This guest post comes from Mark O’Neill, Vice President, Innovation for API and Identity Management at Axway. Mark was founder and CTO at Vordel, a leader of REST and Web Services Security that was acquired by Axway in 2012. Mark is author of the book Web Services Security and contributing author of Hardening Network Security, both published by McGraw-Hill/Osborne Media. He provides guidance on REST and Web Services Security to Fortune 100 and Global 500 firms and is a frequent speaker at key industry events such as the RSA Security Conference and Oracle Open World.
The Internet of Things started 2014 with a bang, stealing the spotlight at the 2014 International CES, where a number of shiny new cloud-connected devices and appliances were showcased, like the Kolibree connected-toothbrush and the new Audi A3, with its Audi Connect telematics system.
There is no doubt that we are about to enter a new era of connectivity. In fact, 2014 will be the year when many non-tech brands connect their products to mobile apps and cloud services via web APIs.
But awaiting those brands is a Pandora’s Box of security, privacy, and regulatory concerns.
When thinking about the Internet of Things, you must think not only about the device, but also about the data it’s sending and receiving. Consider a sensor in a connected car. That sensor may be sending location information, vehicle speed, and diagnostics data. Or consider a fitness tracking wristband – it may also be sending physiological data, which has clear privacy implications.
How is this data being exchanged? Via APIs.
When examining API security, a few fundamentals need to be on every checklist: privacy, availability (e.g., prevention of denial-of-service), data validation, and protection against malicious payloads.
Clearly, wearable health and fitness-tracking devices generate data that is related to a person’s body and location, which raises privacy concerns. Even smart meters create privacy concerns, as electricity usage data can show work-life patterns and make it simple to ascertain whether someone is home or not. End-users (consumers) may not be aware of the volume of private or sensitive data that is being generated on their behalf by the devices they’re wearing, driving, or operating.
So how can privacy rules be applied to this data? The answer lies within the APIs used as the conduit for this data. Privacy rules can be enforced at the API level by encrypting sensitive data. In practice, this includes encrypting PII (Personally Identifiable Information) sent by Internet of Things devices, or redacting or removing private data before it is passed on. An API gateway provides the enforcement point for applying these security rules.
Availability is another key checklist item for the Internet of Things. If a device loses its connection to the APIs it uses to send and receive data, it becomes “headless” and essentially useless. If a connected car sensor is unable to transmit car-diagnostic information, then this information is not available to the end user’s mobile app, or to the manufacturer.
To ensure availability and prevent a single client from monopolizing the API, quotas should be enforced via an API gateway. Complementing the API gateway is an API portal, which provides information about these quotas, allows developers to see how devices are using their APIs, and ensures that the underlying APIs cannot be compromised.
It’s important to ensure the security of the data being sent to and from devices, and to detect and remove any malicious content. In this respect, many known threats must be blocked, as well as new, specific attacks directed against the device itself. This area is still the “Wild West,” both for the device manufacturers and for the attackers who may be tempted to capitalize on unknown vulnerabilities in new devices. Data sanitization, data validation, and protection against “data clogging” attacks (e.g., gigantic payloads, recursive structures) must be provided. It’s only a matter of time before we see the first zero-day attack against a connected car. Manufacturers and service providers need to start putting safeguards in place now, to ensure the safety and security of their customers’ data.
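As an added example (not from the original post or any Axway product), here is a simplified inbound gateway policy in Python that applies the checks from the privacy and data-validation paragraphs above: it rejects oversized and deeply nested payloads before they reach the backend and strips location data from a constructed fitness-tracker message. The size and depth limits and the field names are assumptions.

```python
import json
# Added example: a simplified inbound API-gateway policy for IoT telemetry.
# Limits and field names are constructed for illustration, not from any product.
MAX_PAYLOAD_BYTES = 4096            # reject "gigantic payloads" before parsing
MAX_NESTING_DEPTH = 8               # reject deeply nested / recursive structures
PII_FIELDS = {"location", "email"}  # private fields stripped before forwarding

class PolicyViolation(Exception): pass  # a payload failed a gateway check

def nesting_depth(value) -> int:
    """Iterative depth walk, so a hostile payload cannot exhaust the stack."""
    depth, stack = 0, [(value, 1)]
    while stack:
        node, level = stack.pop()
        depth = max(depth, level)
        if isinstance(node, dict):
            stack.extend((child, level + 1) for child in node.values())
        elif isinstance(node, list):
            stack.extend((child, level + 1) for child in node)
    return depth

def validate(raw: bytes) -> dict:
    """Cheapest check first: size, then well-formedness, then structure."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise PolicyViolation(f"payload of {len(raw)} bytes exceeds limit")
    try:
        data = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # malformed or absurdly deep
        raise PolicyViolation(f"unparseable JSON: {type(exc).__name__}") from exc
    if not isinstance(data, dict):
        raise PolicyViolation("top-level JSON object required")
    if nesting_depth(data) > MAX_NESTING_DEPTH:
        raise PolicyViolation("nesting depth exceeds limit")
    return data

def redact(data: dict) -> dict:
    """Drop PII fields at any level; recursion is safe after the depth check."""
    return {k: redact(v) if isinstance(v, dict) else v
            for k, v in data.items() if k not in PII_FIELDS}

def gateway_inbound(raw: bytes) -> tuple:
    """Return ("forward", redacted_payload) or ("deny", reason)."""
    try:
        return "forward", redact(validate(raw))
    except PolicyViolation as exc:
        return "deny", str(exc)

# Constructed telemetry message from a hypothetical fitness tracker.
SAMPLE = json.dumps({"device_id": "tracker-001", "heart_rate": 72, "steps": 4200,
                     "location": {"lat": 53.35, "lon": -6.26}}).encode()
```

Encrypting the `location` field instead of dropping it would follow the same shape, with the redaction step replaced by per-field encryption.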
The Internet of Things will inevitably raise new security challenges and APIs will continue to be at the center of protection and management of emerging devices. And for a full list of factors to consider, check out my article from late last year.
So before you enter this brave new world, ask yourself: have you covered this checklist, and does your Internet of Things strategy incorporate the security precautions necessary to protect your APIs?