APIs and security in the IoT era

11 December 2015

The explosive growth in the number of connected devices is a real challenge that is stretching the traditional infrastructure to its limits.

While technology companies like Imagination are busy building the next wave of IoT-ready hardware architectures, software development is another area of particular interest.

Analysts are still debating how the consumer and industrial IoT markets will evolve but everyone agrees that two crucial requirements will determine the success of IoT in the long run: API management and security.


APIs were initially conceived to define a simple way for software to interact with hardware. Over time, APIs evolved to do more than simple hardware programming by adding more functionality and standardising development in rapidly-evolving markets. For example, the Mozilla Foundation created the WebAPI specification to help developers quickly create mobile applications using HTML5.

It is becoming clear that the next evolution of APIs will happen inside the IoT market. IoT APIs hold the key to unlocking the potential of next-generation hardware and connecting devices to the cloud in a smart, more efficient way. Initially influenced by the mobile revolution, IoT APIs are evolving to become a lightweight and user-friendly interface for developers to combine and connect multiple devices, and solve new and interesting workflows. 

As more devices are connected to the Net, however, certain recurring problems must be solved. We can either continue to address these over and over again, or we can develop common solutions and frameworks to the everyday challenges introduced by the IoT. An important part of solving these problems is addressed at the API layer. If we can make APIs interoperable, secure, scalable, well-documented, and discoverable, we have come a long way in solving many of the difficulties brought about by the IoT. We also need to find reusable ways of building secure and persistent, real-time communication between these cloud-based services and the little devices running on the IoT.

A new nonprofit consortium trying to solve the challenges of APIs for IoT is the AllSeen Alliance. With a stated mission to “enable and drive the widespread adoption of products, systems and services that support the Internet of Everything with an open, universal development framework supported by a vibrant ecosystem and thriving technical community”, the AllSeen Alliance is one of the broadest cross-industry groups trying to motivate companies to work together in an open forum.

The Thread Group is another example of how companies are working to solve IoT-related challenges. Presided by Chris Boross, the Thread Group is built around simplicity, security and efficiency. Thread aims to “build a technology that uses and combines the best of what’s out there and create a networking protocol that can help the Internet of Things realise its potential for years to come.”

Standardisation and regulation are clearly important in the development of new industries, especially one so fragmented as the IoT. Yet companies looking to push APIs in the IoT market must get serious about security. 


It’s not just about managing the privacy of personal data in the cloud that is a major concern. Security extends to concepts like safety since the things we will connect (cars, appliances, defence systems) have the potential to experience critical or even fatal issues. We’ve all seen the dangerous consequences of data and system breaches, from losing control of a hacked car driving on the highway to broken baby monitors used to spy on children. With each report, every player in the value chain begins to worry more about the integrity and safety of their data and their customers’ data, and as a result about the overall viability of their business in the long term.

One of the best practices recommended by the FTC is “security by design,” building security into an IoT product early in the design process and at each stage of development and this can begin in the embedded system.

Traditional embedded systems are largely closed systems, so security has been a fairly straightforward challenge. Static-based approaches have been generally effective, but these approaches are generally CPU-centric, binary (with one secure zone / one non-secure zone), and are complicated to implement. They won’t scale to address the sophisticated types of applications and services being enabled by next-generation connected devices and the cloud. A more scalable and cost-effective approach is required.

The answer is building multi-domain security into the SoC. Such an approach enables multi-tenant services to work on shared hardware, with isolation provided by hardware assisted virtualisation. Virtualisation allows for data and execution related to one service to be protected from another. By creating multiple secure domains, each application or operating system can operate independently and reliably in its own separate, trusted environment. This means a compromise affecting one service has no impact to the other.

Such a multi-domain separation-based architecture also eases development and deployment of applications and services. With this approach, developers will be able to securely develop and debug code in a virtualised environment, and operators and other service providers can configure devices for provisioning of services in the field.

Imagine a sensor hub in a home. With multi-domain security, virtualised containers can provide the ability to upgrade each sensor individually – be it home security, door and window actuators, lighting control, appliance management, smart meter aggregation and relay, and more. The system can be designed so that manufacturers and operators can later send software updates to the device, and utility companies can query the device for status – all over the air, and with no possible way for the others to be compromised or to access the other data in the system.

Importantly, such a system can enable separation of networking stacks – Wi-Fi and 6LoWPAN (for example) from the applications running in the other containers. The separation-based approach enables each to be isolated so that certifications remain uncompromised, while keeping power and area to a minimum through integration.

To keep the IoT ecosystem thriving, we need to create and apply portable tools at the foundation level for security. These include trusted hypervisors, secure messaging channels, security firewalls and more – all built for a multi-domain architecture. The open source prpl Foundation is taking this as its mandate with support from leading companies in the ecosystem, and is progressing this through its Security PEG (prpl Engineering Group). Through an approach called OpenSecurity, the prpl Security PEG is creating open standards and APIs that will help ensure a free and open market for everyone in the IoT value chain, while ensuring security of data and information.

This approach doesn’t address ownership of personal data or other privacy issues and we can’t stop hackers from practicing their craft. Yet with a multi-domain approach to embedded security, we can limit the effects of the hackers by isolating their hacks. We can let the IoT industry develop organically and robustly through the work of a wide range of innovators and technologies.

Contact Details and Archive...

Print this page | E-mail this page