Building Secure Connected Devices
|Publisher||VDC Research Group, Inc.||Product code||301563|
|Publication date||Page information||English, 19 pages; 30 exhibits
This report discusses and analyzes best practices to design and build secure connected embedded devices. Market analyses and critical considerations will be offered across technology types, product categories, and industry sectors. The report integrates selected findings from VDC's recent security survey of OEM embedded device engineers.
Embedded device connectivity is at the core of the Internet of Things, and security risks come along with the territory. OEMs must integrate security procedures, such as code analysis and penetration testing, in their product development processes, and they must add security features to their products. Nearly every aspect of an embedded device can be protected by one or more security solutions, but no individual solution should be considered impenetrable. And the need for security increases time-to-market and engineering costs, although most OEMs are able to compensate by increasing their prices.
[Data available in full report]
Several years ago, device functionality was enough to sell embedded products in most vertical markets. Of course there were exceptions, such as critical infrastructure, aviation, and military, for which security was always of importance. But today's environment has evolved on two fronts. First, end users across nearly all verticals are demanding Internet connectivity to access and control devices as well as to aggregate and analyze data. Second, the magnitude of security threats has exploded, driven by hackers of both the troublemaker and money-seeker varieties, and fueled by the increasingly complex nature of systems that are ever more challenging to protect.
Prospective buyers of embedded devices and systems are now demanding security, without which salespeople for OEMs might not even be able to get a foot in the door. The more sophisticated buyers are asking detailed technical questions about security that often require multiple rounds of engineering-level responses. In some markets, such as industrial automation, OEMs face a barrage of security questions from both IT and operations departments, making OEMs' security tasks doubly difficult. And in markets involving sensitive personal or financial data, such as medicine and banking, government regulations mandate new levels of device security that may change periodically, requiring security modifications to existing systems.
Engineers at many OEMs are confronting these security challenges for the first time, either proactively in planning for new products or reactively in response to breaches that have occurred in their products. Without having security experts on staff, they may not know how to address security concerns. Due to cost pressures, they may opt to roll their own security solutions at the risk of either reinventing the wheel or missing important vulnerabilities. Even OEMs who have successfully handled device security in the past may be faced by new threats and vulnerabilities introduced through cloud-based data storage and device control. Embedded devices are no longer standalone entities; they are elements of systems, the security of which may only be partially under the control of the device maker.
No device connected to the public Internet should be considered impenetrable, simply because impenetrability is impossible to prove. The best one can hope for is proof that no currently known method has yet penetrated the device in a publicly disclosed manner. (The device may in fact be impenetrable, but device makers set themselves up for potential breaches and greater damage from breaches if they assume impenetrability.)
As we noted in a prior VDC View document entitled “Secure Hardening of Embedded Devices,” OEMs are advised to apply multiple levels of security to their connected devices under the assumption that device perimeters may be virtually penetrated. In this report, we examine how OEMs actually go about securing their embedded devices in the context of connected systems.
In March and April 2014, VDC Research conducted a survey of engineers at embedded device OEMs. (Note: the respondents to this particular survey were highly qualified engineers, so their responses may reflect higher usage rates of certain product technologies and development tools compared to the overall population of engineers.)
As shown in Exhibit 1, XX% of survey respondents said their companies make at least some products that include connectivity features. While this does not imply that XX% of all embedded products are connected, it does imply that nearly all product makers face security issues associated with connectivity.
Exhibit 1: Nearly all OEMs surveyed now making some connected products
Of course, not all connectivity is intended for the Internet, as shown in Exhibit 2. Local area networking is still the most common type of connectivity. This is particularly the case in vertical markets such as industrial automation, where the perceived security risks of Internet connectivity may outweigh the current benefits. Nevertheless, in our survey, more than half the respondents developed products designed to handle some form of Internet- or cloud-based activities, and VDC expects that portion to continue to increase considerably in the coming years.
Exhibit 2: Local area network functions still more prevalent than Internet or cloud
VDC Research's i2: ideas & insights reports provide clients with deep insights into product, market, channel, and competitive strategies and tactics. Using deep and rich datasets based on extensive primary research, the i2 reports provide clients with the insights they need to make strategic decisions for their business about the markets they are in and the markets they want to be in. Coverage includes a combination of market sizing, segmentation, forecasting, end-user requirements analysis, competitive analysis, and more.