“Billions and billions.” That’s the phrase that Carl Sagan is famous for uttering when he was talking about stars and galaxies.
How about IoT device forecasts? If you search for market statistics, you come up with the same “billions and billions”. Every major technology vendor, from Cisco to AT&T, has published their projection, as have the dedicated market research firms. But if you compare the forecasts, you see significant discrepancies.
What does it all mean? What kinds of devices are included in the various forecasts, and which are excluded? Toasters? Mobile phones? Do the numbers include enterprise devices like network printers? Network switches? IP video cameras?
More specifically—what is the forecast for IoT devices in the enterprise, and what kinds of devices should enterprise security teams care about?
Armis claims on our homepage that by the year 2021, 90% of devices in enterprise environments will not be manageable through traditional IT security tools such as agents. How strongly is that supported by actual market research?
So, I set out on a mission to get some data to answer these questions.
Any market research effort needs to start with a clear definition of what you are counting. The following is the most common definition of an IoT device:
Thanks to low-cost processors and wireless networks, it’s possible to turn anything, from a fidget spinner to a self-driving car, into an IoT device. In fact, within a complex device like a car, there might be multiple IoT devices talking to one another, to the cloud, or to the manufacturer.
For our purposes, we will focus on enterprise (not consumer) devices. So for this exercise, we will use the following definition, which neatly defines the “Enterprise of Things”:
The last point above is highly useful for this exercise. IT security vendors have been building agents to help secure and manage corporate-owned computers for many years, and enterprise IT managers have been buying and deploying these agents for many years. So that domain is well understood. There is no significant security gap—be it protection, monitoring, or management—associated with computers on which you can install agents. Therefore, we’re going to exclude any “agentable” devices from our Enterprise of Things statistics.
At Armis, we use the term “un-agentable” to refer to the entire set of devices that are the Enterprise of Things. These devices are typically invisible, unmonitored, unprotected, and vulnerable.
It’s useful to note that BYOD devices (smartphones, tablets, etc.) are usually un-agentable, so they fit into the above definition of the Enterprise of Things from the perspective of the enterprise security manager.
Rather than just look at the total number of un-agentable devices, it is useful to segment those devices into classes, and see how fast each class is growing. There are several ways that you could do it, but here is the method we’re using:
As I searched for the data, I discovered that forecasts for some categories of devices are readily available, but others are not. There are various reasons for this, but mostly it is due to how the market researchers count stuff. The types of devices that I could not find explicit data for were as follows:
Okay, here are the numbers.
The graph above shows a projection of the total installed base of Enterprise of Things devices in business environments, excluding BYOD devices and prosumer devices. So, this graph presents a very conservative number of the Enterprise of Things.
The total of approximately 7 billion devices is lower than the 25 billion number you may have seen published in the news primarily because this does not include consumer devices used in consumer settings—like smart refrigerators, Nest thermostats, Ring video doorbells, etc. This analysis is strictly about enterprise devices, because Armis’ customers and the readers of this blog are strictly focused on the needs of the enterprise.
The compound annual growth rate shown in the graph above is 29%.
How does this compare with the number of traditional computers? The graph below shows the forecast for traditional managed computers—defined as a machine that can accommodate a traditional endpoint security agent—in enterprise environments.
When we compare the numbers, we find that by the year 2021, over 90% of devices in enterprise environments will be unmanaged or un-agentable devices. Which is to say, they will not be manageable by traditional IT security tools such as agents. Enterprise security managers will need some new kind of security system to discover, monitor, and manage these devices.
The takeaway here is that traditional agent-based systems will be effective on 10% or less of devices in enterprise environments by 2021. And with the continued growth of un-agentable devices past 2021, we expect to see that number decrease even further.
For any thoughts or questions, please send a note to [email protected].