TL;DR: IoT device numbers are projected to rise from 9.7 billion in 2020 to more than 29 billion by 2030, while the article argues that encryption, authentication, and testing are now essential to keep connected devices and their data resilient, according to GlobalSign. The governance challenge is no longer device growth itself but proving identity, limiting trust, and managing access at scale.
NHIMG editorial — based on content published by GlobalSign: a guide to the Internet of Things, its use cases, and security considerations
By the numbers:
- The number of IoT devices will grow from 9.7 billion in 2020 to more than 29 billion by 2030.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: What makes IoT devices difficult to govern like normal endpoints?
A: IoT devices are difficult to govern because they often rely on embedded credentials, fixed certificates, and long-lived trust relationships that are hard to rotate or revoke at scale.
Q: How should organisations secure IoT devices before deploying them at scale?
A: Organisations should treat IoT onboarding like identity onboarding.
Q: What do teams get wrong about IoT certificate management?
A: Teams often treat certificates as a deployment step instead of a lifecycle control.
Practitioner guidance
- Build a device identity inventory Create a live inventory of every connected device, certificate, and remote access path so you can see which identities are active, stale, or duplicated.
- Enforce certificate lifecycle controls Automate certificate issuance, renewal, and revocation for IoT devices, and require short-lived trust where the platform allows it.
- Separate operational and management channels Keep telemetry flows, administrative access, and firmware update paths distinct so compromise of one channel does not expose the others.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- The article's full list of IoT application areas across homes, cities, vehicles, healthcare, agriculture, retail, and industrial systems.
- The vendor's explanation of IoT fundamentals and history, including how connected devices collect and exchange data.
- The specific security measures the article recommends for connected devices, including encryption, authentication, and penetration testing.
- The vendor's framing of IoT certificates and related services for protecting connected objects and data.
👉 Read GlobalSign's guide to IoT security, use cases, and device protection →
IoT security gaps: what identity and access controls are missing?
Explore further
IoT security is now an identity governance problem, not just a device hardening problem. Connected devices create their own credential estates, and those estates need provisioning, rotation, monitoring, and offboarding discipline. The article correctly points to encryption and authentication, but the deeper issue is whether each device has a bounded trust relationship that can be managed over time. In that sense, IoT governance overlaps directly with non-human identity control, especially where certificates and API-style device access are involved.
A question worth separating out:
Q: Which controls matter most when IoT devices are retired or replaced?
A: The critical controls are inventory accuracy, certificate revocation, decommissioning validation, and removal of any stored secrets or remote access paths linked to the old device. Retired devices should not retain network trust or authentication authority, because reuse and cloning are common sources of residual access in IoT environments.
👉 Read our full editorial: IoT security gaps are widening as device populations scale