The Security Taxonomy for the Internet of Things (IoT)
The Security Taxonomy for the Internet of Things (IoT) shall follow the approach and principles described in section “Approach and Principles”. Additionally, most aspects described for “Office or Enterprise IT” also hold for the Internet of Things (IoT). Hence, the general structure with the pyramid and the Taxonomy with technology and ITSM areas are reused. However, the IT architecture is different for IoT. That is why this part has been modified significantly. The result is shown in Figure 2.
The ZOIS Security Taxonomy for IoT may also be usable for Operational Technology (OT). The Taxonomy provides an area called “Operations Platform” which is essential in this environment since it provides real-time OT services such as abnormal event detection, automation, control and optimization. Such a platform is connected to a real-time service bus to which all the sensors, actuators and more complex subsystems are connected. Details are not discussed in this paper.
Compared to the Taxonomy for “standard IT” this Zero Outage Security Taxonomy has the following six new or different areas. They are located in the lower left in Figure 2 and belong to the clusters “Edge” and “Connect”:
- Architecture and Device Attestation (ADA),
- Operations platform (OPL),
- Things and Thick Endpoints (TTE),
- Edge and Field Area Networks (FAN),
- Nodes and Gateways (NGW), and
- Core Networks (CON).
This view on IoT has reduced several architectural approaches to a common denominator.
The ZOIS Security Taxonomy for IoT comprises six areas which are specific to IoT (see above and refer to the amber rectangle in Figure 3).
The six areas represent and describe the following entities:
Architecture and Device Attestation (ADA)
IoT systems differ with respect to the Things and Thick Endpoints (TTE) being used and the way they are connected with each other and with the applications and cloud infrastructures supporting the business the IoT system is built for. Hence, the security measures require a description of the IoT system’s architecture or composition. Typical questions are: What types of Things and Thick Endpoints (TTE) can be onboarded? How are they connected? An essential security question is: What are the rules and conditions under which Things and Thick Endpoints (TTE) become part of the IoT system? For one group of Things and Thick Endpoints (TTE), “device attestation” comprises full Identity Management (IdM), including their registration and the creation, maintenance and retirement of digital identities. For another group of Things and Thick Endpoints (TTE), authentication is performed by Nodes and Gateways (NGW) “on behalf” of the things, so that “device attestation” (and IdM) refers to the devices acting as proxies for the things.
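The two groups of endpoints and the lifecycle questions above can be made concrete in code. The following is an added example and not part of the ZOIS document: a minimal registry that enforces onboarding rules for devices with their own identity (register, activate, retire; challenge-response attestation with a single-use nonce and an approved firmware digest) and for constrained things that a gateway attests on their behalf. The HMAC-based attestation mechanism, the device and gateway names, and the lifecycle states are assumptions made for this example; the taxonomy does not prescribe them.

```python
"""Added example, not part of the ZOIS document: a minimal model of the
onboarding rules an Architecture and Device Attestation (ADA) description has
to pin down.  Devices with their own identity attest themselves; constrained
things are vouched for by a Node or Gateway (NGW).  Attestation is modelled as
an HMAC challenge-response over a nonce and a firmware digest; the mechanism,
names and states are assumptions made for this example."""
import hashlib
import hmac
import secrets

REGISTERED, ACTIVE, RETIRED = "registered", "active", "retired"


def compute_mac(key, nonce, firmware_digest):
    """What a device (or gateway) returns in response to a challenge."""
    msg = f"{nonce}|{firmware_digest}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Identity lifecycle (register -> activate -> retire) plus attestation checks."""

    def __init__(self):
        self.devices = {}               # device_id -> {"key", "state", "kind"}
        self.approved_firmware = set()  # digests a device may attest with
        self.nonces = {}                # device_id -> outstanding single-use nonce
        self.proxied = {}               # thing_id -> gateway_id vouching for it

    def register(self, device_id, kind, key):
        self.devices[device_id] = {"key": key, "state": REGISTERED, "kind": kind}

    def activate(self, device_id):
        self.devices[device_id]["state"] = ACTIVE

    def retire(self, device_id):
        """Retiring an identity also withdraws everything it vouched for."""
        self.devices[device_id]["state"] = RETIRED
        self.nonces.pop(device_id, None)
        for thing, gw in list(self.proxied.items()):
            if gw == device_id:
                del self.proxied[thing]

    def challenge(self, device_id):
        """Issue a fresh nonce; only active identities get one."""
        dev = self.devices.get(device_id)
        if dev is None or dev["state"] != ACTIVE:
            return None
        self.nonces[device_id] = secrets.token_hex(16)
        return self.nonces[device_id]

    def attest(self, device_id, nonce, firmware_digest, mac):
        """Onboarding rule for a device that carries its own identity."""
        dev = self.devices.get(device_id)
        if dev is None or dev["state"] != ACTIVE:
            return False, "unknown or not active"
        if nonce is None or self.nonces.pop(device_id, None) != nonce:
            return False, "stale or unknown nonce"       # blocks replay
        if firmware_digest not in self.approved_firmware:
            return False, "firmware not approved"
        expected = compute_mac(dev["key"], nonce, firmware_digest)
        if not hmac.compare_digest(expected, mac):
            return False, "bad attestation MAC"
        return True, "ok"

    def attest_via_gateway(self, gateway_id, nonce, firmware_digest, mac, things):
        """Onboarding rule for constrained things: the gateway attests itself,
        then vouches for the things it authenticated locally."""
        dev = self.devices.get(gateway_id)
        if dev is None or dev["kind"] != "gateway":
            return False, "only a gateway may vouch for things"
        ok, why = self.attest(gateway_id, nonce, firmware_digest, mac)
        if not ok:
            return False, why
        for thing in things:
            self.proxied[thing] = gateway_id
        return True, "ok"


def run_demo():
    """Walk through the rules with constructed devices; returns each outcome."""
    reg = DeviceRegistry()
    fw_cam = hashlib.sha256(b"camera-fw-1.2").hexdigest()      # constructed digests
    fw_gw = hashlib.sha256(b"gateway-fw-3.0").hexdigest()
    reg.approved_firmware.update({fw_cam, fw_gw})
    cam_key, gw_key = secrets.token_bytes(32), secrets.token_bytes(32)
    reg.register("cam-01", "thing", cam_key)
    reg.register("gw-07", "gateway", gw_key)
    reg.activate("cam-01")
    reg.activate("gw-07")
    r = {}
    n = reg.challenge("cam-01")
    r["cam_ok"] = reg.attest("cam-01", n, fw_cam, compute_mac(cam_key, n, fw_cam))
    r["cam_replay"] = reg.attest("cam-01", n, fw_cam, compute_mac(cam_key, n, fw_cam))
    n = reg.challenge("cam-01")
    r["cam_badkey"] = reg.attest("cam-01", n, fw_cam, compute_mac(b"wrong", n, fw_cam))
    n = reg.challenge("cam-01")
    fw_bad = hashlib.sha256(b"camera-fw-tampered").hexdigest()
    r["cam_badfw"] = reg.attest("cam-01", n, fw_bad, compute_mac(cam_key, n, fw_bad))
    n = reg.challenge("gw-07")
    r["gw_ok"] = reg.attest_via_gateway("gw-07", n, fw_gw, compute_mac(gw_key, n, fw_gw),
                                        ["temp-1", "temp-2"])
    r["proxied_before"] = dict(reg.proxied)
    reg.retire("gw-07")
    r["proxied_after"] = dict(reg.proxied)
    n = reg.challenge("gw-07")
    r["gw_retired"] = reg.attest("gw-07", n, fw_gw, compute_mac(gw_key, n, fw_gw))
    return r


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(step, outcome)
```

The point worth noticing is the last step: retiring the gateway identity also removes the things it vouched for, which is exactly the dependency an ADA description has to spell out when attestation is performed by proxy.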
Operations platform (OPL)
An Operations platform is a data center environment of small or medium complexity providing computing services which aggregate and/or preprocess data from Things and Thick Endpoints (TTE). That includes e.g. the collection, normalization, storage and computation of data. Other services include managing Things and Thick Endpoints (TTE). The computation of data can be real-time (as mostly required for Operational Technology, OT). The platform can also provide control functions and perform event detection and analysis. In an OT environment the tasks of the platform can be very complex since it controls production processes through a variety of sensors and actuators. In IoT systems this part may not exist, and its functionality is then fully provided by Nodes and Gateways (NGW).
Things and Thick Endpoints (TTE)
These are decentralized, distributed components and devices such as sensors, actuators, cameras, controllers, home appliances, cars, medical equipment, machines, robots, production facilities, SCADA, PLC and so on. This may comprise systems with very limited, medium or even high computing capacity. Many devices, however, are Embedded Systems, which are (a) IT systems (b) designed for a specific purpose and not freely programmable, (c) limited with respect to computing power, size, performance, power consumption, costs or the like and (d) interacting with their environments.
Edge and Field Area Networks (FAN)
This comprises networks that connect Things and Thick Endpoints (TTE) with one another, with an Operations platform (OPL), with Nodes and Gateways (NGW), or even directly with Core Networks (CON). In this way, the Things and Thick Endpoints (TTE) get connected to the IT services provided from within a data center (“Applications and cloud”, refer to Figure 2). Wired and wireless networks are used. In Operational Technology (OT), high-speed systems are used for the real-time service bus.
Nodes and Gateways (NGW)
These devices act as intermediaries between the Things and Thick Endpoints (TTE) and the IT services provided from within a data center (“Applications and cloud”, refer to Figure 2). Nodes and Gateways (NGW) usually reside between the Edge and Field Area Networks (FAN) and the Core Networks (CON). They provide connectivity but also security services (such as authentication) and possibly also management services.
Core Networks (CON)
These networks connect the IoT “Edge” (left in Figure 2) with “Applications and cloud” (right in Figure 2). Often the Internet is used.
All other elements on the lower right of the Taxonomy (refer to Figure 2) are used to deliver IT services for IoT businesses. The technical structure of this computing environment is not specific to IoT applications and is the same as for office or enterprise IT. The upper half in Figure 2 has not been changed considerably either, compared to the original Taxonomy shown in Figure 1 (amber rectangle). This part will be explained in section “Details of areas in other clusters (upper half)“.
The lower right of the Taxonomy (refer to the amber rectangle in Figure 4) comprises the elements in a data center required to deliver IT services, namely the business applications the IoT system is built for.
The central areas in this cluster are arranged in three columns. From left to right they contain: a) the interface between the outer IoT environment (Section “Details of IoT specific Areas“) and the IT services provided from within the data center, b) the primary IT stack with networks, computer systems and applications including middleware, and c) a secondary “IT stack” comprising support systems, database and storage, and cloud and image management systems. On top of those, there are two areas on identity management (for normal users and for privileged users). Below this, there are the areas with the administration infrastructure (used by privileged users to access components in the data center) and the physical data center itself.
Hence, there are 12 areas in total:
Data Center Security (DCS) covers physical and environmental security aspects of a data center. It does not include IT security equipment except for that relating to entrance control, surveillance of the premises etc.
Corporate Provider Access (CPA) comprises all network and IT elements between the WAN (outside the data center), called Core Networks (CON), and the Data Center Networks (DCN) (in the data center). It also contains equipment required to protect the provider’s computing periphery and to provide e.g. VPN capabilities. This includes firewalls, VPN gateways and IDS/IPS.
Gateway and Central Services (GCS) (on the data center’s side) comprises elements above the sole connection (CPA). This includes communication and collaboration services, LDAP and other directory and authentication services, SSO and federation services, proxies and WAF.
Data Center Networks (DCN) comprises all networks and network equipment within the data center that is used to connect Computer Systems (to each other, to the data center’s external interface, and with Storage) as well as to connect operations personnel (administrators) to Computer Systems, Storage and Operations Support equipment.
Computer Systems Security (CSS) covers all parts of the IT stack except user applications, centralized storage and middleware such as runtime environments and databases. Computer Systems comprise physical computers with operating systems and system virtualization software such as hypervisors.
Application and Application Management Security (AMS) is all software that produces the primary IT services for users and businesses. It does not include platforms and infrastructure services. Applications sit on top of Computer Systems (CSS). Middleware such as runtime environments (e.g. .NET) is also included, except for Database Management Systems.
Operations Support Security (OSS) covers procedures, tool sets and utilities that are used by operations personnel (administrators) for basic data center operations. This includes software for systems management, IT asset and life-cycle management, IT service management as well as for service availability and performance management.
Virtual Machine and Software Image Management (VMM) comprises procedures, tool sets and utilities that are used by operations personnel (administrators) to deploy, start, stop, move and otherwise manage Virtual Machines that run on Computer Systems. User self-service portals or applications are also included. This area also covers tool sets and utilities that are used to generate and configure software images (engineering of images) and for archiving as well as the inventory of these images. The description shall also cover today’s technologies such as containers.
Administration Network Security (ANS) is all networks and other equipment that allow operations personnel (administrators, privileged users) to connect to the data center and its components remotely in order to perform management and maintenance tasks. This includes network security plus jump servers and centrally provided services such as authentication services.
Provider Identity Management (PIM) comprises all procedures and regulations, systems and services that are used to create and manage the digital identities including rights and other attributes for operations personnel (administrators, privileged users).
User Identity Management (UIM) comprises all procedures and regulations, systems and services that are used to create and manage the digital identities including rights and other attributes for users.
The last two areas about Identity Management have relations to the IoT cluster on the left. There are similarities to the area Architecture and Device Attestation (ADA), which is also about Identity Management (but for things and devices). Both Provider Identity Management (PIM) and User Identity Management (UIM) can also be used to manage digital identities for users accessing devices and platforms in the cluster “Edge”. Such relationships are to be described in Architecture and Device Attestation (ADA).
The upper half of the Taxonomy contains areas relating to IT Service Management (ITSM) and central security services. Refer to the amber rectangle in Figure 5. It has been slightly modified compared to the ESARIS Taxonomy for office IT or enterprise IT.
It is important to understand that there are dependencies between the areas in the upper half and those in the lower. The topic “log management” is a good example. It is located in the upper half of the Taxonomy to ensure that managing logs for IT security is implemented and performed following a global perspective as part of Security Information and Event Management (SIEM). However, local logging is the basis for this and needs still to be implemented or enabled in the technologies described in the lower half of the Taxonomy. Hence, both halves will touch upon the logging topic and define security measures accordingly.
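The logging dependency can be shown with a small piece of code. The following is an added example and not part of the ZOIS document: two gateways (the lower-half technology) write local authentication logs in their own formats, and a central step (the upper-half Logging, Monitoring and Security Reporting / SIEM perspective) normalizes them into one schema and runs a rule that no single gateway could evaluate, because it needs events from several gateways. The log lines are constructed for this example; the formats, field names, gateway names and the rule threshold are assumptions and not part of the taxonomy.

```python
"""Added example, not part of the ZOIS document: local gateway logs (lower half
of the taxonomy) feeding a central correlation rule (upper half).  Log formats,
field names and the threshold are assumptions made for this example."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed local log lines: gw-07 logs key=value text, gw-12 logs JSON.
LOCAL_LOGS = [
    "2024-03-01T10:00:01Z gw-07 auth device=temp-1 result=FAIL reason=bad_mac",
    "2024-03-01T10:00:05Z gw-07 auth device=temp-1 result=OK",
    '{"ts": "2024-03-01T10:01:30Z", "gw": "gw-12", "event": "auth", "device": "temp-1", "ok": false}',
    '{"ts": "2024-03-01T10:02:10Z", "gw": "gw-12", "event": "auth", "device": "temp-9", "ok": true}',
    "2024-03-01T10:03:00Z gw-07 auth device=temp-1 result=FAIL reason=bad_mac",
    '{"ts": "2024-03-01T10:03:40Z", "gw": "gw-12", "event": "auth", "device": "temp-1", "ok": false}',
    '{"ts": "2024-03-01T10:04:00Z", "gw": "gw-12", "event": "auth", "device": "temp-1", "ok": false}',
    "2024-03-01T11:30:00Z gw-07 auth device=temp-2 result=FAIL reason=bad_mac",
]

KV_LINE = re.compile(r"^(\S+) (\S+) auth (.*)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map either local format onto one schema: ts, gw, device, ok."""
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("event") != "auth":
            return None
        return {"ts": parse_ts(rec["ts"]), "gw": rec["gw"],
                "device": rec["device"], "ok": bool(rec["ok"])}
    m = KV_LINE.match(line)
    if not m:
        return None
    ts, gw, rest = m.groups()
    kv = dict(part.split("=", 1) for part in rest.split())
    return {"ts": parse_ts(ts), "gw": gw, "device": kv["device"],
            "ok": kv["result"] == "OK"}


def correlate(events, window=timedelta(minutes=5), min_failures=3, min_gateways=2):
    """Flag a device identity that fails authentication at several gateways
    within one window.  Each gateway only sees its own share of the failures,
    so the rule can only run centrally, on the normalized events."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            failures[ev["device"]].append(ev)
    alerts = []
    for device, evs in failures.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            gateways = {e["gw"] for e in in_window}
            if len(in_window) >= min_failures and len(gateways) >= min_gateways:
                alerts.append({"device": device, "gateways": sorted(gateways),
                               "failures": len(in_window),
                               "first": start["ts"].isoformat()})
                break
    return alerts


def run(lines=LOCAL_LOGS):
    events = [ev for ev in map(normalize, lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run over the constructed lines, the rule raises one alert for temp-1 (five failures across gw-07 and gw-12 within five minutes) and nothing for temp-2, whose single failure at one gateway is below the threshold. Feeding only gw-07's lines yields no alert at all, which is the local-versus-global point the paragraph makes.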
The eight areas in the cluster “Service Management” relate to life-cycle issues and general aspects of operations security. The Orchestration, Attainment and Validation (ORA) standard provides a governance model and describes how different parties (vendors etc.) are orchestrated and how their contributions are combined to provide an integral secure whole. Security acceptance and validation testing plays a major role here. Activities concentrate on the plan and build phases but also extend to the run phase. System Development Life-Cycle (SDL) describes requirements for software being developed and systems being set up by the provider and used for IT service provisioning. Systems Acquisition and Contracting (SAC) describes specific requirements for systems and services being purchased from vendors for the purpose of IT service provisioning. The Change and Problem Management (CPM) standard describes how new requirements are met and realized and how possible problems are managed, possibly in cooperation with the user organization (corporate end-user, customer). Changes may be initiated by customers or may be required as the result of vulnerabilities being identified or security incidents that have occurred. The four remaining standards refer to general aspects of operations security: Asset and Configuration Management (ACM), Hardening, Provisioning and Maintenance (HPM), Security Patch Management (SPM) and Business Continuity Management (BCM).
There are four areas that belong to the cluster “Evidence and Customer Relation”: The Customer Communication and Security (CCS) standard provides more details on how the IT Service Provider works, interacts and communicates with its customers (user organizations, corporate end-users). Vulnerability Assessment and Mitigation Planning (VAM) refers to all related activities like design reviews, security testing, regular scanning, CERT services and related evaluation of impact and planning of corrective actions. Logging, Monitoring and Security Reporting (LMR) concerns log management and analysis, monitoring of systems, measurement and information provisioning to customers. In Incident Handling and Forensics (IHF), practices are described to handle (security) incidents in IT production and potentially together with the user organization. It also describes investigations of log data and systems to find evidence of suspicious, malicious and fraudulent action.
The cluster “Risk Management and Certification” has only two areas: Certification and 3rd Party Assurance (CTP) describes the general approach of the IT Service Provider to certifications and how third-party assurance, gained through audits and assessments, is planned, conducted and integrated into the provider’s business strategy and communication. The Risk Management (RMP) standard describes the procedures of making decisions on the implementation of security measures.
Some text of the sections “Details of areas in other clusters (lower half)” and “Details of areas in other clusters (upper half)” was taken from the ESARIS textbook.
Important Editorial note:
- A later version of this document will contain or refer to security specifications for each area in the ZOIS Security Taxonomy for IoT.
- Anthony Sabella, Rik Irons-Mclean, Marcelo Yannuzzi: Orchestrating and Automating Security for the Internet of Things: Delivering Advanced Security Capabilities from Edge to Cloud for IoT. Cisco Press, 2018, 968 pages, ISBN 978-1-58714-503-2
- Eberhard von Faber and Walter Sedlacek: Using Game Theory to Improve IT Security in the Internet of Things: The Idea of a Durability Date or: What happens if nobody cares? Published on zero-outage.com, November 2018
- Frank Vahid and Tony Givargis: Embedded Systems: A Unified Hardware/Software Introduction. John Wiley & Sons, Inc., 2002
- Eberhard von Faber and Wolfgang Behnsen: Secure ICT Service Provisioning for Cloud, Mobile and Beyond: ESARIS: The Answer to the Demands of Industrialized IT Production Balancing Between Buyers and Providers. 2017, ISBN 978-3-658-16481-2