It’s no secret that the adoption of IoT is rapidly growing across industries. In my last post, I discussed IoT security strategies rooted in blockchain, an evolving topic I find important and oftentimes overlooked. In the grander scheme of things, the emergence of blockchain technology is just one of the many ways that IoT devices can be protected. Successful IoT security architecture will require multiple control layers. In this post, I’d like to take a look at IoT security processes and home in on another step that businesses can take to better protect connected devices and customer data from attacks and breaches.
This may come as a shock to some people, but the epicenter of some of the largest recent IoT security blunders was a poorly secured application program interface (API). An API is defined as a set of routines, protocols and tools for building software applications. Here’s a quick example of how a poorly secured API can negatively impact an organization, through the eyes of Nissan. It was recently discovered that the Nissan Leaf, the world’s best-selling electric car, was vulnerable to hackers who could obtain private information about a vehicle’s operations and travels and even control key vehicle functions. This came to light when a Nissan Leaf owner noticed that requests to the API endpoint didn’t require any authentication other than the Vehicle Identification Number (VIN), a value an attacker can obtain easily, giving an attacker the ability to control functions of someone else’s car with very little effort. That’s not a very exciting feature for one’s new car.
In situations like this, something as crucial as securing an API endpoint was overlooked and in turn put drivers at risk of getting their vehicles hacked. With the proliferation of devices and the emergence of new device types across industries, it is far too easy for businesses to overlook API security when implementing IoT devices, but the reality is that an improperly secured API can cause major headaches and can introduce serious vulnerabilities into the products. With the growth of connected devices, device interaction through APIs is one of the primary use cases for APIs — and one that will grow exponentially over the coming years, according to IBM. Further, 44% of API providers in 2016 said IoT would drive the most API growth in the next two years. With the continued rise in the number of IoT devices in use, business leaders must make secure API management a central part of their security strategies. Otherwise, they risk the safety and security of their organization’s connected devices and their customers’ data.
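To make the Leaf-style mistake concrete, here is an added example (not Nissan’s code, and not from this post) that models the flawed endpoint beside a hardened one. The vulnerable handler treats the VIN as the only thing needed to select a vehicle; the hardened handler first authenticates the caller with a bearer token and then checks that the authenticated account actually owns the requested VIN. Every VIN, account and token below is constructed sample data, and the in-memory dictionaries stand in for a real session store and vehicle database.

```python
"""Added example: a VIN-only vehicle API beside its authenticated, authorized form.

The 'vulnerable' handler reproduces the class of flaw described above: the
caller's identity is never established, so the VIN acts as the password.
The 'hardened' handler requires a bearer token and an ownership check.
All data here is constructed for the example.
"""
import hmac

# Constructed sample data: which account owns which vehicle, and vehicle state.
VEHICLE_OWNERS = {"VIN-SAMPLE-0001": "alice", "VIN-SAMPLE-0002": "bob"}
VEHICLE_STATE = {
    "VIN-SAMPLE-0001": {"battery_pct": 82, "climate": "off"},
    "VIN-SAMPLE-0002": {"battery_pct": 37, "climate": "on"},
}

# Constructed server-side session store: token -> account.  A real service
# would issue these from a login flow and expire them.
SESSIONS = {"tok-alice-constructed": "alice", "tok-bob-constructed": "bob"}


def vulnerable_status(params):
    """'Before' version: the VIN alone selects the vehicle; no caller identity."""
    vin = params.get("vin")
    if vin not in VEHICLE_STATE:
        return 404, {"error": "unknown vehicle"}
    return 200, VEHICLE_STATE[vin]


def _account_for_token(headers):
    """Resolve an Authorization: Bearer header to an account, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison so token validity cannot be timed.
    for token, account in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return account
    return None


def hardened_status(params, headers):
    """Authenticate the caller, then authorize the caller for this specific VIN."""
    account = _account_for_token(headers)
    if account is None:
        return 401, {"error": "authentication required"}
    vin = params.get("vin")
    # Same 404 for "not yours" and "does not exist", so the endpoint cannot be
    # used to confirm which VINs are registered.
    if VEHICLE_OWNERS.get(vin) != account:
        return 404, {"error": "unknown vehicle"}
    return 200, VEHICLE_STATE[vin]


if __name__ == "__main__":
    print(vulnerable_status({"vin": "VIN-SAMPLE-0002"}))
    print(hardened_status({"vin": "VIN-SAMPLE-0002"}, {}))
    print(hardened_status({"vin": "VIN-SAMPLE-0002"},
                          {"Authorization": "Bearer tok-alice-constructed"}))
    print(hardened_status({"vin": "VIN-SAMPLE-0002"},
                          {"Authorization": "Bearer tok-bob-constructed"}))
```

The important design point is the second check: authentication alone is not enough, because a logged-in user presenting someone else’s VIN must still be refused. Binding the resource (the VIN) to the authenticated principal is what closes the gap the Leaf owner found.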
This threat spans B2C industries and B2B enterprises as we move into a future where EVERYTHING will be connected. In this overly connected world, a unified approach to IoT device security is essential. But there are many disjointed or incomplete API management solutions on the market that are contributing to security issues with APIs and connected devices.
Yet, with all these risks and looming IoT security hurdles, there are several steps that organizations’ decision-makers can follow in order to maintain device security and device data security through APIs:
- Integrate a full API lifecycle management tool. Thinking about APIs as part of a digital security strategy is a newer concept for some organizations (case in point, companies like Nissan), and for some it might not be. But too many companies overlook the very simple, critical first step to API security: managing the full API lifecycle. The API development process, from API design to creation to runtime to product management to API governance, must be approached in a holistic manner with a security mindset. Rather than each developer, department or solution creating their own API governance and security strategies, corporate API security policies and best practices must be enforced. Implement strong authentication and authorization for access to connected devices.
- Implement wide security policies. IoT software architectures, protocols and standards vary based on use cases and devices. Ensure the API management solution supports the required variety of architectures, from on-premises to cloud to hybrid, and treats IoT protocols as first-class citizens. Data in motion from disparate sets of IoT devices must be protected via secured APIs.
- Monitor for proper API version management. With the proliferation of IoT devices and different firmware versions, the potential for multiple versions of APIs to proliferate is an inherent risk. Best practice requires all IoT devices to be upgraded to the most recent firmware, and a single or highly limited number of API versions should be utilized. New versions or equivalent APIs with similar capability can lead to an explosion in the number of APIs and to API aging. Evaluating the available APIs and their versions, and retiring old or duplicative ones, must be implemented via an enterprise API audit process.
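The version-management audit described in the last step can be automated over an API inventory. The following is an added example, not code from the post or from any API management product: it takes an inventory of API versions, the date each was last called, and the device firmware versions still calling it, then flags versions that are stale (unused beyond a threshold) or superseded by a newer version while still carrying callers that need a firmware upgrade. The inventory rows and dates are constructed sample data; a real audit would pull them from the API gateway’s catalog and access logs.

```python
"""Added example: flag API versions for retirement from an API inventory.

Findings are (api, version, reason, sorted_callers) tuples.  'stale' means
no calls within stale_days; 'superseded' means a newer version exists and
the organization's policy keeps only max_versions per API.
"""
from datetime import date

# Constructed inventory: (api name, version, last call date,
#                         firmware versions still calling this version)
INVENTORY = [
    ("device-telemetry", "v1", date(2016, 2, 1), {"1.0.3"}),
    ("device-telemetry", "v2", date(2016, 9, 28), {"1.2.0", "1.3.1"}),
    ("device-telemetry", "v3", date(2016, 10, 2), {"1.3.1"}),
    ("device-command", "v1", date(2016, 10, 1), {"1.2.0", "1.3.1"}),
    ("sensor-upload", "v1", date(2016, 3, 15), set()),
]


def _version_number(version):
    """'v3' -> 3, so versions sort numerically rather than lexically."""
    return int(version.lstrip("v"))


def audit(inventory, today, max_versions=1, stale_days=90):
    """Return retirement findings for the given inventory as of `today`."""
    by_api = {}
    for name, version, last_used, callers in inventory:
        by_api.setdefault(name, []).append((version, last_used, callers))

    findings = []
    for name, versions in by_api.items():
        # Newest first; the first max_versions entries are the ones to keep.
        versions.sort(key=lambda row: _version_number(row[0]), reverse=True)
        keep = {row[0] for row in versions[:max_versions]}
        for version, last_used, callers in versions:
            if (today - last_used).days > stale_days:
                # Unused long enough to retire regardless of policy.
                findings.append((name, version, "stale", sorted(callers)))
            elif version not in keep:
                # A newer version exists; listed callers need a firmware upgrade
                # before this version can be switched off.
                findings.append((name, version, "superseded", sorted(callers)))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2016, 10, 15)):
        print(finding)
```

Running it against the constructed inventory as of 2016-10-15 reports `device-telemetry v2` as superseded by v3 but still used by two firmware versions, and `device-telemetry v1` and `sensor-upload v1` as stale. The callers list is what makes the finding actionable: it tells the device team which firmware must be upgraded before the old API version is removed.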
Having a strong hold on the full API lifecycle has many positive impacts on a business implementing IoT technologies. For example, security: customers aren’t vulnerable and their data is safe when using connected devices or business services. Or the ability to scale and improve device functionality based on how customers are using connected devices (something organizations sometimes overlook). Organizations that want to focus their efforts on the IoT market can’t afford to overlook the importance of API management and security, especially as IoT evolves toward greater autonomy.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.