve the IoT security ecosystem,” Porter says. In order to avert hacks like the Fiat Chrysler situation, Porter says AT&T advises car manufacturers to separate entertainment systems in the car from the system that is managing the car’s core functions. “By separating the telematics from the entertainment system, it helps limit the volume of access points for the bad guys to access the car’s key functions,” Porter says. Furthermore, as connected car technology continues to develop, “our Foundries are researching and developing new innovative security solutions and a comprehensive threat analytics platform that will help us understand and protect against upcoming security threats,” Porter adds.

There’s no doubt that IoT heralds sweeping changes for the auto industry. Automakers will have to build security into their vehicles at every layer to safeguard against hacks, ranging from sensors and modules to single board computers (SBCs), body control modules (BCMs), silicon chips, protocols, APIs, applications, datacenter systems and cloud-based systems. Safeguarding the entire stack from bottom to top – physical layer to application and network layer to the cloud – with “defense in depth” and layered security is no mean feat. It will take a combined, collaborative effort that will be accomplished over years – not months. No one vendor will be able to do it all. Vendors from every sector – semiconductors, hardware devices, OEMs, software, application, database, internetworking, security, cloud providers, telecommunications, carriers, services providers, VARs and auto manufacturers – will all have a part to play.
The semiconductors will require hardware support for secure boot to prevent spoofing and tampering via OTA attack paths. Sensitive chips include BCMs and all MCUs that impact drivetrain, hydraulics, and any other part of the car that may
vehicle. The hackers remotely took control of the Cherokee’s various systems by turns: the air conditioning, windshield wipers, radio - and finally they cut the transmission and the brakes, causing the car to slow to a crawl and ultimately slide into a ditch. It’s a good thing this was just an experimental hack. Imagine if it were real.
Many of the traditional security vendors like Symantec are addressing the IoT automotive security market. Symantec markets its Embedded Automotive Security Analytics, which is designed to secure the entire vehicle bus, either from an SBC such as an IVI or head unit of any car still in design, or from the OBD-II port of cars already on the road. Symantec also offers a full range of IoT security technologies including Device Certificates, Code Signing, OTA Management, and Roots of Trust that can be utilised for automotive security. As IoT automotive security threats continue to proliferate, expect more vendors to flock to this field. A return to the horse and buggy is not an option.
IoT Security and data privacy in healthcare

Key drivers in the IoT healthcare sector include greater efficiencies, better patient outcomes, faster response times and predictive analytics, as hospitals, physicians and insurance companies can analyse and interpret the data. But it also makes IoT security and data privacy all the more imperative.

The healthcare vertical is arguably one of the hottest vertical markets in terms of both overall and IoT spending. Health care expenditures in the U.S. soared to US$3.08 trillion in 2014, up from US$2.919 trillion in 2013, according to statistics released by the U.S. Centers for Medicare and Medicaid Services. Additionally, U.S. healthcare officials estimate that hospitals, healthcare corporations, physicians’ offices and clinics will spend approximately US$288 billion over the next decade (2015 to 2025) upgrading and outfitting their networks with IoT-enabled smart health devices, applications and networks. In general, health care expenditures are expected to rise in 2015 to a record 18% of the U.S. gross domestic product (GDP), up from 17.7% in 2014 and 17.4% in 2013, according to the U.S. Centers for Medicare and Medicaid Services report.

The boom in healthcare IoT is worldwide. The World Health Organisation (WHO) estimated that the total global expenditure on healthcare was US$6.5 trillion in 2010 and projects that figure will reach US$10.2 trillion by 2020. Healthcare drivers include:

• Home care/Remote Patient Telemonitoring: remote telecommunications between patients, physicians, clinics and hospitals.
• Disease Prevention: IoT-based applications and services dedicated to disease prevention thanks to their inherent focus on cost savings and risk reduction – a move that is heartily supported by insurance providers.
• Big Data Analytics: for preventive and predictive analytics to enable physicians, hospitals and clinics to monitor and track changes in patient condition and even predict how the patient’s status may change over hours and days.
• Portals: Many hospitals and healthcare centers throughout Europe are seeking ways to synergise their multiple information systems such as cameras, sensors, databases and other data sources. Many European start-ups are deploying portals to integrate thousands of General Practitioners (GPs) and pharmacies in “patient-centric models that enable everything from remote consultations and monitoring to management of medications and tracking results.”

So it’s little wonder that IoT vendors view the healthcare segment as “just what the doctor ordered.” There is a two-pronged approach to IoT Health: the consumer segment, which is taking a bottom-up approach with pricey - at least for the time being - wearable devices like Fitbit, and the enterprise healthcare IoT segment, which is characterised by a top-down approach.
The addition of embedded analytics capabilities in IoT devices, networks and ecosystems provides organisations with a plethora of advantages and business benefits. For starters, it makes them immeasurably more competitive. Hospitals and healthcare corporations can utilise Big Data Analytics to predict how a seemingly healthy newborn might take a turn for the worse in 24 hours. News organisations and weather channels can use the technology for deeper dives into election coverage or predicting storm tracks. Organisations increasingly need immediate focused answers to their questions to extract business value and drive better decisions. In healthcare, for example, the move to Electronic Medical Records (EMR) can use predictive analytics to provide better quality, faster and more efficient patient care. Traditional, manual methods of analysing and parsing through
adversely impact safety mechanisms. The sensors and modules will require cryptographic and key management capabilities to authenticate data to prohibit hackers from tampering and taking control. This will not happen overnight or even in the next six to 12 months. But the automakers should address the most urgent and vulnerable items: the WiFi, cellular, wireless modules, the analytics, sensors and the actuators, as well as protecting the security of all datacenter and cloud-based systems.
Unfortunately, there is also a potential downside to IoT connectivity and Big Data Analytics. Data security breaches are proliferating as quickly as IoT connections and they are as hard to eradicate as the common cold. A 2014 report by the Ponemon Institute found that 94% of healthcare institutions experienced a data breach involving one or more records in the past two years. And on average it costs hospitals and healthcare organisations US$201 for each hacked data record.

Healthcare institutions worldwide are increasingly migrating to entirely automated healthcare systems characterised by Electronic Health Records and Personal Health Records (EHRs and PHRs), clinical data warehousing and advanced databases that are linked in IoT-interconnected ecosystems. To reiterate, these IoT systems offer the potential for greater operational efficiencies, faster response times, better patient outcomes, improved customer service and the ability to cut costs.

Healthcare organisations worldwide are overwhelmed with simultaneously attempting to stay abreast of various government regulations like HIPAA in the U.S. and the Data Protection Directive in the European Union, while deciding which new technologies to deploy, wrestling with budgetary constraints and working out how best to safeguard their IoT environments, from devices to BYOD to the edge/perimeter, against the constant onslaught of cyber-attacks. Most IT departments don’t possess the necessary in-house expertise to proactively address these issues. CIOs, CTOs and Chief Information Security Officers (CISOs) are rarely experts in healthcare compliance regulations.
Demand for IoT Data Privacy spawns tougher regulatory compliance and governance

Data privacy is the opposite side of the IoT security coin. The two issues are separate and distinct. Programs in the U.S. such as the Affordable Care Act, Medicare and Medicaid EHR Incentive Programs, Centers for Medicare and Medicaid Services and Health Insurance Portability and Accountability Act (HIPAA) have introduced a number of regulatory requirements that healthcare providers, insurers and benefit program managers must comply with to receive and process incentive payments and reimbursements. Each regulation requires complying organisations to adopt specific workflows and technology solutions to remain in good standing with the respective governing entities. Organisational compliance is a necessity to remain competitive in healthcare markets and avoid costly financial and criminal penalties and expensive litigation.

In the U.S. the Office for Civil Rights (OCR), the division of the U.S. Department of Health and Human Services that regulates HIPAA, can levy a maximum US$1.l5 million per violation. Common causes of violations include: unencrypted data, data stored on insecure devices, employee negligence and non-vetted business associates.

The Data Protection Directive is a European Union (EU) edict implemented in 1995. It regulates the processing of personal data within EU member states, including healthcare data. Each EU member state must transform the directive into internal law; the directive acts as the crucial component of EU privacy and human rights regulations. EU countries spend over €1 trillion annually providing nationalised healthcare for their citizens. A report by the European Healthcare Fraud and Corruption Network indicates that “€56 billion of these healthcare budgets are lost to fraud in Europe annually and €180 billion globally.”
hundreds of millions of lines of claims data can take a dedicated team of analysts weeks or months. And they may only produce annual or biannual reports. But, by deploying a Big Data predictive analytics solution, a risk management team can run a detailed report in 30 to 60 minutes; provide recommendations to superiors and take immediate action to rectify problems and improve patient care.
If a patient’s records are hacked and their data privacy compromised, the consequences can include identity theft, blackmail, fraud, hijacking of medical records and stealing prescriptions, to cite just a few examples. Data privacy breaches can result in dire consequences for the consumer/patients – who may spend months or years trying to recover. The hospital/healthcare and insurance providers also don’t escape unscathed; though they don’t merit much sympathy, they may face civil and criminal penalties and sometimes fines, as well as damage to their reputation, for failure to comply with security and data privacy regulations.

The growing requirement for data privacy is in turn fueling demand for yet another specialised IoT service: creating security and data privacy rules and contracts in advance of laws governing these areas. Vendors active in this space today include familiar chip, software OS and application vendors and traditional security firms such as: Bosch, Cryptography Research, Dell Secure Works, FireEye, Green Hills Software, IBM, Intel/Wind River, McAfee, Microsoft, NXP, QNX/RIM, Red Hat, RSA and Symantec. These larger vendors are also developing Security as Service platforms.

There are also myriad types of new, emerging IoT security solutions such as:

• Device security
• Application security
• Data security
• Endpoint or perimeter security
• Network security
• Cloud Security

The addressable IoT security market is also segmented on the basis of multiple solution types. They include:

• Analytics
• Authentication and tracking
• Data encryption
• Data loss protection (DLP)
• Identity and Access Management (IAM)
• Intrusion detection and prevention
• Device management
• Distributed Denial of Service (DDoS)
• Unified Threat Management (UTM)
• Vulnerability testing

There is also a thriving market for security services and many vendors are expanding their offerings to address the burgeoning IoT market. Among the security services offered:

• Traditional consulting
• Managed and hosted services
• Risk Assessment
• Security awareness training
• Threat Analysis
• Vulnerability Testing
Addressing cyber-security and data privacy issues in advance of launching corporate IoT projects will reduce the organisation’s monetary risk in the event of a data breach and mitigate the threat of litigation to a more acceptable level. This is a smart and necessary move from both a business, revenue and cost containment perspective.
IoT Data privacy solutions

Better safe than sorry. The best prescription for IoT data privacy is to take proactive measures to secure all patient records. This includes X-rays, medical images, documents, files etc. That means using multi-factor authentication and data encryption. Healthcare, hospitals, physicians’ offices, clinicians and insurance providers should deploy information lifecycle data protection packages to secure all their EHRs and PHRs as they transfer and transmit them across the IoT ecosystem. End-to-end security is a must. Organisations must be able to trust and authenticate all documents, deploying digital signature solutions to deliver in-network and out-of-network healthcare providers and ensure the validity of electronic files.

To reiterate, it’s essential to secure and encrypt all confidential patient data from the on-premises datacenters and the cloud to the endpoint and network perimeter. The data should be encrypted and secure in transmission and secure at rest. Organisations should also have persistent policy-based management and access rights that are on a “need to know” basis only. The physician needs to access the patient’s specific medical data, while the insurance provider only needs to know what’s necessary to authorise payment.
Conclusions and recommendations

IoT is a disruptive technology. IoT is complex and challenging. Although many aspects and components of IoT are in use today, IoT security and data privacy will demand that vendors, OEMs and end users step up their game with respect to security and data privacy. Once again, in a world where devices, applications and people are increasingly interconnected, the attack surface is potentially limitless. Organised hackers have become more proficient and the hacks more pernicious. Mobility and BYOD usage are on the rise and careless users constitute an even bigger threat than malware and organised hackers, according to Strategy Analytics’ latest survey data.
Not surprisingly, data privacy has immediate implications and consequences in the IoT healthcare vertical.
In specific IoT vertical segments like automotive and healthcare, the security hacks can be accomplished remotely and with stealth. The victims may never know it’s happened until it’s too late. “IoT is an expanding and an expansive universe; you only need one weak link,” observes the IoT Security Foundation’s Moor. “There are many people and organisations who are security conscious; but there are many for whom security is not an issue. Who owns IoT security? It’s a shared responsibility; we all need to do our part. You are only as good as your supply chain,” he adds.

IoT is here to stay. No one advocates disconnecting from the Internet. However, we must proceed with caution and adhere to best practices for IoT security and data privacy. Ask yourself: what have you got to lose? How much can you afford to risk? If you don’t defend your data and safeguard your privacy, who will?
Strategy Analytics is a market research and consulting firm that helps clients build defensible, distinctive strategies to win in complex technology markets, on a global and regional scale. Strategy Analytics has a unique combination of researchers, experts and analytics covering supply side and demand side market dynamics. We deliver accurate market data at a granular level that few companies can match. Our quality data is supported by the expert analysis and superior responsiveness that are vital to client decision making. Market coverage includes: wireless devices, automotive electronics, consumer electronics, enterprise, entertainment and media, defence systems, telecommunications infrastructure, pricing and services. Our focused M2M, IoT, Smart Home and Automotive teams are industry recognised sources of global market infrastructure, device, competitive landscape and value chain insights.
By Laura DiDio, Strategy Analytics director Enterprise IoT Research and Consulting

Laura DiDio, Strategy Analytics director of IoT and Analytics Enterprise Research and Consulting, is a highly visible technology industry analyst and consultant with over two decades’ experience in high technology. Prior to joining Strategy Analytics in Boston she was principal analyst at Information Technology Intelligence Consulting (ITIC). She also spent over six years as a Research Fellow at the Yankee Group and four years as a Director/Research Fellow at Giga Information Group. Ms. DiDio consults extensively with vendors and corporate enterprises worldwide. She also conducts independent and custom surveys on a variety of technology and business topics and does competitive analysis and market forecasts. She is a frequent speaker at industry trade shows and user conferences and is widely quoted in the general, business and trade press.
IoT Now - December / January 2015/16
COMPANY PROFILE
Company Summary
Telit Communications PLC, headquartered in London, UK, is a global provider of wireless Machine-to-Machine (M2M) and Internet of Things (IoT) technologies and value-added services. Telit has more than 5,000 customers worldwide. It supports its customers and advances its leadership position via its eight global Research and Development (R&D) centres. Telit’s IoT initiatives support a wide variety of vertical industries including: automotive, retail, smart energy, smart transportation and security and surveillance. Telit’s core values are: reliability, quality, customer support, ease of integration and investment protection. Telit has three technology pillars:
• Long-range cellular connection of devices to each other and the IoT
• Short-to-long range license-free wireless connection of devices to their peripherals, to each other and to long-range gateways
• Positional awareness for all connected devices
Telit recognises that security is an integral part of IoT. It aims to provide customers with end-to-end security. Telit integrates security into its connectivity modules and into its 2G, 3G, 4G and LTE platforms across all vertical markets.
Company Credentials
Telit has focused on security from both a product/solution standpoint as well as a strategic direction for the last decade, notes Mihai Voicu, Telit’s chief security officer, based in Boca Raton, Florida. “We have security at every level and layer of the stack and at every connection point: network security, application security, data security, platform security, edge security - it goes as high as the customer needs to protect their data and their assets,” Voicu explains. In IoT environments, where devices, applications and people are interconnected in vast ecosystems, the threat(s) increase exponentially. “Telit’s IoT security is pro-active and positioned for bi-directional communications. It actively works with customers to provide proactive maintenance – on premises and in the cloud. Telit protects and encrypts all data in transit and at rest. Telit security incorporates:
• Encryption
• Secure networking
• Session management
• Permissions
• Authentication
• Auditing
• Validation
Key Differentiators
End-to-end security; defense in depth and a focus on security features in the products as well as in the ongoing operational security. “We don’t rely on third parties. We control end-to-end security. This is crucial across all IoT verticals because they all require a different level of complexity,” Voicu says.
Competitive Pressures: Telit has a robust set of role-based access and authentication features. Its goal is to bring security “close to the source”. While many competitors are content to utilise existing security protocols, Telit is adding an extra layer of IoT security at the application layer. It is committed to delivering end-to-end, bi-directional security from module, to on-premises and cloud throughout the entire product lifecycle.
PREPARED BY TELIT COMMUNICATIONS PLC
COMPANY PROFILE
Company Summary
AT&T, headquartered in Dallas, Texas, is a highly respected global brand. In fiscal 2014, the company reported consolidated revenues of US$132.4 billion. AT&T has over 3.5 million business customers, including nearly all of the Fortune 1000 corporations. AT&T’s Enterprise Business brings its telecommunications expertise to bear in the Internet of Things (IoT) arena including connecting cars, machines and devices.
Company Credentials
AT&T is a leader in the IoT market with 25 million connected devices as of September 2015. Of those 25 million devices, nearly 6 million are connected cars, via relationships with nine of the world’s leading automakers. The company offers a full IoT security portfolio and this includes its AT&T Security Network Gateway (SNG) which delivers a suite of cloud-based security services from a single source. Components of the suite include:
• AT&T Network-Based Firewall Service
• AT&T Secure Email Gateway Service
• AT&T Web Security Service
• AT&T DDoS Defense
Key Differentiators
AT&T espouses a “Defense in Depth” approach to IoT Security. According to AT&T, businesses suffered nearly 43 million security incidents in 2014, a 43% increase over the prior year. AT&T’s mantra is “The status quo is not an option.” AT&T has eight Security Operations Centers which it staffs 24x7, 365 days a year. And it has visibility into over 100.4 petabytes of traffic crossing its network every day. “We have a unique vantage point into the threat landscape and how to help our customers stay ahead,” according to Jason Porter, VP of Security Solutions at AT&T. Furthermore, he adds, “AT&T’s leadership in SDN has enabled it to be a leader in virtualised security functions to match the scale of the ever-growing and fast-paced environment of the IoT. Transitioning security to a software-based service model enables faster deployment of security where it is needed, as well as the ability to scale the network based on data traffic needs. This allows us to extend security into the application layer, to help protect individual applications and data sets, customisable to the customer’s needs”. AT&T takes a multi-layered approach to safeguard IoT connected businesses. This includes:
• Protect Intellectual Property (IP)
• Sustain operations
• Secure sensitive information
Competitive Pressures: AT&T says it saw a 62% increase in DDoS attacks across its network in the last two years. “With an explosion of connected devices, there is an increasing need for security across the industry. All companies must work together to provide an IoT security experience throughout the entire product lifecycle,” Porter says.
COMPANY PROFILE
Company Summary
Gemalto, headquartered in North Holland, the Netherlands, is one of the most world-renowned and widely respected international digital security companies. Gemalto delivers a wide range of security solutions including software applications, managed services and devices including smart cards and tokens, and is the world’s largest manufacturer of SIM cards. The company had revenue of €2.5 billion in 2014. It is also a global brand, with 14,000 employees representing 116 nationalities, and operates in 46 countries worldwide. The company’s motto: “We help people to trust one another in an increasingly connected digital world.”
Company Credentials
Key Differentiators
As Laetitia Jay, Gemalto’s VP of M2M Solutions and Services says, “Security is at the heart of Gemalto’s business and raison d’etre”. Gemalto’s Breach Level Index Report found that 888 data breaches occurred in the first half of 2015, compromising 245.9 million records worldwide. “In IoT environments, everything is interconnected and in the Digital Age, people are increasingly mobile and they expect to be able to access their data anytime, irrespective of geographic location,” Jay says. At the same time, she notes, “data breaches have reached epidemic proportions, so we at Gemalto have to respond to the threat by being even more proactive and producing advanced identity and data protection solutions.”
Gemalto’s portfolio of data encryption solutions delivers multi-factor authentication and key management capabilities that extend protection and ownership across the lifecycle of sensitive data as it is created, accessed, shared, stored and moved. From the data centre to the cloud, enterprises can remain protected, compliant and in control, no matter where their business takes them, Jay says. Gemalto also recognises that organisations and their IT departments, particularly those in heavily regulated verticals like banking/finance, defense, government, healthcare, insurance, retail and transportation, are not always experts in compliance. Therefore, she says, Gemalto’s portfolio of compliance regulations and mandate solutions can take the administrative and cost burdens and guesswork off the corporation and ensure that they are compliant in their chosen fields via Gemalto’s layered approach, which is called the Compliance Infrastructure. This can save businesses huge sums in potential fines and penalties.
Gemalto has a full suite of identity and data protection solutions for enterprise security. They enable organisations to assume a data-centric approach to security and control access to the infrastructure and applications. Businesses can create the levels of trust and authentication that align to their business needs for their on-premise as well as public, private and hybrid cloud environments. Gemalto security solutions include:
• Identity and access management
• Data encryption
• Crypto management
• Cloud security
Competitive Pressures: “You can’t concentrate on any one point of the network in IoT to the exclusion of all else,” Jay says. “At Gemalto, we focus on best practices overall. Security is never static. It’s constantly evolving just to keep pace with the threats and the hackers.”