November 29th, 2013

Ending the IoT Protocol Wars

Ending the IoT Protocol WarsIt’s been a while since my last blog post – not least because I have been traveling quite a bit to run Layer 7’s European API workshops together with my colleague Ronnie Mitra. The workshops (part of Layer7′s outreach program via the apiacademy.co) are vendor-neutral and focused on sharing API design and management best practices.

To be honest, I probably learn as much during these workshops as the participants do. It has certainly been striking to watch how our material evolves throughout the workshops. We constantly keep adding and tweaking material, based on what we learn. In particular, I’m struck by the amount of changes my IoT section has been going through.

Here is what I have learned regarding IoT protocols: It’s a zoo out there, with lots of protocols trying to become the next HTTP. And some candidates deploy a formidable array of marketing, making it exceedingly hard to cut through the fog.

My current shortlist of main contenders is (in alphabetical order):

I might add STOMP to that list, just for its simple brilliance. STOMP is a text-based messaging protocol that has recently been extended to allow for binary content. Additionally, I’ve recently started talking with some transportation companies and learning about their use of DDS, which might be another candidate for the shortlist.

In the corner of residing champion, we have JSON/HTTP. Not content to see this protocol pushed into early retirement, advocates have been developing some very interesting approaches that attempt to ensure the continuing relevance of HTTP for asynchronous small messages – WebSocket being the most well-known. Hypercat, Simple Thing Protocol and EventedAPI represent just a small sample of the interesting approaches emerging to support async eventing and messaging with HTTP.

Where does this leave a developer trying to choose the right protocol for that awesome winged steam punk toaster? I don’t really have the answer but there are some documents trying to tease out the differences. Take a look at the MQTT vs. CoAP comparison from 1248.io or the DDS/AMQP/MQTT/JMS/REST comparison from DDS champion PrismTech.

Based on what I’ve learned so far, only XMPP and DDS have significant commercial deployments while MQTT is being evaluated by almost every major vendor I have talked to. While MQTT’s use as the protocol powering Facebook’s messenger is a good demonstration of its scalability, I don’t think this constitutes a proof point for mission-critical commercial deployments. If you know of commercial deployments of MQTT, I’d love to hear about them.

Each protocol has weaknesses: MQTT appears to be weak in security; DDS seems to be complex to scale and has version dependencies; XMPP is considered heavy-weight. But they all have strengths too, of course: DDS has the deployments in the field to prove its relevance; XMPP supports EXI and WebSocket for efficiency and a proven track record; both DDS and XMPP are extremely mature and have built-in security. Given the industry interest in MQTT, I am sure that whatever security problems exist will be fixed in one of the next versions. The one puzzling piece is the absence of CoAP in a commercial deployment. Again, if you know of one, please let me know.

Where do I stand on all of this? Having watched technologies rise and fall, I think it’s very normal at this stage to have multiple contenders trying to improve on HTTP. What I try to keep in mind though is that both bandwidth and computing power seem to be on an ever-increasing trajectory, while at the same time becoming cheaper and cheaper. Reduction in power consumption and increase in battery capacity, mostly driven through mobile, further lowers the bar for mainstream technology to power even small devices. I would not be surprised if, after the initial phase, we continue to see HTTP and JSON being dominant. As geeks, we sometimes get too excited about efficiency gains while losing sight of the fact that, for most products, technology simply needs to be good enough. But I won’t complain if I am proven wrong this time.

And don’t just take my word for any of this. To help you learn more, here are a couple of other articles reviewing IoT protocols:

November 13th, 2013

QCon San Francisco 2013

QCon 2013This Thursday, I’ll be at QCon San Francisco to lead the RESTful Web APIs tutorial. This will be the second time QCon has hosted the full-day workshop and I’m very much looking forward to it. Most of the material I’ve prepared for this workshop is based on the book of the same name by Leonard Richardson and myself. That book was released in September of this year and we’ve been getting very positive feedback on it.

Participants in the workshop will learn how to design a hypermedia type, how to implement servers that safely and consistently expose business functionality using hypermedia and how to build client applications that understand the hypermedia messages and can interact with servers to create enjoyable user experiences.

Along the way several key principles will be explored, including:

  • Why a hypermedia-based message model is better than a code-based object model
  • How Web servers can expose operations as stateless resources instead of as function calls
  • How client applications can recognize and use hypermedia workflow to create quality user experiences
  • Why the hypermedia approach makes it easier to make small changes on the server without breaking existing client applications

The full-day session will also cover important technical aspects of implementing distributed applications over the Web. We will focus on identifying and managing the boundaries between services in order to increase both security and stability over the lifetime of the service. Attendees will get a chance to use existing services as a guide when creating their own and will even get a chance to introduce changes on the backend to see how their client applications can adapt and continue to function.

I always enjoy these extended workshops because it gives everyone (even myself) a chance to write real-life code for real-life services. I spend quite a bit of my time lecturing and advocating for increased reliance on adaptable distributed systems and it’s a rewarding experience. However, it’s also very energizing to work with people in a hands-on atmosphere where everyone is focused on getting things up and running in a working environment.

Of course, there will be lots of fun in the day, too. We have trivia breaks, I offer some handy prizes and we have plenty of time to relax and get to know each other. Overall, these full-day, hands-on workshops represent one of my favorite ways to spend a day with smart, talented people. And I’m grateful to the folks at QCon who make it all possible.

So, if you’re in San Francisco this Thursday and don’t have anything pressing to do, come on over to QCon and join us. Bring your laptop loaded with your favorite Web coding tools and your thinking cap. We’ve got a place all ready for you.

November 7th, 2013

The Software-Defined Telco

Software Defined TelcoBack in 2011, Marc Andreessen famously stated that “software is eating the world” and predicted that – over the subsequent decade – almost every major industry would be disrupted and transformed by software and the innovations of Silicon Valley. Just over two years later, it’s pretty clear he was right on the money. In order to remain relevant, many industrial behemoths need to transform themselves and they are looking at the software revolution as a way to enable a fresh wave of innovation and development.

This revolution has never been more important to the telco world, where it must start at the very core of the organization. Every layer – from network, to infrastructure, to application – should be considered a service enabler, be defined in software and be driven by APIs. A new wave of thought leadership and investment around “network functions virtualization” (NFV) is acting as a catalyst for this transformation and telcos can finally start to eschew the limitations of legacy networks and allow operators to more easily keep pace with Silicon Valley.

Finally then, APIs and API platforms can regain their intended utility in the telecommunications sector, emerging from a meandering journey through failed open developer ecosystems and misguided monetization strategies. APIs are meant to be at the very core of product development, they are supposed to be the foundation of a product or service and not tacked on the side afterwards. APIs enable an architectural paradigm that is essential to the software-defined network and they provide a scalable, documented and secure way of integrating systems and clients.

Layer 7 will be presenting a vision for the future of APIs in the software-defined telco at the Telecom APIs event in London (Nov 11 – 13) and the Telecom Application Developer Summit in Bangkok (Nov 21 – 22).

November 5th, 2013

Thoughts on Trends in IoT & Mobile Security

Written by
 

IoT and Mobile SecurityRecently, I read an article about predicted growth in the Internet of Things (IoT). Extrapolating a previous estimation from Cisco, Morgan Stanley is predicting there will be 75 billion connected devices by 2020. This sort of math exercise is entertaining and has a real “wow” factor but the real question here is: What does this mean for consumers and enterprises?

In recent years, consumer electronics manufactures have started to see the usefulness of building Internet connectivity into their appliances. This enables the post-sales delivery of service upgrades and enhanced features. It also allows mobile apps to control home appliances remotely. This is nothing radical per se, a decade ago I observed a sauna in the Nokia Research Center’s lab being controlled by voice and WML. But this was still a simple one-off integration. As the number of device form factors increases, the complexity of integrating devices grows. The term “anytime, anywhere computing” is usually used to describe this scenario but it isn’t entirely adequate. As a consumer I don’t only want device-independent access to a service – I want the various devices and appliances to work with each other so that smarter interactions can be achieved.

Today, we already see a plethora of connected devices with more-or-less crude connectivity and integration options. Smartphones can sync and connect with tablets, TVs and laptops. Mostly, these are very basic integrations, such as your various devices “knowing” about the last page you read in an eBook, regardless of which device you used. But the number and complexity of these integrations will increase greatly in the coming years.

The Coming Age of Connectivity
One of the main reasons the iPhone revolutionized mobile computing was Apple’s focus on user experience. Since then, mobile vendors have battled to see who could provide the best experience within the device. The next battle will be over cross-device experiences within the broader ecosystem, as users roam from device to device. And in the battle, the big players will keep adding their own proprietary components (software and hardware). The sheer size of these ecosystems will make the opportunity large enough to attract even more mindshare. If you make money – who cares about proprietary protocols and connectors?

But how does this relate to IoT, you may ask – isn’t this just a subset of IoT’s promise? The answer is “yes” but that is how this revolution will work – closer to an evolution where the consumer-driven use cases will be implemented first. Yes, there are other enterprise use cases and we can see many protocols and frameworks that claim to address these requirements. In the end though, I believe most of these platforms will struggle with developer uptake as most of the developer mindshare is found in the big mobile ecosystems. As with mobile, the successful approaches will be the platforms that can offer developers familiar tools and a roadmap to revenue.

It’s clear the big players in mobile, like Samsung and Apple, see a huge opportunity in connected devices. As we move on, we will see more devices get included in each of the mobile ecosystems’ spheres. Increased integration between mobile devices and cars is already in the works. Similarly, among the many notable events at last week’s Samsung DevCon (an excellent show, by the way), several SDKs were launched with the aim of solving specific consumer needs around media consumption in the home. But the impact of increasing connectivity will go beyond these relatively well-understood use cases to encompass home automation, smart grid, healthcare and much more.

Alternative Authentication Methods for the Connected World
In this multi-device, multi-service world, conventional username/password login methods will not be convenient. Advances in the biometric space (such as Nymi or Apple Touch ID) will be relevant here. I suspect that, just as we have seen a bring-your-own-device trend grow in enterprise mobile, we will see a bring-your-own-authentication paradigm develop. As a larger set of authentication methods develops in the consumer space, enterprise IT systems will need to support these methods and often be required to adopt a multi-layered approach.

Ensuring Big Data Privacy in the Age of IoT
Another set of challenges will be created by the enormous amounts of data generated by IoT. Increasingly, connected devices are able to collect and transmit contextual data on users. This information can be highly useful for vendors and users alike. But what happens if data is used for purposes other than those first intended or agreed to? Who owns the raw data and the generated insights? And how is the rightful owner in control of this? Today, there is no general standard available nor are the mobile ecosystems providing adequate privacy protection. Sometimes one gets the feeling that users don’t care but they will probably start caring if and when data leakage starts to make an impact on their wallets.

Meanwhile, Layer 7 will continue to innovate and work on solutions that address the challenges created by IoT, multi-device authentication and Big Data. Oh and by the way, I believe Morgan Stanley underestimated the number, I think it will be double that. You heard it here first…