
Interview: MuleSoft discusses the security risks in IoT

26 Jul 18

The Internet of Things (IoT) is quickly making a name for itself as being one of the most promising technological advancements of this century. Devices, sensors, people, and technology are all converging on the internet, all of which make up IoT.

But with this technology rapidly becoming ubiquitous in business and in the home, the security of those ‘things’ has been subject to intense scrutiny. Vulnerabilities, flaws, and poorly-designed systems are left exposed and subject to cyber attacks, breaches, and in some cases they can lead to death.

We talked to MuleSoft CTO Uri Sarid about how secure IoT really is.

What are some of the trends emerging in IoT and IoT security?

For those looking to take advantage of IoT, a trend that’s commonly emerging is that IoT is as much about integration as it is about the internet. The explosion of IoT devices promises to simplify our lives and protect us from otherwise imminent failures such as unforeseen mechanical errors or running out of stock during peak shopping periods.

However, the challenge many organisations face as they look to create a new generation of connected experiences is that they must integrate IoT technology with new and existing systems. Many enterprises are failing to join the dots in a quick and cost-effective manner.

As this trend continues, we’re seeing a rising interest in application networks as a way of mastering the "Integration of Things". With this approach, organisations use APIs to allow different IoT systems and data to talk to each other and to existing enterprise and SaaS systems, creating a seamless flow of information from one source to another.

Integration thereby takes place in an effective but also controlled manner, extracting the value from the physical “things” while simultaneously providing greater visibility, enabling device upgrades (e.g. security patches) and rationalising software and hardware versions.

What are some of the security risks of IoT?

Security and authentication are emerging as top concerns around IoT deployments and integrations. The same bridges between the physical and the software worlds on which IoT brings value can also bring new threat vectors: unauthorized virtual access can become unauthorized physical access, and software breach can result in massive physical damage. 

New exploits are turning up regularly, whether it’s demonstrations of hacking into connected cars or real, large-scale and successful attacks on broadly-adopted consumer technologies like smart TVs. However, by taking an API-led approach, which defines methods for connecting and exposing assets using APIs, it is possible to introduce fundamentally deeper security and visibility into the flow of data and control signals.

In IoT's current state, is it easy for hackers to take advantage of it?

The proliferation of new endpoints has made organisations more vulnerable to hackers. External data sources, cloud platforms and mobile devices all provide valuable services, but they also create new potential avenues for intrusion. Each and every endpoint is a potential door into an organisation's IT systems and data, and hackers only need to open one to wreak havoc.

Many organisations take the approach of trying to lock down all potential entry points, believing an impervious perimeter will protect their IT infrastructure from harm. However this approach is no longer practical as businesses need to link systems with those of partners and suppliers, as well as opening some applications to customers. Entire lock down simply won’t work. This approach also makes it very difficult for an organisation to be agile and take advantage of new opportunities as they emerge.

A much better and more flexible approach is to make use of layers of well-managed APIs. Written and deployed correctly, APIs act like fortified, monitored gates by only allowing traffic through that meets strict criteria. They also ensure users can only gain access to the applications and data for which they have been pre-approved.

In your opinion, what's the best way to secure IoT?

The best way to secure the IoT is by taking an API-led approach. By connecting and exposing assets using APIs, it is possible to introduce fundamentally deeper security and visibility into the flow of data. With this approach, access to IoT devices or their controllers can be done through strategically designed and productised APIs, to provide a well-defined “surface area” for every component in the ecosystem of IoT devices.

What emerges is an application network, which allows for the concept of “security by design.” Every IoT asset is given a defined door through an API, where distinct security requirements can be set. And rather than creating a large and static monolithic application inside the IoT asset, the logic and integration to other systems is distributed outside the asset behind several APIs.

This enables experts to set automated controls and enforce best practices to manage who has access to IoT-enabled systems, what data they have access to and what authentication is required, among other options. By adding this segmentation for users, an enterprise can substantially limit the number of attack vectors and privileged escalations, and create a more secure IoT ecosystem, and ensure it has the trust of its customers, employees, and stakeholders.

You mentioned that 'exposing IoT offers the best protection' - could you go into further detail?

While it may seem counterintuitive, the visibility APIs provide is critical to minimising the vulnerabilities created by IoT devices. IoT devices add new entry points to organisational networks, increasing the ways in which bad actors can enter.

IoT connections must be made visible to security providers, who can help manage them and secure this network of connections. In the same way that motion-triggered searchlights that illuminate late night intruders can help make a property more secure, it’s much easier to protect an IoT ecosystem if security communities have clear visibility across every device, controller and sensor and can see any attempt to gain access.
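The interview describes APIs as "fortified, monitored gates" that admit only traffic meeting strict criteria, give each IoT asset a defined door with its own access and authentication requirements, and make every access attempt visible. The following is an added example, not MuleSoft's code or any product API: a small gateway policy check in Python. The policy table, route templates, token format (an HMAC-signed JSON payload) and signing key are all constructed for illustration. It default-denies anything not explicitly exposed, checks the caller's scope against the operation, and writes every decision to an audit log so a security team can see attempts as well as successes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key; a real gateway would load this from a secrets store.
GATEWAY_KEY = b"example-gateway-signing-key"

# Hypothetical policy table: each exposed operation names the scope it requires.
# Any (method, path) not listed here is denied (default deny).
POLICY = {
    ("GET", "/devices/{id}/telemetry"): "telemetry:read",
    ("POST", "/devices/{id}/setpoint"): "actuator:write",
    ("POST", "/devices/{id}/firmware"): "firmware:update",
}

# Every decision is recorded so each access attempt is visible, allowed or not.
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes, ttl: int = 300, now=None) -> str:
    """Mint an HMAC-signed bearer token (constructed format, not a standard)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be probed byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(payload)
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _route_for(method: str, path: str):
    """Match a concrete path against the policy's route templates ({id} is a wildcard)."""
    parts = path.split("/")
    for (m, template), scope in POLICY.items():
        tparts = template.split("/")
        if m == method and len(tparts) == len(parts) and all(
            t.startswith("{") or t == p for t, p in zip(tparts, parts)
        ):
            return template, scope
    return None


def authorize(method: str, path: str, token: str, now=None):
    """Gateway decision as (allowed, reason). Default deny; every attempt is logged."""
    claims = verify_token(token, now)
    subject = claims["sub"] if claims else "unknown"
    match = _route_for(method, path)
    if claims is None:
        decision = (False, "invalid or expired token")
    elif match is None:
        decision = (False, "no policy for this operation")
    elif match[1] not in claims["scopes"]:
        decision = (False, f"missing scope {match[1]}")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append({"subject": subject, "method": method, "path": path,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    # Constructed usage: a dashboard holding only a read scope.
    tok = issue_token("dashboard-app", ["telemetry:read"])
    print(authorize("GET", "/devices/th-42/telemetry", tok))   # allowed
    print(authorize("POST", "/devices/th-42/setpoint", tok))   # denied: missing scope
    print(authorize("DELETE", "/devices/th-42", tok))          # denied: not exposed
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the design is the segmentation the interview describes: the read-only dashboard can never reach the actuator or firmware operations even with a valid token, an operation the gateway does not expose is refused regardless of credentials, and the audit log shows the denied attempts alongside the allowed ones.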
