The ERA of API in the World of IoT Jing Zhang-Lee November, 2015


Page 1

The ERA of API in the World of IoT

Jing Zhang-Lee

November, 2015

Page 2

API: The Nerve of Internet of Things

Diagram: Network, Transportation, Smart Home, Healthcare, Industrial, Surveillance and Wearable devices, each connected through an API to Services

Page 3

Taste of IoT APIs: Connect devices and cloud/web-based services

Evrythng
• Digital identity & profile for physical object
• Make products smart, interactive & traceable
• Crypto-secure API tokens

Fitbit
• Wireless wearable sensors
• Health tracking and trending
• OAuth2 for API authentication & user authorization

GroveStreams
• Environmental monitoring sensor technology
• Data stream analytics
• RESTful API

Zatar
• IaaS detects and connects devices to internet
• Enable social media functions on IoT devices
• REST and JSON-based API

Xively
• PaaS integrates physical devices with business systems to gain business insights
• RESTful API

ThingSpeak
• Open data platform for IoT data collection, processing and analysis
• Open API

Page 4

A Paradigm Shift: API-Centric Organization

• Governance
• API Lifecycle Mgmt
• Cloud Integration
• Activity Analytics
• Developer Experience
• Multi-channel Delivery
• Secure Services
• SLA & Usage Throttling

Page 5

Enabling API-Centric: Processes & Tools

Agility, Responsiveness & Convenience

• Secure Testing
• Integration Service
• Developer Portal
• API Gateway
• API Curate
• DevOps

Page 6

Top 5 API Security Considerations

Design Pattern
• API design patterns
• Security reference architecture & design patterns

Access Control
• Authentication & granular authorization
• Access policy governance
• Adaptive access control

Secure Coding
• Input validation & output encoding
• Content filtering & exception handling
• Data sanitization

Session Management
• Session identifiers protection
• Session lifecycle: instantiation, usage, timeout, etc.
• Secure token service

Monitoring
• API access request logging
• Access attempt monitoring for brute force & lateral attacks
• Analytics & actions

Page 7

API Security Model At a Glance

Integration Service
• API Orchestration
• Data transformation

Access Management
• Authentication
• Authorization
• Access Policy Mgmt

API Gateway
• API creation, virtualization & administration
• API firewall
• SLA & Usage monitoring
• Secure session management

Monitoring
• Activity logging
• Monitoring alerts

Intelligence
• Access intelligence
• Threat intelligence

Adaptive Access
• Behavior analysis
• Risk profiling

Services

Clients: Mobile Client, Web Client, Developer
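As an added example (not code from the slides, nor from any vendor or product named in them), the Python sketch below shows how the Page 6 considerations (authentication with granular scope-based authorization, input validation, token expiry as session timeout, access request logging with brute-force monitoring) and the Page 7 gateway functions (API firewall, SLA & usage throttling, secure session management) fit together in one gateway policy check. The signing key, the quota and threshold numbers, the route-to-scope table, the reading schema and the sample requests are all assumptions constructed for the example.

```python
"""Toy API-gateway policy check. Added example, not code from the slides or
from any vendor named in them. The key, quotas, routes, scope names and the
sample requests are assumptions made up for the example."""
import base64
import hashlib
import hmac
import json
import re
from collections import defaultdict

SECRET = b"assumed-gateway-signing-key"   # assumption: shared with the secure token service
WINDOW_SECONDS = 60                       # assumption: usage and failure window
MAX_REQUESTS_PER_WINDOW = 5               # assumption: SLA quota per client per window
BRUTE_FORCE_THRESHOLD = 3                 # assumption: failed auths per source before alerting
ROUTE_SCOPES = {                          # assumption: granular scope required per route/method
    ("POST", "/devices/readings"): "readings:write",
    ("GET", "/devices/readings"): "readings:read",
}
DEVICE_ID_RE = re.compile(r"^[a-z0-9-]{8,36}$")  # assumption: device identifier format


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl: float, now: float) -> str:
    """Secure token service: HMAC-SHA256 over JSON claims with an expiry (session timeout)."""
    body = json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, now: float):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):  # malformed base64/JSON or wrong number of parts
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def validate_reading(payload) -> bool:
    """Input validation (API firewall): exact field set, typed and range-checked values."""
    if not isinstance(payload, dict) or set(payload) != {"device_id", "temp_c"}:
        return False
    dev, temp = payload["device_id"], payload["temp_c"]
    if not isinstance(dev, str) or not DEVICE_ID_RE.match(dev):
        return False
    return isinstance(temp, (int, float)) and not isinstance(temp, bool) and -50.0 <= temp <= 150.0


class Gateway:
    def __init__(self):
        self.usage = defaultdict(list)     # client subject -> request timestamps in window
        self.failures = defaultdict(list)  # source IP -> failed-auth timestamps in window
        self.log = []                      # API access request log

    @staticmethod
    def _recent(stamps: list, now: float) -> list:
        stamps[:] = [t for t in stamps if now - t < WINDOW_SECONDS]
        return stamps

    def _record(self, entry: dict, status: int, result: str):
        entry["result"] = result
        self.log.append(entry)
        return status, result

    def handle(self, method, path, token, payload, source_ip, now):
        entry = {"ts": now, "src": source_ip, "method": method, "path": path}
        claims = verify_token(token, now)
        if claims is None:
            fails = self._recent(self.failures[source_ip], now)
            fails.append(now)
            if len(fails) >= BRUTE_FORCE_THRESHOLD:  # monitoring: repeated auth failures from one source
                return self._record(entry, 401, "brute_force_suspected")
            return self._record(entry, 401, "unauthenticated")
        entry["sub"] = claims.get("sub")
        needed = ROUTE_SCOPES.get((method, path))
        if needed is None or needed not in claims.get("scopes", []):  # granular authorization
            return self._record(entry, 403, "forbidden")
        used = self._recent(self.usage[claims.get("sub")], now)
        if len(used) >= MAX_REQUESTS_PER_WINDOW:  # SLA & usage throttling
            return self._record(entry, 429, "throttled")
        used.append(now)
        if method == "POST" and not validate_reading(payload):
            return self._record(entry, 400, "bad_input")
        return self._record(entry, 200, "ok")


if __name__ == "__main__":
    gw, now = Gateway(), 1_000_000.0
    tok = issue_token("sensor-01", ["readings:write"], ttl=300, now=now)
    good = {"device_id": "sensor-01-abcd", "temp_c": 21.5}  # constructed sample request
    print(gw.handle("POST", "/devices/readings", tok, good, "10.0.0.5", now))
    print(gw.handle("GET", "/devices/readings", tok, None, "10.0.0.5", now))
    for _ in range(3):
        print(gw.handle("POST", "/devices/readings", "garbage", good, "203.0.113.9", now))
```

The order of checks matters: authentication failures are counted per source before anything else, authorization is decided from the token's scopes rather than from the client's claim about itself, the quota is charged before the payload is parsed so that malformed input cannot be used to burn CPU for free, and every outcome is written to the access log so the Page 7 Monitoring and Intelligence layers have something to analyze.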