Weighing the value of pure-play IoT security vendors

Forrester: Pure-Play IoT Security Vendors’ Wares Fill Unique Needs

Forrester names four ‘breakout’ IoT security vendors that it says address problems unique to IoT environments, such as those with constrained and low-power hardware.

Written by Courtney Bjorlin
5th July 2017

To overcome challenges associated with securing IoT deployments, security professionals should look to pure-play IoT security vendors that provide unique capabilities for securing devices, including functionality that ensures protection without compromising device or user performance, according to a new Forrester Research report.

As such, Forrester named four “breakout vendors”—Centri, Device Authority, Mocana and Rubicon Labs—that it says can help security and risk professionals address complex IoT security issues, such as provisioning, device authentication and data integrity, in the unique, constrained hardware and power environments in which IoT deployments exist.

“It’s a very nascent market, but there’s a high level of demand,” said Merritt Maxim, senior analyst for Forrester Research. “IoT environments need security and will continue to experience breaches and other vulnerabilities.”

Researchers writing the “Breakout Vendors: Internet of Things Security” report chose the four IoT security vendors based on conversations with clients, as well as interviews and conversations with end users at major industry trade shows.

Security professionals are in a tight spot when it comes to ensuring IoT device security. IoT initiatives are increasingly led by the business, and oftentimes, security professionals, under pressure to get projects live, struggle to implement strong security controls, or leave certain functionality out of production deployments (including the ability for an end user to easily change a default password), according to the report.

The pressure for a short time-to-market is complicated by the fact that many IoT devices run on constrained hardware, with power/battery and storage limitations, which makes it challenging to carry out cryptographic functions in a way that doesn’t compromise device or user performance, according to the report. Various communication protocols to ensure interoperability make it hard to apply consistent security policy across devices and protocols. And the scale and scope of IoT deployments make it difficult to gain visibility into a single incident.

As such, these four “breakout” IoT security vendors can complement other security technologies to help secure IoT devices and minimize data breaches, according to the report.

The Centri Internet of Things Advanced Security (IoTA S) platform can help overcome the challenges of low power and low CPU utilization prevalent in industrial IoT (IIoT) use cases, according to the report. It uses patented, cache mapping technology and efficient algorithms for low CPU utilization.
The Device Authority KeyScaler platform provides secure IoT device provisioning, policy-based encryption, integrity checks and credential management, including automated password management, according to the report. The company is working with many IoT device manufacturers and cloud platforms such as AWS, Dell, Intel, MultiTech and PTC to embed the Device Authority libraries onto their devices.
Mocana’s IoT Security Platform, which is FIPS 140-2-validated, is used by IoT and industrial control systems (ICS) device manufacturers and cloud providers for secure device-to-cloud communication, according to the report. It is designed for IoT devices and ICS, enabling cryptographic controls for device authentication, nonrepudiation, secure data transport, secure data storage, secure boot and secure update, according to the report.
Rubicon Labs provides a CPU-independent identity and security platform for IoT based on symmetric key architecture, according to the report. Its platform uses a cloud service running at AWS and pairs it with a small-footprint software agent on the IoT device. It then provides zero- knowledge keys, which can be provisioned and revoked as needed, to control the identity of the IoT devices.

In planning IoT security strategies, security professionals should keep in mind that startups and specialty IoT vendors—including the “breakout vendors”—will likely be acquisition targets by larger security and enterprise software vendors. That said, security professionals shouldn’t take a wait-and-see approach to selecting vendors for IoT device security, according to Maxim.

“These technologies aren’t going to be mothballed and put out to pasture. These are technologies that have value longer term,” he said. “These products solve very specific problems, today.”