
As companies transform digitally, their networks evolve to support IoT (internet of things) devices, multi-cloud and virtualized environments, and increasingly complex workflows. Many companies use products, tools and applications from different vendors, which fragments security management into silos.
The low level of integration across these heterogeneous environments denies defenders accurate and complete visibility into events across the attack surface.
Rogue devices such as hidden cameras or recording pens remind us that some threats are even harder to identify. Siloed security systems share no threat information with each other and struggle to handle sophisticated, fast-moving threats quickly and automatically.
An open ecosystem in which security solutions are tightly integrated lets them collaborate. That is how companies can meet the security challenges of an expanding attack surface.
Why create an open ecosystem?
The major Internet players often make the "trust bet" by offering open APIs accessible from the Web. These APIs let other players, companies or independent developers, innovate by building on them and invent new business models.
Examples include the following platforms: Google Maps API, Facebook Graph API, SalesForce AppExchange, Twitter API, etc. Closer to home, there are ecosystems from French players: Mappy API, Netvibes UWA, Nabaztag API, etc.
This approach creates a fertile ecosystem, both for the company that publishes the APIs and for those who build on them. Opening an API makes it possible, in particular, to:
- Generate direct revenue by charging for API use. Example: Google Maps becomes a paid service above 1M transactions per year.
- Expand a community, and therefore recruit users. Example: thanks to the applications built on its platform, Twitter has reached 200M users and is a major player on the Web.
- Surface new uses of the platform and therefore evolve its revenue model. Example: in 2009, Apple found that application developers wanted to sell not only applications but also content inside them. The App Store model was therefore extended to allow in-app purchases.
Here are 5 things to know about the open ecosystem in IT:
- Securing the ecosystem of connected objects may seem like a nightmare, but it is a necessity.
You cannot do without connected objects if you want to grow your business, and leaving them unsecured makes you vulnerable to data breaches and cyber attacks (and liable for them).
Companies have learned the importance of securing connected objects the hard way over the past decade.
In 2010, for example, malware known as Stuxnet was discovered targeting Iran's nuclear programme. It was designed to sabotage uranium enrichment by reprogramming the Siemens programmable logic controllers (PLCs) that drove the centrifuges, while reporting normal readings to operators.
In early 2018 it emerged that Cambridge Analytica had harvested data from tens of millions of Facebook profiles, not by hacking accounts but through a third-party quiz app and the API permissions that exposed users' friends' data, in order to profile and target American voters. It is a reminder that an open API is itself part of the attack surface.
More recently, a casino was reportedly compromised through an internet-connected thermometer in its lobby aquarium, which sat on the same network as its internal systems and gave the attackers a foothold from which to reach and exfiltrate data.
A quick search online shows that most people worry about attacks on their smart devices and fear losing personal data and money as a result.
If you want to protect your company's network from these risks, here are some measures you will find useful.
- Put the connected devices on their own network:
Take a proactive approach: segment all connected devices into their own VLAN behind a firewall. Then restrict traffic in both directions: devices may only reach the few services they need (time, updates, their management host), nothing on the corporate network may be reached from the device segment, and nothing inbound from the internet reaches the devices. A compromised camera or thermometer then cannot be used as a foothold against the rest of your network.
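As an added illustration (not from the original article), here is a small Python model of the segmentation policy described above, with first-match, default-deny semantics like a firewall ruleset. The address ranges, the single management host and the local time/update mirror are assumptions chosen for the example; the flow records at the end are constructed, not real logs.

```python
"""Segmentation policy for a connected-device VLAN, evaluated first-match,
default deny.  Added example; addresses and host roles are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

IOT_VLAN = ip_network("10.20.0.0/24")     # assumed: cameras, sensors, signage
CORP_LAN = ip_network("10.10.0.0/16")     # assumed: workstations and servers
MGMT_HOST = ip_network("10.10.5.10/32")   # assumed: the one admin jump host
NTP_UPDATE = ip_network("10.10.9.0/24")   # assumed: local NTP and update mirror
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    note: str


# Ordered like a firewall ruleset: the first matching rule decides.
POLICY: List[Rule] = [
    Rule(MGMT_HOST, IOT_VLAN, 22, "allow", "admin jump host may SSH to devices"),
    Rule(IOT_VLAN, NTP_UPDATE, 123, "allow", "devices may sync time"),
    Rule(IOT_VLAN, NTP_UPDATE, 443, "allow", "devices may fetch firmware"),
    Rule(IOT_VLAN, CORP_LAN, None, "deny", "devices never initiate into corp"),
    Rule(CORP_LAN, IOT_VLAN, None, "deny", "corp hosts do not reach devices directly"),
    Rule(ANY, IOT_VLAN, None, "deny", "nothing inbound from outside reaches devices"),
]


def decide(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow. Anything no rule allows is denied,
    which also covers device-to-internet traffic: add a narrow allow per
    destination if a device genuinely needs a cloud service."""
    s, d = ip_address(src), ip_address(dst)
    for rule in POLICY:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.note
    return "deny", "default deny"


# Constructed flow records (src, dst, dport), as a flow log might show them.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.10.9.4", 123),      # camera syncing time: fine
    ("10.20.0.15", "10.10.3.7", 445),      # camera probing a file server: blocked
    ("10.10.5.10", "10.20.0.15", 22),      # admin SSH from the jump host: fine
    ("10.10.5.11", "10.20.0.15", 22),      # SSH from any other workstation: blocked
    ("203.0.113.9", "10.20.0.15", 80),     # inbound from the internet: blocked
]


def violations(flows):
    """Flows the policy denies. On a real network these are the ones to alert on:
    a device trying to cross into corp is exactly the aquarium-thermometer case."""
    return [(src, dst, port, decide(src, dst, port)[1])
            for src, dst, port in flows if decide(src, dst, port)[0] == "deny"]


if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("DENY", v)
```

The rule order matters: the narrow allows for the jump host and the update mirror sit above the broad denies, and the final default deny catches everything else, including device traffic to arbitrary internet hosts. Feeding real flow logs through `violations` turns the same policy into a detection rule.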
- Use strong passwords and multi-factor authentication:
Avoid common words as passwords. Prefer longer passphrases that are hard to guess but easy to remember; every extra character multiplies the work an attacker's dictionary or brute-force attack has to do.
Where possible, enable multi-factor authentication, whether a biometric or a one-time code delivered to a second device, so that a stolen or guessed password alone is not enough to get in.
- Disable features and connections you are not using:
When you are not using a device, turn it off. You are better protected that way.
More generally, if something does not need a connection, make sure it is not connected to your network at all. For example, a large LCD screen in the main entrance that only displays your company logo does not need to be networked; it can show the image from a USB stick.
- Turn off automatic WiFi connections:
Many connected devices are programmed to join the strongest available network automatically, often an open SSID with no password.
To preserve the security of your connected ecosystem, make sure neither your network nor your devices allow this. An open WiFi network can do a lot of harm; it is almost like an open safe in a bank with nobody watching the "visitors". A device that auto-joins by name will also happily join an attacker's access point advertising that same name.
- Always update your firmware and software:
You update your phone's operating system as soon as a new version is available, so why not your connected devices?
If a connected device does not support firmware and software updates, replace it with one that does. Keep them all updated and patched so that you are protected from the latest worms and exploits.
- The 3 ecosystem models
Marc Andreessen (co-founder of Netscape) distinguishes 3 types of open platform:
Level 1 "Access API": these platforms expose business functions programmatically, without providing any user interface. Examples: book search at Amazon, geocoding at Mappy.
Level 2 "Plug-In API": these platforms let you integrate an application into the provider's own interface. Examples: Facebook applications, Netvibes widgets.
Level 3 "Runtime Environment": these platforms provide not only an API and an interface but also an execution environment. Examples: AppExchange applications or iPhone applications.
Clearly the API provider's investment grows from level 1 to level 3, so it is common to start at level 1 before considering the higher levels.
- The tooling for developers
The success of an open ecosystem depends heavily on the enthusiasm of developers. To win them over, it is crucial to offer them a language that is easy to learn and, if possible, productivity tools.
On the language side, there is broad consensus around REST/JavaScript APIs, which are easy to use and suit developers unfamiliar with object-oriented languages. Examples: Google API, Yahoo, Mappy, etc. Offering a simple language is particularly advisable for new entrants who lack the persuasive power of Apple (which managed to convince thousands of developers to learn Objective-C...).
As far as tools are concerned, we can distinguish 3 levels of offers:
Level 1 "zero tools": developers write their code in the environment of their choice, then use the platform to test it. Example: Google Maps API.
Level 2 "IDE": a development environment is provided, often as an Eclipse plug-in, to give developers some productivity: syntax highlighting, autocompletion, a publish button, etc. Example: Flash Builder.
Level 3 "Emulator": in addition to the development environment, developers get an emulator. Examples: Google App Engine, iPhone.
Here again, level 3 represents a much larger investment than level 1 or 2.
- The launch of the community
Publishing clear, easy-to-use documentation and reusable code examples is essential to keep developers happy. Community management also means setting up discussion forums and other participatory tools (e.g. Zendesk).
It can be worthwhile to piggyback on an existing community rather than create one from scratch. For example, Android recruited from the Java communities.
Finally, it is classic to run a competition with prizes to get the community moving. See, for example, the Android Developer Challenge.
One last point is essential: the API access model. Some platforms require registration before use (this was the case for Google Maps until May 2010). Others go as far as validating the applications built on them (this is the case of Apple's much-debated review of iPhone applications).
I think that imposing the minimum of constraints on developers is a very positive sign, capable of creating a climate of trust and broadening the community. Moderation after the fact seems to me to be the best practice.
- How to get started?
It is relatively easy to start with a level 1 platform and level 1 tooling.
You can then scale up iteratively to a level 2 or 3 platform and more advanced tools.
A few ideas for each sector of activity:
Banking: open each customer's list of account operations, secured with OAuth so that a third-party application only sees the data that customer has authorized
Telecom operators and energy suppliers: open each customer's consumption history, again secured with OAuth
Media & culture: open television and radio programme listings, museum and cinema schedules
Industry: open product catalogues
Public administration: open public data, in the same way as data.gov
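To make the OAuth suggestion for the banking and utility cases concrete, here is an added Python example (not from the article) of the resource-server side: it issues and verifies a signed bearer token carrying a scope and a subject (the customer it was granted for), then enforces both before returning that customer's operations. The signing key, claim values, scope name, route and ledger are all constructed for the example; a real deployment would use a proper OAuth library and a separate authorization server, but the two checks shown are the ones that matter, and the weak variant at the end shows the mistake that turns an "open" customer API into everyone's customer API.

```python
"""Bearer-token checks for a per-customer operations API (OAuth 2.0 resource
server side). Added example; key, claims, scope name and ledger are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

ISSUER = "bank-auth"            # assumed authorization server identifier
SCOPE_OPS = "operations:read"   # assumed scope name for the operations endpoint

# Constructed sample ledger: customer id -> list of operations.
LEDGER = {
    "cust-42": [{"date": "2024-03-01", "amount": -45.20, "label": "GROCERIES"},
                {"date": "2024-03-02", "amount": 1800.00, "label": "SALARY"}],
    "cust-43": [{"date": "2024-03-01", "amount": -12.00, "label": "TRANSIT"}],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, sub: str, scope: str, ttl: int, now: int) -> str:
    """Mint an HS256-signed JWT bound to one customer (sub) and one scope."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": ISSUER, "sub": sub, "scope": scope, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims only if algorithm, signature, issuer and expiry check out."""
    try:
        h, c, s = token.split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            return None   # refuse "none" and any algorithm we did not issue with
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != ISSUER or now >= int(claims.get("exp", 0)):
        return None
    return claims


def operations_for(key: bytes, token: str, customer_id: str, now: int) -> Tuple[int, Optional[list]]:
    """Handler for the assumed route GET /customers/{customer_id}/operations.
    Returns an HTTP-style status and the body."""
    claims = verify_token(key, token, now)
    if claims is None:
        return 401, None
    if SCOPE_OPS not in claims.get("scope", "").split():
        return 403, None   # authenticated, but not granted this capability
    if claims.get("sub") != customer_id:
        return 403, None   # token was granted for a different customer
    return 200, LEDGER.get(customer_id, [])


def operations_for_weak(key: bytes, token: str, customer_id: str, now: int):
    """The common mistake: any valid token with the right scope can read any
    customer's operations, because the id in the URL is never tied to `sub`."""
    claims = verify_token(key, token, now)
    if claims is None:
        return 401, None
    if SCOPE_OPS not in claims.get("scope", "").split():
        return 403, None
    return 200, LEDGER.get(customer_id, [])
```

Scope answers "what may this application do"; the subject answers "on whose behalf". Checking only the first is the broken-object-level-authorization bug that lets a legitimately registered third-party app enumerate other customers' accounts by changing the id in the URL.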
Junaid Ali Qureshi is an ecommerce entrepreneur with a passion for emerging tech marketing and ecommerce development. Some of his current ventures include Progos Tech (an ecommerce development company), Elabelz.com, Titan Tech and Smart Marketing.