The ERA of API in the World of IoT
Jing Zhang-Lee
November, 2015
API: The Nerve of Internet of Things

Diagram: IoT domains (Network, Transportation, Smart Home, Healthcare, Industrial, Surveillance, Wearable) connect to Services through APIs.
Taste of IoT APIs: Connect devices and cloud/web-based services

Evrythng
• Digital identity & profile for physical objects
• Make products smart, interactive & traceable
• Crypto-secure API tokens

Fitbit
• Wireless wearable sensors
• Health tracking and trending
• OAuth2 for API authentication & user authorization

GroveStreams
• Environmental monitoring sensor technology
• Data stream analytics
• RESTful API

Zatar
• IaaS detects and connects devices to the internet
• Enable social media functions on IoT devices
• REST and JSON-based API

Xively
• PaaS integrates physical devices with business systems to gain business insights
• RESTful API

ThingSpeak
• Open data platform for IoT data collection, processing and analysis
• Open API
A Paradigm Shift: API-Centric Organization

• Governance
• API Lifecycle Mgmt
• Cloud Integration
• Activity Analytics
• Developer Experience
• Multi-channel Delivery
• Secure Services
• SLA & Usage Throttling
Enabling API-Centric: Processes & Tools

Agility, Responsiveness & Convenience

• Secure Testing
• Integration Service
• Developer Portal
• API Gateway
• API Curate
• DevOps
Top 5 API Security Considerations

Design Pattern
• API design patterns
• Security reference architecture & design patterns

Access Control
• Authentication & granular authorization
• Access policy governance
• Adaptive access control

Secure Coding
• Input validation & output encoding
• Content filtering & exception handling
• Data sanitization

Session Management
• Session identifier protection
• Session lifecycle – instantiation, usage, timeout, etc.
• Secure token service

Monitoring
• API access request logging
• Access attempt monitoring for brute force & lateral attacks
• Analytics & actions
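One concrete instance of the Monitoring consideration (access request logging, brute-force attempt monitoring, and the resulting action), as an added example that is not part of the presentation: a Python detector that runs over constructed API gateway access log lines. The log format, the 5-failures-per-minute threshold and the IP-keyed alerting are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log in a hypothetical gateway format (not any product's real format):
# <ISO-8601 timestamp> <client_ip> <method> <path> <http_status> <auth_result>
SAMPLE_LOG = """\
2015-11-03T10:00:01Z 203.0.113.7 POST /v1/token 401 auth_failed
2015-11-03T10:00:02Z 203.0.113.7 POST /v1/token 401 auth_failed
2015-11-03T10:00:03Z 203.0.113.7 POST /v1/token 401 auth_failed
2015-11-03T10:00:04Z 203.0.113.7 POST /v1/token 401 auth_failed
2015-11-03T10:00:05Z 203.0.113.7 POST /v1/token 401 auth_failed
2015-11-03T10:00:06Z 203.0.113.7 POST /v1/token 200 auth_ok
2015-11-03T10:00:07Z 198.51.100.9 GET /v1/devices 200 auth_ok
2015-11-03T10:05:00Z 198.51.100.9 POST /v1/token 401 auth_failed
2015-11-03T10:20:00Z 198.51.100.9 POST /v1/token 401 auth_failed
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse_line(line):
    """Parse one access log line into a dict; malformed lines are rejected, not skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, method, path, status, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status), "result": result}

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failed authentications (HTTP 401) per client IP.
    Returns {ip: timestamp of the request that crossed the threshold}, one alert per IP."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    alerts = {}                  # the "action" input: IPs the gateway should throttle or block
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["status"] != 401:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts
```

The second client fails twice but fifteen minutes apart, so it never reaches the threshold inside one window and produces no alert.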
API Security Model At a Glance

Clients: Mobile Client, Web Client, Developer

Integration Service
• API Orchestration
• Data transformation

Access Management
• Authentication
• Authorization
• Access Policy Mgmt

API Gateway
• API creation, virtualization & administration
• API firewall
• SLA & Usage monitoring
• Secure session management

Monitoring
• Activity logging
• Monitoring alerts

Intelligence
• Access intelligence
• Threat intelligence

Adaptive Access
• Behavior analysis
• Risk profiling

Services