The Security Vulnerability You Can Prevent

John Gelsey
The Internet of Things is one of the world's fastest growing technologies. Unfortunately, it is also poised to become the fastest growing source of security vulnerabilities in the enterprise – but it doesn't have to be that way.

According to Gartner, there will be 4.9 billion IoT devices active in 2015, representing a 30 percent increase from 2014 – and that trend is set to continue as 25 billion connected objects are expected by 2020. IoT technology has taken root across countless business verticals – and according to PwC's 6th Annual Digital IQ Survey, 20 percent of companies are currently investing in IoT sensors, up from 17 percent in 2014.

IoT innovation has provided developers with the chance to tap into a new world of potential opportunities for improving everyday life through applications ranging from home, health, factories, finances and beyond. A new Business Insider Intelligence Report found that globally, cities' investments in IoT technologies will increase by $97 billion between 2015 and 2019.

However, the rapid pace at which IoT infrastructure and applications are evolving has placed both consumers and enterprises at risk. The infrastructure itself has become potentially vulnerable, as has the ever-growing amount of sensitive personal and enterprise data that it holds. That data and infrastructure must be protected. Without the proper identity security in place, enterprise and consumer data is vulnerable. In fact, HP recently reviewed 10 of the most commonly used connected devices in the HP Fortify on Demand Internet of Things State of the Union Study and found that 70 percent contained serious vulnerabilities.

The problem? Developers often accidentally take shortcuts with security, whether because they don't have adequate training to know their code is vulnerable, because they're trying to keep up with competitive pressure to ship, or through simple oversight. With terabytes of internet-accessible data and infrastructure, these security-weak IoT devices are vulnerable to attack because they don't implement a security architecture that starts with strong identity security.

Recently, PC gaming giant Valve saw millions of its Steam customer accounts hacked through a simple login implementation oversight that allowed hackers to access accounts that were not their own by simply clicking through the “forgot my password” prompts. Valve employs some of the best software developers in the world, but even the best developers are susceptible to simple mistakes. When these errors involve identity security, the results can be disastrous.

Generally, the problem of weak security isn't rooted in malice but rather in inertia. Security has traditionally been an afterthought for developers, viewed as a “tax” on the effort to build core business logic. Previously, when most applications ran behind a defended network perimeter, that wasn't unreasonable – if the application was inside the firewall, it was probably safe. Unfortunately, that's not true anymore.

Every enterprise, regardless of the sophistication of its security measures, must assume its internal IT infrastructure hosts at least some malware and was built with at least a few simple oversights that create vulnerabilities – as demonstrated by the headline-making breaches of even very sophisticated enterprises that we've seen almost weekly over the last few years. Today, every application, API and IoT device should assume that it's running in a hostile environment – even if it's inside the network perimeter – and should take appropriate steps to keep itself secure. A basic and easy-to-implement best practice to improve security is to implement strong identity security, as identity has become the new firewall.

The fact is, developers can't be expected to be experts across every subspecialty of the development chain. The rising tide of headline black-hat attacks is often the result of great software developers who make the mistake of trying to keep up part-time with a changing security environment while their opponents – the black hats – are focused full-time on trying to find a vulnerability.

IoT is bringing enormous benefits to all of us today – but headline IoT breaches would slow the pace of innovation in the industry and do a disservice to all of us. By simplifying identity within an enterprise through IdaaS, IoT developers can easily and with high confidence secure those areas that would have otherwise been most vulnerable.
