451 Research: IoT security M&A, Part 2

IoT presents a compelling demonstration of fragmentation in emerging markets. While IoT solutions combine a mix of components from multiple vendors across the ICT stack, they frequently attempt to merge technologies from different sides of the IT/OT platform divide – in vertically oriented solutions that seek to solve business problems, rather than upgrade technology capabilities as a discrete activity onto itself. If this mixed bag of technologies and ends is confusing to users, it is the contention of 451 analysts Christian Renaud, Brian Partridge and Brenon Daly that the large IoT players will seek to unify their approaches to the market through the creation of end-to-end portfolios – and increasingly, by acquiring missing capabilities in the security field in particular.

Vendor (and 451!) focus on security is especially warranted in the IoT space. While vulnerabilities vary directly with increases in the number of network nodes produced through the connection of millions of physical devices, the linking of critical physical systems introduces new levels of risk – think hacking attacks on medical devices, connected cars or utility systems. Security risk is also heightened at the points where platform and systems intersect, of which there are many in current IoT deployments. In the report below, Renaud, Partridge and Daly provide a thorough account of the security strengths (and weaknesses) of important IoT vendors – as well as a prospectus on the vendors’ likely efforts to bolster their portfolios – which may be helpful to enterprises now considering IoT update or implementation. But in their final analysis is the proof of the instability that characterized emerging markets: while 451 researchers anticipate intensified merger activity and ongoing consolidation through large vendor purchase of security specialists to backfill missing capabilites illustrated in well-crafted chart below, this is set against the backdrop of likely divestiture of significant security assets by key players, including Intel and Dell.  (InsightaaS ed.)

With production deployments growing in number, the top concern for organizations employing Internet of Things (IoT) projects has shifted from organizational capabilities to the security of new deployments. This has resulted in an uptick of investment in IoT security vendors, a growing number of startups and established technology firms ‘planting their flag’ in the IoT security market, and larger organizations developing partner ecosystems to outsource specific vertical opportunities. The latter strategy will become less viable as the sector matures – customers will want the benefits of IoT (multi-vendor, standards-based) but the security integration of single-vendor proprietary services.

As discussed in greater detail in Part 1 of our Sector IQ on IoT security M&A, customer pressures have yet to result in a wave of security-focused IoT acquisitions. According to 451 Research’s M&A KnowledgeBase, security has been the primary rationale in just nine of the 305 transactions included in our larger IoT category. (Granted, we take a narrow definition of ‘security’ in the context of IoT deals, limiting it to transactions where it is the primary rationale for the buyer. Yet even with a more-expansive definition of security, the number of prints would still be a fraction of the number of deals that involve buyers picking up sensor or monitoring technology, or even acquisitions done at the silicon layer, for example.)

The 451 Take

As IoT initiatives transition from ‘kicking the tires’ to full deployments, early adopters have elevated security to the primary point of concern. Therefore, this mandates a response from large technology companies – and their ecosystem partners – that wish to provide an end-to-end IoT service. IoT security startups are numerous and diverse, so we could see large technology firms acquiring vertical-specific security startups depending on their target market(s). Operational technology (OT) security providers, largely overlooked and ignored until recently, have found themselves at the strategic intersection of IoT deployments and operational expertise. This will result in a flurry of IoT security M&A throughout the remainder of 2016 and well into 2017 and beyond.

Potential acquirers

The IoT space features a bevy of large incumbents ranging from Rockwell Automation, HPE, Schneider Electric, IBM, Bosch, SAP, Salesforce, GE, Intel, Symantec’s Blue Coat, and many others. Each vendor is aiming to fortify its core businesses within OT or IT, and use that footing to expand into emerging IoT segments ripe for OT/IT convergence such as transportation, energy, manufacturing and smart cities, among many others. In the current phase of the IoT market maturity, the big vendors are entering into partnerships with one another to bolster their capabilities; however; their customers are unlikely to want to shift from a single provider to multiple ‘federated’ suppliers and will apply pressure to acquire key technologies.

Below is a subset of companies that have planted their flags in the IoT sector as end-to-end service providers that will likely need to buy much-needed security capabilities in specific segments to address client concerns.

• ARM Holdings is a global leader in semiconductor IP and software design and licensing. The company’s Cortex-M series processors span the range of performance and power consumption and are frequently found in IoT microcontroller applications. ARM’s mbed IoT Device Platform includes a device OS (mbed OS), the mbed Device Server, and an ecosystem of partners building vertical-specific and value-added applications on top of mbed.The company originally announced its Intelligent Flexible Cloud for distributed IoT processing and subsequently joined the multi-vendor OpenFog Consortium alongside Cisco (see below), Intel, Microsoft and others. ARM snagged security specialist Sansa Security in July 2015.

• Cisco has extensive experience and product depth in network security and has been gradually integrating its various components underneath a holistic framework that originated from its Sourcefire buy. By nature, the company focuses on network security, with expertise and strength of offering from the gateway to the network, and with its $1.4bn acquisition of Jasper earlier this year, Cisco added IoT platform capabilities to the mix.It will need to address the network edge (on the other side of the gateway) as well as develop a datacenter and cloud data security story beyond network intrusion detection/prevention/mitigation. The company has shown little hesitance to purchase startups to infill perceived portfolio gaps, to put it mildly, and don’t count Cisco out to ‘acq-hire’ some of the smaller potential targets mentioned in Part 1 of this report to gain much-needed expertise in industrial, energy and embedded security.

• Dell is approaching IoT with a full portfolio of compute, storage, networking and software. The company has licensed the Intel IoT gateway platform and has integrated its own (Statistica analytics) as well as third-party (Dell ISV partner program) applications at the edge of the network. Having recently announced the planned divestiture of its services arm, Dell is not shedding its OT OEM Solutions business, and the EMC purchase brings additional service capabilities.The IoT security aspects of its portfolio, however, are now unclear, given that Dell also recently announced the intended sale of its SonicWALL network security offerings (firewalls) along with its software unit, implying that IoT network security capabilities will now be focused primarily on the company’s gateway platforms.

• Fujitsu leads its IoT efforts with MetaArc, a framework that sits atop its K5 cloud services platform. Like Hitachi and Siemens (see below), Fujitsu has decades of experience in operational technology, which gives it vertical insight for IoT deployments that other technology firms normally need partners to achieve. The company has 300 proof-of-concept deployments of its MetaArc platform in multiple markets, but far more production deployments of its pre-platform IoT offerings.Its pickup of GlobeRanger in May 2014 yielded technology that it has since adapted into its Dynamic Resource Controller, which shifts application workloads from the K5 cloud to edge computing devices such as gateways, depending on the latency and policy (cost, security) requirements of the organization. Security has traditionally been enforced by tight vertical integration of Fujitsu’s multiple products, a model that will be challenged as the IoT sector opens up with standards and multiple-provider interoperability.

• Google has numerous IoT offerings, ranging from its Google Cloud IoT analytics and machine-learning capabilities to the Brillo ‘thing OS’ (essentially, Android for IoT), the Weave device management platform, and consumer products such as the IoT poster child Nest thermostat. The company has also expanded into the automotive segment with Android Auto. Its security efforts have focused on device security for Brillo as well as securing its own cloud offerings; however, other than clever internal network engineering, Google has remained relatively silent on other aspects of systemic IoT security.

• Hitachi recently created the Hitachi Insight Group

  

  , composed of assets within the vendor’s extensive portfolio from throughout its operating units. It also launched its Lumada Core IoT Platform focused on data ingestion and blending, orchestration, data analytics and visualization. Hitachi bought big-data analytics firm Pentaho in February 2015 for an estimated $530m.

  Its target markets are extensive – not surprising given the deep OT expertise across the company – and range from smart cities to the medical and industrial verticals. The vendor’s security posture has been similar to that offered by Fujitsu, which has historically been driven by tight integration between Hitachi components, a model that will be challenged as its platform (and open northbound interfaces) gains market traction. Hitachi is a likely candidate for endpoint, gateway, network and cloud security acquisitions.

• Intel has a multifaceted IoT strategy ranging from its microprocessors and microcontroller units to operating systems with Wind River to endpoint and server security. At the moment, security management assets obtained largely from its McAfee pickup would also seem to be a primary factor in the company’s approach, but watch this space: rumors are now circulating that Intel might be interested in putting McAfee on the block, and it has already divested McAfee’s firewall and NGFW businesses to Raytheon Websense (which was itself later re-branded as Forcepoint).The company has also developed an IoT gateway reference architecture that has been adopted by multiple vendors such as Dell, HPE, Huawei and others. Last year, Intel was one of the founding members of the OpenFog Consortium to encourage interoperability and adoption of edge computing capabilities for IoT applications.

• Microsoft has become increasingly interested in positioning its broader business, specifically its Azure cloud platform, for IoT. To that end, in March 2015 Redmond introduced the Azure IoT Suite, an integrated offering that takes advantage of all of the relevant Azure capabilities to connect devices and other assets; capture the diverse and voluminous data they generate; integrate and orchestrate the flow of that data; and manage, analyze and present it as usable information to the people who need it to make better decisions, as well as intelligently automate operations.The Azure IoT Suite includes messaging hub services, stream analytics, storage and data visualization, and Shared Access Signatures for IoT devices. The integration of recently acquired IoT platform startup Solair should complement these existing assets nicely. Microsoft has been relatively quiet on specific IoT security capabilities in the past, making it a high-probability suitor in the segment.

• 

  Nokia recently unveiled its IoT platform, Intelligent Management Platform for All Connected Things (IMPACT), as well as a smart home gateway. The company, still digesting the acquisition of Alcatel-Lucent and its extensive enterprise product portfolio, clearly views network operators (carriers) as the channel to market for IoT and its portfolio and platform offering (primarily device and service management) is clearly meant to solve large-scale device deployment scenarios envisioned by carriers in the IoT segment.

  In April, Nokia purchased consumer IoT specialist Withings in a move that seems out of step with its carrier and now enterprise market focuses (it had previously divested most of its consumer offerings). The company’s portfolio features device authentication and authorization capabilities and Alcatel-Lucent brought enterprise security offerings, but a holistic IoT security strategy has not yet been presented. It’s likely that Nokia could fill specific portfolio gaps in the coming year.

• Oracle has an impressive product portfolio to bring to bear in the IoT arena, ranging from its IoT application enablement platform to its mobile device network management suite and Java embedded technologies for endpoints. It also has considerable strength in analytics, the raison d’être for IoT deployments, as well as its own cloud and server offerings.The downside of the breadth of the company’s portfolio is that there is no single story or integrated service for systemic security, which makes it a potential serial shopper of network- and cloud-based IoT security startups, as well as gateway security firms once Oracle’s position on edge gateways becomes clearer.

• Siemens boasts extensive experience in OT and has a complex partnership strategy with IT firms such as Intel, IBM and SAP. The company positions itself as an IoT supplier (focusing on digital transformation rather than the specific ‘technology for technology’s sake’) and features legacy expertise in vertical integration and systemic security; however, it will need to partner or acquire in order to secure a multi-vendor IoT environment. We anticipate that as it flexes its IT muscles to become a stand-alone IoT services provider (versus requiring partners for IT/OT convergence), Siemens will seek to augment its existing capabilities by purchasing one or more IoT security vendors in this vertical.

Outlook

By no means exhaustive, the table [here] illustrates the gaps in the portfolios of a subset of major players. The market is dynamic, with Intel rumored to be considering spinning off or selling its McAfee security unit, as well as Dell doing the same as part of the planned divestiture of its software business (which includes the Quest family of identity, access and database management assets as well as the former SonicWall and SuperMassive enterprise network security systems). The first steps in approaching the coming large IoT deployments will inevitably involve a complex mesh of partnerships and alliances, but we expect that large technology firms will increasingly look to build or acquire capabilities to help them overcome early IoT sales obstacles.