How the Emerging IoT will prompt Asset Management Issues

As companies leverage the Internet of Things (IoT), the Software Asset Management (SAM) function will be forced to rethink its charter. This article will explore how professionals within the SAM function need to start thinking about the IoT, and how they can prepare to manage the asset management challenges it presents, along with its benefits.

The Internet of Things has been labeled as “the next Industrial Revolution” because of the way it will change the way people live, work, entertain, and travel, as well as how governments and businesses interact with the world.[i] The IoT has many different definitions, but Gartner defines it as a network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.[ii]

Many companies’ digital transformation plans are dependent upon the IoT; in fact, Gartner forecasts that by 2020 IoT technology will be in 95% of electronics for new product designs.[iii] The IoT will enable digital transformation in manufacturing, healthcare, agriculture, energy, and other industries. Bain predicts business-to-business IoT segments will generate more than $300 billion annually by 2020, while consumer applications – such as smart homes and autonomous vehicles – will generate $150 billion.[iv]

But, what does this mean for SAM? Can IoT devices be managed in the same way as traditional computers, laptops, mobile devices, and software? Should the SAM function even get involved in IoT initiatives?

I’d like to argue that it’s important for the SAM function to have a seat at the table because IoT devices will bring with them the issues of security, data privacy, and service sustainability. By planning ahead and ensuring these issues are addressed early, enterprises will be able to manage potentially damaging situations later as they progress with their digital transformation efforts.

The “father of the Internet,” Vint Cerf, explains in a podcast with Stacy Higginbotham that “People are rushing to build products that have these [IoT] characteristics – communication, computation, and programmability. But, they’re not paying as much attention to access control, security, privacy, safety, and autonomy.” As a result, the rush to IoT could be compromising safety and security.[v]

Will the Internet of Things (IoT) shift the SAM Agenda?

As technology evolves, we will be forced to rethink how software and hardware management change in the connected world of IoT. The Internet of Things is shifting the SAM agenda, which means your team and your scope will likely expand.

Your organization will need to assemble the right team to drive best practices for SAM in regard to IoT initiatives. Certainly, Software Asset Managers should be part of that team, along with both software and hardware IT professionals. Legal and contracts representatives should be included, as well as the business line owners who are driving the IoT plans. Since the IoT is typically transformative across the entire organization as a broad strategic initiative rather than a specific project, the business owners may be your C-suite executives. Finally, you will certainly want to make sure privacy and cybersecurity experts within your organization are involved, since this is where some of the biggest IoT challenges are sure to arise.

The “Big Three” IoT Challenges

As I see it, there are three major challenges that Asset Managers will face as the IoT starts to become an integral part of so many organizations’ digital transformation plans. They are: security; data privacy; and service sustainability. Unfortunately, I don’t have all the answers – no one does. But, I’ll try to uncover some of the issues that most enterprises will need to tackle.

1) Security (Device Control)

Security is a broad topic, but in this context, the primary security issue for SAM and IoT is device control. The IoT will introduce new types of assets beyond the desktop computers, laptops, tablets, and software for which SAM traditionally is responsible. Therefore, you will need to look at all of these new devices and sensors and understand how they operate. Licensing models for these new assets are changing, and so will the ways we track them.

There are various estimates of how many “things” are on the internet today, as well as projected growth, but by any measure it is massive. Gartner estimates more than 8.4 billion things exist within today’s IoT, and that number will increase to 20 billion in 2020[vi] – and Gartner’s forecast is one of the more conservative. Note that IoT device estimates do NOT include smartphones, tablets, or computers. The most prevalent IoT devices reported by analysts are automotive systems, smart TVs, and digital set-top boxes on the consumer side, while smart electric meters and commercial security cameras will be most used by businesses.

For IoT devices like autonomous vehicles, medical devices, and home security systems, the issue of device security will be paramount to mitigate loss or theft of property, as well as physical harm. It will be critical to understand who is responsible for tracking and protecting the device.

Consider for a moment the example of autonomous vehicles. When a driverless car’s software is linked to the cloud, the data is at risk for a security breach and potential hacking. In the first recall of automobiles due to cybersecurity concerns, Fiat Chrysler recalled more than a million vehicles in 2015 due to a software glitch that would have allowed hackers to take control of the vehicles. Cybersecurity researchers used a wireless connection to turn off a volunteer’s Jeep Cherokee engine as it drove, and issue commands to the engine steering and brakes.[vii] As we move into an era where self-driving cars are on the horizon, IoT software glitches such as these have even more perilous possibilities.

An HP Fortify study reveals that 70 percent of IoT devices are vulnerable to attack.[viii] Their advice to protect against security hazards that come along with the rise of IoT is for organizations to implement an end-to-end approach to identify software vulnerabilities before they are exploited. This is why the SAM function needs to coordinate with cybersecurity experts for a unified approach to IoT asset management.

2) Data Privacy

Data privacy will be another major concern as the IoT gains ground. Billions of IoT devices will be transmitting data, and much of it is sensitive, private information, such as medical records, personal health information and other information that, once aggregated with other data, could be used maliciously.

In a TED Talk titled “All your devices can be hacked,” security expert Avi Rubin explains how white-hat hackers were able to reverse engineer the wireless protocol on a pacemaker (inside a piece of meat, not a human body) and control it remotely. They could change the patient’s important data such as name, therapies, or even disable the device.[ix]

In the US, there is no single, comprehensive federal law regulating the collection and use of personal data. However, a patchwork of federal and state laws and regulations guide the use of personal data such as financial, health or electronic communications.[x] Some of the most prominent laws include the Federal Trade Commission Act (FTC Act) for consumer protection, the Gramm-Leach-Bliley Act (GLB) which regulates financial information, and the Health Insurance Portability and Accountability Act (HIPAA) to regulate medical information.

In addition, there are security standards such as the Payment Card Industry Data Security Standard (PCI DSS) which is designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Both PCI and HIPAA require companies to identify and record the location and movement of any media or hardware containing confidential data. Plus, with the new General Data Protection Regulation (GDPR), there will be stronger and more unified data protection rights for European citizens. Even with the GDPR’s pending May 25, 2018, deadline, 65% of organizations are still not confident that their GDPR data will stay within the European Union.[xi]

As a SAM professional, some of the issues you’ll need to think about with the IoT are collection practices, transparency and consumer notices, retention and control, and the aggregation of data and de-identification. It’s important to collect what you need and can control and be conscious of how much of your data can be scraped or freely aggregated by bad characters.

3) Service Sustainability

A third challenge in preparing for the IoT is service sustainability. By this, I mean that companies must decide the scope and commitment to the sustainability of the IoT ecosystem in which they participate. This includes device management (security patching), asset management, data portability and aggregation, and source code control for long-term use.

Vint Cerf brings this situation up in the podcast in terms of IoT devices. “There are serious supply chain questions that worry me,” he comments. “An example is someone building a device, throwing in a random piece of source operating system code and not caring whether it will ever be maintained or not, [because they] just want to sell the devices. … What if the company goes out of business within six months because it wasn’t a popular product, yet you want to keep it and use it? Maybe there are escrow arrangements with regard to the source code.”[xii]

Companies need to consider: What is the cost to support the IoT ecosystem and engender trust with my customers? Another situation to think about is how do you “end-of-life” IoT assets and securely destroy the ones that contain data or information? As I said earlier, lots of questions …

Practical Advice in an Age of Constant Change

As your company encounters both the opportunities and challenges of the IoT, here are some practical pointers to keep in mind:

• IoT heightens the need for compliance and informational risk management
• The IoT is a cross-functional initiative, and as such, SAM will need to be cross-functional as well
• Pay attention to the assets that collect and store data
• IoT is here to stay and is likely to lead the Digital Transformation of your company
• Don’t underestimate the importance of proper IT asset disposal
• Familiarize yourself with data protection laws in the places where devices are used and data is stored
• Be conscious of how your IoT devices can unwittingly become proxies for abuse and harm
• Understand the technical limitations of any devices before they are deployed
• Collect the data you need, and consider de-identification of personal data by experts in the field

Conclusion

In the age of the Internet of Things, IT Asset Management is no longer optional. As a SAM professional, you must get a seat at the table for your company’s IoT initiative alongside your peers in the Privacy, Security, and IT functions. Many organizations are still just dipping their toes in the waters of IoT. Therefore, don’t underestimate the undertaking – it may be wise to take small steps in your IoT deployment. As you proceed with your IoT strategy, make room for collecting security and data information in your SAM plan. And, remember, always stay flexible and adaptable as you embark on your IoT journey.

Sources:
i http://www.businessinsider.com/iot-ecosystem-internet-of-things-forecasts-and-business-opportunities-2016-2
ii https://www.gartner.com/it-glossary/internet-of-things/
iii https://www.gartner.com/doc/3803530?ref=unauthreader&srcId=1-3478922254
iv http://www.bain.com/publications/articles/choosing-the-right-platform-for-the-industrial-iot.aspx
v https://infogoto.com/iot-safety-and-privacy-issues-why-escrow-is-part-of-the-solution-2/
vi https://www.gartner.com/newsroom/id/3598917
vii https://www.reuters.com/article/us-fiat-chrysler-recall/fiat-chrysler-u-s-to-recall-vehicles-to-prevent-hacking-idUSKCN0PY1U920150724
viii http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.Wp7yNejwaUm
ix https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked#t-240602
x https://content.next.westlaw.com/6-502-0467?transitionType=Default&firstPage=true&bhcp=1&contextData=(sc.Default)
xi https://www.techrepublic.com/article/65-of-organizations-will-fail-to-meet-critical-gdpr-compliance-by-deadline/
xii https://infogoto.com/iot-safety-and-privacy-issues-why-escrow-is-part-of-the-solution-2/

About John Boruvka

John Boruvka, vice president for Iron Mountain’s Intellectual Property Management group, has been involved in the technology escrow and intellectual property management field for more than 23 years. His focus is helping companies create solutions relating to protecting intellectual property assets. John is considered an authority in the field of technology escrow and issues surrounding the role of a neutral third party in protecting intellectual property. He has participated in the development of strategies and review of thousands of technology escrow agreements for software, hardware and other proprietary information that were established to protect against mergers, bankruptcies or other events that affect the ability of vendors to support their technology. A technology escrow agreement could mean the difference between losing mission-critical software that would cripple a company’s operations and maintaining continued business success. Additionally, escrow accounts can serve to protect software from patent, copyright or trade secret infringement. Courts have ruled that source code kept with a neutral third party helps meet the burden of proof for conception of an idea and serves as documentation of how a technology was developed. Mr. Boruvka has also written many articles on this topic and presented extensively at associations, industry meetings and prestigious law firms across the United States, Canada, South America and Europe, including presentations for:

• American Chamber of Commerce – Argentina
• International Association of IT Asset Managers (IAITAM)
• Caucus Software Licensing Course
• Caucus Technology Procurement Conference
• Independent Computer Consultants Association
• International Association of Contract and Commercial Managers (IACCM)
• ITechLaw Association
• Licensing Executive Society (LES)
• MIT Enterprise Forum Computing SIG (special interest group)
• Software & Information Industry Association (SIIA) Software Division
• Softletter's SaaS University