What Shift Left and CI/CD mean for the IoT Security Landscape


By Michela Menting | 4Q 2020 | IN-6017


A New Tagline for DevSecOps

NEWS


Shift Left methodologies are increasingly being discussed in the broader Internet of Things (IoT) ecosystem. Shift Left is essentially the practice of bringing security considerations much earlier into the application development process and, as such, can be seen simply as a new way of talking about DevSecOps. However, Shift Left carries additional connotations, and these are strongly linked to the emerging mantra of CI/CD: Continuous Integration (CI) and Continuous Delivery (CD). Much of this forms part of the new pressures on application development that come with cloud infrastructures and as-a-service delivery models, driven by the advent of low-power wide-area networks and 5G connectivity (such as for massive machine-type communications) and the pivot toward cloud-native and software-centric applications.

Upstream and Continuous Security for Agile Value-Added Business Models

IMPACT


There is a growing demand for high-value and secure life-cycle management services in the IoT ecosystem, whether for devices, parts, platforms, or data. From design and manufacture to postproduction and aftermarket, such services are of interest to deployers because they can provide better operational insight (and oversight) and add new value. Further, 5G connectivity will provide high bandwidth, low latency, and ultra-reliability, capabilities previously reserved for information technology systems on wireline networks. This means that many more IoT devices can be connected to high-powered, compute-intensive platforms and applications.

Better compute capabilities and connectivity, coupled with a larger infrastructure and an exponential increase in device numbers, mean that the IoT ecosystem is only going to become more complex. Cloud, software, and technologies such as artificial intelligence/machine learning, automation, analytics, edge processing, and so on are all key to helping manage that complexity.

Security, unfortunately, is one of those complex but necessary technologies that does not simplify with scale. Shift Left therefore brings the security discussion much closer to the start of a project, in a bid to cut both the cost and the complexity of dealing with it later. Importantly, this mentality fits the CI/CD model that is emerging alongside cloud and software evolution (including in 5G). In these newer multi-vendor environments focused on software and service applications, CI/CD is the more agile way of handling updates and changes to an environment: small, continuous, incremental changes rather than the traditional yearly overhaul of an entire asset. IoT security is better handled at this granularity, where bugs and vulnerabilities can be addressed quickly and efficiently in small batches as they appear. This works best, however, only if security has been integrated into the original design strategy and is treated as part of the general software development process, with security checks running in the same pipeline as every other build step, rather than as an additional and separate piece.
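The following is an added example, not code from the original Insight or from any vendor it names, of what "security as part of the pipeline" looks like in practice for an IoT firmware build: a small pre-merge gate that runs on every commit, cross-checks the build's software bill of materials (SBOM) against an advisory feed, checks the firmware's build configuration for insecure settings, and fails the build when a finding at or above a chosen severity appears. Every input is constructed for illustration: the component names (`example-tls`, `example-mqtt`, `example-logger`), the advisory identifiers (`ADV-0001`, `ADV-0002`) and the Kconfig-style keys (`CONFIG_DEBUG_UART`, `CONFIG_DEFAULT_PASSWORD`, `CONFIG_IMAGE_SIGNING`) are hypothetical and do not refer to real software or real vulnerabilities.

```python
"""Constructed pre-merge security gate for an IoT firmware build.

Intended to run on every commit in CI: it exits non-zero when the change
set reintroduces a known-vulnerable dependency or an insecure build
setting, so the problem is caught in the same small batch that created
it rather than in a yearly review. All inputs below are constructed.
"""
import json
import sys
from dataclasses import dataclass

# --- Constructed inputs (illustrative; not real components or advisories) ---

# A CycloneDX-style SBOM as a build system might emit it.
SBOM_JSON = json.dumps({
    "components": [
        {"name": "example-tls", "version": "1.2.3"},
        {"name": "example-mqtt", "version": "0.9.1"},
        {"name": "example-logger", "version": "2.0.0"},
    ]
})

# Advisory feed: a component is vulnerable if its version < fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "component": "example-tls", "fixed_in": "1.2.4", "severity": "high"},
    {"id": "ADV-0002", "component": "example-logger", "fixed_in": "1.5.0", "severity": "medium"},
]

# Build-time settings taken from the firmware's Kconfig-style config (hypothetical keys).
BUILD_CONFIG = {
    "CONFIG_DEBUG_UART": "y",
    "CONFIG_DEFAULT_PASSWORD": "admin",
    "CONFIG_IMAGE_SIGNING": "y",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    rule: str
    detail: str
    severity: str


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def check_sbom(sbom_json, advisories):
    """Flag every SBOM component older than the advisory's fixed version."""
    comps = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    out = []
    for adv in advisories:
        ver = comps.get(adv["component"])
        if ver is not None and parse_version(ver) < parse_version(adv["fixed_in"]):
            out.append(Finding("vulnerable-dependency",
                               f'{adv["component"]} {ver} < {adv["fixed_in"]} ({adv["id"]})',
                               adv["severity"]))
    return out


def check_build_config(cfg):
    """Flag settings that should never ship in a release image."""
    out = []
    if cfg.get("CONFIG_DEBUG_UART") == "y":
        out.append(Finding("debug-interface", "debug UART enabled in release config", "medium"))
    if cfg.get("CONFIG_DEFAULT_PASSWORD"):
        out.append(Finding("default-credential", "factory password baked into image", "high"))
    if cfg.get("CONFIG_IMAGE_SIGNING") != "y":
        out.append(Finding("unsigned-image", "firmware image signing disabled", "critical"))
    return out


def run_gate(sbom_json, advisories, cfg, fail_at="high"):
    """Return (all findings, findings that block the merge at or above fail_at)."""
    findings = check_sbom(sbom_json, advisories) + check_build_config(cfg)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return findings, blocking


if __name__ == "__main__":
    all_findings, blocking = run_gate(SBOM_JSON, ADVISORIES, BUILD_CONFIG)
    for f in all_findings:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    # Non-zero exit is what makes the CI job fail and keeps the change out of main.
    sys.exit(1 if blocking else 0)
```

With the constructed inputs the gate reports three findings (an outdated `example-tls`, the enabled debug UART and the baked-in default password) and blocks the merge on the two rated high; lowering `fail_at` to `"medium"` would also block on the debug interface. The point of the design is that the same script runs unchanged against every commit's SBOM and config, so each small batch is judged on its own rather than accumulating into a large remediation later.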

For IoT implementations generally, this will be an advantage, not least because security is seen as a cost and is not often factored into the design or development process. But without it, life-cycle management will always remain limited. Key security features such as device identity are necessary for provisioning, onboarding, pushing out policies, visibility, and so on. All of these are important attributes for comprehensive security monitoring and management, especially in end markets such as automotive, healthcare, and industrial, which feature highly critical system components. As such, Shift Left practices can help not only to embed these requirements in product planning but also to cut costs in the long run during the CI/CD and monitoring phases.

Automotive Case in Point

RECOMMENDATIONS


The automotive industry offers some interesting ecosystem players with innovative solutions focused on both Shift Left and continuous security monitoring. Cybellum, for example, enables Original Equipment Manufacturers (OEMs) and suppliers to develop and maintain secure connected components through its Cyber Digital Twin platform, which supports both product security assessment at the design stage and security operations throughout the entire life cycle, in compliance with automotive regulations and standards. Similarly, Karamba Security offers VCode (for secure development) and XGuard Monitor (for continuous visibility), which apply across the product development life cycle, with a strong focus on edge-native architectures. While both traditionally serve the automotive segment, they are targeting the significant opportunity for use cases in the broader IoT market. These companies are the trendsetters in how security can be managed dynamically and cost-effectively in IoT settings.

For IoT OEMs and operators, these types of applications are key not only to delivering a trusted product offering but also to unlocking new revenue streams in secure life-cycle management, with product offerings that are not overly costly or complicated. The more stakeholders buy into Shift Left and CI/CD, the easier it will be for them to deploy enterprise applications successfully in IoT markets, eventually preparing the ground for much easier integration into 5G environments as well.
