While there is still some debate as to the number of Internet of Things (IoT) devices that will come online over the next several years, continued adoption across nearly all industries represents an opportunity for a variety of stakeholders – especially the cloud service providers (CSPs) that will act as the centralized computing and storage infrastructure for a wide range of use cases. Just what percentage of IoT traffic ultimately makes its way to the cloud will depend on a number of important factors, particularly the degree to which stronger security controls for IoT devices become both available and employed.

Across the board, security has increasingly become an area of focus for CSPs as they work to move up the value chain by broadening the services they are able to offer customers. They have gradually rolled out new security offerings such as tools for incident response, identity and access management controls, vulnerability and risk management, and penetration testing, among others. CSPs’ position as the computing, storage and connectivity back end for many enterprise workloads affords them a high level of visibility into enterprise IT operations that would be hard for any other type of provider to match (including many individual security vendors), making them a logical provider of security products and services.

These providers will not only be competing with each other in this arena; they will also face competition from established vendors in the security market, some of which have developed well-elaborated software-as-a-service (SaaS) platforms to serve the needs of asset inventory, vulnerability management and remediation, and other functions for which CSPs could contend alongside strategies for more general IoT support. Many of these competing security specialists already have substantial customer bases and credibility that will challenge CSPs, which must often face uphill battles to win the market’s confidence and trust in what, for them, is often a new endeavor.

While CSPs have made strides in establishing a security strategy for IT workloads, IoT security is a more complicated problem to solve and the CSP’s role in providing IoT security is not very well defined. Issues that have long been solved in conventional IT, such as encrypted traffic and establishing a cryptographic identity for an endpoint, can be difficult to implement on an IoT device. Traditional endpoints often rely on significant on-device storage, compute and networking capability as well as user interaction to assure proper authentication and protection not only for sensitive functionality, but also for data in use, in transit and locally at rest. IoT devices are not always so flush, and human interaction may not enter into their operations. They are also commonly deployed in environments where the need for real-time responses to sensor inputs are critical, such as an autonomous vehicle that needs to determine if it’s approaching a stop sign in order to hit the brakes before reaching an intersection. In cases such as this, routing data back for analysis to resources that are strictly centralized is not feasible due to latency concerns, while implementing stronger encryption and authentication appropriate to IoT endpoints could interfere with performance. This creates a unique problem for CSPs that stand to benefit from an increase in the number of IoT devices deployed, but that have little if any influence over furthering the penetration of the type of security functionality on chips and devices that could help spur adoption.

In this Technology & Business Insight (TBI) report, we examine the enterprise motivations and concerns around processing and storing IoT data in the cloud, how CSPs are interacting with other market participants to improve security, current product positioning related to IoT security, the type of factors enterprises should consider in choosing a cloud environment for their IoT workloads, and where cloud providers may be headed from here. These insights are based on a combination of our analysts' deep experience in the information security industry and current, detailed interviews with security service providers, vendors and end users spanning a wide variety of vertical applications. 

The focus of this TBI report is the market of CSPs with broad appeal, including the hyperscalers that dominate the public cloud market. As noted above, the security market is already served by providers of cloud-based, cloud-hosted or SaaS platforms purpose-built to serve security. We make a distinction between those vendors and the CSPs offering broad infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) environments, and the multitude of offerings they have developed on these foundations to serve a wide array of use cases. This report examines this latter category, which we generalize as ‘cloud providers,’ ‘cloud service providers’ or ‘CSPs.'