The IBM Advantage for Implementing the CSCC Cloud Customer Reference Architecture for Internet of Things (IoT)

Introduction
Functional Requirements
Non-functional Requirements
Cloud Customer Reference Architecture for IoT
Components of a Cloud RA for IoT
User Layer
Proximity Network
Public Network
Provider Cloud
Enterprise Network
Security
IoT Governance
The Complete Picture
IBM Product Support for IoT Solutions using Cloud Solutions
Scenarios
Scenario 1. Smart Homes Insurance Scenario
Scenario 2. Connected Care Analytics
Scenario 3. Smart Home Connected Appliance Scenario
Scenario 4. Real-time Motor Monitoring
Scenario 5. Industrie 4.0/Industrial IoT
IoT Development
Deployment Considerations
Common Criteria for Cloud Environments
Hybrid cloud and IoT
Summary of Key Considerations
Conclusion
Acknowledgements
References

Introduction

This paper describes how you can use IBM products and services to support the best practices for architecting Internet of Things (IoT) solutions provided in the Cloud Customer Architecture for IoT [1] published by the Cloud Standards Customer Council (CSCC).

You can use the architectural components described in the CSCC paper to build IoT solutions using cloud computing components. These components can be mapped to a range of IoT devices and distributed IoT systems appropriate to the nature of the physical entities monitored and controlled by the system. We also include recommendations for using IBM products and services to deploy and manage IoT systems that align with the architecture defined in the CSCC paper.

Before we look at the actual architecture for an IoT solution, let’s take a look at some of the factors that are driving the need for more IoT solutions.

Four key technology shifts are driving the need for IoT systems. These shifts are:
• Availability of more, less expensive and widely installable IoT devices
• Advanced analytics, which can derive actionable insights from masses of device data
• Cloud computing as a growth engine for business
• New ways for businesses to engage with customers

Growth opportunities provided by IoT and insight from IoT data across the enterprise can give companies in any industry a competitive advantage. IoT helps companies realize greater innovation, more effective operations, and increased customer and employee engagement.

Innovation
• Use direct feedback from products instrumented with IoT sensors to drive innovation in product development
• Apply IBM's strength in advanced analytics and cognitive insights to drive new business opportunities from real-world measurements
• Be more competitive through better business engagement by incorporating cognitive insights, weather, analytics, security, and data streaming capabilities into solutions
• Gain competitive advantage over competitors by being first to market using techniques such as cognitive personalization of connected products
• Employ remote monitoring of equipment in the field to change service and support from being reactive to being proactive, enabling new business models of selling equipment as a service

Operations
• Enhance operations by applying real-time responsiveness to optimize asset productivity and increase operational efficiency
• Use IoT data and cognitive insights to optimize the use of resources (worker, energy, expertise)
• Provide safer work environments by connecting sensors in work environments and on workers to detect and address hazardous conditions
• Transform automotive industries by gathering data from vehicle sensors, combining this data with other data sources for real-time analysis, and providing actionable insights for both drivers and for service and support
• Improve collaboration across operations, maintenance, reliability, and engineering, supporting and contributing to operational excellence
• Enable organizations to get better insights from their assets to ensure performance and improve associated processes to those assets to sense, communicate, and self-diagnose issues of intelligent assets and equipment so they can optimize their performance and reduce unnecessary downtime

Customer and employee engagement
• Provide equipment manufacturers the opportunity to engage and form relationships with the end user by instrumenting equipment, creating a business model that drives consumer engagement and lowers field service costs
• Allow insurers to provide more value to policy holders by offering proactive protection of their assets with notifications of potential problems, reducing claims, managing risk, and improving customer satisfaction, embracing the future with intelligent home, auto, business
• Digitize the retail store experience to yield detailed information and analytics about customer visits, including demographics and conversions for optimized channel distribution, inventory, and campaigns

Functional Requirements
• Easy-to-use, secure applications
• Ability to add new IoT devices to the system with minimal effort
• User opt-in to share personal information including location
• Smart homes equipped with the network of sensors, interconnected devices, and gateways
• Cloud IoT platform with robust device management, data identity services, and analytics
• Enterprise network, containing existing enterprise applications, services, and data
• System should provide operational alert and notification support for medical devices
• Device registration and user authentication to provide authentication services that directly bind an identity (for example, user, mobile device, vehicle, application) to its digital identity
• Reporting and analytics capabilities to create key performance indicators (for example, dashboards, graphs, and charts to view risk, compliance, and audit metrics by a variety of parameters, analytic tools with issue tracking, and reporting functionality with graphical dashboards)
• Real-time alerts for maintenance and security monitoring
• Plug-and-play interoperability between IoT devices with the adoption of open standards
• Straightforward integration with related data feeds such as weather information

Non-functional Requirements

To create an effective IoT system, you must account for non-functional requirements like security and risk management, scalability, RAS, and mobile support.

Security and risk management [2][3]
• Ensure protection of personal data
• Protection of the environment communicating with the device; networks need to be protected to prevent hackers from finding a way to intercept the network
• Support for authentication (device, system/application, and user), authorization, auditing, administration, encryption/decryption, data integrity, and key management, and managing identity and cryptographic key information
• All devices in the environment must be managed and maintained, and devices, gateways, routers, and other infrastructure must be regularly updated to apply all security patches and fixes
• Ability to detect, respond, resist, and recover from attacks
• Transactional integrity for procurement, purchase, and supply-chain processes, including manufacturing and delivery; prevent introduction of incorrect data or program codes; ensure the physical security of the production environment where devices and systems are manufactured

Safety
• For IoT systems that have actuators operating on real-world things, safety is a primary consideration and systems must be designed to fail safe and to ensure the safety of humans and equipment

Scalability
The number of concurrent devices and users connecting to the IoT platform must be scalable. The solution platform must scale to support the next generation of devices and to anticipate a newer generation of connected devices that will furnish higher resolution of data streams.

Reliability, availability, and serviceability (RAS)
High availability and resiliency of cloud IoT infrastructure and enterprise environments

Mobile support
The IoT device must provide a gateway to enable mobile computing devices such as mobile phones and tablets to serve as gateways to the cloud-based analytics platform. Clearly differentiate a mobile device that’s acting as an IoT or gateway device from one that’s simply a user interface provider (user input/output device) in an IoT solution.

Cloud Customer Reference Architecture for IoT

Figure 1 shows the elements that may be needed for any IoT solution.

Figure 1. Elements of IoT systems

IBM offers a solution for most elements shown above, other than devices and IoT gateways in the proximity layer. A range of devices is available, each suited to a particular IoT use case. IBM solutions are able to connect to these devices to build the overall system.

The IBM Watson IoT™ platform delivers a number of the capabilities in the provider cloud, including the device registry, device identity service, and device management. IBM Watson IoT in combination with IBM Bluemix® provides for API management, IoT transformation and connectivity, and necessary services, plus the means of providing application logic. Watson IoT goes further and supplies services for analytics, visualization, and process management. Also available are transformation and connectivity components that connect from the provider’s cloud system to existing enterprise network assets such as enterprise data stores and existing enterprise applications.

Myriad analytics capabilities are available, including Apache Spark, SPSS® predictive analytics, Watson (cognitive) APIs, IBM Watson IoT™ Platform Analytics Real-Time Insights, BigInsights® for Apache Hadoop service, Geospatial Analytics service, and the Streaming Analytics service. The transformation and connectivity components connect from the provider cloud systems to existing enterprise network assets, such as enterprise data stores and existing enterprise applications.

IBM prebuilt SaaS applications can address specific operational or business capabilities used with many types of IoT systems or sensors, including:

• Facilities and real estate optimization (TRIRIGA®)
• Enterprise asset management (Maximo®)
• Predictive maintenance and quality (IBM PMQ)
• Continuous engineering (Rational® suite)

A series of security services are available, including IBM Single Sign-On, IBM Security Access Manager, IBM Security Directory Server (ID and access management), QRadar® (monitoring), IBM Security AppScan (testing), and IBM Secure Key Lifecycle Manager (key management). For the development lifecycle: IBM DevOps Services, IBM continuous engineering (CE), IBM UrbanCode®, and more. IBM also has offerings in terms of peer cloud services that can be used by IoT systems – notably the Weather Channel service, which can provide streams of relevant weather information, often vital when dealing with physical entities.

Computation and storage for IoT can be done in many places – device, gateway, cloud or data center-hosted environments. Typical communications flow is often via device/gateway, to/from cloud and can also occur between peer systems (devices) and/or gateways.

Components of a Cloud RA for IoT

Figure 2 shows the capabilities and relationships for supporting IoT using cloud computing.

Figure 2. Cloud components for IoT

The cloud components of an IoT architecture are positioned within a three-tier architecture pattern comprising edge, platform, and enterprise tiers, as described in the Industrial Internet Consortium Reference Architecture [4].

The edge tier includes proximity and public networks where data is collected from devices and transmitted to devices. Data flows through the IoT gateway or optionally directly to or from the device then through edge services into the cloud provider via IoT transformation and connectivity.

The platform tier is the provider cloud, which receives, processes, and analyzes data flows both in flight and at rest from the edge tier and provides API management and visualization. It also provides the capability to initiate control commands from the enterprise network to the public network.

The enterprise tier is represented by the enterprise network and includes enterprise data, an enterprise user directory, and enterprise applications. The data flow to and from the enterprise network takes place via a transformation and connectivity component. The data collected from structured and non-structured data sources, including real-time data from stream computing, can be stored in the enterprise data.

IoT systems need application logic and control logic in a hierarchy of locations, depending on the timescales and datasets that are needed to inform decisions. Some code may execute directly in the devices at the very edge of the network or, alternatively, in the IoT gateways close to the devices. Other code executes centrally in the provider cloud services or in the enterprise network.

When code executes in the IoT gateways or the devices, it’s sometimes referred to as “edge computing.” It’s also sometimes referred to as “fog computing” to contrast with centralized “cloud computing.” Sometimes fog computing can contain one or more layers below the cloud that each could potentially provide capabilities for a variety of services like analytics. This design allows for flexibility in how connectivity and services are designed for optimization and resiliency.

IoT governance and security subsystems span all elements of the architecture to ensure controls and policies for all data and applications are defined and enabled across the system. Compliance is tracked to ensure controls are delivering the expected results.

The remainder of this section describes the various components in detail.

User Layer

There are two types of users in this layer: the IoT user and the end-user application.

• IoT User: The IoT user is a person or an automated system that makes use of end-user applications to achieve a goal. The IoT user is one of the main beneficiaries of the IoT solution.

• End-user Application: A domain-specific or device-specific application that an IoT user may use on smartphones, tablets, PCs or on specialized IoT devices, including control panels.

Proximity Network

The Proximity Network is made up of the physical entity, device, and IoT Gateway.

Physical Entity

The physical entity is the real-world object that is subject to sensor measurements and actuator behavior. It is the “thing” in the Internet of Things. This architecture distinguishes between the physical entities and the IT devices that sense them or act on them. For example, the thing can be the ocean, and the device observing it is a water temperature thermometer. Another example is a depot shipping parcels: The parcels are the physical entities, and there are devices with sensors that observe and identify each parcel (for example, via RFID tags or via barcode readers). The RFID tag reader is one thing and the parcels are something completely different – the identity of the parcel is the physical entity here.

Device

Contains sensor(s) or actuator(s) plus a network connection that enables interaction with the wider IoT system. There are cases where the device is also the physical entity being monitored by the sensors, such as an accelerometer inside a smartphone.

Key capabilities of a device include:

• Sensor/Actuator – The sensor and actuator senses and acts on physical entities. A sensor is a component that senses or measures certain characteristics of the real world and converts them into a digital representation. An actuator is a component that accepts a digital command to act on a physical entity in some way.

• Agent – Provides remote management capabilities for the device, supporting a device management protocol that can be used by the device management service or IoT management system.

• Firmware – Software that provides control, monitoring, and data manipulation of engineered products and systems. The firmware contained in devices such as consumer electronics provides the low-level control program for the devices.

• Network connection – Provides the connection from the device to the IoT system. This is often a local network that connects the device with an IoT gateway – low power and low range in many cases to reduce the power demands on the device. However, there are cases where the network connection is direct to the public network and no IoT gateway is required. In IoT systems, a wide range of alternative communication mechanisms are used and include local area networking using low-power, low-range methods, such as Bluetooth, Bluetooth Low Energy (BTLE), and others to reduce the power demands on the device. It may also include local area networking using WiFi, or wide area networking using 2G, 3G, and 4G LTE.

• User interface – Allows users to interact with applications, agents, sensors, and actuators. This component is optional since some devices have no user interface and all interactions take place from remote applications over the network.

IoT Gateway

The gateway is a means for connecting one or more devices to the public network (typically the internet). Because the gateway is essentially a decoupling element, other capabilities are also available. Often, devices have limited network connectivity due to a number of reasons, including the limitation of power on the device, which can restrict the device to using a low-power local network. The local network enables devices to communicate with a local IoT gateway, which is then able to communicate with the public network. The IoT gateway often has other capabilities, including the ability to filter and intelligently react to data, the ability to send and receive data or commands to and from the internet, and the ability to run application or service logic locally (processing data and executing control logic without the need to communicate to a central location). It can also provide operational efficiency by allowing multiple devices to share a common connection.

Key capabilities in this domain include:

• Application logic - Provides domain-specific or IoT solution-specific logic that runs on the IoT gateway. For IoT systems with actuators that act on physical entities, a significant capability of the application logic is the provision of control logic, which makes decisions on how the actuators should operate, given input from sensors and data of other kinds, either held locally or held centrally.

• Analytics - Provides analytics capability locally rather than in the provider cloud.

• Agent - Allows management of the IoT gateway itself and can also enable management of the attached devices by providing a connection to the provider cloud layer's device management service via the device management protocol.

• Device data store - Stores data locally. Devices may generate a large amount of data in real time, so it may need to be stored locally rather than being transmitted to a central location. Data in the device data store can be used by the application logic and analytics capability in the IoT gateway.

IBM Capabilities for IoT Gateway

IBM does not build gateway hardware, and partners with gateway manufacturers, such as Cisco Systems Inc., to provide direct device connectivity. IBM Edge Analytics Agent runs on those gateways to provide a variety of capabilities, including connectivity to the Watson IoT cloud platform and the ability to run analytics on the gateways themselves to filter and summarize data, take local actions, and forward events and a subset of the data to the cloud. You can globally configure the agent, update it from a cloud environment, and cache its configuration and analytics at the gateway so that it can continue to provide its functions even when disconnected from the cloud. This is especially important in environments with intermittent connectivity.
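
The filter, summarize and forward behaviour described above for a gateway agent, including continued operation while disconnected, as an added example (not IBM's code and not from the original paper). The EdgeGateway class, its message fields and the FlakyUplink stand-in are hypothetical and the readings are constructed; when the bounded buffer fills during an outage, summaries are given up before alerts.

```python
from collections import deque
from statistics import mean


class EdgeGateway:
    """Hypothetical gateway agent (illustrative, not a real product API)."""

    def __init__(self, uplink, threshold, window=4, max_buffer=8):
        self.uplink = uplink          # callable(msg); raises ConnectionError when offline
        self.threshold = threshold    # locally cached config: alert above this value
        self.window = window          # readings per summary
        self.max_buffer = max_buffer  # bound on messages held while disconnected
        self.pending = {}             # device_id -> readings not yet summarized
        self.outbox = deque()
        self.dropped = 0

    def on_reading(self, device_id, value):
        """Process one sensor reading; returns how many messages reached the cloud."""
        if value > self.threshold:
            # Local decision: alerts bypass batching and are queued immediately.
            self._enqueue({"type": "alert", "device": device_id, "value": value})
        batch = self.pending.setdefault(device_id, [])
        batch.append(value)
        if len(batch) >= self.window:
            # Forward a summary instead of every raw reading.
            self._enqueue({
                "type": "summary", "device": device_id, "count": len(batch),
                "min": min(batch), "max": max(batch), "mean": mean(batch),
            })
            self.pending[device_id] = []
        return self.flush()

    def _enqueue(self, msg):
        if len(self.outbox) >= self.max_buffer:
            self.dropped += 1
            victim = next((q for q in self.outbox if q["type"] == "summary"), None)
            if victim is not None:
                self.outbox.remove(victim)   # oldest queued summary goes first
            elif msg["type"] == "summary":
                return                       # only alerts are queued: drop the new summary
            else:
                self.outbox.popleft()        # buffer holds only alerts: drop the oldest
        self.outbox.append(msg)

    def flush(self):
        """Send queued messages in order; stop at the first failure and keep the rest."""
        sent = 0
        while self.outbox:
            try:
                self.uplink(self.outbox[0])
            except ConnectionError:
                break
            self.outbox.popleft()
            sent += 1
        return sent


class FlakyUplink:
    """Constructed stand-in for the connection to the provider cloud."""

    def __init__(self):
        self.online = False
        self.received = []

    def __call__(self, msg):
        if not self.online:
            raise ConnectionError("uplink down")
        self.received.append(msg)


def run_demo():
    """Eight constructed temperature readings: four while offline, four after reconnect."""
    uplink = FlakyUplink()
    gateway = EdgeGateway(uplink, threshold=80.0, window=4, max_buffer=8)
    for value in [70.0, 71.0, 95.0, 72.0]:
        gateway.on_reading("motor-1", value)
    queued_offline = len(gateway.outbox)
    uplink.online = True
    for value in [70.0, 70.0, 70.0, 70.0]:
        gateway.on_reading("motor-1", value)
    return queued_offline, uplink.received


if __name__ == "__main__":
    queued, received = run_demo()
    print(queued, received)
```
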

Public Network

Peer Cloud

The peer cloud is a third-party cloud system that provides services to bring data and capabilities to the IoT platform. Peer clouds for IoT may contribute to the data in the IoT system and may also provide some of the capabilities defined in this IoT architecture.

It is likely that larger IoT systems, such as those involved in smart cities, actually involve the combination of a series of smaller IoT systems, each addressing part of the solution. These systems of systems involve connections between multiple peer cloud systems, each of which may have IoT devices and associated applications and services. Connecting these individual systems can enable larger, more comprehensive solutions.

Edge Services

Services needed to allow data to flow safely from the Internet into the provider cloud and into the enterprise. Edge services also support end-user applications.

Key capabilities in this domain include:

• Domain Name System Server - Resolves the URL for a particular web resource to the IP address of the system or service that can deliver that resource.

• Content Delivery Networks (CDN) - Support end-user applications by providing geographically distributed systems of servers deployed to minimize the response time for serving resources to geographically distributed users, ensuring that content is highly available and provided to users with minimum latency. Which servers are engaged will depend on server proximity to the user and where the content is stored or cached.

• Firewall - Controls communication access to or from a system, permitting only traffic meeting a set of policies to proceed and blocking any traffic that does not meet the policies. Firewalls can be implemented as separate dedicated hardware, or as a component in other networking hardware such as a load-balancer or router or as integral software to an operating system.

• Load balancers - Provide distribution of network or application traffic across many resources (such as computers, processors, storage, or network links) to maximize throughput, minimize response time, increase capacity, and increase reliability of applications. Load balancers can balance loads locally and globally. Load balancers should be highly available without a single point of failure. Load balancers are sometimes integrated as part of the provider cloud analytical system components like stream processing, data integration, and repositories.

IBM Capabilities for Edge Services

These capabilities are well documented in IBM Advantage supporting the Web Application Hosting Reference Architecture.

IBM Bluemix supports services for DNS, firewalls, load balancing, and CDN. IBM Security Network Protection is a next-generation intrusion prevention system that can be used to monitor network traffic and provide protection from hidden security vulnerabilities. Finally, IBM DataPower® provides load balancing and SSL termination. It helps quickly secure, integrate, control, and optimize access to a range of workloads through a single, extensible, DMZ-ready gateway.

The IBM VPN service provides secure IP-layer connectivity between your on-premises data center and your Bluemix cloud. It leverages the Internet Protocol Security (IPsec) suite for protecting IP communication between endpoints residing on your private subnets. An IPsec-compatible VPN gateway is required in your on-premises data center for establishing secure connectivity with IBM VPN service.

Provider Cloud

The Provider Cloud provides core IoT applications and associated services, including storage of device data, analytics, process management for the IoT system, data visualizations, and hosting components for device management, including a device registry.

Key capabilities in this domain include:

• IoT transformation and connectivity
• Application logic
• Visualization
• Analytics
• Process management
• Device data store
• API management
• Device management
• Device registry
• Device identity service
• Transformation and connectivity

A cloud-computing environment provides scalability and elasticity to cope with varying data volume, velocity, and related processing requirements. Experimentation and iteration using different cloud service configurations is a good way to evolve the IoT system, without upfront capital investment.

IoT Transformation and Connectivity

This capability enables secure connectivity to and from IoT devices. This component must be able to handle and perhaps transform high volumes of messages and quickly route them to the right components in the IoT solution.

Key capabilities in this domain include:

• Secure connectivity - Provides secured connectivity, which authenticates and authorizes access to the provider cloud.

• Scalable messaging – Enables messaging from and to IoT devices. Scalability of the messaging component is essential to support high data volume applications and applications with highly variable data rates.

• Scalable transformation – Provides transformation of device IoT data before it gets to the provider cloud layer, to provide a form more suitable for processing and analysis. This may include decoding messages that are encrypted, translating a compressed formatted message, and normalizing messages from varying devices.
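
One way to combine the secure connectivity and transformation capabilities listed above, as an added example that is not part of the original paper or of any IBM product: the ingest path authenticates each message against a device registry before parsing it, bounds decompression, and normalizes two device formats into one record. The registry, the keys, the HMAC envelope and the vendor_a/vendor_b payload formats are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import math
import zlib

# Constructed device registry: per-device key and payload format (all hypothetical).
REGISTRY = {
    "thermo-001": {"key": b"constructed-key-1", "format": "vendor_a"},
    "thermo-002": {"key": b"constructed-key-2", "format": "vendor_b"},
}
MAX_BODY = 4096  # upper bound on a (decompressed) payload, in bytes


class Rejected(Exception):
    """Raised when a message fails authentication or validation."""


def sign(key, device_id, body):
    """MAC over the device id and the body bytes exactly as sent on the wire."""
    return hmac.new(key, device_id.encode() + b"\x00" + body, hashlib.sha256).hexdigest()


def make_envelope(device_id, doc, compress=False):
    """Device-side helper used only to build the constructed sample messages."""
    body = json.dumps(doc).encode()
    if compress:
        body = zlib.compress(body)
    return {"device_id": device_id, "encoding": "zlib" if compress else "identity",
            "body": body, "mac": sign(REGISTRY[device_id]["key"], device_id, body)}


def _vendor_a(doc):  # {"t_f": Fahrenheit, "time": epoch seconds}
    return (float(doc["t_f"]) - 32.0) * 5.0 / 9.0, int(doc["time"])


def _vendor_b(doc):  # {"temp_c": Celsius, "ts_ms": epoch milliseconds}
    return float(doc["temp_c"]), int(doc["ts_ms"]) // 1000


DECODERS = {"vendor_a": _vendor_a, "vendor_b": _vendor_b}


def ingest(envelope):
    """Authenticate, decode and normalize one device message, or raise Rejected."""
    device_id = str(envelope.get("device_id", ""))
    entry = REGISTRY.get(device_id)
    if entry is None:
        raise Rejected("unknown device")
    body = envelope.get("body", b"")
    if not isinstance(body, bytes):
        raise Rejected("malformed envelope")
    # Verify the MAC in constant time before any parsing or decompression.
    expected = sign(entry["key"], device_id, body).encode()
    supplied = str(envelope.get("mac", "")).encode("utf-8", "replace")
    if not hmac.compare_digest(expected, supplied):
        raise Rejected("bad signature")
    try:
        if envelope.get("encoding") == "zlib":
            inflater = zlib.decompressobj()
            body = inflater.decompress(body, MAX_BODY)
            if not inflater.eof:  # output hit the cap, or the stream is truncated
                raise Rejected("payload too large or truncated")
        elif len(body) > MAX_BODY:
            raise Rejected("payload too large or truncated")
        temp_c, ts = DECODERS[entry["format"]](json.loads(body))
        if not math.isfinite(temp_c):
            raise ValueError("non-finite temperature")
    except (zlib.error, ValueError, KeyError, TypeError) as exc:
        raise Rejected("malformed payload") from exc
    # Common record handed on to storage and analytics.
    return {"device_id": device_id, "temperature_c": round(temp_c, 2), "ts": ts}


if __name__ == "__main__":
    print(ingest(make_envelope("thermo-001", {"t_f": 77.0, "time": 1700000000})))
    print(ingest(make_envelope("thermo-002",
                               {"temp_c": 21.5, "ts_ms": 1700000000500}, compress=True)))
```

The MAC in this example does not prevent replay of a captured message; a deployment would also check a nonce or timestamp carried inside the signed bytes.
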

IBM Capabilities for IoT Transformation and Connectivity

The IBM Watson IoT Platform can be used to provide IoT transformation and connectivity. This managed service provides secure connectivity for devices, allowing them to connect either directly or through a gateway. Data from the devices can be retrieved and analyzed in real time, and application logic can also use the platform to query the current state of a device.

The IBM Watson IoT platform lets you perform the following tasks:

• Create and manage applications
• Create, connect, and manage devices
• Extend device management with custom actions
• Create and manage gateways
• Retrieve device data

Devices can connect to the IBM Watson IoT platform using either HTTP or the MQTT messaging protocol. Provided toolkits help you develop device firmware or application software that uses the platform. Watson supports the following language environments:

• Python
• Node.js
• Java™
• C#
• Embedded C
• mBed C++

Application Logic

The core application components typically coordinate the handling of IoT device data, the execution of other services and supporting end-user applications. An event-based programming model with trigger, action, and rules is often a good way to write IoT application logic. Application logic can include workflow and may also include control logic, which determines how to use actuators to affect physical entities.

IBM capabilities for application logic

Application logic can be written in many languages. In particular, IBM Bluemix provides runtimes for Cloud Foundry applications written in Node.js, Java (WebSphere® Liberty Profile), Swift, Python, and Go. Node-RED is a tool to develop Node.js applications, and OpenWhisk is a runtime environment designed explicitly for event-driven application development. Both are particularly well suited to IoT.

Visualization

Visualization enables users to explore and interact with data from the data repositories, actionable insight applications, or enterprise applications. Visualization capabilities include end-user UI, admin UI, and dashboard as sub-components.

Key capabilities in this domain include:

• End-user UI – Allows users to interact with enterprise applications, analytics results, and the like. This also includes internal or customer-facing mobile user interfaces.

• Admin UI - Enables administrators to access metrics, operational data, and various logs.

• Dashboard - Allows users to view various reports. Admin UI and dashboard are internal-facing user interfaces.

IBM capabilities for visualization

The IBM Watson IoT platform provides visualization dashboards. Other products or services, including embedded reporting, SPSS, Cognos, and the like also provide visualization.

Analytics

Analytics is the discovery and communication of meaningful patterns of information found in IoT data, to describe, predict, and improve business performance.

Key capabilities in this domain include:

• Analytics Data Repository - Supports legacy, new, and streaming sources, enterprise applications, enterprise data, cleansed data and reference data, as well as output from streaming analytics. Capabilities include exploration and archiving (for storing, exploring and augmenting large data sets using a wide variety of tools); deep analytics and modeling (application of statistical models to yield information from large data sets comprised of unstructured and weakly-structured elements); interactive analysis and reporting (tools to answer business and operations questions over Internet scale data sets); data cataloging (results from discovery and IT data curation create a consolidated view of information reflected in a catalog). See How IBM Leads in Building Big Data and Analytics Solutions in the Cloud [5] for more information on big data and analytics reference architectures for using cloud computing.

• Cognitive – These capabilities create an intelligent system that learns at scale, reasons with purpose, analyses to predict, prescribe, and discover from massive data sets of interconnected physical, social, enterprise and other entities, and closes the loop with machine-generated advice, assistance, and actions, in a manner that self-learns and adapts, for enabling augmented human intelligence through man/machine collaborations.

• Actionable Insight - Insights that ultimately drive actions that may be used by business applications from data collected, processed, and stored in the data repositories. Capabilities include analytics-based and operational decision management, discovery and exploration across a variety of sources to provide business users with new visibility into business performance, predictive analytics (extracts information from existing data sets to determine the current state, identify patterns, and predict future trends), analysis and reporting (reports of operational and warehouse data to business stakeholders and regulators where big data typically increases the scope and depth of available data), content analytics (enables businesses to gain insight and understanding from their structured and unstructured content), planning and forecasting (enables faster and more efficient development of plans, budgets, and forecasts by creating, comparing and evaluating business scenarios).

• Streaming Computing - Accepts and processes in real time large volumes of highly dynamic, time-sensitive continuous data streams from a variety of inputs such as sensor-based monitoring devices, messaging systems, and financial market feeds. Capabilities include real-time analytical processing, which applies analytic processing and decision-making to in-motion and transient data with minimal latency, and data augmentation, which filters and diverts in-motion data to data warehouses for deeper background analysis.

IBM capabilities for analytics

Tools available to develop and run analytics applications include Spark as a Service, Spark Streaming, SPSS Predictive Analytics, Watson APIs, IBM Watson IoT Real-Time Insights, BigInsights for Apache Hadoop service, Geospatial Analytics service, and Streaming Analytics service. For detailed information about how IBM supports other analytics services, see the IBM Advantage for CSCC Cloud Customer RA for Analytics.

Process Management

Process management involves planning, developing, deploying, and monitoring the performance of a business process.

IBM capabilities for process management

The Maximo Asset Management service supports business processes to manage all types of assets, including plant, production, infrastructure, facilities, transportation, and communications. IBM TRIRIGA provides strategic facilities planning, implementation, and management capabilities.

Device Data Store

The device data store stores data from the IoT devices so the data can be integrated with processes and applications that are part of the IoT system. Devices may generate a large amount of data in real time, requiring the device data store to be elastic and scalable.

IBM capabilities for edge services

IBM Object Store provides cost-effective storage for large volumes of data produced by IoT applications. If more rapid access to the data is required, solutions can choose between relational databases such as dashDB®, or NoSQL data stores such as Cloudant® or MongoDB. For intensive analytics, the BigInsights for Apache Hadoop service includes an embedded HBase database.

API Management

API Management capabilities publish, catalog, and update APIs in a variety of deployment environments. They enable developers and end users to rapidly assemble solutions through discovery and reuse of existing data, analytics, and services.

IBM capabilities for API management

IBM API Connect provides streamlined control across the API lifecycle and also enables businesses to gain deep insights around API consumption from its built-in analytics.

Device Management

Device Management capabilities provide an efficient way to manage devices securely and reliably from the cloud platform. Device management contains device provisioning, remote administration, software updating, remote control of devices, and monitoring devices. Device management may communicate with management agents on devices using management protocols, as well as communicate with management systems for the IoT solutions.

IBM capabilities for device management

The IBM Watson IoT platform supports device management and allows for the creation of customized command sets to meet the needs of the specific application.

Device Registry

The Device Registry stores information about devices that the IoT system may read, communicate with, control, provision, or manage. Devices may need to be registered before they can connect to and/or be managed by the IoT system. IoT deployments may have a large number of devices, so scalability of the registry is important.

IBM capabilities for device registry

The IBM Watson IoT platform can be used as the device registry.

Device Identity Service

The Device Identity Service ensures that devices are securely identified before being granted access to the IoT systems and applications.

IBM capabilities for identity services

In IoT systems, device identification helps address threats from fake servers or fake devices. The IBM Watson IoT platform can be used as the device identity service.

Transformation and Connectivity

Transformation and Connectivity services enable secure connections to enterprise systems and the ability to filter, aggregate, or modify data or its format as it moves between cloud and IoT systems components and enterprise systems (typically systems of record). Within the IoT reference architecture, the transformation and connectivity component sits between the cloud provider and enterprise network. However, in a hybrid cloud model these lines might become blurred.

Key capabilities in this domain include:

• Enterprise Secure Connectivity - Integrates with enterprise data security systems to authenticate and authorize access to enterprise systems

• Transformation - Transforms data going to and from enterprise systems

• Enterprise data connectivity - Enables provider cloud components to connect securely to enterprise data. Examples include VPN and gateway tunnels

IBM Capabilities for Transformation and Connectivity

The IBM Bluemix Secure Gateway service brings hybrid integration capabilities to your Bluemix environment. The gateway provides secure connectivity from Bluemix to other applications and data sources running on-premises or in other clouds. A remote client is provided to enable secure connectivity.

Enterprise Network

The Enterprise Network hosts a number of business-specific enterprise applications that deliver critical business solutions along with supporting elements like enterprise data. Typically, enterprise applications have sources of data that are extracted and integrated with services provided by the cloud provider. Analysis is performed in the cloud-computing environment, with output consumed by the enterprise applications.

Systems of record data have generally matured over time and are highly trusted. They remain a primary element in reporting and predictive analytics solutions. Systems of record data include transactional data about or from business interactions that adhere to a sequence of related processes (financial or logistical). This data can come from reference data, master data repositories, and application data used by or produced by enterprise applications functionally or operationally. Typically, the data has been improved or augmented to add value and drive insight. Enterprise data may be input into the analysis process through data integration or directly to the data repositories as appropriate.

Enterprise User Directory

Stores user information to support authentication, authorization, or profile data. The security services and edge services use this to control access to the enterprise network, enterprise services, or enterprise specific cloud provider services.

IBM Capabilities for Enterprise User Directory

IBM Directory Server fills this important function.

Enterprise Data

Includes metadata about the data, as well as systems of record for enterprise applications. Enterprise data may flow directly to data integration or the data repositories providing a feedback loop in the analytical system for IoT. IoT systems may store raw, analyzed, or processed data in appropriate enterprise data elements.

Key capabilities in this domain include:

• Reference data - Provide context about collected data.

• Master data repositories - Can be updated with the output of analytics, to assist with subsequent data transformation, enrichment and correlation. They can support analytics and feed other analytics models when those models execute.

• Transactional data - Data about or from business interactions that adhere to a sequence of related processes (financial or logistical). This data can come from reference data, master data repositories, and distributed data storage.

• Application data - Data used by or produced by enterprise applications functionally or operationally. Typically, the data has been improved or augmented to add value and drive insight.

• Log data - Data aggregated from log files for enterprise applications, systems, infrastructure, security, governance, etc.

• Enterprise content data - Data to support any enterprise application.

• Historical data - Data from past analytics and enterprise applications and systems.

IBM capabilities for enterprise data

IBM products well suited to support the volume of enterprise data generated by IoT include IBM InfoSphere® Master Data Management (MDM), IBM DB2®, HBase, BigInsights, FileNet®, and BigSQL.

Enterprise Applications

Enterprise applications consume cloud provider data and analytics to produce results that address business goals and objectives. Enterprise applications can be updated from enterprise data or from IoT applications, or they can provide input and content for enterprise data and IoT applications.

Key capabilities in this domain include:

• Customer experience – Customer-facing systems are a primary system of engagement that drives new business and helps service existing clients at lower cost.

• New business models – Alternative business models that focus on low cost, fast response, and great interactions are all examples of opportunities driven by cloud solutions.

• Financial performance – Financial applications can be made more efficient as data is consolidated and reported faster and more easily.

• Risk analytics – Use risk analytics to evaluate threats to the business, such as fraud or hacking. Elastic resource management means more processing power is available in times of heightened threat.

• IT economics – Used to streamline IT operations as capital expenditures are reduced while performance and features are improved by cloud deployments.

• Operations and fraud – Cloud solutions can provide faster access to more data, allowing for more accurate analytics that flag suspicious activity and offer remediation in a timely manner.

IBM capabilities for enterprise applications

IBM offers a range of specific applications suited to enterprise requirements, such as IBM Maximo for asset management, the IBM Fraud and Abuse Management System, IBM Watson Analytics, and IBM risk management solutions.

Security

Security in IoT deployments must address IT security as well as operations technology (OT) security elements. The level of attention to security and the topic areas addressed vary depending upon the application environment, business pattern, and risk assessment. A risk assessment takes into account multiple threats and attacks along with an estimate of the potential costs associated with such attacks.

In addition to security considerations, connecting IT systems with physical systems requires you to consider how the IoT system might impact safety. IoT systems must be designed, deployed, and managed in a way where the operators can always bring the system to a safe operating state, even when disconnected from communications with other systems that are part of the deployment. Indeed, disconnecting from communications may be part of the security measures put in place to help secure the IoT deployment.

There are several areas of security to consider:

• Identity and access management
• Data protection
• Security monitoring, analysis, and response
• System, application, and solution lifecycle management

Identity and Access Management

As with any computing system, there must be strong identification of all participating entities – users, systems, applications, and, in the case of IoT, devices and IoT gateways – through which those devices communicate with the rest of the system. Device identity and management involves multiple entities, starting with chip and device manufacturers, including IoT platform providers, and also including enterprise users and operators of the devices. In IoT solutions, many of these entities will communicate and address the IoT devices throughout their operational lifetime.

IBM capabilities for identity and access management

The IBM Watson IoT Platform provides capabilities for registering IoT devices and gateways, allowing for identification, authentication, and access control of what devices and gateways can perform in a connected environment. In addition, the Watson IoT Platform has functions for identifying applications that may communicate with and use devices and gateways and invoke Watson IoT platform APIs to perform other IoT-related tasks. User authentication is handled through IBM Bluemix and integration with IBM Single Sign-On capabilities. This allows for a wide range of user/human authentication mechanisms, as well as a wide range of user registries ranging from popular public registries on the Internet to client-specific enterprise or customer-centric registries.

Data Protection

Data in the device, in flight throughout the public network, provider cloud, and enterprise network, as well as at rest in a variety of locations and formats must be protected from inappropriate access and use. You can use multiple methods, and indeed, in many cases, you can apply multiple methods simultaneously to provide different levels of protection of data against different types of threats or isolation from different entities supporting the system. Protecting communications links may be used in addition to individual data field level encryption or signing done on the device to provide both end-to-end and point-to-point communications protection. Data at rest in different formats may be encrypted at the field, database, and even whole disk/media level to protect against leakage and improper usage. Increased data collection also results in a need to consider potential privacy implications, requiring additional attention to data segregation, redaction, and special handling requirements.
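The field-level signing described above can be sketched as follows. This is an added example, not code from the paper or from IBM: the device tags one telemetry field with HMAC-SHA256, and the cloud side verifies the tag and rejects stale sequence numbers, so integrity holds end to end even when an intermediate gateway terminates the link encryption. The device id, key, field names and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-device key (assumption: one symmetric key per device,
# provisioned at manufacture and looked up in the cloud by device_id).
DEVICE_KEYS = {"leak-sensor-01": bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)}


def _canonical(device_id, seq, field, value):
    """Fixed, unambiguous encoding of exactly the data the tag covers."""
    return json.dumps([device_id, seq, field, value], separators=(",", ":")).encode()


def sign_field(device_id, seq, field, value, key):
    """Device side: authenticate one telemetry field with HMAC-SHA256."""
    tag = hmac.new(key, _canonical(device_id, seq, field, value), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "seq": seq, "field": field, "value": value, "tag": tag}


class FieldVerifier:
    """Cloud side: check the tag first, then reject stale sequence numbers."""

    def __init__(self, keys):
        self._keys = keys
        self._last_seq = {}  # highest sequence number accepted per device

    def verify(self, msg):
        device_id, seq, tag = msg.get("device_id"), msg.get("seq"), msg.get("tag")
        if not (isinstance(device_id, str) and isinstance(seq, int) and isinstance(tag, str)):
            return "malformed"
        key = self._keys.get(device_id)
        if key is None:
            return "unknown-device"
        expected = hmac.new(
            key, _canonical(device_id, seq, msg.get("field"), msg.get("value")), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison. A mismatch means the value, field name,
        # sequence number or device id changed after the device signed it.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-tag"
        # The sequence number is covered by the tag, so an old but genuine
        # message cannot be re-submitted later.
        if seq <= self._last_seq.get(device_id, -1):
            return "replay"
        self._last_seq[device_id] = seq
        return "ok"


def demo():
    """Run three constructed messages through the verifier."""
    key = DEVICE_KEYS["leak-sensor-01"]
    verifier = FieldVerifier(DEVICE_KEYS)
    genuine = sign_field("leak-sensor-01", 1, "water_flow_lpm", 0.0, key)
    # A gateway that terminates the link encryption and re-serializes the
    # message does not disturb the field tag.
    relayed = json.loads(json.dumps(genuine))
    # Same envelope, but the value was changed after signing.
    altered = dict(sign_field("leak-sensor-01", 2, "water_flow_lpm", 12.5, key), value=0.0)
    return [verifier.verify(relayed), verifier.verify(altered), verifier.verify(relayed)]


if __name__ == "__main__":
    print(demo())
```

Signing gives integrity and origin authentication only; confidentiality of the field still depends on link protection or on field-level encryption, which this sketch does not cover.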

It is important to consider whether the data involved in an IoT system would include not only personally identifiable information (PII) – which implies legal and regulatory obligations – but also data related to individuals in some way. In some cases, devices may be directly associated with individuals, or individuals may be the physical entities that are the subject of sensor data which, while not personally identifiable information (PII), is definitely information that most would expect to be considered personal. Further, with enough of this observed information, the aggregate data could be enough to identify the person it was gathered from. While PII is usually the subject of laws and regulations, these other types of PII should be treated carefully, and the IoT system must be designed to give appropriate protection to these types of data. Protections may involve where and how data can be stored, the identified owner of the information, and what data usage restrictions need to be enforced.

Data protection considerations can have a range of implications. For example, it may be the case that data collected by the device must be stored in the same vicinity of the collection, either on the device or on an IoT gateway that is close to the device, and cannot be transmitted to a central location such as the provider cloud.

IBM capabilities for data protection

Data protection is provided in IBM Bluemix services, such as Cloudant, dashDB, MongoDB, and Message Hub, as well as Spark-based processing systems. Appropriate attention to configuration and connection settings is important when constructing the solution.

IBM IoT solutions including IoT for Electronics, IoT for Automotive, and IoT for Insurance employ these services with careful attention to configuration settings so that appropriate data protection is used.

Security monitoring, analysis, and response

To detect and react to active attacks or anomalous behaviour, every system must have built-in monitoring of the environment. Because of the scale of IoT systems, both in the number of devices as well as the amount of information being processed, automated responses to known attacks and automatic detection of suspicious behaviour are required. These responses may include temporary isolation, quarantine, or the removal of parts of the IoT system, as well as formal incident response processes for addressing vulnerabilities that are discovered after the systems have been put into service.

As with IT security, there is a need for disclosure of vulnerabilities so that affected parties can appropriately mitigate the risk and make changes and updates in a timely manner. Because attacks can come in a variety of different forms, all attacks must be expected, planned for, and responded to. As just one example, an attack might come in the form of injection of fake, erroneous, or erratic sensor data into the IoT system in an attempt to steer automated decision-making parts of the system to act in a desired (by the attacker) manner. Such attacks must also be expected, planned for, and responded to.
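One way to automate detection of erroneous or erratic sensor data, with quarantine as the response, is a per-device plausibility monitor placed in front of the decision logic. This is an added example, not part of the paper or of any IBM product: the class name, thresholds and the constructed temperature stream are assumptions. It combines a physical range check, a rate-of-change check and a robust outlier test (median and median absolute deviation), and quarantines the device after repeated rejections.

```python
from collections import deque
from statistics import median


class SensorMonitor:
    """Plausibility checks for one sensor; thresholds are assumed values."""

    def __init__(self, lo, hi, max_step, resolution, window=8, z_limit=6.0, quarantine_after=3):
        self.lo, self.hi = lo, hi          # physically possible range
        self.max_step = max_step           # largest plausible change per reading
        self.resolution = resolution       # sensor resolution, floor for the spread
        self.z_limit = z_limit
        self.quarantine_after = quarantine_after
        self.history = deque(maxlen=window)  # accepted readings only
        self.strikes = 0
        self.quarantined = False

    def _reason(self, value):
        # NaN fails every comparison, so it is rejected here as out of range.
        if not (self.lo <= value <= self.hi):
            return "range"
        if self.history:
            if abs(value - self.history[-1]) > self.max_step:
                return "step"
            if len(self.history) >= 5:
                med = median(self.history)
                mad = median(abs(x - med) for x in self.history)
                # A flat baseline gives MAD == 0; fall back to the sensor
                # resolution so normal jitter is not flagged.
                scale = max(1.4826 * mad, self.resolution)
                if abs(value - med) / scale > self.z_limit:
                    return "outlier"
        return None

    def check(self, value):
        """Return 'accept', 'reject:<reason>' or 'quarantined'."""
        if self.quarantined:
            return "quarantined"
        reason = self._reason(value)
        if reason is None:
            self.history.append(value)
            self.strikes = 0
            return "accept"
        # Rejected readings never enter the baseline, so a stream of bad
        # values cannot drag the median toward itself.
        self.strikes += 1
        if self.strikes >= self.quarantine_after:
            self.quarantined = True
        return "reject:" + reason


def run_constructed_stream():
    """Constructed temperature readings (degrees C) from one device."""
    monitor = SensorMonitor(lo=-40.0, hi=85.0, max_step=2.0, resolution=0.1)
    readings = [21.0, 21.1, 21.0, 21.2, 21.1, 21.0, 24.5, 120.0, 21.9, 21.1]
    return [monitor.check(r) for r in readings]


if __name__ == "__main__":
    for verdict in run_constructed_stream():
        print(verdict)
```

The third rejection (21.9) passes the range and step checks and is caught only by the outlier test. Releasing a device from quarantine is left to an operator or an incident process and is not modelled here.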

IBM capabilities for security monitoring, analysis, and response

IBM offers several mechanisms for monitoring and analyzing data communications traffic from and between computing systems.

IBM products such as QRadar can be used in conjunction with the Watson IoT Platform and services. These offerings, combined, allow for monitoring, analysis, and response to situations that can arise as IoT devices connect with IT systems to construct a solution. The Watson IoT Platform provides device management, security configuration, and risk-management features for device and gateway-specific monitoring and response.

System, application, and solution lifecycle management

Lifecycle management of the IoT system is complex, multi-faceted, and has relationships with identity management, device management, the supply chain, application and software development, through to system operations and change management of deployed and in-service systems.

Attention to security in all of these areas is required to prevent a variety of attacks ranging from malicious code insertion to inappropriate firmware/software deployment, to effective cryptographic key management. Code, key material, and even physical components must be verified as they flow from procurement and creation through to their installation into the devices, IoT gateways, and other systems that make up the IoT system. The IoT system should also provide the capability to update individual components in a secure way, both to address vulnerabilities and also to address functional enhancements over the lifetime of the system.

IBM Capabilities for System, Application, and Solution Lifecycle Management

When constructing an IoT solution and designing, building, and deploying IoT devices and gateways as a part of that solution, you must pay careful attention to how software or firmware will be managed on the devices and gateways. Device and gateway manufacturers and users should determine the most appropriate firmware update mechanism to employ, including what firmware-over-the-air (FOTA) vendors to work with. IBM offers interfaces in the Watson IoT Platform to signal to applications or solutions when a firmware update is necessary and to observe the firmware levels reported by devices and gateways.

Validating that the firmware and software running in devices and gateways is as expected is also important. If code running in these systems has been tampered with or is corrupted in some way while in operation, inappropriate behavior from the device or gateway may occur. Technologies for in-memory scanning for unexpected code modifications, such as those provided by Arxan (www.arxan.com), can help detect and respond to such attacks.

All interfaces in an IoT solution must be tested for potential vulnerabilities. Ongoing penetration testing of devices, gateways, and all other externalized parts of the solution is necessary to detect potential weak spots and take steps to mitigate these. IBM AppScan Source (for static, source-code analysis) and AppScan Enterprise (for dynamic, web/HTTP interface-based testing) can be applied to any software or interfaces, respectively, which are exposed as part of the solution. This can include interfaces exposed by devices and gateways, even if those interfaces are meant for local, isolated administrative connections.

Managing keys in devices and gateways can be challenging. IBM Secure Key Lifecycle Management (SKLM) offers mechanisms for performing key management operations. Device and gateway manufacturers can employ these services to assist with key management operations for keys deployed into devices and gateways.

IoT Governance

As described in the IoT Security section, there are many challenges in securing an IoT solution. Oversight and procedures must be used to ensure that when new vulnerabilities and threats are discovered, there is a means and mechanism for addressing these threats in IoT systems.

IoT systems differ from traditional IT systems in an important way: exploits and failures in IoT systems have the potential to cause serious harm to humans, property, and the environment. Physical devices and equipment are usually in service for much longer periods of time than typical computing systems such as servers, PCs, tablets, and other mobile devices. IoT equipment is often installed in locations where change or replacement is complicated due to great cost or inconvenience. Because of these reasons, IoT systems must be designed and deployed with change/update/modification in mind, along with strong governance to ensure that such change is done appropriately, safely, reliably, and securely. Indeed, IoT system change is likely to be needed long after device warranty periods have expired as it is well known that physical systems are often used for long periods of time.

Strong governance procedures are needed to determine and enforce the appropriate in-service lifespan for devices and to plan non-disruptive, secure change-overs as new systems are introduced into the system. IoT governance complexities are similar to the complexities in hybrid cloud computing. Definition, planning, and oversight might include both technical and operational staff. Visibility into SLAs, change management, and other policy and process areas can be expedited by selecting tools to simplify data collection, reporting, and notifications.

IBM capabilities for IoT governance

Managing the software lifecycle of firmware, software, applications, analytics processing, and user interface functions of an IoT solution is a complex task. Often, each piece of software that makes up the solution is built using a specific software development methodology; one IoT solution could be built using a wide range of different software development methodologies that will be followed across this spectrum of software which makes up the solution. IBM DevOps Services, IBM Continuous Engineering (CE), and IBM Continuous Lifecycle Management (CLM) offerings provide a flexible set of tools and functions for managing the software development and deployment lifecycle. IBM UrbanCode offerings can also assist in managing software deployments across development, test, and production environments, further assisting organizations in maintaining strong IoT governance.

The Provider Cloud components may also be subject to change over time. For example, the analytics components and their associated software may undergo regular enhancements to improve their performance and reliability. Appropriate governance must be in place to ensure that changes to these components are understood ahead of time and that the changes do not have an adverse impact on the overall IoT system.

The Complete Picture

Figure 3 provides a detailed view of all of the components, subcomponents, and relationships in a cloud-based IoT solution architecture.

Figure 3. Detailed components diagram

IBM Product Support for IoT Solutions using Cloud Solutions

Now that we've reviewed the component model for an IoT solution using cloud computing, let's look at how IBM products can be used to implement an IoT solution. In previous sections, we highlighted IBM's end-to-end solution for deploying an IoT solution using cloud services. The figure below shows how IBM capability maps to specific components in the reference architecture.

Figure 4. IBM support for IoT solutions

Scenarios

Now that you understand the architectural components of an IoT solution in the cloud, let's look at how to use IBM products to implement common scenarios using this architecture.

• Scenario 1. Smart Homes Insurance scenario
• Scenario 2. Connected Care Analytics
• Scenario 3. Smart Home Connected Appliance Scenario
• Scenario 4. Real-time Motor Monitoring
• Scenario 5. Industrie 4.0 / Industrial IoT

These scenarios reuse the components that the organization is currently using in traditional data centers, which we depict as part of the enterprise zone of the architecture.

Scenario 1. Smart Homes Insurance Scenario

Figure 5 illustrates the flow of a connected insurance service use case for IoT.

Figure 5. Flow for insurance scenario for IoT

In this example, smart homes with connected devices and sensors provide insurance companies the ability to improve the service to policyholders while gaining insight into risks in the home. Connected devices allow policyholders to receive notification of potential danger to the home and engage with the insurer in a more proactive manner.

By connecting homes, insurers, and other services, the connected insurance service uses key components of the IoT reference architecture. As an example, leak detection sensors and valves can enable the policyholder to monitor water leaks and offer protection from resulting damage. The sensors are purchased from multiple sources and installed in the home, which includes connecting them to the device maker’s cloud services. The policyholder authorizes the insurance cloud service to connect to the device maker’s cloud service, granting access to the device data. The device maker is responsible for the lifecycle of the devices, and the insurance company benefits from access to the data from these devices and provides an improved experience to its policyholders.

Basic information flow:

1. Sensors and actuators are deployed in the home and attached to the device maker’s cloud service. As an example, the sensors can detect water leaks, water flow, and temperature, and the actuators can include automatic water shutoff valves.

2. The homeowner logs into the insurance mobile application and authorizes the insurance service to access the device maker’s (peer) cloud and their device data. The mobile application sends the authorization token and insurance company identifier to the cloud service. This information is used to map the user, devices, and insurance policy within the cloud service. The device cloud service is used because the device makers have already deployed into their own cloud and own the life cycle of the device as well as the user experience with the devices.

3. The insurance service receives authorization, device details, and the insurance ID from the insurance mobile application and processes this in several nodes (application logic, device registry, and device data store). The devices are registered with the device registry, and data mapping is updated in the application logic component. IBM Bluemix Liberty or Node.js can be used for providing the application logic, which can use the IBM IoT for Insurance Service from Bluemix. IBM Cloudant, dashDB, or Object Storage can be used for device data store. IBM Watson IoT Platform can be used for device registry.

4. The insurance service application uses the authorization token to connect to the device maker (peer) and request the data. The application is configured to pull data on a configured interval. In addition to device data, the application can be configured to access other data sources such as a weather data service for use in analysis. IBM Bluemix IoT for Insurance Service is a Bluemix service that collects, manages, and analyzes data from connected policyholders. IoT for Insurance helps provide personalized risk assessment, real-time protection, and policy cost reductions.

5. Data from devices and other sources such as the weather service are continually updated and sent to analytics systems to determine if a potential risk threshold has been exceeded. This data is analyzed to determine if there is a potential for damage to the home (including water damage, freeze potential, etc.). Device data from sensors in connected homes provides insight into potential problems in the home such as water leak or humidity. The Weather Company data service on Bluemix integrates weather data from The Weather Company into Bluemix applications, and it can retrieve weather data for an area specified by geo-coordinates.

6. Once it is determined that there is a problem, using the analysis from Step 5, notifications are sent to the homeowner and to the insurance company. The homeowner can then take action to respond to the notification and determine if damage has occurred, and the insurance company can initiate a claim process.

7. If damage has occurred, the insurance business process of claims management is initiated. The insurance business processes can be accomplished in the cloud service, their enterprise applications, or their mobile applications. This is dependent on how and where the insurance company decides to perform the business logic. IBM Real-time Insights or Message Hub can be used for managing the process flow. Typically, this is done using the insurance company’s existing claims management system.

A cloud architecture makes this type of solution easier to implement and maintain. As demand increases, more resources must be acquired.

Scenario 2. Connected Care Analytics

Figure 6 illustrates the flow of a connected car analytics use case for IoT.

Figure 6. Flow of connected car analytics

Background – There are two people in this scenario. A 75-year-old male driver has a heart condition and wears a Fitbit to monitor biometrics like heart rate. A female driver, 35, has an active lifestyle and wears an Apple watch which she has enabled to share information. Both drivers register for a “Better Driving Behavior Program.”

Both drivers have a known profile, created as an enterprise record, that is based on their hometown location, driving records, daily driving route, speed, current weather, road conditions, and other features. These relate to a set of KPIs that provide metrics on how to measure such features. Because the drivers have opted into the better driving behavior program, we can monitor the devices the drivers have given access to or permissions for. This information is shared between the device and the providers, the drivers, their emergency contacts, and doctor’s office.

When the man and woman drive and interact with their devices and gadgets, the IoT framework picks up all data points. The analytics engine built for this framework evaluates any changes in driving behavior and flags any anomalies that need to be acted upon. The engine also recognizes information that the systems need to learn about as its normal or new behavior that needs to be acted upon in the future.

Runtime Flow

1. The user registers and creates a profile in the Enterprise User Directory, and links existing social media accounts to a doctor’s network. IBM Security Directory Server, a lightweight implementation of Lightweight Directory Access Protocol (LDAP), is used for security and identity management. It acts as a foundation for deploying comprehensive identity management applications and advanced software architectures. A custom web or mobile application logic is used to build the user profile. The user’s record gets updated in the Enterprise User Directory.

2. The user connects his or her vehicle to a device registry service and to a global network of devices for identification and broadcast message. IBM Watson IoT Platform allows registration of the device and device type, and the payload information is configured accordingly in the platform for downstream and upstream consumption. The user’s record gets updated with the devices in the device data store. The IBM Watson IoT Platform boilerplate comes configured with Cloudant as a NoSQL Database as a Service that can be used to store telemetry and other sensor information from devices for long-term storage and retrieval.

3. The user updates his or her user preferences like data capture setup, special alerts, thresholds, emergency contacts, and application settings. A suitable web or mobile application built on the IBM MobileFirst platform or a custom enterprise application that leverages services like Node.js or WebSphere Liberty can be used for these user interactions.

4. The device captures motion, telemetry, and geospatial data by monitoring interactions from a fitness tracker, Apple watch, and cell phone usage. The setup in the steps above allows the IBM Watson IoT to capture all this information and interaction the user has with the devices over time. Additional services like streaming analytics ingest, analyze, monitor, and correlate data as it arrives from real-time data sources. View information and events as they unfold.

5. Via edge services, the user application sends data from the Internet, like social media accounts, or weather and road conditions.

6. The IoT transformation and connectivity service enables secure connectivity to the registered IoT devices (like vehicles, Fitbit, Apple watch). The IBM Watson IoT Platform enables this transformation and connectivity.

7. Devices from the male driver record abnormal medical stress and driving pattern. Devices from the female driver record a phone call and an erratic driving pattern. The application correlates information, evaluates the next best action due to the anomalies, and persists it in the corporate data store. Both drivers are sent appropriate alerts, and the application follows the escalation path as defined in preferences. Custom application code and scenario logic is embedded in Node.js or WebSphere Liberty services that allow devices to send information to downstream data stores and application processing engines for correlation and actions.

8. The analytics engine implements machine learning and applies heuristics, statistics, classifiers, dimensional reduction, and collaborative filtering for anomaly detection and remediation. It updates in-memory processors for quick processing of real-time transactions. IBM analytical, predictive, and machine learning capabilities provided with Spark as a Service on Bluemix, IBM Data Science Experience, IBM SPSS, and IBM Watson APIs can be used to understand the behavior of these interactions, their trends, anomalies, outliers and for statistical and predictive learning. Offline learning and online scoring machine learning predictive models can be interjected into the data processing pipelines for applying the analytics where needed. In addition, there are other analytics services available on Bluemix that can be used.

Theseinclude:

• IBMWatsonIoTContextMappingServiceenablesyourapplicationtoanalyzemovingobjecttrajectoriesbyusingroadnetwork-basedgeospatialservices.Itprovidesreal-timequeryinterfacestoaccessroadnetworkdataandsearchservicesbyuniqueindexstructureandadvancedcachemechanisms.

• IBMWatsonIoTDriverBehaviorServiceletsyouanalyzedrivers'behaviorfromvehicleprobedataandcontextualdata.

• GeospatialAnalyticshelptrackwhendevicesenter,leave,orhangoutinde_inedregions.

9. Thetransformationandconnectivityserviceallowsforsecureconnectiontoenterprisesystemstolookupeventinformation.IBMDataPowerandIBMIntegrationBusservicesareusedforthis.

10. Theenterpriseapplicationmaintainsbusinessmodelslikecustomerexperienceandriskevaluationandisusedforlookuportransactionprocessingorpublishinganeweventrule,auditprocessing.Thisdataisloadedinmemoryforaccesstotheanalyticsengine.Enterpriseapplicationsaretypicallycustomandspeci_ictotheenterpriseandareoutsidethescopeofasingleIBMproduct.However,therearemanycapabilitiesandsolutionsprovidedbyIBMcommerce,travel,andtransportationthatallowinternalandexternaluserstoreviewbusinessoutcomes,experiences,trends,healthofprograms,salesandrevenueinformation,forexample.IBMCognosisonesuchenterpriseapplicationthatcanbeusedinsuchscenarios.

11. Thisservicemanagesprocesswork_lowandcoordinatestheREST-basedservicesusedinyourapps.IBMBluemixCarDiagnosticAPI,Real-TimeInsightsandothermicroservicesrunningonNPMorNode.jscanbeutilizedtodeployprocesswork_lows.TheIoTCarDiagnosticAPIcanhelpyoutoassessthehealthstatusofavehicle,bytranslatingOBDerrorcodesinahuman-readableform.

12. TheIoTgovernancemaintainspoliciesandterminologyofthebusinessapplicationsandrulesaroundaccessingthatinformation.IBMsecurity,audit,andgovernancecapabilitiesinQRadarSecurityIntelligenceplatformandSIEMcapabilities,alongwithGuardium®audit,compliance,andvulnerabilitycapabilities,andcapabilitiesintheinformationgovernancecatalogintheIBMInformationIntegrationSuite,provideacompletepolicy-basedsecureandcontrolledenvironment.

13. Visualizationprovidesactive,descriptivereportsanddashboardstotheuser.IBMsupportsopentechnologieslikeRave,D3,Angular,andBrunellalongwithenterpriseofferingsfromIBMCognosandWatsonAnalytics.

14. Theend-userapplicationprovidestheengagementmodelfortheuserintheformofamobileorwebapplication.IBMMobileFirstmobileorcustommobileorweb-basedapplicationscanbeusedtosurfacevarioususagemetricstoendusersortoprovideaninteractiveenvironment.IBMAPIConnectservicecansurfacetheseservicestomanyusers.

Scenario 3. Smart Home Connected Appliance Scenario

A manufacturer and its ecosystem partners can provide end-user remote control and better customer support for connected appliances for smart homes.

Figure 7 illustrates the flow of a connected appliance and smart homes scenario for IoT.

Figure 7. Flow for a smart home connected appliance scenario

1. A smartphone app used by the appliance owner registers the customer’s ownership and provides the end user with the ability to control the appliance. The IBM IoT for Electronics service (available in Bluemix) provides a sample mobile application. This makes use of the Mobile Cloud Access service that is also available in Bluemix.

2. Customer registration details are recorded in the manufacturer’s systems of record. The Bluemix Secure Gateway service can provide connection to the system of record.

3. The appliance is registered in the cloud provider’s registry, and appropriate security permissions are established. The IoT for Electronics service provides owner registration services, and the Watson IoT Platform provides a registry of the actual devices.

4. While in the house, the end user can use the smartphone app to check the status of the appliance and can send commands to the appliance, for example to adjust a temperature setting. In this case, the app connects directly to the appliance. The IoT for Electronics sample application shows how to do this.

5. Devices embedded in the appliance send data to the app and respond to its commands. The IBM Watson IoT Platform sends data to the app.

6. The app can communicate with the cloud provider to offer the same capabilities when the user is not physically in the house. In this case, the device also communicates with the cloud provider and communication happens via the IBM Watson IoT Platform.

7. Application logic can be used to influence or control the appliance as well, for example a washer/dryer might not start immediately, but might delay to get a better energy rate. Applications could be written using a Bluemix runtime, for example the Node.js Cloud Foundry runtime.

8. Usage and operational data can be collected from the devices in the appliance and stored in a device data store. IBM Watson IoT Platform can store data directly in the Bluemix Cloudant NoSQL DB service, but other storage services can be used instead.

9. This data can be analyzed, either in real time or retrospectively, for example for:

• Preventive maintenance

• Understanding what features are used from appliance (for future marketing or cross selling)

• For rental/lease of the appliance (pay as you go)

The IBM Predictive Maintenance solution can be used for preventive maintenance. You can gain usage insights by collecting the device data in a big data store and running analytics applications against it.

10. Third-party ecosystem providers can connect in via API management to offer further services, for example selling accessories or consumables (e.g., soap). API management can be provided using IBM API Connect for Bluemix.

Scenario 4. Real-time Motor Monitoring

This sample solution monitors a torque motor in real time on a shop floor, and the application notifies the technician automatically in case of any variance from standard operating parameters. This Watson IoT cloud native application is integrated with Maximo asset management system to minimize operational changes. There are also Bluemix APIs used for notification and SMS alerts. The IBM predictive maintenance cloud service enables operations, manufacturing, production, and maintenance personnel in asset-intensive industries to use predictive analytics to improve asset availability, increase throughput, minimize unplanned outages, and reduce maintenance costs.

This architecture offers the capability to develop predictive models to analyze asset performance data in real time, calculate asset health scores, and predict potential asset failure. Please refer to IBM Cloud Architecture Center for additional details on this Watson IoT solution.

Figure 8 illustrates the flow of the real-time motor monitoring scenario for IoT.

Figure 8. Flow for real-time motor monitoring

1. A user interacts with a machine (physical entity). In this scenario, the interaction is with a servo motor via sensor to monitor its performance attributes to enable preventive maintenance.

2. IBM IoT Gateway receives the data from the IoT-enabled torque motor, and the data is converted into MQTT format.

3. The MQTT data from the IoT gateway is received by edge services that are enabled by Bluemix API management framework, which the real-time insight application uses.

4. API management enables the bi-directional connectivity into the IoT-enabled device from the Bluemix application.

5. The APIs and the IoT devices are authenticated using IoT foundation APIs in Bluemix. These APIs are enabled by API management and device registry to ensure sensor and API authentication.

6. API and device authorization passes the received data to the PMQ application via a device identity service.

7. The application logic checks for exceptions, boundary conditions, and other anomalies in real time.

8. Via Transformation and Connectivity services, the workflow integrates with Maximo and notifies service representatives for real-time predictive maintenance.

9. The IBM cloud platform and Watson IoT APIs complete the business process automation and operations integration. This enables new business models, which helps to improve operational efficiency.
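Steps 5 to 7 above, shown as an added example that is not part of the original paper and is not IBM code: a message reaches the application logic only if its device is in the registry and its tag verifies, and only then is it checked against operating limits. The HMAC tag, the topic layout, the registry contents, and the limits are assumptions made for illustration; the paper does not specify the credential scheme.

```python
import hashlib
import hmac
import json

# Constructed registry: device id -> shared secret. This stands in for whatever
# credential a real device registry issues (assumption, not from the paper).
DEVICE_REGISTRY = {"torque-motor-01": b"constructed-secret-01"}

# Constructed operating envelope for the motor (assumption).
LIMITS = {"torque_nm": (0.0, 50.0), "temp_c": (-10.0, 90.0)}


def sign(device_id: str, payload: bytes, secret: bytes) -> str:
    """Tag binding the payload to one device id (hex HMAC-SHA256)."""
    msg = device_id.encode("utf-8") + b"\x00" + payload
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authenticate(device_id: str, payload: bytes, tag: str) -> bool:
    """Step 5: only registered devices with a valid tag pass."""
    secret = DEVICE_REGISTRY.get(device_id)
    if secret is None:
        return False  # unregistered device
    expected = sign(device_id, payload, secret)
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


def check_boundaries(reading: dict) -> list:
    """Step 7: flag missing, non-numeric, or out-of-range values."""
    alerts = []
    for field, (low, high) in LIMITS.items():
        value = reading.get(field)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            alerts.append(f"{field}: missing or non-numeric")
        elif not low <= value <= high:  # also catches NaN
            alerts.append(f"{field}: {value} outside [{low}, {high}]")
    return alerts


def process(topic: str, payload: bytes, tag: str) -> dict:
    """Steps 5-7 in order: authenticate first, parse and check afterwards."""
    parts = topic.split("/")  # constructed topic scheme: iot/<device_id>/evt
    if len(parts) != 3 or parts[0] != "iot" or parts[2] != "evt":
        return {"status": "rejected", "reason": "bad topic"}
    device_id = parts[1]
    if not authenticate(device_id, payload, tag):
        return {"status": "rejected", "reason": "authentication failed"}
    try:
        reading = json.loads(payload)
    except ValueError:
        return {"status": "rejected", "reason": "malformed payload"}
    if not isinstance(reading, dict):
        return {"status": "rejected", "reason": "malformed payload"}
    alerts = check_boundaries(reading)
    status = "alert" if alerts else "ok"
    return {"status": status, "device": device_id, "alerts": alerts}


if __name__ == "__main__":
    secret = DEVICE_REGISTRY["torque-motor-01"]
    # Constructed sample messages.
    normal = b'{"torque_nm": 31.2, "temp_c": 64.0}'
    overload = b'{"torque_nm": 72.5, "temp_c": 64.0}'
    topic = "iot/torque-motor-01/evt"
    print(process(topic, normal, sign("torque-motor-01", normal, secret)))
    print(process(topic, overload, sign("torque-motor-01", overload, secret)))
    # Tampered payload replayed with the tag of the normal reading.
    print(process(topic, overload, sign("torque-motor-01", normal, secret)))
```

Because the payload is parsed only after the tag verifies, unauthenticated input never reaches the JSON parser or the threshold logic.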

Scenario 5. Industrie 4.0/Industrial IoT

Industrie 4.0/Industrial IoT focus primarily on business scenarios integrating vertically (from machines to cloud), horizontally (among supply networks), or along the lifecycle of the product. Given the focus on integrating the operational technology (OT) layer with the IT layer in a manufacturing context, Industrial IoT represents a special case of the general IoT reference architecture. This is due to the nature of its closed environment with some specific requirements, three layers (edge, plant, cloud/enterprise), as well as the importance of the flexibility of functional deployment among the three layers, which is a strong differentiation of IBM’s Industrie 4.0 approach.

Note that the three-layer approach results from the need for the individual factory (or "plant") to continue operation even if external connections to enterprise and cloud systems should fail – stopping the production lines for an external connection failure is unacceptable. This three-layer approach also occurs in other IoT scenarios such as smart buildings, where a local entity must continue operating smoothly even if connectivity to centralized IT systems fails.

This scenario from automotive manufacturing monitors production equipment and tools for various performance metrics and performs analytics on this data both at the edge (applying the emerging edge analytics architecture) on a Cisco Edge device and at the enterprise layer, as part of the IBM IoT platform. The equipment in this example, which includes robots (used for welding) and handling equipment (conveyors, palletizers), is already instrumented and is being monitored by either Omron or Fanuc programmable controllers.

Other tools and devices are involved in the operation as well. A welder attachment is connected via the Fanuc controller, and image-processing equipment (being used for inspecting welds) is attached via the Cisco edge device. RFID is used in this example for identifying pallets and WIP; RFID is also integrated via the Cisco Edge device.

Figure 9. Industrie 4.0/Industrial IoT architecture

Background of the reference architecture: Devices and production machines associated with production operations are typically managed by existing DCS/SCADA systems, which can be integrated by industry protocols such as Profibus, OPC, MODBUS, etc. Some newer equipment is embedding technology that allows it to communicate with the outside world through IT protocols such as MQTT.

At the edge, gateways are typically used to integrate with the existing systems and equipment and are also becoming more capable of running edge analytics, applying rules, and even storing data locally to support operations at the edge. It is quite possible that the edge will completely handle an interaction with equipment with no involvement of the plant or enterprise layers. In other cases, the information from the edge will flow up through the plant or to the enterprise where plant and enterprise analytics will be performed in a similar way. The edge and plant need to be able to operate as a stand-alone unit from the enterprise, so some capabilities of the platform need to be in both the plant and the enterprise.

Information from intelligent devices and production machines can be communicated up through the layers (with appropriate filtering and aggregation along the way). It is also possible for information from the devices and machines to be communicated directly to the plant or enterprise layers, assuming the devices and machines have that capability (for example, through embedded technology).

The steps involved in this example are as follows:

1. Information is collected from the equipment and tools initially by programmable controllers connected to the equipment through proprietary equipment interfaces. The controllers in this example have an embedded piece of software called deviceWISE (from Telit) that can be configured to pass controller and device data to the upper layers of the architecture via standard IT protocols like MQTT and MQ (or via JDBC writes to a database) periodically, or based on conditions. The information can also be transformed (mediated) as needed before it is passed on. The same component, deviceWISE, is used for the same purpose within the Cisco Edge (IoT Gateway) device.

2. Analytics are performed on the outbound information in the OT/IT hub, which in this example is realized by a Cisco Edge device that is embedded with IBM Edge Analytics Agent (part of the IBM IoT Gateway). Depending on the result of the Edge Analytics, command data is sent back down to the equipment. This is the reverse of the flow into the edge and uses the DS broker and deviceWISE to issue the command and transform it into the specific protocol and data needed by the equipment, in the case of the Image Processor or RFID attached equipment, or the controller, in the case of equipment and tools managed by the Fanuc or Omron.

3. The DS Broker component of the Cisco Edge controller forwards events, based on configuration, to the Plant Service Bus, which, in this example, is the IBM Watson IoT Platform running on Bluemix. In some cases, where plant data is not allowed to leave the premises for example, the Plant Service Bus might instead be realized by the IBM Integration Bus (IIB) Manufacturing Pack with the IBM IoT Platform running in the cloud at the enterprise level.

4. Operational data is collected at the plant level (after normalizing and cleansing) to support plant-level analytics as part of the shop floor analytics loop. An information model, based on the ISA-95 industry standard, is used to support the analytics and is also used for dashboards and reporting.

5. Within the Plant Service Bus, analytics and rules determine the required actions for this event. Required actions can include feedback, but can also include triggering actions represented in a workflow. This could be simple analytics such as threshold monitoring or trending, but it could also be model-based analytics, looking at the performance of a production device, a tool, a work cell, or a production process (depending on where we are in the architecture). In this example, the analytics component of the IBM IoT Platform is used for this purpose. In other situations, IBM products/offerings such as Predictive Maintenance, Predictive Quality, Plant Performance Analytics, or SPSS might also be used.

6. If warranted (based on configuration and applied analytics/rules), a plant-level workflow is triggered. This workflow is composed to use Plant IT System of Record (SoR) services in combination with platform services. The services here could correspond to a Manufacturing Execution System or Enterprise Asset Management system. They could also be platform-provided services (e.g., Watson). The workflow is implemented, in this example, as an IBM Integration Bus flow.

7. Based on the result of the analytics and rules, or the workflow (if executed), information may flow back to the Edge and Production Equipment, which results in dynamic reconfiguration of the manufacturing process.

IoT Development

For many organizations, building an IoT solution is new territory. Frequently, these systems involve mobile devices, multiple external data streams, and third-party APIs. Whether your business has expertise in these areas or is just starting out, IBM Bluemix offers an efficient way to begin building IoT applications—from minimum viable product to full functionality. The combination of composable services, templates for quick start on IoT and mobile development, including cognitive solutions, powerful data management and data science tools support the range of development activities across the IoT architecture.

Deployment Considerations

Deciding which elements of an IoT solution belong on a specific cloud service type—hybrid, public, private/dedicated, or on-premises (local)—is an important decision. Clearly defined requirements related to data sovereignty, regulatory compliance, scalability, availability, and usage peaks are imperative to the decision-making process. The sheer amount of data associated with live data streams from manufacturing sensors or consumer devices means that all aspects of messaging, connectivity, and data management are of the utmost importance.

Once an organization has defined functional and non-functional requirements for their solution, they can model their capacity and performance requirements, analyze existing enterprise systems and infrastructure, and review compliance and risk exposure to come up with their workload assessment. IBM offers workload affinity engagements to assist customers in deciding what cloud service type is best suited to their needs. Established businesses with strict compliance needs frequently choose a hybrid cloud adoption path. The following section discusses the most important areas to consider when deploying an IoT solution.

Cloud infrastructure and services offer tremendous flexibility because they don’t have to focus as heavily on how components are physically connected. Even though scalability and elasticity are inherent in cloud and reduce the need for exact capacity and resource forecasts, advanced planning is still important. This planning gives organizations a reasonable expectation of operating expenses and sets up the necessary monitoring and automation to deliver the best service at the best cost. IBM cloud service offerings include tools and engagements that help decide where to place specific workloads, such as CloudMatrix brokerage, as well as the means to monitor and manage day-to-day operations and billing.

This section offers guidance for how to provision data and computing resources using the IBM cloud platform and cloud services.

IBM offers a variety of APIs, data transformation, and storage options as cloud services. All offerings provide the necessary scalability and elasticity to meet the data throughput and transactional loads associated with IoT. These include:

• IBM Bluemix

• Cleversafe Object Storage

• DataPower

These offerings also function in a hybrid architecture, allowing the enterprise to leverage existing investments and knowledge.

Common Criteria for Cloud Environments

While no single cloud environment optimizes all these criteria, defining the most important ones for your customers will go a long way towards ensuring user satisfaction and meeting your budget. Visibility into services is the key to managing satisfaction and cost. IBM Bluemix provides a single interface to manage platform and infrastructure services and billing.

Specific criteria to consider include:

• Scalability and elasticity

• Data bandwidth

• Data sovereignty

• Resilience

• CPU and computation

• Data volume

• Security

• Optimized provisioning

Scalability and elasticity

Elasticity is the ability for a cloud solution to provision and de-provision computing resources on demand as workloads change. Public clouds have a distinct advantage since they generally have larger pools of resources available. You also benefit by only paying for what you use. Private clouds and dedicated hardware can make up some of the difference with higher bandwidth data paths.

IBM Bluemix Infrastructure as a Service allows the creation of a dedicated, private cloud that is based on bare metal and can burst into public cloud as needed. This option allows the architect to design an IoT solution that takes advantage of the best functionality of dedicated and public services. IBM Blue Box is another infrastructure option for a managed OpenStack in the cloud.

Data bandwidth

Public and private clouds need to be optimized for big data. Large cloud data sets requiring fast access benefit from processing components with fast and efficient data access. In many cases, this means moving the processing to the data, or vice versa. Cloud systems can effectively hide the physical location of data and processing. Tuning activities can be carried out continuously with minimal impact on deployed applications. The elasticity of APIs and connectivity services is also key. IBM offers a range of solutions for moving and managing data sets, particularly unstructured data.

Data sovereignty

The physical location where data is stored may be regulated, with regulations varying from country to country. This is particularly the case for personally identifiable information and for sensitive data such as health data and financial records. The European Union has particularly stringent regulations that apply to the PII of European citizens. As a result, any IoT cloud system must account for data sovereignty rules and store and process data only in those locations permitted by the regulations. This requires the provider cloud to provide the cloud service customer with control over storage and processing locations. IBM Bluemix PaaS and IaaS have data centers in 40 locations, satisfying EU and other data sovereignty regulations.

CPU and computation

The availability of inexpensive commodity processors means that public, private, and hybrid cloud server farms are typically highly scalable. Modern development environments using Hadoop, Spark, and Jupyter (iPython) take advantage of these massively parallel systems. Streams and high-speed analytics are an emerging area where cloud applications use more powerful processor pools to enable real-time, in-motion data solutions.

Dedicated hardware allows for faster development and testing prior to migration towards hybrid and public environments. IBM offers multiple, fully managed and customer managed options in support of big data and analytics.

Data volume

In IoT systems, the data volume can exceed a threshold at which the traditional analytic toolsets and approaches may no longer scale to meet performance requirements. So careful planning to store data in public cloud or private cloud or traditional data center is very important. Data streaming in cases of weather or maps that use GPS may result in huge data sets for analysis. Also, all data loses relevance over time. Data retention requires a little experimentation, unless specifically governed by regulatory or other policies. Public clouds offer the flexibility to store varying amounts of data with no advance provisioning. In-house cloud storage solutions can offer long-term storage cost advantages when volume is predicted in advance.

Security

As more data about people, financial transactions, and operational decisions is collected, refined, and stored, the challenges related to information governance and security increase. The data privacy and identity management of devices and individuals is very important for cloud computing. The cloud generally allows for faster deployment of new compliance and monitoring tools that encourage agile policy and compliance frameworks.

Cloud data hubs can be a good option by acting as focal points for data assembly and distribution. Tools that monitor activity and data access can actually make cloud systems more secure than stand-alone systems. Hybrid systems offer unique application governance features: Software can be centrally maintained in a distributed environment with data stored in-house to meet jurisdictional policies.

Optimized provisioning

Optimized cloud provisioning can help you select the right product family for a given set of usage criteria. IBM Cloud Brokerage can help automate provisioning based on automated assessment based on an organization's strategy and policies.

Hybrid cloud and IoT

Similar to data-intensive solutions in e-commerce, the enterprise moving to IoT environments frequently needs to combine public cloud, private cloud, and on-premises components to create a hybrid cloud. See the CSCC Practical Guide to Hybrid Cloud Computing [6] for more information about hybrid cloud planning, governance, and operations. The IBM Cloud point of view is to offer choice with consistency, giving you the ability to:

• Extend an existing investment via a range of cloud services

• Position environments in public, dedicated, or local spaces as needed to satisfy regulatory or security requirements

• Gain elasticity by leveraging off-premises systems that are a mirror to on-premises, all while keeping visibility across the entire architecture.

IBM hybrid offerings include:

• IBM Bluemix PaaS

• Cleversafe Object Storage

• Blue Box – OpenStack as a managed service

• IBM WebSphere Commerce

• DataPower

Businesses implementing hybrid cloud solutions are looking for flexibility and agility in delivering new capabilities. Efficiency in process and data collection are often the drivers of these initiatives. The broad availability of embedded sensors and cellular, WiFi or network connectivity of devices supports the expansion of IoT. Because of the need to combine multiple data sets to serve a variety of user personas, IoT solutions for B2B and B2C are frequently the entry point for hybrid cloud adoption.

The following example illustrates the new business models and approaches possible when adopting hybrid cloud deployment for IoT systems.

IoT for connected cars - The IoT solution for connected cars is a real-time event detection and management system designed to securely detect, analyze, and handle events generated by connected cars. Some of the information with historic and maintenance data for the car manufacturer will stay in the dedicated private cloud or in their traditional data centers while other generic information and their integration with third-party cloud services may stay in public cloud. Connected cars need real-time information about weather, traffic, and map data which comes from peer cloud services. For the data privacy and sovereignty requirements, data with personal information about customers may reside in on-premises data centers in specific countries. Only with the use of hybrid cloud can all these specific needs be handled.

Summary of Key Considerations

The architect of a consumer-centric, business focused or industrial IoT solution must navigate a complex set of concerns. Among these concerns, the architect must consider end-to-end security, management of massive amounts of data, and ensuring that the velocity of data transfer and overall connectivity meets business requirements or contractual obligations. IoT solutions, with their combination of multiple device types integrating with multiple system types, also require the kind of adaptive operation supported by continuous deployment methods, cloud resilience, and elasticity.

Architects will be most successful when they keep these considerations in mind:

• Design to meet needs for rapid change and updates in connected devices and sensors

• Build monitoring and adaptive management into the system

• Design with data security and privacy requirements at the fore

• Ensure high performance across all components, with special attention to where the ingestion of real-time data streams occurs

• Plan system interfaces and services for the greatest flexibility

• Ensure future interoperability by choosing open standards-based components wherever possible

• Make data security a focal point across the architecture

Conclusion

This paper offers a deeper understanding of the CSCC Cloud Customer Reference Architecture for IoT and introduces key concepts for creating an efficient, scalable, secure IoT architecture and gives you guidance on how to integrate your on-premises and enterprise systems. To frame your specific solution compared to real-world experiences, this paper also offers practical guidance in the form of deployment options and use-case scenarios based on actual IBM customer implementations. As you can see, IBM products support the key capabilities required to realize and operationalize an IoT architecture. IBM provides first-class product support for IoT and the cloud architecture for customers.

Acknowledgements

Eric Libow, Gopal Indurkhya, Heather Kreger, Tim Hahn, Peter Niblett, Mike Edwards, Thomas S. (Scott) Wallace, Tejinder Luthra, Ramesh Menon, Karolyn Schalk, Elizabeth Koupman, Glenn Daly, Robert Flaherty, David Noller, and Plamen Kiradjiev

References

[1] Cloud Standards Customer Council, 2016, Cloud Customer Architecture for IoT

[2] The Industrial Internet Consortium’s Industrial Internet Security Framework (IISF) paper

[3] IBM IoT Security Point of View paper

[4] The Industrial Internet Consortium's Industrial Internet Reference Architecture IIRA paper

[5] How IBM leads in building big data analytics solutions in the cloud

[6] Cloud Standards Customer Council 2016, Practical Guide to Hybrid Cloud Computing