Welcome!

@ThingsExpo Authors: Elizabeth White, Nate Vickery, Yeshim Deniz, Pat Romanski, Liz McMillan

Related Topics: @ThingsExpo, Cloud Security, @BigDataExpo

@ThingsExpo: Blog Feed Post

Gating the IoT | @ThingsExpo #IoT #M2M #API #Security

There are twice as many 'things' in the house as the average 3.14 people per household in the US in 2015

Your car. My toaster. Our lights. The neighbor’s thermostat.

With an average of 7.8 connected devices per home, according to recent surveys, there are twice as many “things” in the house as the average 3.14 people per household in the US in 2015.

And all of them are “talking.” Not all talk to each other, yet, though the foundation for that is clearly laid out. But all of them talk to apps which talk to them over the Internet.

When you or I interact with that app, we do so via HTTP (hopefully secured). Whether it’s via a native mobile app that uses APIs or a modern web app is irrelevant; it is safe to say that both do so via HTTP.

But when things report in, it’s not so clear that they do so using HTTP. Oh, some do, certainly. But as the form factor for these things decreases it becomes increasingly difficult to manage power and compute in a way that’s supportive of heavier frameworks and protocols, like HTTP. That’s why IoT specific protocols have emerged. Protocols like MQTT (MQ Telemetry Transport) and AMQP (Advanced Message Queuing Protocol) that eliminate reliance on HTTP (but remain TCP/IP based) and even those like CoAP (Constrained Application Protocol – RFC 7252), which seek to minimize the impact of HTTP by optimizing a subset specifically for machine-to-machine (M2M) communications.

Publish/subscribe (usually simplified to pub/sub for brevity) models are nothing new in the world of applications. Message queuing is one of the ways that applications have always shared data, long before the days of the Internet became popular. Back then we implemented using C/C++. Then Java took the world (and the Internet) by storm and we learned how to use JMS (Java Message Service).

All pub/sub based protocols can be distilled down to a single, underlying concept: messages are “routed” based on “topics”.

This should sound familiar to those of you who have to “route” URIs. Page routing, app routing, content switching. We call it many different things but ultimately, it’s the same concept. Given a unique identifier in the application layer, requests are routed to the designated endpoint. With pub/sub protocols that is a message broker. For URIs, it’s generally an app or API hosted on a web server.

The difference with IoT protocols is that they are not HTTP-based, for the most part. They ride atop TCP/IP but are purposefully designed to be lightweight. This means that the (growing) data originating from the 7.8 devices in your home is being transported via something other than HTTP.

The thing is that the receiver (the message broker) needs to be scaled and secured, too. One of the complications, as it were, is that “things” like to have persistent connections. That’s because communication is bidirectional and asynchronous. Setting up connections via TCP is well-understood, and it’s a laborious chore that consumes CPU cycles that introduce latency into the equation. Latency that today’s consumers don’t tolerate. A persistent connection enables things to constantly communicate if necessary, and to receive updates with the immediacy that is not only desirable to some consumers, but necessary for others (industrial IoT relies on immediacy). This puts pressure on brokers in terms of capacity, because every connection counts against their total capacity to handle things. That generally means some sort of load balancing-capable proxy in front of the brokers to ensure messages are delivered to their destination. Devices generate a lot of data, after all, and they’re expected to work 24/7.

That, in turn, puts pressure on security ops to ensure that every connection counts. You don’t want to waste resources on a connection to a thing that isn’t valid. You don’t want to use up CPU cycle processing messages that aren’t valid.

While most attacks today have focused on harnessing the power of millions (literally millions) of compromised devices around the Internet, like any public-facing service, the IoT message brokers in the data center (cloud or on-prem) are vulnerable to attack, and in particular, to DoS attacks. That’s because they rely on the concept of topics as a core processing trigger. Topics might include “house/temperature” or “/house/temperature/alerts” or simply “house/#”. Those topics inform the message broker what to do and how to handle the data.

But what happens if it receives a topic it doesn’t understand? And what if that happens a lot. Like, more than the broker can handle?

Exactly. Resources are needlessly consumed and the broker might become overwhelmed and unable to process legitimate messages. It’s the same old story – exhaust the endpoint and deny service.

So like most web-based, public-facing services, an IoT broker – whether speaking MQTT or CoAP or some other pub/sub protocol – needs some level of protection against malicious attempts to confuse and confound it. Hence, you’re going to need to gate the IoT.

This is where I note that this will be an emerging market. Like XML and SOA and APIs before it, there will be IoT gateways. They will be built with the premise of protecting and scaling message brokers, and they will speak the language of the IoT. To do that, however, the gateway will need to speak “secure” protocols, too, like TLS. Inbound data might be malicious, but it’s hard to tell under all those encryption. Gateways, then, will need to the visibility to peer inside messages and inspect topics to ensure validity before passing them on to message brokers.

We might not call them IoT gateways. We might call them IoT proxies, or tack on a specific protocol and call them MQTT proxies or gateways. But at the end of the day they will operate on the same principles that have long defended and scaled the protocols that enable communication over the Internet. Whatever they are called, these solutions will need to be able to “speak” the language of IoT, namely protocols like MQTT, CoAP, and AMQP. That’s because they must be able to understand how to identify topics and execute logic to determine the validity of those topics, to prevent brokers from needlessly wasting precious resources on processing and dealing with those that are not legitimate, and may in fact be malicious.

If we’ve learned anything from the application and messaging protocols of the past, it’s that they can and will be manipulated and exploited for nefarious purposes. Whether it’s to exfiltrate data or to cause a denial of service, attackers will be targeting the systems on which this rapidly growing market of IoT is dependent. An ounce of prevention is still worth a pound of cure.

Stay safe out there.

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@ThingsExpo Stories
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Calligo, an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security, has been named "Bronze Sponsor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud plat...
"We are focused on SAP running in the clouds, to make this super easy because we believe in the tremendous value of those powerful worlds - SAP and the cloud," explained Frank Stienhans, CTO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
"The Striim platform is a full end-to-end streaming integration and analytics platform that is middleware that covers a lot of different use cases," explained Steve Wilkes, Founder and CTO at Striim, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We provide IoT solutions. We provide the most compatible solutions for many applications. Our solutions are industry agnostic and also protocol agnostic," explained Richard Han, Head of Sales and Marketing and Engineering at Systena America, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
"MobiDev is a Ukraine-based software development company. We do mobile development, and we're specialists in that. But we do full stack software development for entrepreneurs, for emerging companies, and for enterprise ventures," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
While the focus and objectives of IoT initiatives are many and diverse, they all share a few common attributes, and one of those is the network. Commonly, that network includes the Internet, over which there isn't any real control for performance and availability. Or is there? The current state of the art for Big Data analytics, as applied to network telemetry, offers new opportunities for improving and assuring operational integrity. In his session at @ThingsExpo, Jim Frey, Vice President of S...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
SYS-CON Events announced today that EnterpriseTech has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. EnterpriseTech is a professional resource for news and intelligence covering the migration of high-end technologies into the enterprise and business-IT industry, with a special focus on high-tech solutions in new product development, workload management, increased effic...
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and ...
SYS-CON Events announced today that CHEETAH Training & Innovation will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CHEETAH Training & Innovation is a cloud consulting and IT training firm specializing in improving clients cloud strategies and infrastructures for medium to large companies.
SYS-CON Events announced today that Datanami has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datanami is a communication channel dedicated to providing insight, analysis and up-to-the-minute information about emerging trends and solutions in Big Data. The publication sheds light on all cutting-edge technologies including networking, storage and applications, and thei...
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...