APIs key to security of internet of things, says Axway

The internet of things has raised security and privacy concerns, but there is a way to take control, says data management firm Axway.

The internet of things (IoT), where objects can exchange data without human interaction, has raised security and privacy concerns, but there is a way to take control, according to data management firm Axway.

Gartner predicts that there will be 30 billion connected objects in 2020, each with its own IP address, which is worrying from a security and privacy point of view.

Providers of platforms, devices, data and applications are becoming increasingly concerned with the channels and devices through which potentially sensitive data flows.

A key way to gain control of that data is through management of application programming interfaces (APIs), according to Mark O’Neil, vice-president of innovation at Axway.

APIs are fast becoming popular for business-to-business integration by enabling applications to request data from each other, he told Computer Weekly.

“This is a much more lightweight way of enabling integration than before, that is easier to deploy and is more mobile friendly,” he said.

O’Neil believes APIs will also be the main way of enabling interactions between objects connected to the internet, and that management and control of those APIs will therefore be key to data security.

The internet of things in action

“IoT is typically seen as forward looking, but the future is already here because there are already a lot of IP-enabled devices around that many people are just not aware of yet,” he said.

This is particularly true in the energy sector, with the introduction of smart meters, and the automotive sector, where many new vehicles are equipped with data transmission capabilities.

“We are also seeing vehicles that allow remote control, and include things such as sending alerts if the boot is opened while the car is in ‘valet mode’ and monitoring linked to fleet management systems,” said O’Neil.

The functionality enabled by the IoT is typically viewed in a positive light, he said, but privacy could fast become an issue because it is often not clear who owns the data.

The IoT introduces a new scenario where devices are constantly connected to the internet, potentially sending large volumes of data, and security models need to adapt accordingly, said O’Neil.

“In the case of fitness tracking devices that record data related to jogging sessions, for example, it is not clear whether the service provider or the user owns that data,” he said.  

But in this case, an API management system could be used to enforce privacy controls to ensure that no identity is linked to the data stored by the service provider, for example.

Similarly, sophisticated identity controls could be enforced to ensure that only a car’s owner and other designated drivers are able to access remote controls for that vehicle.

O’Neil said some car rental firms are already using Axway’s API management systems, acquired from Vordel, to enable customers to associate their Bluetooth devices with a vehicle, and to ensure those devices are disassociated at the end of the rental period.

Manufacturers must provide clear APIs

But for the API management approach to security to work in this new era of IP-enabled objects, O’Neil said manufacturers must provide clear APIs.

API functionality

According to Axway, API management software tools typically provide the following functions:

  1. Automate and control connections between an API and the applications that use it
  2. Ensure consistency between multiple API implementations and versions
  3. Monitor traffic from individual apps
  4. Provide memory management and caching mechanisms to improve application performance
  5. Protect the API from misuse by wrapping it in security procedures and policies

“In the past we have seen manufacturers attempt to do security by obscurity by not specifying an API, but we have found that even in devices where there is no obvious API, there is always an underlying control mechanism,” he said.

Rather than trying to hide control mechanisms, O’Neil said manufacturers should be upfront and document APIs so that controls can be applied.

“Manufacturers should not wait for someone to discover their hidden APIs that can be reverse-engineered to give some control over those systems,” he said.

APIs, he said, provide a control point that can be monitored to create an audit trail, and where controls can be applied to enforce enterprise privacy and security policies based on business and industry compliance requirements.
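
An added illustration (not from the article and not Axway's product code) of the control point described above: a minimal gateway that allows vehicle commands only from a device associated for the rental period, strips identity fields from telemetry before storage, and records every decision in an audit trail. All class, method and field names and the sample values are assumptions constructed for this example.

```python
import time

# Hypothetical names throughout; this is not Axway's API.
IDENTITY_FIELDS = {"user_id", "name", "email", "device_serial"}  # assumed schema

class Gateway:
    """Policy enforcement point sitting in front of device and vehicle APIs."""

    def __init__(self):
        self._assoc = {}  # (vehicle_id, device_id) -> rental expiry (epoch seconds)
        self.audit = []   # append-only record of every decision

    def _log(self, now, action, subject, allowed):
        self.audit.append({"ts": now, "action": action,
                           "subject": subject, "allowed": allowed})

    def associate(self, vehicle_id, device_id, expires_at):
        self._assoc[(vehicle_id, device_id)] = expires_at

    def remote_command(self, vehicle_id, device_id, command, now=None):
        """Allow a command only from a device associated with this vehicle."""
        now = time.time() if now is None else now
        key = (vehicle_id, device_id)
        expiry = self._assoc.get(key)
        allowed = expiry is not None and now < expiry
        if expiry is not None and not allowed:
            del self._assoc[key]  # rental over: disassociate the device
        self._log(now, f"{command}:{vehicle_id}", device_id, allowed)
        return allowed

    def store_telemetry(self, record, now=None):
        """Return the record with identity fields removed before storage."""
        now = time.time() if now is None else now
        clean = {k: v for k, v in record.items() if k not in IDENTITY_FIELDS}
        removed = sorted(set(record) - set(clean))
        # Log only the names of the stripped fields, never their values.
        self._log(now, "store_telemetry", f"stripped={removed}", True)
        return clean

if __name__ == "__main__":
    gw = Gateway()
    gw.associate("car-1", "phone-A", expires_at=1000)  # constructed sample values
    print(gw.remote_command("car-1", "phone-A", "unlock", now=500))   # in period
    print(gw.remote_command("car-1", "phone-B", "unlock", now=500))   # unknown device
    print(gw.remote_command("car-1", "phone-A", "unlock", now=1000))  # expired
    print(gw.store_telemetry({"user_id": "u42", "distance_km": 5.2}, now=600))
    for entry in gw.audit:
        print(entry)
```

Denied requests are logged as well as allowed ones, so the audit trail shows attempted access after a rental has ended.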
