If IoT is ever going to work, networks will have to grant access to devices that we'd refuse outright today.

Patrick Hubbard, Head Geek & Director of Technical Product Marketing, SolarWinds

October 20, 2014

5 Min Read

You and your cruddy endpoints are dangerous, unwashed, and unwelcome on most enterprise networks.

Nothing personal. It's the model by which all networks, public and private, protect themselves and other trusted users. Your endpoint is a wretched hive of scum and villainy unless proven otherwise, and the current security model puts the onus (and some cost) on the connecting party to demonstrate trustworthiness.

While that approach has worked with varying degrees of success, there's a problem: It won't work for the Internet of Things.

If IoT is ever going to work, networks will need to grant access to devices that today we'd refuse outright. Imagine not 10 vendors, but 10,000 vendors, making inexpensive gizmos that arrive by the shipping container, with no monitoring hooks. They will be a legion of disposable agents with unknown agendas.

We're about to be forced to turn network security inside-out and actually compete to get IoT traffic, with wide open arms of connectivity.

Um, how about no
"Why would anyone be forced to do this?" you ask. Simple. We won't have a choice. The networks that power IoT won't be funded by subscription or by benevolent enterprise overloads that hand out IP addresses to the laptops and BYOD demands of today.

[IoT devices are at a consumer standstill today, but that will change. Read Survey: Consumers Don't Get IoT, But They Will.]

IoT networks will be funded by Marketing -- that's marketing with a capital "M" -- and big data analytics silos. At first this data will drive the standard targeted marketing and brand awareness campaigns. But in short order IoT connection providers will consolidate into user data-collection networks and resell this information into identity/behavior marketplaces.

Wherever marketplaces appear, they drive upstream production changes to achieve premium demand (and price) on that market. In the case of the IoT networks we'll be asked to build, that means two things: First, get as many devices connected as possible; and second, encourage them to explore their full range of services to create the biggest pile of the most mineable data possible.

More than becoming promiscuous about allowing non-vetted connections while holding our security noses, we will have to actually advertise and even incentivize for random devices to connect to our networks. This is the exact opposite strategy of today, where we fold our arms, say no to all comers, and then force each endpoint to satisfactorily demonstrate its worthiness to pass packets.

The challenge before us is nothing short of reinventing security.

Firewalls we haven't invented yet
No matter how amazing the opportunities may become, I can't imagine walking into a meeting with my CIO and attempting to pitch that idea, at least not an inside-out security model all the way to the data center. That means demarcation in the form of a firewall, but it's not going to be any sort of firewall we're configuring today.

The point where these two networks connect -- the "come hither" enablers of IoT and our current, manicured data center plumbing -- is going to be a bit like that creepy scene in Spielberg's A.I. Artificial Intelligence, where Gigolo Joe is explaining to a wide-eyed 10-year-old David what he does for a living. Neither had a clue what the other's world was really like, and fortunately neither David nor data center admins really need Joe's icky details.

However, the firewalls between these networks will need something entirely new, something that Software-Defined Networking only begins to offer: intelligence. Despite its 130-decibel hype, SDN as currently envisioned isn't much more than automation of existing configs. Sure, VMware's NSX offers magical fairy-packet tunneling and does at least move toward firewall decentralization. However, it's still only as clever as the admins and network programmers who feed SDN its policy rules.

To achieve the true potential of IoT, firewalls will have to get involved in probability.

When probably is good enough
The IoT firewalls of tomorrow will need to weigh security against opportunity outside the comfort zone of today's administrators. They'll need to understand the finance and legal departments' assessment and appetite for business risk, as well as the marketing department's ever-changing market-optimization rules. And if that seems anathema to admins, it should -- it's Business data with a capital "B," an area admins swerve to avoid wherever possible.

The very idea that the same people who use political influence to open firewall holes for cowboy processes are going to be injecting autonomously executing service policies gives me the willies. But at the same time, for IoT to reach its full potential, every single endpoint will have to earn a market citizen score on its packet behavior alone, and then we'll need to allow those endpoints that we expect to drive revenue to have more access.

There's a word for this: trust. It's not certificate trust, device trust, or logon authority trust. No, it's trust as understood by the credit industry. For example, will a bank trust you enough to approve a loan you might not repay?

If we can find a way to create intelligent, trust-based access, IoT will give companies a level of personalization and high-margin personalized services that will let them pull away from the online herd. Although in the short term, it may turn some network admins' stomachs inside out as well.

The Internet of Things demands reliable connectivity, but standards remain up in the air. Here's how to kick your IoT strategy into high gear. Get the new IoT Goes Mobile issue of InformationWeek Tech Digest today. (Free registration required.)

About the Author(s)

Patrick Hubbard

Head Geek & Director of Technical Product Marketing, SolarWinds

Patrick Hubbard is a head geek and director of technical product marketing at SolarWinds, an IT management software provider based in Austin, Texas. Hubbard, who joined SolarWinds in 2007, has more than 20 years of experience in product management and strategy, technical evangelism, sales engineering, and software development, at both Fortune 500 companies and startups spanning the high-tech, transportation, financial services, and telecom industries.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights