
API Security and IoT – not a black or white problem

July 11, 2016

Posted by: George Malim

Rami Essaid, Distil Networks

The networks that support the Internet of Things (IoT) rely on connections between a huge number of different devices, platforms and tools in order to function. The basic building blocks within these applications are the application programming interfaces (APIs) that make the IoT work, writes Rami Essaid, chief executive of Distil Networks.

However, many development teams give little thought to the security of these APIs. Often the only control available once abuse is noticed is to switch the API off, which interrupts the service for every legitimate client as well. To truly ensure security in the IoT environment, companies need to think about their API strategies in much more detail, and they can take some valuable lessons from the IT security industry.

It’s clear that the emerging IoT, which involves the connection of countless objects and sensors to the Internet, is a potential minefield of security risks. Hackers with nefarious intentions and other bad actors can use IoT not only to break into corporate networks and systems, but to hack their way into buildings, homes, medical devices, cars, traffic control systems and other “things.”

When it comes to IoT, we’re talking about an enormous playing field. Research firm Gartner in a November 2015 report forecast that 6.4 billion connected things will be in use around the world this year. That’s a 30% increase from 2015. Each day, 5.5 million new things are connected, the firm says, and by 2020 the number of connected things is expected to total 20.8 billion.

Because APIs are an integral part of IoT applications, securing APIs is a key step to providing overall security of the IoT. APIs help connect the devices, products, facilities, assets and other IoT objects. They present their own security vulnerabilities that developers and security executives must address in order to keep IoT environments safe from attack.

The IoT involves moving away from self-encapsulated applications. Over the past five years or so we have seen a growing number of APIs, and increasingly organizations are shifting toward making everything into an API.

When Web sites were first becoming mainstream, developers never really gave much thought to securing them. With the advent of Web application firewalls, sites could be made more secure by putting a protective layer in front of the application to filter known attack patterns before they reach it. Yet even today, developers in many cases still don’t make security a priority when they’re creating applications.

This lack of focus applies equally to the developers writing APIs for IoT initiatives. Because security is not a priority during development, the resulting APIs create risk for every organisation and individual using IoT applications or IoT-connected things.

Industry research shows that organisations are worried about API security. For example, Ovum in April 2016 surveyed 100 companies in a variety of industries in North America, Europe, and Asia-Pacific, and 83% of the respondents said they are concerned with the issue of API security. A majority of these organizations are using some type of API management platform, and most of the platforms they are using provide some level of security.

Still, the growing popularity of APIs that are exposed to developers outside the company that owns the APIs brings additional security risks, according to the Ovum report. The reason is that their popularity makes them more likely targets for attack.

The Ovum research also reports a lack of consistency in the way security is incorporated into API development: nearly one-third of APIs move through the specification process without being examined by the organisation’s IT security team, one third advance through development without input from IT security, and about one in five go live without any input from security professionals whatsoever.

The Ovum report recommends that if enterprises plan to expose APIs to enable developers at partner firms to harness the functionality contained within their software, they should consider deploying an API management platform to exercise control over the process.

Organisations can also select from a range of security technologies to improve API security. These include transport encryption with TLS (the successor to the now-deprecated SSL) to protect the link between an API client and the server, and per-client authentication, such as API keys or signed tokens, so that every call is tied to a unique identifier. With each request attributed to a known identity, companies can spot suspect patterns in access to an API and block or throttle the offending client, rather than having to turn off all access to contain an issue. As with any control, it is important that security does not get in the way of the services that depend on the APIs.
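The following is an added illustration of the approach described above; it is not Distil Networks’ product or code and is not taken from the original post. It assumes a constructed registry of per-device secrets (`DEVICE_KEYS`), HMAC-SHA256 request signing over a fixed canonical string, a replay window, and a per-device sliding-window rate limit, all chosen for the example. The point it demonstrates is that once every call carries a verifiable device identity, a flooding or forged client can be rejected or throttled on its own while other devices keep working, instead of the whole API being switched off.

```python
"""Per-client API authentication and per-client throttling for an IoT endpoint.

Added example, not code from the original article or from Distil Networks.
Device IDs, secrets, timestamps and request samples are all constructed.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed registry: each device gets its own secret, so every call is tied
# to one identity and one misbehaving device never forces a global shutoff.
DEVICE_KEYS = {
    "thermostat-0001": b"k1-constructed-secret",
    "meter-0042": b"k2-constructed-secret",
}

REPLAY_WINDOW = 300   # seconds a signed request stays valid (assumed)
RATE_LIMIT = 5        # max requests per device per RATE_WINDOW (assumed)
RATE_WINDOW = 60      # seconds (assumed)


def canonical(device_id, ts, method, path, body):
    # Fixed field order so client and server sign exactly the same bytes.
    return "\n".join([device_id, str(ts), method.upper(), path, body]).encode()


def sign(device_id, ts, method, path, body, key):
    return hmac.new(key, canonical(device_id, ts, method, path, body),
                    hashlib.sha256).hexdigest()


class ApiGate:
    def __init__(self, keys=DEVICE_KEYS, now=time.time):
        self.keys = keys
        self.now = now
        self.history = defaultdict(deque)   # device_id -> recent request times

    def check(self, req):
        """Return (status, reason) for one request dict; 200 means allowed."""
        device_id = req.get("device_id")
        key = self.keys.get(device_id)
        if key is None:
            return 401, "unknown device"
        now = self.now()
        # Reject stale or far-future timestamps to limit replay of captured calls.
        if abs(now - req["ts"]) > REPLAY_WINDOW:
            return 401, "stale timestamp"
        expected = sign(device_id, req["ts"], req["method"], req["path"],
                        req["body"], key)
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(expected, req["sig"]):
            return 401, "bad signature"
        # Per-identity sliding window: only this device is throttled.
        window = self.history[device_id]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return 429, "rate limit exceeded"
        window.append(now)
        return 200, "ok"


def make_request(device_id, key, method, path, body, ts):
    """Build a signed request the way a legitimate device would."""
    return {"device_id": device_id, "ts": ts, "method": method, "path": path,
            "body": body, "sig": sign(device_id, ts, method, path, body, key)}


def demo():
    """Run a constructed traffic sample and return the status code per request."""
    clock = [1_468_195_200.0]            # constructed epoch time, 11 July 2016
    gate = ApiGate(now=lambda: clock[0])
    results = []
    good = DEVICE_KEYS["thermostat-0001"]
    # One legitimate reading from the thermostat.
    results.append(gate.check(make_request("thermostat-0001", good, "POST",
                                           "/v1/readings", '{"t":21.5}', clock[0]))[0])
    # An attacker replays the same body but cannot produce a valid signature.
    forged = make_request("thermostat-0001", b"guessed-key", "POST",
                          "/v1/readings", '{"t":21.5}', clock[0])
    results.append(gate.check(forged)[0])
    # A compromised meter floods the API: it gets throttled, nobody else does.
    meter = DEVICE_KEYS["meter-0042"]
    for _ in range(RATE_LIMIT + 2):
        clock[0] += 1
        results.append(gate.check(make_request("meter-0042", meter, "GET",
                                               "/v1/config", "", clock[0]))[0])
    clock[0] += 1
    results.append(gate.check(make_request("thermostat-0001", good, "POST",
                                           "/v1/readings", '{"t":21.7}', clock[0]))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

In the demo the forged call is rejected with 401, the flooding meter receives 200 for its first five calls and 429 thereafter, and the thermostat’s later reading still returns 200. In a real deployment the secrets would live in a key store rather than a dictionary, the 429 and 401 counts per device would feed the monitoring that spots suspect patterns, and the signing would run over TLS so the identifier and payload are not exposed in transit.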

As IoT projects begin to take shape, and ideally even before that happens, corporate IT, security and operations executives need to understand how API security is being managed within their organisations. Security teams need to help create awareness and understanding among stakeholders about the security risks of APIs in general and as part of their IoT projects. On the other side, developers should factor security into their designs from the start as well.

Failure to do so can put organisations at risk, particularly as more IoT applications are rolled out and more things are connected. As the role of APIs becomes more critical to businesses, keeping these systems secure will become critical too.