Internet of Things doesn't have to mean enterprise security nightmares

Within IoT, 'security has to live at the level of the API, to stay fully within the control of devices' manufacturers and vendors.'

When it comes to the Internet of Things, enterprises are leaving themselves wide open to security problems. Connected products, services and sensors have a lot of potential, but there is risk. Fortunately, this risk can be managed at the API level.

National Gallery of Art Photo by Joe McKendrick

That's the word from Mark O'Neill, vice president of Innovation at Axway. In a recent post in Service Technology Magazine, he urges IT managers to start paying more attention to security when it comes to the Internet of Things (IoT). "Each smart device and connected app gathers data, and each smart device and connected application risks exposing this data," O'Neill says. "Companies promising amazing experiences through their IoT-connected products and services must back those promises up with unsurpassed security."

Consider the implications to a supply chain well-populated with sensors and intelligent devices, he continues. "Businesses leave valuable data open to exposure and risk supply chain disruptions if they do not address security when they use barcodes, RFID and GPS technology to track supply chain status, and when they Internet-enable functions that traditionally only operate behind the firewall."

The time has passed when "manufacturers can hide their APIs and hope that hackers do not locate and manipulate them," he states.

There are ways to mitigate these risks -- API gateways and API portals are proactive measures that can help lock down device security, O'Neill says. "Security has to live at the level of the API," he says. This keeps security "fully within the control of devices' manufacturers and vendors, which in the world of the IoT is the safest place for security to reside... The APIs can be the point from which companies enforce their privacy and security policies."

API gateways "enable APIs to receive virtual patches, a form of upstream security that prevents malicious traffic from reaching APIs without disrupting devices' functionality. Virtual patches work without changing APIs' source code and they manage risks quickly."

API portals "let developers see how devices are using their APIs over time," says O'Neill. Such information enables organizations to produce audit trails, which can be used to "help in investigations of API attacks and to ensure compliance with industry regulations." Such auditable data trails are a must in industries such as healthcare, he adds. In addition, "businesses increasingly use APIs for B2B collaboration and data exchange, and in these cases audit trails for APIs can function as tracking methods for people accessing information."

With API gateways and portals in place, "device manufacturers and app developers can rest assured that their platforms can hold customer data securely, encrypting it within devices, and remain open to security patches and updates," he says. "Also crucial to IoT success, these security fixes can be applied to APIs without interrupting the function of the devices they control."