Designing Security For The Internet of Things
The Internet was designed in the 1960s to allow the incompatible data networks and
computing systems of the time to share information—to “talk to each other”. The
Internet is literally a “network of networks.” As we know it today, the public Internet is a
worldwide embodiment of those original data communications protocols—which are,
by design, extremely simple. The original designers made very few assumptions about
the data being sent and about the devices connecting to the network to send and receive
data.
It is this extensible, technology-neutral basis of the Internet that has allowed it to scale so
dramatically and gracefully since its inception, with minimal central administration. The
massive volume of data-points coming from the growing number and diversity of smart
devices presents an unprecedented information management challenge. So too does the
evolution of IP devices to network platforms capable of delivering and consuming IP
applications and services. That data will require scrubbing, filtering, compression,
warehousing, analysis, reporting, and perhaps more importantly, securing. The astronomical
growth of connected devices that continues today and is predicted well into the future
pushes the bounds of what the designers of the Internet had in mind.
info@harborresearch.com
Securing The Future - White Paper
Designing Security For The Internet of Things
The growth of devices on the Internet today is chiefly occurring in two distinct ways.
The first is that previously separate networks – such as video, voice, cellular, etc. – are all
migrating toward shared IP. As opposed to organic growth of devices on the periphery,
this trend requires the Internet to absorb wholesale transitions of full-scale networks
into its existing framework.
At the same time, new classes of devices are becoming network enabled. The types of
devices being connected today extend far beyond the laptops and cell phones we have
become so accustomed to. Any manufactured object has the potential to be networked.
Today, virtually all products that use electricity - from toys and coffee makers to cars
and medical diagnostic machines - possess inherent data processing capability.
It thus follows that virtually all electronic and electro-mechanical products are being
designed with more and more capabilities. The fact that many common devices have the
capability to automatically transmit information about status, performance and usage and
can interact with people and other devices anywhere in real time points to the increasing
complexity of these devices. For example, today the average mobile phone contains just
over 2 million lines of code; this is expected to rise to 10 million by 2010. An automobile
on average has 35 million lines of code; this is predicted to grow to over 100 million by 2010.
Device Growth Statistics
There are approximately 2.8 billion mobile phones in use today, with […] million new ones added daily - Projected to reach […] billion users by […]
It is estimated that in […] years the global network will need to accommodate one trillion devices, most of which will be wireless devices.
M2M communications are projected to surpass human-to-human communications between […] and […]
[…] billion RFID chips forecast to be sold in […], up from […] billion in […]
Vehicular M2M market is […] billion, expected to grow at […] annually
Objects that operate completely independent of human interaction are being networked
as part of the growing trend in M2M (machine-to-machine) communication. Security
cameras transmitting digital video, electric meters sending regular usage readings, even
simple sensors and circuit breakers are being IP-enabled so they can talk to us and to
each other.
This phenomenon is not just about the dichotomy between people communicating with
people or machines communicating with machines: it also includes people communicating
with machines (e.g. a networked ATM), and machines communicating with people
(e.g. automated stock ticker alerts on your PDA). The Internet’s most profound potential
lies in its ability to connect billions upon billions of smart sensors, devices, and ordinary
products into a global “digital nervous system” that will allow every business the ability
to achieve undreamed-of efficiency, optimization, and profitability. However, the nature
and behavior of a truly distributed global information system are concerns that have yet
to take center stage - not only in business communities, but in most technology
communities, too.
Some basic design principles must be put in place to guide the growth of this vast,
distributed technological organism. It demands that we design not only devices and networks
but also information interaction in ways not addressed by current IT. The reader may
ask, don’t we already have a vast public information space called the World Wide Web?
Didn’t the Web completely revolutionize human communication? And isn’t the Web
working and scaling quite handsomely?
Almost everyone will answer with a resounding “Yes!” But consider this analogy from
Buckminster Fuller: Suppose you are traveling on an ocean liner that suddenly begins to
sink. If you rip the lid off the grand piano in the ballroom, throw it overboard, and jump
on it, the floating piano lid may well save your life. But if, under normal circumstances,
you set about to design the best possible life preserver, are you going to come up with the
lid of a grand piano?
The growing scale of interactions between devices with more and more features and the
antiquated client/server architecture of the web is like that piano lid. In a period of great
change and tumult, it worked—in the sense that it kept us afloat. But that does not make
it the best possible design, or qualify it to be something that we should plan to live with
forever.
Yet, in the course of one mere decade, the world has become so dependent upon the Web
that most people, inside IT and out, cannot bring themselves to think about it with any
critical detachment. Even high-tech business people use the terms “the Web” and “the
Internet” interchangeably without giving it a thought.
But the Web is not the Internet. The Internet itself is a simple, elegant, extensible, scalable,
technology-neutral networking system that will do exactly what it was designed to do for
the indefinite future. The same cannot be said of the Web, which is essentially an
application running on top of the Internet. It is hardly the only possible Internet application, nor is
it the most profound one conceivable.
The Achilles heel in this story does not originate in browser software, or markup
languages or other superficial aspects that most users touch directly. Those inventions are
not necessarily ideal, but they are useful enough for today, and they can be replaced over
time with better alternatives.
Rather, the growing bottleneck lies in the relationship and interactions between ever
more complex devices and the antiquated client/server architecture of the web. With
memory and processor capabilities getting cheaper by the day, product designers are
embedding feature upon feature into their designs. What may finally bring Moore’s law to
its knees is the sheer complexity of software driving infinite interactions.
The growing disparity of devices on networks is diluting the ability of technicians to
effectively manage them. It is extremely difficult to keep up with the unique requirements
of each new device and all its advanced features. Increasingly what is needed is a means
of creating an abstraction layer that unifies common tasks and manages the complexity
of implementation down to the device. Customers expect networked devices to be
functional, ubiquitous, and easy-to-use. Within this construct, however, the first two
expectations run counter to the third. In order to achieve all three, the network must be
loaded with intelligence.
When telephones first came into existence, all calls were routed through switchboards
and had to be connected by a live operator. It was long ago forecast that if telephone
traffic continued to grow in this way, soon everybody in the world would have to be a
switchboard operator. Of course that has not happened, because automation was built
into the network to handle common tasks like connecting calls.
THE INTERNET OF THINGS: HOW MANY THINGS & WHERE ARE THE THINGS?
Intelligent device networking is a global and economic phenomenon of unprecedented
proportions. It will radically transform customer service, resource allocation and
productivity.
Global Device Networking Market Growth is Exponential
Harbor Research expects that by 2010 there could be anywhere from 500 million to
over one billion devices communicating continuously. These devices will drive new
networked applications and services such as status monitoring, usage tracking, consumable
replenishing, automated repairing, and new modes of entertainment whose value
together could reach beyond $500 billion in value-added revenues from services. These
new services are based upon the convergence of networks, embedded computing, control,
and content.
A casual but informed observer may say that is preposterous, particularly considering
some of the fluffy prognostications from the ‘e’ era. Well, consider that depending on
your definition of a sensor, there are already more sensors on earth than people. To the
well informed, the potential scale of device connectivity and value added network services
is less a question about whether it will happen and more often a question about when.
Soon, any device that is not networked will rapidly decrease in value, creating even greater
pressure to be online. Devices will blend into every venue and vast opportunities will
arise for companies delivering, managing and responding to the rich media and data
being generated.
Any ‘Thing’ On A Network Can Communicate With Other ‘Things’ Across Global Venues
This is not an isolated phenomenon by any means. No matter what means are used to
segment markets, growing device networks have applications in every venue across the
global economy.
Anything that operates over IP – cell phones, computers, VoIP phones, car navigation
systems – is capable of intercommunicating with other IP devices. This is relatively easy
to conceive of in the familiar contexts of consumer and business devices like these, but
the chart helps illustrate some of the devices being connected in other less familiar areas.
Sophisticated, expensive devices are among the first to get connected, so that they may
be closely monitored and report information about their status. Windmills, pipelines,
construction equipment, oil rigs, harvesters, mass spectrometers, and mass production
equipment – any piece of high-value capital built within the past twenty years has some
kind of embedded electronics, and the newer it is the greater the intelligence.
Even in developing areas, new networking technologies are keeping up with and even
outpacing growth here in North America. They have “late-mover advantage,” which
allows them to design infrastructures with new requirements and capabilities in mind.
Developing regions tend to skip steps that seem standard in first-world countries.
For example, many developing countries use cell phones as their dominant means of
communication, as the wireless infrastructure is easier to set up than running telephone lines
to every house. Consequently data communications must also operate predominantly
wirelessly, raising the importance of developing technologies like WiMax and cellular
broadband. Lacking many preconceived notions for how certain products and devices
have functioned in the past, these markets may well be among the most receptive to new
service-centric offerings from networked product manufacturers and their partners.
As Moore’s law persists and the price of embedding intelligence and connectivity into
devices continues to fall, networked devices push further and further into the mainstream.
This process is somewhat self-reinforcing as low prices are driven by high quantities, and
vice versa, making these devices increasingly prevalent in our lives and businesses. While
the growth is spread through all areas of our lives, it is concentrated on the same global
network. The immense growth that is just now beginning will continue to accelerate,
creating new strains on existing infrastructure and skill sets.
Each of these devices can benefit from connected services, and this is just the tip of the
iceberg. This phenomenon has far-reaching effects the likes of which have never before
been seen in business or our everyday lives. The Internet versions 1.0 and 2.0 had broad
implications on how people and businesses interact with computers and other new
information devices, but did not necessarily change every aspect of our lives. Device
Networking represents version 3.0 of the Internet, and it will be felt in everything that we
touch and do. No matter who you are, what industry, or what job function, this tidal
wave of change will be inescapable.
THE STAKES ARE HIGH FOR BOTH INDIVIDUALS AND THE ENTERPRISE
Today’s enterprises are evolving at a pace unseen before in human or business history.
While they grow, they fall subject to an intriguing paradox: as they become ever more
connected, they also get more dispersed, and vice versa. Globalization and outsourcing,
penetration of broadband networking, and pressures to be financially lean have all
contributed to the trend of distributing organizational resources. Whether it is managing
a work-from-home sales force, or teleconferencing with clients on a different continent,
organizations are relying on networks to keep them connected as they grow ever more
diffuse.
As their prey evolves, so do the predators, so as enterprises improve and expand their
networks, hackers are constantly developing new tools for breaking into them. Not only
does this growth mean more endpoints for organizations to secure, but even devices
thought to be protected are increasingly susceptible to attack. A skilled hacker can easily
circumvent security measures that are old, weak, or not properly configured.
Corporations invest millions of dollars on physical perimeter security for their offices,
but what is the point if the information flowing constantly to and from the building is
not secure? With the increasing use of streaming media over IP networks, like
Teleconferencing and VoIP, more and more valuable and potentially sensitive information is
being transmitted, often unprotected. Yet with these real-time communication services,
latency is misguidedly the main concern, not security. For fear that security measures
will slow down transmissions, many are not secured properly, if at all. Effectively securing
these devices requires a solution that is highly optimized and can operate efficiently
without introducing latency and disruption to the communications process.
While corporations face security concerns over ever-growing corporate networks, similarly
individuals must deal with concerns over their increasing vulnerabilities. Conveniences
like wireless credit cards, cell-phone payments, online banking and more, leave
us increasingly exposed to information interception and identity theft. Whether for
home or for enterprise, no matter what type of business, security is a common concern,
and one that will be discussed in detail later in this paper.
Consider the implications of pervasive networked devices not just on the user experience
but on the organization of businesses aligned to deliver value to these users. The
“value chain” for a non-networked device has remained relatively consistent for hundreds
of years. From raw materials to components to finished products, the obligations
of the manufacturer and their relationship with their customer essentially began and
ended at the point of sale.
Most businesses have been built around this product-centric paradigm – it is ingrained
in their culture and organizational structure to focus all of their efforts on selling a
physical product. But now device connectivity is changing the entire structure of value
delivery, threatening long-standing business models, and forcing all companies to consider
how to participate in service delivery and building ongoing relationships with their
customers.
New capabilities will bend the traditional linear value chain into a loop of complex
interdependencies that will demand new thinking and will require new alliances with the
many new participants in the chain.
Businesses that create the best ecosystem of alliance partners - from complementary device
manufacturers to third party application software providers – will be the most successful.
Device manufacturers, network service providers, new software and value added
services players will all combine to create significant business and customer service value
or devolve into an environment of strange “bedfellows.”
Even if a device manufacturer decided that it did not want to build an ecosystem and
instead wanted to vertically integrate and own all aspects of device networking for a
particular class of devices, it must still embrace the concept of value added services and
recognize that it is the combination of hardware, software and value added online services
that define the ultimate value to end customers. You need look no further than
Apple’s iPod device and iTunes service for a present day example. In a very short period
of time, Apple has rocketed to become the third largest music retailer in the world, while
also creating a billion dollar revenue device business -- all with a device that connects to
a networked service.
Now with the introduction of the iPhone, Apple is entering a market that many would
consider saturated: the cell phone market, whose structure is the definition of linking devices
and services. Not only must a cell phone plan match the capabilities of the device,
often the ongoing service fee is used to offset the upfront cost of the device. In Apple’s
case, they feel they can be successful here both for the revolutionary capabilities of their
device, and for the range of new services it will allow. For the first time the iPhone allows
uncompromised access to web content from a cell phone. While not fully open, the
iPhone will allow third party developers to write web-based applications for the device.
This is sure to cause significant disruption to the market, as a broad range of new participants
start gravitating towards delivering new functions and services to cell phones, all of
which will deliver enhanced value to users of the devices. Taken to the extreme, this all
has the potential to redefine the definition of a cell phone.
Expanding Constituents In The Networked Value Chain Create New Value & New Risks
With all of this cooperation and collaboration, not just around cell phones but all
networked devices, it is a foregone conclusion that the device networking community must
agree upon universally accepted, open communication standards. While historically,
proprietary protocols have dominated in some arenas, the pervasive nature of IP is
eroding these proprietary boundaries. IP will over time be the dominant transport for
device networking.
As revolutionary and far-reaching as the device-networking paradigm shift is, this does
not change everything, and the eternal truths remain eternal. When you open yourself
to relationships, and connect to other people or devices, you can get hurt. And the
greatest opportunities usually involve the greatest risk. The real-world risks of open
technology and asset connectedness include possible breaches of secure systems that can
have catastrophic impact.
WAITING FOR THE WAKE UP CALL YOU HOPE WILL NEVER COME
Despite a growing awareness of the presence of connected devices and their importance
as a phenomenon, there is quite little understanding within most device manufacturers,
service providers and enterprises as to how best to secure them and the services they
enable. Device security is usually handled on an ad-hoc basis surrounding a device or
network specific project. Rarely are there horizontal, organization-wide security solutions
from which a device manufacturer and device network might benefit. Instead,
security design and implementation decisions occur deep within organizations. Oftentimes,
individual developers are left to port software designed originally for PC and
server security to their burgeoning devices and device networks. Besides being labor-intensive,
this is not a scalable solution, nor does it provide adequate functionality or an
acceptable level of protection.
Many companies today have let their connectivity outpace their security. The focus
of most companies’ security efforts is on devices with which humans interact directly.
They fail to realize that each newly connected device represents another potential point
of weakness through which hackers can gain unauthorized access to sensitive information.
These customers must demand more complete security from their device manufacturers.
Often, device manufacturers will do the bare minimum, claiming security
support that is in reality very narrow and only provides protection along a very limited
dimension. The practical consequences of the resulting under-investment and trivialization
of security can be devastating.
Recently the major retail chain, TJX Co., operator of such stores as TJ Maxx, Marshall’s,
and Bob’s, incurred a security breach that reportedly resulted in the exposure of at least
45.7 million customers’ debit and credit card information. Reportedly, hackers accessed
the network wirelessly while parked outside using a laptop. As a consequence the company
is facing backlash and lawsuits that, according to some estimates, have potential to
cost nearly $1 billion, and may jeopardize the entire company itself.
According to some reports, nearly 98 percent of laws that include personal information
have an express encryption standard written into the definition. They define personal
information under the law as data being unencrypted or they use a harm standard stating
that if there is encryption there is no probability of identity theft or harm to the victim.
It started with house bill 1386 in California, approximately five years ago. Now 35
states have similar laws and there are provisions as well for financial institutions, which
are federally administered. In those industries where the level of connectedness and the
value of the data are both high, such as financial services, the costs of security breaches
have proven to be so substantial, that many of these enterprises are already carrying “data
breach insurance.” These same dynamics will absolutely play out in device networking,
perhaps even to a greater degree. While the example above illustrates the huge potential
for financial liability associated with security breaches, device networking has potential
to take this one step further. A device network security breach can have devastating real
world, life and death consequences.
The problem with securing today’s device networks is one of human nature – one of
motivation and incentives. Investing in security is sometimes viewed as buying insurance,
and unfortunately many companies do not face up to the risk until after they’ve already
experienced the impact. Just as airport security increased after 9/11, or a household will
finally invest in an alarm system after a break-in, it often takes some kind of “wake-up
call” to get motivated to upgrade device network security.
Further, corporate structures, and the segregation of expertise therein, means that usually
the person in charge of investment decisions related to security is not the person with
the keenest understanding of the present risks and protection level. A technician who
calls for a security upgrade out of the blue is easily ignored. An engineering manager in a
device manufacturer is only concerned with satisfying minimally specified requirements,
regardless of how naïve those specified requirements are. In the absence of any problems,
managers are quick to assume that present measures are working adequately. Yet that
reasoning is inherently flawed and dangerous. By that logic, it could be claimed that this
white paper is coated in tiger-repellent. And because there aren’t currently any tigers
around to prove otherwise, we can assume the tiger-repellent is working. The days of
leaving well-enough alone have passed, and it is imperative now more than ever not
just to fix problems but to preempt them.
When evaluating any type of risk, there are two main considerations that must be
weighed. The first is the likelihood or chance that a particular undesired outcome
would occur. In the security context, this comes down to an assessment of a device or
network’s vulnerability or protection level. The second consideration is the size of the
impact that would occur if such a risk were to materialize. In the realm of security,
the potential consequence could be just a few hours of network downtime, or it could
be millions of dollars worth of credit fraud, or a device that is rendered inoperable
and must be returned to the manufacturer, all of which can cause irreparable damage
to the brand and customer confidence.
Both of these dimensions weigh into a person’s decision of how to approach risk
mitigation. As they relate to device networking, one must also realize that both risk
factors grow quickly with the size of the network that must be protected. A larger
network means more nodes and endpoints, and more potential points of weakness. It
also means more information that has a higher value being transmitted on the network
and consequently a greater impact if that network is compromised. As networks
grow, so too must the focus on security, and as they begin encompassing new types
of devices, that becomes increasingly difficult.
The net of this analysis is that a functional and elegantly simple security solution for
devices and device networks becomes the “silver bullet” of sorts – the catalyst that
will allow organizations to comfortably deploy large device networks while also allowing
them to operate safely. A catalyst like this may be all that is needed to spur
the enormous growth that has been forecast.
be a combination of resident software embedded in the devices, plus capabilities
delivered as applications across the network.
As this is describing the unique needs of an entirely new type of network, it stands to
reason that this solution does not fall within the specialties of any current mainstream
software companies. In fact, the Device Security Framework being described is best
viewed as an entirely new market category.
With the disjointed, patchwork security solutions presently in place and the lack of
general market understanding, particularly among larger software players, of what is
needed for device security, the field is wide-open for any viable solution. Nevertheless,
this solution must not be a stopgap measure. It must create a platform that is extensible
and will be able to solve tomorrow’s problems as well as today’s.
ENTER MOCANA
One company fully understands the needs of these networks and has begun creating a
solution that meets the needs described above. San Francisco based Mocana Corporation
has positioned itself as one of the lone players in this new market, and while they
could rest on their foresight and the advantage of being the first to recognize the needs
of this market, the company continues to develop its Device Security Framework so
that it meets the aforementioned requirements and more.
Mocana’s solution is fully RFC-compliant with FIPS validated cryptography algorithms,
meaning it will interoperate with all applicable standards. Mocana’s Device
Security Framework contains software that gets embedded into devices at the time of
manufacture, as well as capabilities delivered across the network, known as Network
Applications.
While philosophically a major supporter of open standards, Mocana realizes that many
companies build their devices on proprietary operating systems, using a wide variety
of chips. To scale across these disparate platforms, all components of Mocana’s Device
Security Framework leverage a common abstraction layer that has two integration axes,
one dealing with OS integration, and the other with CPU integration.
This approach provides maximum coverage of OS and CPU combinations and maximum
flexibility for device manufacturers and service providers to make OS and CPU
decisions independent of Mocana’s Device Security Framework.
Mocana’s Framework has another major benefit – it can meet the extremely diverse
needs of disparate wired and wireless operating environments. Some end devices, such
as those involving voice and video, require high performance. Other devices on the
periphery may have intense restraints on power consumption to prolong battery life.
Still others have constraints on memory and processing capabilities. Mocana’s solution
can meet the needs of all of these devices because it possesses three distinct qualities:
processing, providing a higher level of performance and scalability than
much of today’s mainstream software making it ideal for voice, video and
data applications.
3) The embedded software has a very small footprint, making it ideal for any IP
connected device – even resource constrained ones.
Understanding the value of Certificate-based security requires a brief description of the
procedure itself. If a theoretical entity, Alice, wants to receive secured communications over
a network, she uses her own unique algorithm to create both a Public Key and a Private
Key. While these two encryption devices are related, one cannot be used to determine
the other. As an analogy, if Alice wanted to receive a secure object in the mail from her
friend Bob, she might first send him an open padlock, the key to which she kept herself.
Bob could then use that lock to secure his message before sending it, knowing that only
Alice using her key can open it. In this analogy, the key Alice kept is her Private Key, and
the lock she sent out is her Public Key. Alice could make these open locks available for
anyone who wants to send her a message, knowing that the messages, once locked, will
only be readable by her.
While this structure seems secure, it creates another problem: how does Bob know for
sure that the lock he’s using to secure his message is actually Alice’s? In the digital realm
where Public Keys abound, it is even more conceivable that a malicious hacker could
publish a Public Key claiming it to be Alice’s, when in fact it is not. To solve this problem
Certificates are typically issued with expiration dates in the range of about one year, so
they do not need to be issued for each transaction; they can be re-used for a period of
time as long as the identification information of either party has not changed. While
certificate-based security is among the most effective methods for securing communications
on a network, it also leads to several accompanying tasks that are often labor intensive.
Traditionally, certificate management – including enrollment & renewal, revocation,
expiration, query, etc. – is a manual process. But with the size and growth of device
networks, manually managing these tasks does not scale. Built on the Simple Certificate
Enrollment Protocol (SCEP), an evolution of the protocol developed for traditional (non-
device-centric) networks by Verisign and Cisco Systems, Mocana’s Certificate
Management application allows for automation of these and other common tasks.
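The padlock problem and the expiry rule described above, as an added example that is not part of the original paper and is not Mocana's code: a certificate authority (CA) signs a binding of name, public key and expiry date, and Bob checks that signature and date before he encrypts. It uses textbook RSA without padding and a made-up certificate layout (not X.509); all names, keys and dates are constructed for illustration.

```python
# Toy illustration only: textbook RSA without padding and a made-up certificate
# layout (not X.509). All keys, names and dates below are constructed.
import hashlib
import json
from datetime import date

E = 65537
def make_key(p, q):
    """Build an RSA key pair from two primes: ((n, e), d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent
    return (n, E), d

def _digest(body, n):
    """Hash the certificate body to an integer smaller than the modulus."""
    blob = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def issue(subject, pub, not_after, ca_pub, ca_d):
    """CA binds a subject name to a public key until not_after."""
    body = {"subject": subject, "pub": list(pub), "not_after": not_after.isoformat()}
    return {"body": body, "sig": pow(_digest(body, ca_pub[0]), ca_d, ca_pub[0])}

def check(cert, expected_subject, ca_pub, today):
    """Bob's checks before he trusts the 'padlock' inside the certificate."""
    n, e = ca_pub
    if pow(cert["sig"], e, n) != _digest(cert["body"], n):
        return "bad signature"
    if cert["body"]["subject"] != expected_subject:
        return "wrong subject"
    if date.fromisoformat(cert["body"]["not_after"]) < today:
        return "expired"
    return "ok"

# Constructed keys from Mersenne primes (far too structured for real use).
CA_PUB, CA_D = make_key(2**521 - 1, 2**127 - 1)
ALICE_PUB, ALICE_D = make_key(2**107 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_D = make_key(2**61 - 1, 2**31 - 1)
alice_cert = issue("alice", ALICE_PUB, date(2025, 6, 30), CA_PUB, CA_D)
# Mallory cannot use the CA's private key, so she signs her own claim.
forged = issue("alice", MALLORY_PUB, date(2025, 6, 30), MALLORY_PUB, MALLORY_D)

def send_to_alice(cert, message, today):
    """Encrypt only if the certificate passes; otherwise refuse."""
    verdict = check(cert, "alice", CA_PUB, today)
    if verdict != "ok":
        return verdict, None
    n, e = cert["body"]["pub"]
    return verdict, pow(message, e, n)
```

The forged certificate carries the right name but fails the CA signature check, and the genuine one stops being accepted the day after its `not_after` date, which is why renewal has to be tracked for every device.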
Certificate-based security for networked devices completely shifts the paradigm of how
manufacturers and users may conceive of their devices. From an information perspective,
once a device and its identity are trusted, so too is any other information it might convey
about itself and its environment. This might range from location information, to usage
data, to information about or from other devices near it. Similarly, once a user’s identity
can be tied to a device in a secure fashion, user names and passwords become
unnecessary. The ability to incorporate and transmit this accompanying information opens the
door for the creation of a whole new class of services to end-users. In addition to basic
services required for device network operation, such as certificate management, a tidal
wave of yet inconceivable applications is just over the horizon.
This trend of linking devices with accompanying services has been in the marketplace for
some time now. Just consider the previously mentioned iPod and iTunes, TiVo service
and the TiVo box, RIM Blackberry handhelds with data service plans. These are all
examples of traditional product manufacturers that have distinguished themselves by
pairing their devices with high-value services. Harbor Research has been tracking this
market trend for several years, and while it has been gaining recognition, device-centric
services have not yet seen the explosive growth that has been predicted.
Now it is apparent that difficulties with security and identification of devices on a
network – and the secure scalability of those networks themselves – have thus far hampered
their growth, both in a literal sense and in the broader market. With the combination of
its technology and its relationship with device makers and chip manufacturers, Mocana
is in the unique position to remove this significant obstacle from the equation and spur
the growth of this burgeoning service industry. By doing this, Mocana has the potential
to capture enormous value for itself and its ecosystem. The success of the iPod created a
billion-dollar side industry for accessories, while keeping its network services proprietary.
In the near future, we will see an abundance of devices on open networks, allowing the
creation of an enormous new side industry – that of third party device-centric service
providers.
Mocana has a keen awareness of this potential, as demonstrated by their ongoing efforts
to build partnerships within the device networking community. Their support of open
standards shows that the company realizes that the real value of device networks will
only be revealed upon arrival of those pervasive device applications and services. While
security is most certainly a prerequisite to that, and a catalyst for much initial growth,
it will be the applications delivering tangible value to device users that will bring device
networking to the mainstream. The difficulty here is that these future device services
will not be uniform. While there are a large number of horizontal Network Applications,
each device type, each customer segment, each industry will demand its own end
customer facing device applications and services. The requirements are so far-reaching that
no single company could ever anticipate and meet everybody’s needs. Like the networks
themselves, the customer facing applications provided over them will be fragmented.
What Mocana does is provide the platform on which a whole new class of secure, identity
based, device and network independent applications and services can be built. Mocana is
getting the ball rolling by providing some initial necessary Network Applications. From
here they are open to partnering with third-party software developers wishing to build
these applications of the future.
MOCANA NOW
Despite the futuristic overtones to much of this analysis, it is most important to realize
that this device networking trend is happening right now. Nowhere is this exemplified
better than by the fact that Mocana has already built a substantial base of customers,
some of which are listed below, including several Fortune 500 companies, and many
others of equal significance in their functional areas.
By adopting Mocana’s software, or even incrementally exploring the option, all of these
companies are demonstrating to customers, investors, and the broader market that they
have a grasp on the coming wave of device networking. Not only do they understand the
phenomenon, but they are showing their commitment to securing the communication
of these devices, and to doing so in an open, extensible fashion that will allow them to
be active participants in the growing corporate communities providing smart products
and services.
But management, security, and identification are just the tip of the iceberg. These are
the absolutely necessary prerequisite functions that must be in place in order for our
Networked Society to begin to bloom. Once established, a wide range of new
applications will begin to be developed. Some will run behind the scenes, addressing emerging
bottlenecks around efficiency and scalability. Others will be more visible, delivering a
new level of personalized information to us and to our devices 24x7.
While most of this value will be created by a vast ecosystem of companies and
developers making their way into the realm of Device Networking, Mocana will continue to
develop and add to the Device Security Framework enabling it all. Whether by giving
us confidence through continuing to strengthen security, or by creating new uses for the
certainty of device identification, Mocana will continue to be a catalyst for development
of Device Networking, and a driving force behind one of the most disruptive yet
beneficial phenomena of ours or anyone’s lifetime.
CONTACT
Glen Allmendinger, President
Harbor Research, Inc.
gallmendinger@harborresearch.com