This guest post comes from Mark O’Neill. Mark is a frequent speaker and blogger on APIs and security. He is the co-founder and CTO at Vordel, now part of Axway. In his new role as VP Innovation, he manages Axway’s Identity and API Management strategy, including the API Server for connecting APIs to Cloud and Mobile. Mark can be followed on his blog at www.soatothecloud.com and on Twitter at @themarkoneill.
According to estimates by the Organization for Economic Co-operation and Development, in 2022 the average household with two teenage children will own roughly 50 Internet-connected devices, up from approximately ten today. Conservative estimates put the number of connected devices currently at approximately 12 billion, with the number due to grow to 50 billion by 2020, according to a separate Cisco study. Therefore, while the trend known as the Internet of Things (IoT) isn’t a new idea, with each new Wi-Fi-enabled thermostat and each new car dashboard touchscreen, it is steadily becoming a reality. The results include enhancements to consumer experiences, improved operations for enterprises, as well as the creation of new revenue channels for traditional industries and the spawning of new business models.
The term “Internet of Things” (IoT) was coined approximately 15 years ago by RFID technology pioneer Kevin Ashton and refers to how Internet traffic is increasingly based on a system-to-system or an application-to-application approach as opposed to involving humans. While we’re at the early stages of broad IoT implementation, engineers today are linking objects as diverse as smartphones, cars, and household appliances to sensors, each other and the Internet. This growth coincides with another growth area: the growth of Web APIs for integration. Web APIs are the underlying technology enabling IoT. This article will explore why organizations require API management as part of an IoT strategy and will provide some best practices for implementing an API management strategy for IoT.
Today, certain vertical industries, particularly the automotive, home automation and utility sectors, are early adopters in the IoT space. For example, a utility consumer can use a mobile app to view details about their energy usage and pricing, as well as view the temperature of their home, using information sent from their thermostat out to a Web API in the Cloud. A car owner can use a mobile app to remotely lock/unlock their vehicle and activate the air-conditioning five minutes before they sit in. Within the transportation industry, an organization can remotely monitor its fleet to ensure its drivers are not driving longer than permitted. Connected cars, smart meters and home automation appliances all use Web APIs to provide information to the consumer and manufacturer, enabling them to interact with the service provider. This trend is growing to the point that cars, smart meters, and other sensors will soon outnumber mobile apps as API consumers.
Understandably, any organization considering an IoT strategy will have concerns regarding security and data privacy. Organizations can address these concerns by implementing an API management strategy to provide the business with API monitoring and visibility capabilities, as well as an audit trail detailing how its APIs are being used. An effective IoT strategy will also have clear API management policies in place to address privacy and security issues, with the ability to authorize mobile app users, implement security protocols, and track the large volumes of data associated with this process.
Without effective API management, an organization’s APIs could potentially become sabotaged or compromised, damaging the brand’s reputation and exposing its users to potential criminal attack. With IoT, the dangers are even greater, when you consider the risk to cars or homes. For example, if a rogue user accessed an automotive firm’s API, the unauthorized person could have the ability to remotely unlock or lock a car – without the owner’s permission. This scenario could herald the blending of car crime with cybercrime – a frightening scenario. To avoid this exposure, the organization would need to have clear policies around who can access the API and define who has permission to remotely lock and unlock the car, using identity standards such as OAuth. In short, if an organization does not have an effective API management strategy it lacks visibility into how its APIs are being used and therefore puts its business and its users at risk.
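The access policy described above, sketched as an added example; it is not code from the original article or from any Axway product. The scope names, vehicle IDs and the shape of the `claims` dictionary (the output of a token validation or introspection step) are assumptions made for illustration. It shows that an OAuth scope alone is not sufficient: the token's subject must also be bound to the specific car, and every decision is written to an audit trail.

```python
import time

# Constructed data: which user owns which vehicle (hypothetical IDs).
VEHICLE_OWNERS = {"VIN-0001": "alice", "VIN-0002": "bob"}

# Hypothetical scope names required per API operation.
REQUIRED_SCOPE = {"lock": "vehicle:lock", "unlock": "vehicle:unlock",
                  "status": "vehicle:read"}

AUDIT_LOG = []  # stand-in for an append-only audit store


def authorize(claims, operation, vin, now=None):
    """Decide whether an already-validated OAuth token may run `operation` on `vin`.

    `claims` is assumed to hold: active, sub, client_id, scope, exp.
    Anything not explicitly allowed is denied.
    """
    now = time.time() if now is None else now
    scopes = set(claims.get("scope", "").split())
    needed = REQUIRED_SCOPE.get(operation)
    owner = VEHICLE_OWNERS.get(vin)

    if not claims.get("active") or claims.get("exp", 0) <= now:
        decision, reason = "deny", "token inactive or expired"
    elif needed is None:
        decision, reason = "deny", "unknown operation"
    elif needed not in scopes:
        decision, reason = "deny", "missing scope " + needed
    elif owner is None or owner != claims.get("sub"):
        # Scope alone is not enough: the token must belong to this car's owner.
        decision, reason = "deny", "subject does not own vehicle"
    else:
        decision, reason = "allow", "ok"

    # Record every decision, allowed or denied, so API use stays visible.
    AUDIT_LOG.append({"ts": now, "sub": claims.get("sub"),
                      "client_id": claims.get("client_id"),
                      "operation": operation, "vin": vin,
                      "decision": decision, "reason": reason})
    return decision == "allow"
```

Denied requests are logged with their reason, which is what gives operations staff the visibility into API use that the article calls for.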
Privacy is another area of concern, particularly around the exchange of data. Privacy regulations have not yet caught up with the changing technology landscape, particularly in the area of data privacy and location. Consider the scenario of someone driving a car from Germany to Austria and then Switzerland. Within the IoT context, the car is effectively a moving data center. Therefore, an organization needs to be able to manage the exchange and processing of data where a user’s device (the car) is using APIs from different regulatory jurisdictions with differing data privacy policies. At the moment, there are no firm regulations around privacy within the IoT space, resulting in a “Wild West” atmosphere that is open to abuse. To maintain regulatory compliance, organizations should follow prior policies and practices while implementing their own API management safeguards.
It’s clear that APIs are a critical part of the brave new world of IoT. These APIs must be managed to achieve optimal results. While the security of APIs is vital, the API management strategy should also focus on equally important elements including monitoring, analytics, governance, custom reports, developer enablement and policy management. In summary, when implementing an API management strategy an enterprise should ensure the chosen solution provides sufficient levels of visibility and sophisticated diagnostic analysis of its APIs.
The Web APIs used in IoT may be used on-premises or in the cloud. Most often, however, there is a hybrid approach combining on-premises with cloud. Therefore, it is important for an organization to understand if a vendor’s API management products will work with both cloud-based offerings such as Amazon, as well as on-premises solutions, with the ability to link an organization’s APIs into its internal systems and network. It is also critical to provide developers with access to an API catalog or registry. In the new world of Web APIs, the lightweight API catalog has replaced heavyweight and restrictive UDDI registries used in the former world of SOA.
If an organization attempts to build its own API management infrastructure in an ad hoc approach, it may overlook important pieces of the process, such as monitoring, and so lack full visibility into how the APIs are being used. Organizations that adopt a more structured approach to their API management strategy, via an API management platform, are at an advantage. In fact, they are often surprised to receive previously unavailable information regarding how their APIs are being used, who uses them, and when they are used.
To conclude, it’s clear that APIs are indeed a great enabler of IoT strategies. It’s also clear the IoT is here to stay, with consumers increasingly expecting to use Internet-connected devices. As such, organizations need a way to offer an IoT strategy in conjunction with effective API management. To avoid data security breaches, privacy issues and ultimately a loss of business, I would encourage all organizations to adopt an API management strategy aligned with their IoT deployments.