
Welcome To The IoT — Please Check Your Security At The Door

How often do you think about the electric motors in your life? Not much, I suspect, but you’re surrounded by thousands of them. They’re in your home, moving air and water around. They’re in your car, your office building, making printers put images onto paper and elevators and garage doors go up and down. A century ago, they were a marvel of technology. Today, we barely even notice their existence, despite the fact they are everywhere. The same thing is now happening with Internet-connected smart devices and wearables.

With every passing year, an immense “Internet of Things” (IoT) is forming all around us. It’s also called the “Internet of Everything” (IoE), which is probably more accurate. What isn’t getting connected to the Net these days? The numbers are certainly impressive: Research from Intel predicts that smart devices connected to the Internet will grow from about 2 billion in 2006 to more than 200 billion by 2020. These devices include smart thermostats, smartphones, all kinds of devices inside cars and appliances, worn on our bodies, sensors buried deep in the earth and orbiting in outer space – about 26 for every person on the planet…

If you work in enterprise IT security as I do, these numbers might be making you anxious. We have enough challenges on our hands keeping a couple of thousand servers and desktop PCs secure. Now, we have to worry about billions of devices that may or may not be accessing our data and back-end systems? Say it ain’t so! But, it is so. If we’re smart, we’ll be thinking now about the security implications this new wave of smart connected devices brings to our work and our lives.

One reason not to sink into a complete panic is that a smart device in the IoT is basically just another client – albeit one that generally lacks a human user. Many of the current security policies and practices we use to mitigate risk for external clients can also be applied to IoT devices. However, when you actually look at the uncertain security profiles of these smart devices, combined with the way they connect to the enterprise, you might give yourself permission to enjoy a complete panic.

Many smart devices and mobile apps are connecting to the enterprise through a new generation of application programming interfaces (APIs). These APIs use open standards like HTTP and Representational State Transfer (REST) to communicate with back-end databases and enterprise applications, such as ERP and CRM. Many companies now use APIs to expose their data and systems to smartphones and myriad other IoT-type devices. There are some great business reasons to do this, but it’s a little scary. For a CSO, getting the memo that says, “Hey, guess what! Our ERP system is now open to queries from 4 billion mobile apps!” is a bit of an eye opener.

The security profession is not being complacent about this type of new, IoT-based risk, but it is new territory for many of us. The API management software company Akana recently conducted a survey of Enterprise Security Managers on the topic of API security and came away with some interesting findings. For example, Akana found that while API security was high on the agenda, with most companies actively implementing controls for APIs, a striking 60% of respondents indicated that they did not have processes in place to check if the API consumer (e.g. a mobile app) was handling the data and API securely. In these cases, enterprise data that makes its way onto a mobile device may not be secure at all.

Additionally, the survey found that 40% of the respondents were not implementing API “rate limiting,” a security countermeasure that limits the number of times a device can query an enterprise API. The notorious 2014 incident at a social messaging app, in which thousands of customer files were compromised because of un-throttled API access, could have been contained if the company had limited the rate at which its APIs could be invoked. Gibson Security explained how this vulnerability exposed this social giant to API risk in an interesting, though fairly technical, post that’s worth a read.
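To make the rate-limiting countermeasure concrete, here is an added example (not part of the original article) of a per-consumer token bucket and what it does to a bulk lookup run. The class names, the `device-A` consumer key, the limits and the traffic are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Budget for one API consumer, held in integer milli-tokens for exact math."""
    capacity_milli: int   # maximum burst, in milli-tokens
    rate: int             # refill in tokens/second (= milli-tokens per millisecond)
    tokens_milli: int
    updated_ms: int

    def allow(self, now_ms: int) -> bool:
        # Refill for the elapsed time, never beyond the burst capacity.
        refill = (now_ms - self.updated_ms) * self.rate
        self.tokens_milli = min(self.capacity_milli, self.tokens_milli + refill)
        self.updated_ms = now_ms
        if self.tokens_milli >= 1000:      # one whole token per request
            self.tokens_milli -= 1000
            return True
        return False


class ApiRateLimiter:
    """One bucket per consumer key (API key, device ID or token subject)."""

    def __init__(self, capacity: int = 20, rate: int = 1):
        self.capacity_milli, self.rate = capacity * 1000, rate
        self.buckets = {}

    def check(self, consumer: str, now_ms: int) -> int:
        """Return the status a gateway would send: 200, or 429 Too Many Requests."""
        if consumer not in self.buckets:
            self.buckets[consumer] = TokenBucket(
                self.capacity_milli, self.rate, self.capacity_milli, now_ms)
        return 200 if self.buckets[consumer].allow(now_ms) else 429


def simulate(requests_per_second, seconds, limiter=None, consumer="device-A"):
    """Constructed traffic: one consumer issuing lookups at a fixed rate.
    Returns how many lookups reached the back end."""
    interval_ms = 1000 // requests_per_second
    served = 0
    for i in range(requests_per_second * seconds):
        if limiter is None or limiter.check(consumer, i * interval_ms) == 200:
            served += 1
    return served


if __name__ == "__main__":
    print("un-throttled:", simulate(100, 60))
    print("throttled:   ", simulate(100, 60, ApiRateLimiter(capacity=20, rate=1)))
```

Keying the bucket on the consumer means one noisy client is throttled without affecting others; a steady stream of 429 responses for a single key is also a useful signal to alert on.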

The Akana study – and other findings like it – reveals that enterprise security managers have more work to do to ensure that corporate information assets are not vulnerable to threats borne by smart devices. One of the big issues, however, is how little we actually know about the various devices themselves. As several observers have commented regarding the Volkswagen emissions software episode, we often have no idea about how the code is written for software running devices in our cars or even implanted in our bodies. There is an alarming level of opacity in much smart device software in the IoT. Compounding this reality is the sheer number of device types and the staggering install base.

There is much work to be done, and CenturyLink is ready to assist in developing an effective security strategy that can help you gain the advantages of the IoT without increasing your risk exposure in the process. Part of what we do for IoT security challenges is to work with you closely on assessing your security policy as it relates to this new class of external devices. We can collaborate on the development and implementation of new countermeasures and controls that mitigate the threats posed by these exciting new technologies. We also have the ability to build security into the totality of your IT universe, protecting your networks, applications, endpoints and infrastructure from IoT-borne threats. Our goal is to enable your enterprise to be resilient in the face of today’s ever-changing set of security risks.

To speak with a CenturyLink security professional about security issues with the IoT, please contact us.

This article was originally posted to Forbes Voice on October 23, 2015.  

The post Welcome To The IoT — Please Check Your Security At The Door appeared first on ThinkGig.



This post first appeared on Official CenturyLink Enterprise Blogs | CenturyLin.
