There are a few different areas to protect:
It would almost always be over a secure, encrypted connection. It would be very strange for it to not be. We can do anything from as simple as a static, pre-shared token that could be sent as part of the API request, to various types of key or certificate-based calculated tokens, to VPNs. For API we could set up VPNs between the party that wanted to access the API and our system. That’s kind of a continuum from a static secret token to VPNs – running the gamut from simple to sophisticated.
IoT – like any technology – is not necessarily inherently secure. But when you design a solution, you design it with security in mind. And that means using best practices, it means putting in an appropriate level of security for the data for the application in question, it means making sure that all of the components that are used in the solution can be secured. And so, not only is security something that was built into Prism from the ground-up, it’s an inherent part of the architecture, but we also – as part of any solution design – will incorporate security best practices and ensure that third-party components are either also incorporating those best practices or that appropriate modifications can be made to bring them up to that standard.
This answer differs based on how secure something needs to be. One of the facts in the security world is the more secure something is, the more of a pain it is for the user. Meaning, the idea is to match the level of security to whatever it is you’re trying to secure. So on one end of the spectrum, it could be as simple as a username and password. Maybe we don’t even enforce password complexity or rotation because the level of security that is needed doesn’t warrant doing anything more. But then as you increase the needed level of security, we start adding other things in like password length and complexity enforcement, two-factor authentication using text messaging with a code (like most banking apps), or authentication by push notification (where you have an app on your phone and we’re sending a push notification to that app and then the app will use biometrics (fingerprint, face recognition, whatever) or another local method on the smartphone to authenticate that it’s really you.
The same is true for third-party APIs that could be anything as simple as a secret token to something as complex as an X.509 security certificate, or methods where we exchange keys separately and then we generate a unique token for every new request. It can be made super secure, but the more secure it is, the more of a pain it is for the third party, so appropriate balance is important here, too.