This post is part of Lob’s series of interviews with developers, technical strategists, and business leaders who are innovating, solving problems, and building tools for the fast-evolving world of operational APIs. Each post shares actionable tips to apply to your own projects, products, marketing campaigns, and logistical operations. Sign up for our blog newsletter to get these leaders’ insights delivered directly to your inbox!
Delving into the intersection of APIs and security, we spoke to Pat Wilbur, CTO at Hologram, an expert in building security infrastructure for the Internet of Things.
How have you seen APIs evolve over time?
Pat: Here’s what’s interesting to me. The world wide web, especially when it involves the Internet of Things (IoT) is a decentralized model. If you think about the web “forefathers,” this digital layer was created to be a web for everything to have a pure relationship with everything else. The idea is that any one thing should be able to talk to any other thing.
APIs, especially when designed well, allow pretty much any one thing to connect to any other thing in a way that eases technical labor. Instead of having to write a specialty program or piece of specialty software–essentially two nodes connected to a third node, you can hook them up directly to one another.
From a high level, what excites me most about APIs is that as this web grows and you add IoT to it, APIs will weave together that fabric. Practically speaking, why that matters is you can make one piece of information somewhere, you can take that information, you can transfer it somewhere else, but you can actually take one object or real world item and have it interact with another real world item. Physical items can interact with other physical items in the world around us, digitally.
What are some creative ways uses of APIs in the world of IoT?
Pat: One of the most interesting use cases for APIs, for me, is transportation.
Many public transit systems actually have an API for you to be able to pull information about where their trains or buses are, at any moment in time. Think: connected trains and connected buses. From this data, operators can make more intelligent decisions for how to route people.
Somebody pulling up a map application can try to find the fastest way to get from one place to another. Basically that mapping application routes people via these mobile assets that are being tracked. These mobile asset APIs then in turn provide the information necessary to optimize those routes. We see other examples of open APIs in the form of weather stations and other types of sensor data.
In the future, we’ll see more creative applications of APIs that include data, insights, and feedback for real-time decision-making.
As APIs become an operational pillar for organizations, what are some vulnerabilities that engineers will want to consider?
Pat: We still have an unsolved problem in the area of authentication, identification, and sharing authentication. When you have a public API, it may be acting on behalf of a person, a user, or another system. There needs to be a way to very dynamically authenticate without possibly sharing sensitive information to a third-party API. At the end of the day, once you authenticate with a third-party, you lose some control over your information. As the environments around us become more connected, our information is going to be traveling farther, faster.
Systems need to be context-aware in the sense that people need to have a degree of control over what information enters that connected system and where that data ends up. Context awareness also means creating automated systems for threat detection, that engage in two-way dialogue with users.
What should the developer community be vigilant about?
Pat: Anyone building an API needs to take security into account as a core product feature. There need to be clear security and authentication frameworks that grow in acceptance among API-builders. You don’t want to make a mistake that others could have foreseen or may have made before.
The open source community will also play a major role in building bridges between independent developers, private companies, and public sector organizations like governments. This need will bring together intelligent engineering minds, worldwide.
In the future of the API economy, UX and security will go hand-in-hand. We shouldn’t just allow data transfers to take place. That’s where the idea of the “context layer” comes in as a foundation for API security.
Using the data you’re gathering, you can extrapolate whether an action makes sense for a particular user—similar to a fraud detection algorithm.
The Bottom Line
Security is a moving target for almost every developer and organization today. It’s critical to choose a partner that outsmarts potential vulnerabilities, ahead of time.