August 8th, 2014

Notes from the W3C Workshop on the Web of Things

W3C LogoAt the end of June, I had the opportunity to attend the W3C Workshop on the Web of Things, in Berlin. I saw some fascinating presentations and had some equally engaging one-to-one conversations. This was a great opportunity to learn about some new innovations around connected devices and the Internet of Things.

In particular, I was very intrigued by the WAMP Protocol, which I had not heard about before attending the workshop. I subsequently contacted Tobias Eberstein from Tavendo, who is one of the key maintainers of WAMP. We had a very interesting conversation about some of WAMP’s unique concepts, which I will talk about more in a future blog post.

In the meantime, here is a quick summary of my notes from the presentations I attended and the conversations I had at the workshop. If you would like to get more information on any of the emerging technologies outlined below, you can view some of the workshop presentations here and here.

Siemens Smart Grid
Siemens has chosen to use the XMPP messaging protocol as the standard for its smart grid technology. XMPP is being used because IoT, like online messaging, is based on distributed collaboration, in real-time, spanning multiple domains. In this sense, IoT is fundamentally closer to social media than it is to SOA-style Web services.

Siemens Connected Car Authentication
Siemens also presented an IoT authentication method, using the connected car as its real-world example. In this method, security concerns are separated between a Web API server and the car’s backend server. Client apps communicate with the car indirectly, via the API server. Sensitive vehicle data cannot be accessed directly via the API server.

EXI for Long-Lived Connected Things
Waste could be a serious problem in IoT. With billions of connected devices, we can’t afford to have anything becoming obsolete too quickly – ideally any given device should last at least five years. The Efficient XML Interchange (EXI) format addresses this by using XML schema to enable binary coding for extensible message formats.

Echonet Lite for Client-Side Energy Demand Management
The Echnonet Lite protocol allows smart meters to communicate with home appliances, enabling smart home energy management. Echnonet Lite is UDP-based and has more than 80 device models defined. It is already widely used in Japan and is starting to gain significant traction outside the Asia-Pacific region.

Sony Web API Server
Sony is working on a Web API server for the Android platform, using the previously-mentioned WAMP protocol. WAMP, which is essentially a sub-protocol of WebSocket, combines RPC-style and SubPub semantics.

IBM NodeRED
IBM’s NodeRED is an integrated development and runtime environment based on node.js. In the NodeRED environment, it is possible to design integration flows without resorting to code, by graphically snapping together components. NodeRed also allows the use of JavaScript to act on or transform data in flows.

August 1st, 2014

Balancing Security & Developer Enablement in Enterprise Mobility: Gartner Catalyst 2014

Gartner Catalyst San Diego 2014It’s that time of year again… time for another beautiful late-summer Gartner Catalyst conference in America’s Finest City: San Diego. Aside from being my hometown, the reason San Diego is so great is that it has balance. The warm sun is balanced by the cool ocean breeze, the strong business climate is balanced by the laid-back surf culture and the delicious fish tacos are balanced by a cold Corona. Balance makes everything better. Maintaining this balance is just as important when you’re talking about mobile strategy for your enterprise; that’s why I’ll be presenting a talk titled Balancing Security & Developer Enablement in Enterprise Mobility at Catalyst.

Enterprise IT security departments have always had a somewhat adversarial relationship with application developers, even when the applications ran entirely within the intranet. Now that internal data and applications are being exposed to employees, partners and customers through a whole new breed of mobile apps, these teams could potentially clash even more often. Security architects are more concerned than ever about core principles and security standards while developers are more focused than ever on providing incredible user experience rather than worrying about internal restrictions.

I’ll be discussing how these two groups – enterprise and security architects on one side and mobile app developers on the other – can accomplish the same goals. CA’s Layer 7 API Management solutions enable the enterprise to enforce the latest security specifications to the letter, protecting against malicious (or even accidental) threats to critical systems. But at the same time, they enable mobile app developers to very quickly consume the appropriate data through secure APIs, without having to implement the client side of those cutting-edge security standards. Stop by my talk on August 12 at 12:45pm to get the details or come by the Layer 7 booth (#113) to talk in more depth about how we can bring balance to your workplace.

 

July 17th, 2014

API360 Summit – Washington, DC

API360Since the API Academy was founded two years ago, we have had the pleasure of helping numerous organizations and industry leaders succeed with their API programs. Through this experience, we have learned at least as much as we have taught – and we recognize that continuing this collaboration is vital to furthering the field of API strategy and design. Also in this time, we have observed a growing recognition that a holistic approach to APIs is needed in order to achieve maximum benefit.

With all of this in mind, we are pleased to announce our API360 Summit series. These complimentary one-day summits will bring together industry leaders to examine APIs from every possible perspective: business and innovation; architecture and design; applications and trends. Most importantly, these events will provide attendees with up-to-date, actionable information they can start using as soon as they walk out the door at the end of the day.

Our first API360 Summit will take place on September 12 at the Newseum in Washington, DC. We will be featuring a range of speakers with first-hand experience of how APIs are impacting organizations across the public and private sectors. There will also be panel sessions examining pertinent topics like using APIs in open government and exposing APIs to external developers. And there will be plenty of opportunities for interaction and discussion.

For more information and free registration please visit the API360 site.

July 15th, 2014

Beyond the CMS

NPR BuildingOn April 22, 2011, I was in Washington, DC, preparing to start my new job at NPR. At that point in my life, this was pretty much my dream job, so I was very excited and a little nervous. I did a lot of thinking that night and the conclusions I came to eventually became the basis of NPR’s technology strategy. I recently had a chance to share my thoughts from that night as part of a talk at the Integrated Media Association’s iMA 2014 conference. Here are the edited highlights.

The basic premise I started from was that all content management systems are fundamentally broken. This may sound a little harsh but I feel able to say it because I’m part of the problem – I’ve built content management systems for organizations across the public and private sectors, so I’m pretty well placed to tell you that no available CMS platform is architected for what publishers – particularly news outlets – truly need.

Most content management systems were designed years ago, for a much simpler world. We now live in an incredibly fragmented and complex world. Any piece of content tends to be sourced from a variety of places and published across a range of old and new media channels. Throughout this complex process, everything has to work seamlessly. The margin for error during breaking news or major events is pretty much zero.

In this context, what do publishers actually need from a CMS? They need:

  • An easy way to connect with many news sources
  • The ability to push content across a variety of channels
  • Guaranteed availability and scalability

So, how do we build a CMS that actually addresses these needs? To my mind, the solution has three key components. First and foremost, the whole architectural approach must be based on APIs. Second, it must specifically use hypermedia APIs and finally, the APIs must be what I’ve been calling “linked APIs”.

1. APIs First
APIs represent the only universal way to connect anything on the Web to any other online thing. Unfortunately, since we started the Web in a desktop-centric world, APIs were an afterthought. Historically, we used to build a Web site and then maybe also add an API, as a window into our content.

This is the wrong approach. Your Web site is just one of the destinations for your content. Increasingly, it’s not even the most important one, since mobile viewership is clearly on the rise. Don’t treat your Web site as special. All your content and functionality should be put into and delivered through APIs.

 2. Hypermedia
Publishers need things to just work. They don’t care about the technical details; they just can’t have their services go down at any time – so, scalability is paramount. And how do you ensure scalability? As I’ve pointed out before, the most scalable network ever created is the World Wide Web and the secret to the Web’s scalability is hypermedia.

Hypermedia is any type of content that not only carries data but also links to other documents. The hypermedia type that is most fundamental to the Web – and certainly the one we are most familiar with – is HTML. However, HTML was designed for human-centric Web sites, not for exchanging structured content via APIs.

There are, however, other hypermedia types that were designed for this very purpose. As a matter of fact, I was involved in the creation of a very robust one called Collection.Document, which was designed specifically for media organizations.

3. Linked APIs
Leveraging hypermedia as an integral part of interface design allows us to create “linked APIs”. Most current APIs are, at best, creating narrow windows into the solid walls of data silos. Even the most high-profile API will typically only provide access to a single corporate database. Hypermedia allows us to create links between these databases.

This will prove essential to the next generation of content management systems because linked APIs have the potential to give content publishers the freedom they want to seamlessly integrate content from diverse sources and push it across the full spectrum of online channels. As such, they could even come to represent the engine that drives press freedom into the coming decades. So, let’s get that engine cranking!

June 27th, 2014

Drones, Phones & Pwns:
The Promise (& Dangers) of IoT APIs

DroneEarlier this month, CA Layer 7 participated in yet another great conference – this time, it was QCon New York. As a three-time QCon attendee, I have always really appreciated the level of technical knowledge displayed by attendees. At this show, it’s rare that I have to explain the basics of APIs; most attendees are already using APIs in some form or another. And even though many of them are very hands-on developers, they are savvy enough to realize when it is and isn’t appropriate to “build it yourself.”

Many of my conversations began with, “We’re exposing APIs but we don’t have a good way to manage our developer community.” Even more interesting were the ones which began, “We built our own API Management layer but it doesn’t…” There was a wide array of endings to that sentence, including “scale well,” “provide any real security” and “help our developers build applications quickly.” Security was an especially common theme as these folks are smart enough to realize they are not primarily experts at implementing OAuth-based access control or protecting APIs against structural or content-based threats. They’d rather let Layer 7 worry about the implementation and simply configure which options are relevant to their applications. And, of course, many examples of app hacks, data breaches and identity theft are in the news these days; nobody wants their company to be the next victim.

Aside from being a common theme in discussions at the show, maintaining security and privacy in an increasingly interconnected world was the theme of my talk, titled Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs. In the first half, I discussed the recent transition of drones from military/intelligence use cases to commercial/personal use and talked about some of the cool technologies already being enabled by these and other data-gathering “things”, such as our phones. I used personal examples to show how my life and the lives of many others are made more pleasant and efficient by this connectivity and data aggregation. After delving into the broad range of use cases made possible by the Internet of Things, it was time to take a look at the other side of the coin.

The second half of my presentation was about the darker side of all the personal data flowing around the Internet and the leaking/sharing/exposure that happens with or without our awareness. I tried not to mention obscure exploits that are unlikely to ever be used; instead, I used real-world examples of glaring privacy holes in devices and apps that we use every day. Rather than simply fear mongering, I tried to make a point about the trust that people – myself included – place in the companies and entities around them. And I followed up those bits with some advice about what we can do to make our future a little less frightening.

The reaction to my presentation was pretty surprising. Even amongst a very technical audience, I still had people approaching me all day afterward, explaining that I had scared them so much they weren’t ever going to look at their phone/car/gaming console/app the same way again. For those that were already familiar with some of the examples I had given, it provided a great conversation starter about security and what sort of cultural shifts will be required to alleviate some of the more pervasive issues.

These are the types of conversations we like to have with our customers – realistic assessments of the risks and challenges encountered by enterprises opening their data and applications to customers, partners and employees, followed by specific discussion of solutions. Considering the interest our customers are showing in these discussions, we’ve decided to do an encore presentation of my conference talk for a larger audience. I’m excited to announce the Layer 7 webinar Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs will be held on July 23 at 9am Pacific Time. Registration is now open.

Sign up for the webinar >>