How to deal with IoT challenges through abstraction

Ben Dickson

Contributor

Ben Dickson is a software engineer and the founder of TechTalks.

The Internet of Things (IoT) is one of the fastest-growing sectors of the tech industry. Yet the way IoT is evolving raises serious concerns: There are too many complexities, moving parts, diversities and competing trends and technologies that must be managed when developing IoT solutions.

Many of these concerns tend to get overlooked as manufacturers rush to ship new products to market, and as a consequence too much proprietary code ends up in IoT products.

As a result, products sold to consumers contain severe security holes and cannot adapt to the changes their environment and ecosystem will undergo in the months and years to come.

One practical way to deal with the complexities of IoT is to apply the concepts of “separation of concerns” and “abstraction” to create solutions that can handle security issues and diversities at different levels, while also remaining flexible in the face of constant change.

How abstraction helps deal with complexity

In the seminal book, “Object-Oriented Analysis and Design with Applications,” Grady Booch, a pioneer in software engineering, explains how to deal with complexities in software development through the use of techniques such as decomposition (breaking complex problems into smaller pieces) and abstraction (ignoring the inessential details of things and dealing with the generalized interface of the model). These concepts have been at the heart of successful programming-in-the-large for years, and can also become the basis of creating successful and scalable IoT solutions.

By isolating the functional and infrastructural aspects of IoT, we can help developers avoid reinventing the wheel for every product and instead focus on main functionalities — while making sure critical aspects such as security are handled correctly. Here are some practical examples of how this can happen.

Abstraction at software structure level

The advent of object-oriented programming (OOP) minimized the “representational gap,” allowing programmers to create software components that mapped to actual objects and concepts in the problem domain. This is an idea that is easily implemented in the software domain, but gets trickier when you’re dealing with IoT systems distributed across networks of devices that vary in hardware and software underpinnings.

The Open Distributed Object Framework (OpenDOF) is an adaptation of OOP for distributed systems. Programmers focus on developing IoT solutions at an abstraction level that represents devices, while the framework handles the mechanics of communications and security. By separating the connectivity and security of IoT from its logic and functionality, OpenDOF allows the two aspects to evolve and change without breaking each other.

“An application programmer should not need to know or care about where functionality is actually provided,” says Bryant Eastham, President of OpenDOF Project. “A good abstraction layer, securely providing separation of concerns, is critical to any IoT API.”

At its core, OpenDOF is a set of libraries that allows developers to create interface and object modules representing actual devices, register instances of those devices and allow controlled access and discovery through the use of authentication servers. Objects can exist independently and interact with each other without being affected by implementation details and changes that take place over time.

Abstractions also address security issues by restricting device communications to a finite set of public contacts, and preventing devices from “touching each other’s private parts,” as the OOP jargon goes.

OpenDOF’s flexibility makes it deployable across a wide range of IoT devices, programming languages and transports. As Eastham explains, a minimal secure implementation of the framework “can run with no OS, no memory management, and in less than 64KB of code.” It can also dynamically adapt to different network settings, including “peer-to-peer as well as local gateways and cloud deployments, all seamless to the application,” Eastham adds.

Tech giant Panasonic has already adopted OpenDOF on several projects and has published the Cloud Service Toolkit, which is an OpenDOF-compatible large-scale cloud solution.

Abstraction at device-identity level

With IoT ecosystems potentially accounting for thousands and millions of devices, device identification and authentication become key in preventing malicious man-in-the-middle, key-compromise and identity-spoofing attacks. Yet meeting these requirements presents some challenges in the IoT world, including the vast differences in devices’ ability to implement different key-exchange and Public Key Infrastructure (PKI) standards.

GlobalSign, a tech firm providing trusted identity and security solutions, has addressed this problem by offering device identification and authentication as a cloud-based service, enabling IoT developers to focus on their core competencies and integrate security into their IoT systems regardless of the underlying capabilities of their devices.

“Identity is key for building trust in any internet environment, and will only become more important as the IoT starts to take off into some real deployment stages,” says Lancen LaChance, Vice President, IoT Identity Solutions for GlobalSign.

GlobalSign’s PKI solutions are designed to scale with manufacturers’ needs based on the velocity, variety and volume of their IoT platforms, and can manage the identities of millions of devices. GlobalSign has partnered with hardware manufacturer Infineon to produce HSMs (hardware security modules) compatible with its cloud service, which provide safe storage of keys and implementation of security and identification on the device side.

The delivery of easily attachable security modules and services by tech firms that have experience in network and device security provides IoT developers with an opportunity to improve production and security in parallel.

LaChance suggests that when it comes to IoT security, implementations should stand on “the shoulder of giants” and leverage proven and widely deployed approaches as much as possible. While it’s true that minimal devices impact solution design, LaChance highlights that PKI can be deployed even in many constrained environments by using alternative algorithms and key sizes.

Abstraction at device-communication level

IoT systems are communication-intensive. Every second that passes, thousands and millions of messages are being exchanged between devices and sent to servers for storage, analytics and reporting purposes. These messages pass over a multitude of transports and protocols before reaching their destination, and there are no real standards to work with, which makes the development environment much more challenging.

Moreover, IoT developers usually come from an embedded-systems programming background, with little or no experience in handling connected systems and large databases. They end up creating ad hoc solutions that are hard to develop, cannot adapt to changes in their environments and lead to serious security issues.

“Many of these challenges can be addressed by abstracting to cloud-based services,” explains Natasha Tamaskar, Vice President and Head of Cloud and Mobile Strategy and Ecosystem for Kandy, a communications-platform-as-a-service (CPaaS) that provides secure transmission, storage and sharing of data between device and cloud. The platform can be scaled for a wide range of products through API calls and SDKs. Having an easy-to-use and secure device communication API can save IoT developers a lot of headaches and help them focus on functionality.

Relying on a specialized cloud platform is also important from a security perspective, Tamaskar explains. “Purpose-built API architecture lends itself to security,” she says, detailing how Kandy is designed to enhance IoT communication security through application isolation, giving API-only access to data and using end-to-end encryption to prevent man-in-the-middle attacks between the device and cloud. Its underlying role and authentication mechanisms also control subscriber access to API calls.

Kandy has already found many use cases in IoT, including wearables, healthcare products and patient diagnostics and control systems.

Abstraction at platform level

This is one of the most holistic approaches to meeting IoT development challenges, in which communications, security and storage are abstracted into flexible components that can evolve and change without affecting the core logic of the running software. Having a reliable and unified platform that puts the pieces of the IoT puzzle together will allow developers to focus on logic and functionality.

Joe Britt, co-founder and CEO of tech startup Afero, explains how his company’s flagship platform achieves this goal. “In IoT, there is tremendous dynamic range in device capabilities,” says Britt. “At the low end we have devices with very small micro controllers and little storage while at the high end, we have things with substantial computing resources and complex software.”

Afero is a combination of hardware, software, development tools and cloud services that provide an end-to-end platform for IoT devices. It has been crafted to deal with the many diversities of IoT transparently. “Across this spectrum there is a desire to have reliable and secure connectivity. Afero was designed to help with new product development whether it leveraged a legacy design or a greenfield design,” says Britt.

Afero has also been created with a focus on security, which is one of the top concerns of IoT. Instead of using direct connections — which happen to be one of the main channels attackers use to gain unauthorized access to a device’s memory space and data — device communications are abstracted through Afero’s cloud service.

The Afero Profile Editor (APE) offers an intuitive user interface that enables developers to register devices and define the attributes to expose to outside clients.

“The developer focuses on what information to present as cloud APIs and a user interface,” Britt explains. “The rest is handled by the Afero platform.” This includes finding the path to the cloud and establishing secure communications, which is achieved through a combination of encryption protocols. Afero has also been equipped with features to prevent pattern recognition and replay attacks, two types of hacks that do not require decryption keys and are very common in IoT systems that have long-running sessions.
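Why a replay needs no key, and what stops it, shown as an added example that is not Afero's code or protocol: the frame layout, the `seal` helper, the receiver classes and the sample key are all assumptions made for illustration, and the payload stands in for an already-encrypted command.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-session-key-32b"  # constructed sample key, not a real secret
TAG_LEN = 32   # HMAC-SHA256 output size
HDR_LEN = 8    # 64-bit message counter

def seal(key, counter, payload):
    """Build a frame: counter || payload || HMAC-SHA256(counter || payload)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class NaiveReceiver:
    """Checks authenticity only, so an authentic frame is accepted every time it arrives."""
    def __init__(self, key):
        self.key = key

    def accept(self, frame):
        if len(frame) < HDR_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return body[HDR_LEN:]

class ReplaySafeReceiver(NaiveReceiver):
    """Additionally requires the authenticated counter to be strictly increasing.

    Strict ordering also drops frames delivered out of order; a sliding
    window would be needed on transports that reorder packets.
    """
    def __init__(self, key):
        super().__init__(key)
        self.last_counter = -1

    def accept(self, frame):
        payload = super().accept(frame)
        if payload is None:
            return None
        (counter,) = struct.unpack(">Q", frame[:HDR_LEN])
        if counter <= self.last_counter:
            return None  # already seen: a recorded frame sent again
        self.last_counter = counter
        return payload

def demo():
    """Two genuine frames, then the first one resent unchanged by an observer."""
    frames = [seal(KEY, 1, b"unlock"), seal(KEY, 2, b"lock")]
    traffic = frames + [frames[0]]  # the resend needs no key, only a capture
    naive, safe = NaiveReceiver(KEY), ReplaySafeReceiver(KEY)
    return [naive.accept(f) for f in traffic], [safe.accept(f) for f in traffic]

if __name__ == "__main__":
    print(demo())
```

In a long-running session the counter has to survive reboots and never wrap, which is why it is kept at 64 bits here and covered by the tag.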

Afero is already being used by healthcare IT provider Infocom and toy maker giant BANDAI NAMCO Studios.

Final thoughts

Abstraction and separation of concerns have proven their worth time and again in dealing with and breaking down complexities and inconsistencies in very large and distributed systems. These are concepts that have distinct and important use cases in the volatile and constantly changing landscape of the IoT industry, and their application can help it go smoothly through its growing stages.
