Cybersecurity Shootout in the IoT Wild-Wild West

By Rami Essaid

The data security landscape is scary enough as it is, and things are about to get much more intimidating for businesses. The emerging Internet of Things (IoT), in which countless objects will be connected via sensors and the Internet, is creating new opportunities for hackers and other bad actors to exploit systems and steal data or otherwise wreak havoc.

Among the key enablers of the IoT are the application programming interfaces (APIs) that will help connect devices, assets, products and other “things” to the Internet. And APIs present their own set of security vulnerabilities that organizations need to address to keep their own IoT environments as secure as possible.

This is no small task when you consider the projected scope of the IoT. Research firm Gartner Inc. in November 2015 estimated that some 6.4 billion connected things will be in use worldwide in 2016, up 30% from 2015. This year 5.5 million new things will get connected every day, Gartner says, and the total number of connected things is predicted to reach 20.8 billion by 2020.

IoT Everywhere

The IoT will reach into virtually every industry—it’s already having a large impact on sectors such as industrial manufacturing, automotive, utilities and municipal governments—and affect many aspects of everyday life. Smart homes will potentially include dozens of connected objects such as appliances, thermostats, light bulbs and security systems, and smart cities could have millions of connected components such as traffic lights, parking meters, office parks, shopping malls and various other entities.

With the IoT, we're moving away from the world of self-encapsulated applications, whether they are physical applications, applications that are downloadable on your computer, or Web applications. In the past half-decade we've seen the growth of APIs, and more and more companies are moving toward making everything into an API. But what we saw 10 or 15 years ago, when Web sites were becoming more and more mainstream, is that developers never really thought about securing their Web sites. Then we saw the advent of Web application firewalls, and still today developers typically don't think about security as they're writing things.

Now that developers are having to write APIs for IoT, the same holds true. They're not thinking about security, and this potentially puts lots of corporate data at risk. Clearly, the security risks of APIs are not always well understood or even acknowledged by organizations, and much work needs to be done if enterprises are to be prepared for the data security risks of the IoT.

Lack of API Security Coverage and Accountability

According to an April 2016 Ovum survey of 100 companies in a variety of industries in North America, Europe, and Asia-Pacific, sponsored by my firm Distil Networks, 83% of the respondents are at least concerned with the issue of API security. A majority are using some form of API management platform, and most of the platforms in use provide some level of security capability.

However, there’s a lack of blanket coverage of all aspects of API security by all platforms. With the growing popularity of "public" APIs—those that are exposed to developers outside the company that owns the APIs—come security risks, the Ovum report says. That’s because their very popularity makes them a target for cybercriminals.

The survey also finds a lack of consistency in the way that security is incorporated into API development. Nearly one-third of APIs go through a specification process without being looked at by organizations’ IT security teams. And 30% of APIs continue through the development stage without IT security providing thoughts or comments. About one in five of the APIs actually go live without any input from security professionals.

The message for IT and security executives is obvious, Ovum says: they need to understand how API security is being managed within their organizations. APIs that lack adequate security increase an enterprise's attack surface, exposing application structure and data to hackers and other intruders.

Ensuring API Security

The report recommends that if organizations expose, or plan to expose, APIs to enable developers at partner firms to harness functionality contained within their software, they should consider an API management platform to exercise control over that process.

“However, beyond the basic security of key management for the API development process, you need to interrogate your API management technology supplier, whether internal to your organization or a third-party vendor, as to its security features,” the report says. “Can it protect you from an automated scraping attack in which malicious bots pull down online content and data within minutes directly from your APIs?”

Companies can choose from a variety of security tools to enhance API security within the context of IoT. For example, they can use Secure Sockets Layer (SSL) to establish an encrypted link between a Web server and a browser. They can also deploy user authentication tools that create unique identifiers.

Regardless of the technologies used, developers and security personnel need to collaborate on API security, or at least determine who holds the ultimate responsibility for security. That means determining at what point in the development process the security of the API needs to be factored in. Regardless of when this happens, IT and security leaders clearly need to have a better handle on how API security is being managed.

Examples from the last few years of Web-enabled services that have been compromised, such as Tinder and Snapchat, indicate a weakness in API security. These types of breaches are likely to accelerate as IoT adoption continues in so many industries.

FBI Sounds the Alarm Bell on IoT Security

If you think security concerns about the IoT are being driven by vendors, consider what the FBI warned in a public notice posted in September 2015. The bureau noted that criminals can use IoT devices to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information or interfere with physical safety. Examples of possible incidents the FBI mentioned include cyber criminals taking advantage of security oversights in closed circuit television, such as security cameras used by private businesses or built-in cameras on baby monitors used in homes and day care centers; exploiting unsecured wireless connections for automated devices, such as security systems, garage doors, thermostats and lighting, to gain access to home or business networks and collect personal information or remotely monitor the owner’s habits and network traffic; and gaining access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines.

Given the serious threats, companies need to be much more proactive in their approach to the security of APIs if they expect to deliver IoT services that ensure the protection of data.


About Rami Essaid

Rami Essaid is the CEO and Co-founder of Distil Networks, the first easy and accurate way to identify and police malicious website traffic, blocking 99.9% of bad bots without impacting legitimate users.
