Internet of Things doesn't have to mean enterprise security nightmares

Summary: Within IoT, 'security has to live at the level of the API, to stay fully within the control of devices' manufacturers and vendors.'

When it comes to the Internet of Things, enterprises are leaving themselves wide open to security problems. Connected products, services and sensors have a lot of potential, but there is risk. Fortunately, this risk can be managed at the API level.

Photo: National Gallery of Art, by Joe McKendrick

That's the word from Mark O'Neill, vice president of Innovation at Axway. In a recent post in Service Technology Magazine, he urges IT managers to start paying more attention to security when it comes to the Internet of Things (IoT). "Each smart device and connected app gathers data, and each smart device and connected application risks exposing this data," O'Neill says. "Companies promising amazing experiences through their IoT-connected products and services must back those promises up with unsurpassed security."

Consider the implications to a supply chain well-populated with sensors and intelligent devices, he continues. "Businesses leave valuable data open to exposure and risk supply chain disruptions if they do not address security when they use barcodes, RFID and GPS technology to track supply chain status, and when they Internet-enable functions that traditionally only operate behind the firewall."

The time has passed when "manufacturers can hide their APIs and hope that hackers do not locate and manipulate them," he states.

There are ways to mitigate these risks: API gateways and API portals are proactive measures that can help lock down device security, O'Neill says. "Security has to live at the level of the API," he says. This keeps security "fully within the control of devices' manufacturers and vendors, which in the world of the IoT is the safest place for security to reside... The APIs can be the point from which companies enforce their privacy and security policies."

API gateways "enable APIs to receive virtual patches, a form of upstream security that prevents malicious traffic from reaching APIs without disrupting devices' functionality. Virtual patches work without changing APIs' source code and they manage risks quickly."

API portals "let developers see how devices are using their APIs over time," says O'Neill. Such information enables organizations to produce audit trails, which can be used to "help in investigations of API attacks and to ensure compliance with industry regulations." Such auditable data trails are a must in industries such as healthcare, he adds. In addition, "businesses increasingly use APIs for B2B collaboration and data exchange, and in these cases audit trails for APIs can function as tracking methods for people accessing information."

With API gateways and portals in place, "device manufacturers and app developers can rest assured that their platforms can hold customer data securely, encrypting it within devices, and remain open to security patches and updates," he says. "Also crucial to IoT success, these security fixes can be applied to APIs without interrupting the function of the devices they control."
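The two gateway controls described above, a virtual patch applied upstream of the device API and an audit trail of every decision, can be illustrated with a small Python gateway. This is an added example and not code from Axway or from O'Neill's article; the device API, its routes, the bearer tokens, the 1024-byte body limit and the sample requests are all constructed for the illustration. The point it shows is that every rule lives in the gateway layer, so the naive `device_api` function is never modified when a rule is added, and that the same layer produces the per-client audit record a portal would later expose.

```python
"""Added example: a minimal API gateway in front of a hypothetical IoT device
API, applying 'virtual patch' rules upstream of the device code and writing
an audit trail for every request. Not Axway's or O'Neill's code."""
import json
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_BODY_BYTES = 1024  # assumed limit for the hypothetical device API
# Assumed published API surface: /devices/<id>/telemetry and /devices/<id>/firmware
PUBLISHED_PATH = re.compile(r"^/devices/([A-Za-z0-9-]{1,32})/(telemetry|firmware)$")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: str
    client_ip: str


def device_api(req: Request) -> Tuple[int, dict]:
    """Hypothetical device API. Deliberately naive: it trusts its input,
    because the controls live in the gateway, not here."""
    payload = json.loads(req.body) if req.body else {}
    return 200, {"stored": payload}


# A virtual patch returns (status, reason) to reject, or None to let the
# request through. The device API's source is never touched by adding one.
Rule = Callable[["Gateway", Request], Optional[Tuple[int, str]]]


def require_token(gw: "Gateway", req: Request):
    token = req.headers.get("Authorization", "")
    token = token[len("Bearer "):].strip() if token.startswith("Bearer ") else ""
    if token not in gw.valid_tokens:
        return 401, "missing or unknown bearer token"
    return None


def restrict_path(gw: "Gateway", req: Request):
    # Only documented routes reach the device; anything else stops here.
    if not PUBLISHED_PATH.match(req.path):
        return 404, "path not in published API surface"
    return None


def limit_body(gw: "Gateway", req: Request):
    if len(req.body.encode("utf-8")) > MAX_BODY_BYTES:
        return 413, "body exceeds %d bytes" % MAX_BODY_BYTES
    return None


def require_json(gw: "Gateway", req: Request):
    if req.method in ("POST", "PUT"):
        if req.headers.get("Content-Type") != "application/json":
            return 415, "body must be application/json"
        try:
            json.loads(req.body)
        except ValueError:
            return 400, "body is not valid JSON"
    return None


class Gateway:
    def __init__(self, valid_tokens, upstream=device_api):
        self.valid_tokens = set(valid_tokens)
        self.upstream = upstream
        self.patches: List[Rule] = [require_token, restrict_path, limit_body, require_json]
        self.audit_log: List[dict] = []

    def handle(self, req: Request) -> Tuple[int, dict]:
        for rule in self.patches:
            verdict = rule(self, req)
            if verdict:
                status, reason = verdict
                self._audit(req, status, reason)
                return status, {"error": reason}
        status, body = self.upstream(req)
        self._audit(req, status, "forwarded to device API")
        return status, body

    def _audit(self, req: Request, status: int, reason: str) -> None:
        # One record per decision: who, what, outcome, why. This is the raw
        # material an API portal would aggregate for investigations.
        self.audit_log.append({"ts": time.time(), "client_ip": req.client_ip,
                               "method": req.method, "path": req.path,
                               "status": status, "reason": reason})

    def denied_by_client(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry["status"] >= 400:
                counts[entry["client_ip"]] = counts.get(entry["client_ip"], 0) + 1
        return counts


def run_samples() -> Tuple[Gateway, List[int]]:
    """Constructed traffic: one well-formed request and four that each trip
    a different virtual patch. Returns the gateway and the status codes."""
    gw = Gateway(valid_tokens={"tok-sensor-7"})
    auth = {"Authorization": "Bearer tok-sensor-7", "Content-Type": "application/json"}
    samples = [
        Request("POST", "/devices/sensor-7/telemetry", auth, '{"temp_c": 21.5}', "10.0.0.5"),
        Request("POST", "/devices/sensor-7/telemetry", {"Content-Type": "application/json"}, '{}', "203.0.113.9"),
        Request("GET", "/admin/debug", auth, "", "203.0.113.9"),
        Request("POST", "/devices/sensor-7/firmware", auth, "A" * 5000, "203.0.113.9"),
        Request("POST", "/devices/sensor-7/telemetry", auth, "temp=21", "10.0.0.5"),
    ]
    return gw, [gw.handle(r)[0] for r in samples]


if __name__ == "__main__":
    gateway, statuses = run_samples()
    print("statuses:", statuses)
    print("denied per client:", gateway.denied_by_client())
```

Rules are evaluated in list order, so authentication is checked before anything else and an unauthenticated caller learns nothing about which paths exist. Adding a new virtual patch is a matter of appending a function to `gw.patches`; the device API and the device it fronts keep running unchanged, which is the property the article attributes to gateway-level patching.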

Topics: Security, IT Priorities

Talkback (1 comment)

  • API is very useful in implementing this

    I agree that "When it comes to the Internet of Things, enterprises are leaving themselves wide open to security problems."

    The "Internet of Things" scares me since many IoT devices are not built with security in mind. I would be extremely concerned if my car was hacked while driving or a medical device was manipulated. This can be much worse than the concerning identity theft.

    I think that we need to take a proactive approach to this large scale problem and apply granular data centric security.

    Modern granular data protection, like data tokenization, is very cost effective and should not only be used for compliance with regulations like PCI DSS for payment data.

    Recent studies reported that data tokenization can cut security incidents by 50% also for personal data. This can help prevent identity theft.

    API is very useful in implementing this.

    Ulf Mattsson, CTO Protegrity
    ulf.mattsson@...