Growth of Un-agentable Devices in the Enterprise

How Many Billions Will There Be?

“Billions and billions.” That’s the phrase that Carl Sagen is famous for uttering when he was talking about stars and galaxies.

How about IoT device forecasts? If you search for market statistics, you come up with the same “billions and billions”. Every major technology vendor, from Cisco to AT&T, has published their projection, as have the dedicated market research firms. But if you compare the forecasts, you see significant discrepancies.

What does it all mean? What kinds of devices are included in the various forecasts, and which are excluded? Toasters? Mobile phones? Do the numbers include enterprise devices like network printers? Network switches? IP video cameras?

More specifically—what is the forecast for IoT devices in the enterprise, and what kinds of devices should enterprise security teams care about?

Armis claims on our homepage that by the year 2021, 90% of devices in enterprise environments will not be manageable through traditional IT security tools such as agents. How strongly is that supported by actual market research?

So, I set out on a mission to get some data to answer these questions.

Let’s Start with Definitions

Any market research effort needs to start with a clear definition of what you are counting. The following is the most common definition of an IoT device:

• A physical device
• That has an operating system
• Can communicate with other things
• Is not a general-purpose computer

Thanks to low-cost processors and wireless networks, it’s possible to turn anything, from a fidget spinner to a self-driving car, into an IoT device. In fact, within a complex device like a car, there might be multiple IoT devices talking to one another, to the cloud, or to the manufacturer.

For our purposes, we will focus on enterprise (not consumer) devices. So for this exercise, we will use the following definition, which neatly defines the “Enterprise of Things”:

• A physical device
• Has an operating system
• Can communicate with other things
• Exists in the enterprise environment (either on the network, or in the airspace, or otherwise of concern to enterprise IT managers, but not necessarily known to IT)
• Can’t accommodate a standard security agent, either because of device limitations (memory and CPU) or because the device is not owned by the enterprise

The last point above is highly useful for this exercise. IT security vendors have been building agents to help secure and manage corporate-owned computers for many years, and enterprise IT managers have been buying and deploying these agents for many years. So that domain is well understood. There is no significant security gap—be it protection, monitoring, or management—associated with computers on which you can install agents. Therefore, we’re going to exclude any “agentable” devices from our Enterprise of Things statistics.

At Armis, we use the term “un-agentable” to refer to the entire set of devices that are the Enterprise of Things. These devices are typically invisible, unmonitored, unprotected, and vulnerable.

It’s useful to note that BYOD devices (smartphones, tablets, etc.) are usually un-agentable, therefore they fit into the above definition of the Enterprise of Things from the perspective of the enterprise security manager.

Meet the Un-Agentables

Rather than just look at the total number of un-agentable devices, it is useful to segment those devices into classes, and see how fast each class is growing. There are several ways that you could do it, but here is the method we’re using:

• Office devices and printers — Printers, VoIP phones, smart TVs and monitors, Bluetooth keyboards, smart speakers, etc.
• Building automation — HVAC systems, lighting systems, elevator systems, energy management systems, badge readers, etc..
• Smart cities facilities — traffic management, asset tracking, outdoor lighting systems.
• Personal devices — These are devices that employees carry with them when they come into the office such as smartphones, watches, gaming consoles, digital assistants, wireless speakers, and personal (BYOD) computers.
• Industry-specific devices
  • Manufacturing, industrial, farming — control systems, PLCs, robotics, process automation, livestock monitoring devices
  • Healthcare — patient monitoring systems, mobile imaging systems, infusion pumps, communication badges
  • Retail and wholesale trade — barcode scanners, POS system, loss prevention, inventory systems/robots
  • Utilities — smart electric meters, smart gas meters, smart water meters
  • Transportation — security cameras, security hardware, tracking devices
• Network equipment — Routers, switches, access points, firewalls, etc.
• Commercial fleet — telematics devices and embedded systems in automotive and trucking fleets
• Enterprise physical security — intrusion detection systems, IP video cameras, networked fire alarms

Known Knowns and Known Unknowns

As I searched for the data, I discovered that forecasts for some categories of devices are readily available, but others are not. There are various reasons for this, but mostly it is due to how the market researchers count stuff. The types of devices that I could not find explicit data for were as follows:

• Personal devices. An accurate number of BYOD devices—personally owned computers, smartphones, tablets, or smart watches or speakers used in the workplace—is not something that is regularly reported on. This obviously represents a significant percentage of devices in enterprise environments. But it’s more than just these devices, there is a wide variety of personal devices being brought into the workplace. Recently, we actually found a Peloton bike that an employee had brought into the office environment. By monitoring the network activity of this machine, we could tell when the employee was exercising. Yep, it’s true.
• Prosumer devices. There are various types of consumer devices bought by businesses and used in the business environment that are also missing from the market research. A prime example is the smart TV. How many businesses still have overhead projectors? Not many. They have been replaced by smart TVs and smart AV control systems. These are also un-agentable devices, and they are vulnerable to attack, so they should be highly interesting to enterprise security professionals. But market research does not typically break out sales by consumer and business use. So the category titled “Office devices and printers” does not include these devices.

The Numbers, Please!

Okay, here are the numbers.

The graph above shows a projection of the total installed base of Enterprise of Things devices in business environments, excluding BYOD devices and prosumer devices. So, this graph presents a very conservative number of the Enterprise of Things.

The total of approximately 7 billion devices is lower than the 25 billion number you may have seen published in the news primarily because this does not include consumer devices used in consumer settings—like smart refrigerators, Nest thermostats, Ring video door bells, etc. This analysis is strictly about enterprise devices, because Armis’ customers and the readers of this blog are strictly focused on the needs of the enterprise.

The compound annual growth rate shown in the graph above is 29%.

How does this compare with the number of traditional computers? The graph below shows the forecast for traditional managed computers—defined as a machine that can accommodate a traditional endpoint security agent—in enterprise environments.

Conclusion

When we compare the numbers, we find that by the year 2021, over 90% of devices in enterprise environments will be unmanaged or un-agentable devices. Which is to say, they will not be manageable by traditional IT security tools such as agents. Enterprise security managers will need some new kind of security system to discover, monitor, and manage these devices.

The take away here is that traditional agent-based systems will be effective on 10% or less of devices in enterprise environments by 2021. And with the continued growth of un-agentable devices past 2021, we expect to see that number decrease even further.