The IBM Advantage for Implementing the CSCC Cloud Customer ... · CSCC Cloud Customer Reference Architecture for Internet of Things (IoT) Introduc)on This paper describes how you

TheIBMAdvantageforImplementingtheCSCCCloudCustomerReferenceArchitectureforInternetofThings(IoT)

Introduc)on

ThispaperdescribeshowyoucanuseIBMproductsandservicestosupportthebestpracticesforarchitectingInternetofThings(IoT)solutionsprovidedintheCloudCustomer

Introduction 1..................................................................................................................................................................FunctionalRequirements 3.......................................................................................................................................Non-functionalRequirements 3..............................................................................................................................CloudCustomerReferenceArchitectureforIoT 4...........................................................................................ComponentsofaCloudRAforIoT 6......................................................................................................................UserLayer 7........................................................................................................................................................ProximityNetwork 7...............................................................................................................................................PublicNetwork 9.......................................................................................................................................................ProviderCloud 11.....................................................................................................................................................EnterpriseNetwork 16...........................................................................................................................................Security 17...................................................................................................................................................................IoTGovernance 20....................................................................................................................................................

TheCompletePicture 21............................................................................................................................................IBMProductSupportforIoTSolutionsusingCloudSolutions 22.......................................................

Scenarios 23.....................................................................................................................................................................Scenario1.SmartHomesInsuranceScenario 23........................................................................................Scenario2.ConnectedCareAnalytics 25........................................................................................................Scenario3.SmartHomeConnectedApplianceScenario 28..................................................................Scenario4.Real-timeMotorMonitoring 30..................................................................................................Scenario5.Industrie4.0/IndustrialIoT 32...................................................................................................

IoTDevelopment 34.....................................................................................................................................................DeploymentConsiderations 34...............................................................................................................................CommonCriteriaforCloudEnvironments 35..............................................................................................HybridcloudandIoT 37........................................................................................................................................

SummaryofKeyConsiderations 38.......................................................................................................................Conclusion 39..................................................................................................................................................................Acknowledgements 39................................................................................................................................................References 39..................................................................................................................................................................

http://www.cloud-council.org/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf

ArchitectureforIoT[1]publishedbytheCloudStandardsCustomerCouncil(CSCC).

YoucanusethearchitecturalcomponentsdescribedintheCSCCpapertobuildIoTsolutionsusingcloudcomputingcomponents.ThesecomponentscanbemappedtoarangeofIoTdevicesanddistributedIoTsystemsappropriatetothenatureofthephysicalentitiesmonitoredandcontrolledbythesystem.WealsoincluderecommendationsforusingIBMproductsandservicestodeployandmanageIoTsystemsthatalignwiththearchitecturede_inedintheCSCCpaper.

BeforewelookattheactualarchitectureforanIoTsolution,let’stakealookatsomeofthefactorsthataredrivingtheneedformoreIoTsolutions.

FourkeytechnologyshiftsaredrivingtheneedforIoTsystems.Theseshiftsare:• Availabilityofmore,lessexpensiveandwidelyinstallableIoTdevices• Advancedanalytics,whichcanderiveactionableinsightsfrommassesofdevicedata• Cloudcomputingasagrowthengineforbusiness• Newwaysforbusinessestoengagewithcustomers

GrowthopportunitiesprovidedbyIoTandinsightfromIoTdataacrosstheenterprisecangivecompaniesinanyindustryacompetitiveadvantage.IoThelpscompaniesrealizegreaterinnovation,moreeffectiveoperations,andincreasedcustomerandemployeeengagement.

Innovation• UsedirectfeedbackfromproductsinstrumentedwithIoTsensorstodriven

innovationinproductdevelopment• ApplyIBM'sstrengthinadvancedanalyticsandcognitiveinsightstodrivenew

businessopportunitiesfromreal-worldmeasurements• Bemorecompetitivethroughbetterbusinessengagementbyincorporating

cognitiveinsights,weather,analytics,security,anddatastreamingcapabilitiesintosolutions

• Gaincompetitiveadvantageovercompetitorsbybeing_irsttomarketusingtechniquessuchascognitivepersonalizationofconnectedproducts

• Employremotemonitoringofequipmentinthe_ieldtochangeserviceandsupportfrombeingreactivetobeingproactive-enablingnewbusinessmodelsofsellingequipmentasaservice

Operations• Enhanceoperationsbyapplyingreal-timeresponsivenesstooptimizeasset

productivityandincreaseoperationalef_iciency• UseIoTdataandcognitiveinsightstooptimizetheuseofresources(worker,energy,

expertise)• Providesaferworkenvironments;byconnectingsensorsinworkenviromentsand

onworkerstodetectandaddresshazardousconditions• Transform automotive industries by gathering data from vehicle sensors, combine

this data with other data sources for real-time analysis, and provide actionable insights for bothdriversandforserviceandsupport

• Improvecollaborationacrossoperations,maintenance,reliability,andengineering,supportingandcontributingtooperationalexcellence

• Enableorganizationstogetbetterinsightsfromtheirassetstoensureperformanceandimproveassociatedprocessestothoseassetstosense,communicate,andself-diagnoseissuesofintelligentassetsandequipmentsotheycanoptimizetheir


performanceandreduceunnecessarydowntime

Customerandemployeeengagement• Provideequipmentmanufacturerstheopportunitytoengageandform

relationshipswiththeenduserbyinstrumentingequipment,creatingabusinessmodelthatdrivesconsumerengagementandlowers_ieldservicecosts

• Allowinsurerstoprovidemorevaluetopolicyholdersbyofferingproactiveprotectionoftheirassetswithnoti_icationsofpotentialproblems,reducingclaims,managingrisk,andimprovingcustomersatisfaction,embracingthefuturewithintelligenthome,auto,business

• Digitizetheretailstoreexperiencetoyielddetailedinformationandanalyticsaboutcustomervisits,includingdemographicsandconversionsforoptimizedchanneldistribution,inventory,andcampaigns

Func)onalRequirements• Easy-to-use,secureapplications• AbilitytoaddnewIoTdevicestothesystemwithminimaleffort• Useropt-intosharepersonalinformationincludinglocation• Smarthomesequippedwiththenetworkofsensors,interconnecteddevices,and

gateways• CloudIoTplatformwithrobustdevicemanagement,dataidentityservices,and

analytics• Enterprisenetwork,containingexistingenterpriseapplications,services,anddata• Systemshouldprovideoperationalalertandnoti_icationsupportformedical

devices• Deviceregistrationanduserauthenticationtoprovideauthenticationservicesthat

directlybindanidentity(forexample,user,mobiledevice,vehicle,application)toitsdigitalidentity

• Reportingandanalyticscapabilitiestocreatekeyperformanceindicators(forexample,dashboards,graphs,andchartstoviewrisk,compliance,andauditmetricsbyavarietyofparameters,analytictoolswithissuetracking,andreportingfunctionalitywithgraphicaldashboards)

• Real-timealertsformaintenanceandsecuritymonitoring• Plug-and-playinteroperabilitybetweenIoTdeviceswiththeadoptionofopen

standards• Straightforwardintegrationwithrelateddatafeedssuchasweatherinformation

Non-func)onalRequirementsTocreateaneffectiveIoTsystem,youmustaccountfornon-functionalrequirementslikesecurityandriskmanagement,scalability,RAS,andmobilesupport.

Securityandriskmanagement[2][3]• Ensureprotectionofpersonaldata• Protectionoftheenvironmentcommunicatingwiththedevice;networksneedtobe

protectedtopreventhackersfrom_indingawaytointerceptnetwork• Supportforauthentication(device,system/application,anduser),authorization,

auditing,administration,encryption/decryption,dataintegrity,andkeymanagement,andmanagingidentityandcryptographickeyinformation

• Alldevicesintheenvironmentmustbemanagedandmaintained,anddevices,gateways,routers,andotherinfrastructuremustberegularlyupdatedtoapplyall

http://www.iiconsortium.org/IISF.htm

http://ibm.co/iotsecurity-POV2

securitypatchesand_ixes• Abilitytodetect,respond,resist,andrecoverfromattacks• Transactionalintegrityforprocurement,purchase,andsupply-chainprocesses,

includingmanufacturinganddelivery;preventintroductionofincorrectdataorprogramcodes;ensurethephysicalsecurityoftheproductionenvironmentwheredevicesandsystemsaremanufactured

Safety• ForIoTsystemsthathaveactuatorsoperatingonreal-worldthings,safetyisa

primaryconsiderationandsystemsmustbedesignedtofailsafeandtoensurethesafetyofhumansandequipment

ScalabilityThenumberofconcurrentdevicesandusersconnectingtotheIoTplatformmustbescalable.Thesolutionplatformmustscaletosupportthenextgenerationofdevicesandtoanticipateanewergenerationofconnecteddevicesthatwillfurnishhigherresolutionofdatastreams

Reliability,availability,andserviceability(RAS)HighavailabilityandresiliencyofcloudIoTinfrastructureandenterpriseenvironments

MobilesupportTheIoTdevicemustprovideagatewaytoenablemobilecomputingdevicessuchasmobilephonesandtabletstoserveasgatewaystothecloud-basedanalyticsplatform.Clearlydifferentiatebetweenamobiledevicethat’sactingasanIoTorgatewaydevicefromonethat’ssimplyauserinterfaceprovider(userinput/outputdevice)inanIoTsolution.

CloudCustomerReferenceArchitectureforIoT

Figure1showstheelementsthatmaybeneededforanyIoTsolution.

� Figure1.ElementsofIoTsystems

IBMoffersasolutionformostelementsshownabove,otherthandevicesandIoTgatewaysintheproximitylayer.Arangeofdevicesisavailable,eachsuitedtoaparticularIoTusecase.IBMsolutionsareabletoconnecttothesedevicestobuildtheoverallsystem.

TheIBMWatsonIoT™platformdeliversanumberofthecapabilitiesintheprovidercloud,includingthedeviceregistry,deviceidentityservice,anddevicemanagement.IBMWatsonIoTincombinationwithIBMBluemix®providesforAPImanagement,IoTtransformationandconnectivity,andnecessaryservices,plusthemeansofprovidingapplicationlogic.WatsonIoTgoesfurtherandsuppliesservicesforanalytics,visualization,andprocessmanagement.Alsoavailablearetransformationandconnectivitycomponentsthatconnectfromtheprovider’scloudsystemtoexistingenterprisenetworkassetssuchasenterprisedatastoresandexistingenterpriseapplications.

Myriadanalyticscapabilitiesareavailable,includingApacheSpark,SPSS®predictiveanalytics,Watson(cognitive)APIs,IBMWatsonIoT™PlatformAnalyticsReal-TimeInsights,BigInsights®forApacheHadoopservice,GeospatialAnalyticsservice,andtheStreamingAnalyticsservice.Thetransformationandconnectivitycomponentsconnectfromtheprovidercloudsystemstoexistingenterprisenetworkassets,suchasenterprisedatastoresandexistingenterpriseapplications.

IBMprebuiltSaaSapplicationscanaddressspeci_icoperationalorbusinesscapabilitiesusedwithmanytypesofIoTsystemsorsensors,including:

• Facilitiesandrealestateoptimization(TRIRIGA®)• Enterpriseassetmanagement(Maximo®)• Predictivemaintenanceandquality(IBMPMQ)• Continuousengineering(Rational®suite)

Aseriesofsecurityservicesareavailable,includingIBMSingleSign-On,IBMSecurityAccessManager,IBMSecurityDirectoryServer(IDandaccessmanagement),QRadar®(monitoring),IBMSecurityAppScan(testing),andIBMSecureKeyLifecycleManager(keymanagement).Forthedevelopmentlifecycle:IBMDevOpsServices,IBMcontinuousengineering(CE),IBMUrbanCode®,andmore.IBMalsohasofferingsintermsofpeercloudservicesthatcanbeusedbyIoTsystems–notablytheWeatherChannelservice,whichcanprovidestreamsofrelevantweatherinformation,oftenvitalwhendealingwithphysicalentities.

ComputationandstorageforIoTcanbedoneinmanyplaces–device,gateway,cloudordatacenter-hostedenvironments.Typicalcommunications_lowisoftenviadevice/gateway,to/fromcloudandcanalsooccurbetweenpeersystems(devices)and/orgateways.

ComponentsofaCloudRAforIoTFigure2showsthecapabilitiesandrelationshipsforsupportingIoTusingcloudcomputing.

�

Figure2.CloudcomponentsforIoT

ThecloudcomponentsofanIoTarchitecturearepositionedwithinathree-tierarchitecturepatterncomprisingedge,platform,andenterprisetiers,asdescribedintheIndustrialInternetConsortiumReferenceArchitecture[4].

Theedgetierincludesproximityandpublicnetworkswheredataiscollectedfromdevicesandtransmittedtodevices.Data_lowsthroughtheIoTgatewayoroptionallydirectlytoor

http://www.iiconsortium.org/IIRA.htm

fromthedevicethenthroughedgeservicesintothecloudproviderviaIoTtransformationandconnectivity.

Theplatformtieristheprovidercloud,whichreceives,processes,andanalyzesdata_lowsbothin_lightandatrestfromtheedgetierandprovidesAPImanagementandvisualization.Italsoprovidesthecapabilitytoinitiatecontrolcommandsfromtheenterprisenetworktothepublicnetwork.

Theenterprisetierisrepresentedbytheenterprisenetworkandincludesenterprisedata,anenterpriseuserdirectory,andenterpriseapplications.Thedata_lowtoandfromtheenterprisenetworktakesplaceviaatransformationandconnectivitycomponent.Thedatacollectedfromstructuredandnon-structureddatasources,includingreal-timedatafromstreamcomputing,canbestoredintheenterprisedata.IoTsystemsneedapplicationlogicandcontrollogicinahierarchyoflocations,dependingonthetimescalesanddatasetsthatareneededtoinformdecisions.Somecodemayexecutedirectlyinthedevicesattheveryedgeofthenetworkor,alternatively,intheIoTgatewaysclosetothedevices.Othercodeexecutescentrallyintheprovidercloudservicesorintheenterprisenetwork.

WhencodeexecutesintheIoTgatewaysorthedevices,it’ssometimesreferredtoas“edgecomputing.”It’salsosometimesreferredtoas“fogcomputing”tocontrastwithcentralized“cloudcomputing.”Sometimesfogcomputingcancontainoneormorelayersbelowthecloudthateachcouldpotentiallyprovidecapabilitiesforavarietyofserviceslikeanalytics.Thisdesignallowsfor_lexibilityinhowconnectivityandservicesaredesignedforoptimizationandresiliency.

IoTgovernanceandsecuritysubsystemsspanallelementsofthearchitecturetoensurecontrolsandpoliciesforalldataandapplicationsarede_inedandenabledacrossthesystem.Complianceistrackedtoensurecontrolsaredeliveringtheexpectedresults.

Theremainderofthissectiondescribesthevariouscomponentsindetail.

UserLayerTherearetwotypesofusersinthislayer—theIoTuserandtheend-userapplication.

• IoTUser:TheIoTuserisapersonoranautomatedsystemthatmakesuseofend-userapplicationstoachieveagoal.TheIoTuserisoneofthemainbene_iciariesoftheIoTsolution.

• End-userApplication:Adomain-speci_icordevice-speci_icapplicationthatanIoTusermayuseonsmartphones,tablets,PCsor on specialized IoT devices, including control panels.

ProximityNetworkTheProximityNetworkismadeupofthephysicalentity,device,andIoTGateway.

PhysicalEn)tyThephysicalentityisthereal-worldobjectthatissubjecttosensormeasurementsandactuatorbehavior.Itisthe“thing”intheInternetofThings.Thisarchitecturedistinguishes

betweenthephysicalentitiesandtheITdevicesthatsensethemoractonthem.Forexample,thethingcanbetheocean,andthedeviceobservingitisawatertemperaturethermometer.Anotherexampleisadepotshippingparcels:Theparcelsarethephysicalentities,andtherearedeviceswithsensorsthatobserveandidentifyeachparcel(forexample,viaRFIDtagsorviabarcodereaders).TheRFIDtagreaderisonethingandtheparcelsaresomethingcompletelydifferent–theidentityoftheparcelisthephysicalentityhere.

DeviceContainssensor(s)oractuator(s)plusanetworkconnectionthatenablesinteractionwiththewiderIoTsystem.Therearecaseswherethedeviceisalsothephysicalentitybeingmonitoredbythesensors,suchasanaccelerometerinsideasmartphone.

Keycapabilitiesofadeviceinclude:

• Sensor/Actuator–Thesensorandactuatorsensesandactsonphysicalentities.Asensorisacomponentthatsensesormeasurescertaincharacteristicsoftherealworldandconvertsthemintoadigitalrepresentation.Anactuatorisacomponentthatacceptsadigitalcommandtoactonaphysicalentityinsomeway.

• Agent–Providesremotemanagementcapabilitiesforthedevice,supportingadevicemanagementprotocolthatcanbeusedbythedevicemanagementserviceorIoTmanagementsystem.

• Firmware–Softwarethatprovidescontrol,monitoring,anddatamanipulationofengineeredproductsandsystems.The_irmwarecontainedindevicessuchasconsumerelectronicsprovidesthelow-levelcontrolprogramforthedevices.

• Networkconnection–ProvidestheconnectionfromthedevicetotheIoTsystem.ThisisoftenalocalnetworkthatconnectsthedevicewithanIoTgateway–lowpowerandlowrangeinmanycasestoreducethepowerdemandsonthedevice.However,therearecaseswherethenetworkconnectionisdirecttothepublicnetworkandnoIoTgatewayisrequired.InIoTsystems,awiderangeofalternativecommunicationmechanismsareusedandincludelocalareanetworkingusinglow-power,low-rangemethods,suchasBluetooth,BluetoothLowEnergy(BTLE),andotherstoreducethepowerdemandsonthedevice.ItmayalsoincludelocalareanetworkingusingWiFi,orwideareanetworkingusing2G,3G,and4GLTE.

• Userinterface–Allowsuserstointeractwithapplications,agents,sensors,andactuators.Thiscomponentisoptionalsincesomedeviceshavenouserinterfaceandallinteractionstakeplacefromremoteapplicationsoverthenetwork).

IoTGateway

Thegatewayisameansforconnectingoneormoredevicestothepublicnetwork(typicallytheinternet).Becausethegatewayisessentiallyadecouplingelement,othercapabilitiesarealsoavailable.Often,deviceshavelimitednetworkconnectivityduetoanumberofreasons,includingthelimitationofpoweronthedevice,whichcanrestrictthedevicetousingalow-powerlocalnetwork.ThelocalnetworkenablesdevicestocommunicatewithalocalIoTgateway,whichisthenabletocommunicatewiththepublicnetwork.TheIoTgatewayoftenhasothercapabilities,includingtheabilityto_ilterandintelligentlyreacttodata,theabilitytosendandreceive

dataorcommandstoandfromtheinternet,andtheabilitytorunapplicationorservicelogiclocally(processingdataandexecutingcontrollogicwithouttheneedtocommunicatetoacentrallocation).Itcanalsoprovideoperationalef_iciencybyallowingmultipledevicestoshareacommonconnection.

Keycapabilitiesinthisdomaininclude:

• Applicationlogic-Providesdomain-speci_icorIoTsolution-speci_iclogicthatrunsontheIoTgateway.ForIoTsystemswithactuatorsthatactonphysicalentities,asigni_icantcapabilityoftheapplicationlogicistheprovisionofcontrollogic,whichmakesdecisionsonhowtheactuatorsshouldoperate,giveninputfromsensorsanddataofotherkinds,eitherheldlocallyorheldcentrally.

• Analytics-Providesanalyticscapabilitylocallyratherthanintheprovidercloud.

• Agent-AllowsmanagementoftheIoTgatewayitselfandcanalsoenablemanagementoftheattacheddevicesbyprovidingaconnectiontotheprovidercloudlayer'sdevicemanagementserviceviathedevicemanagementprotocol.

• Devicedatastore-Storesdatalocally.Devicesmaygeneratealargeamountofdatainrealtime,soitmayneedtobestoredlocallyratherthanbeingtransmittedtoacentrallocation.DatainthedevicedatastorecanbeusedbytheapplicationlogicandanalyticscapabilityintheIoTgateway.

IBMCapabili+esforIoTGatewayIBMdoesnotbuildgatewayhardware,andpartnerswithgatewaymanufacturers,suchasCiscoSystemsInc.,toprovidedirectdeviceconnectivity.IBMEdgeAnalyticsAgentrunsonthosegatewaystoprovideavarietyofcapabilities,includingconnectivitytotheWatsonIoTcloudplatformandtheabilitytorunanalyticsonthegatewaysthemselvesto_ilterandsummarizedata,takelocalactions,andforwardeventsandasubsetofthedatatothecloud.Youcangloballycon_iguretheagent,updateitfromacloudenvironment,andcacheitscon_igurationandanalyticsatthegatewaysothatitcancontinuetoprovideitsfunctionsevenwhendisconnectedfromthecloud.Thisisespeciallyimportantinenvironmentswithintermittentconnectivity.

PublicNetwork

PeerCloudThepeercloudisathird-partycloudsystemthatprovidesservicestobringdataandcapabilitiestotheIoTplatform.PeercloudsforIoTmaycontributetothedataintheIoTsystemandmayalsoprovidesomeofthecapabilitiesde_inedinthisIoTarchitecture.

ItislikelythatlargerIoTsystems,suchasthoseinvolvedinsmartcities,actuallyinvolvethecombinationofaseriesofsmallerIoTsystems,eachaddressingpartofthesolution.Thesesystemsofsystemsinvolveconnectionsbetweenmultiplepeercloudsystems,eachofwhichmayhaveIoTdevicesandassociatedapplicationsandservices.Connectingtheseindividualsystemscanenablelarger,morecomprehensivesolutions.

EdgeServices

Servicesneededtoallowdatato_lowsafelyfromtheInternetintotheprovidercloudandintotheenterprise.Edgeservicesalsosupportend-userapplications.


• DomainNameSystemServer-ResolvestheURLforaparticularwebresourcetotheIPaddressofthesystemorservicethatcandeliverthatresource.

• ContentDeliveryNetworks(CDN)-Supportend-userapplicationsbyprovidinggeographicallydistributedsystemsofserversdeployedtominimizetheresponsetimeforservingresourcestogeographicallydistributedusers,ensuringthatcontentishighlyavailableandprovidedtouserswithminimumlatency.Whichserversareengagedwilldependonserverproximitytotheuserandwherethecontentisstoredorcached.

• Firewall-Controlscommunicationaccesstoorfromasystem,permittingonlytraf_icmeetingasetofpoliciestoproceedandblockinganytraf_icthatdoesnotmeetthepolicies.Firewallscanbeimplementedasseparatededicatedhardware,orasacomponentinothernetworkinghardwaresuchasaload-balancerorrouterorasintegralsoftwaretoanoperatingsystem.

• Loadbalancers-Providesdistributionofnetworkorapplicationtraf_icacrossmanyresources(suchascomputers,processors,storage,ornetworklinks)tomaximizethroughput,minimizeresponsetime,increasecapacity,andincreasereliabilityofapplications.Loadbalancerscanbalanceloadslocallyandglobally.Loadbalancersshouldbehighlyavailablewithoutasinglepointoffailure.Loadbalancersaresometimesintegratedaspartoftheprovidercloudanalyticalsystemcomponentslikestreamprocessing,dataintegration,andrepositories.

IBMCapabili+esforEdgeServicesThesecapabilitiesarewelldocumentedinIBMAdvantagesupportingtheWebApplicationHostingReferenceArchitecture.

IBMBluemixsupportsservicesforDNS,_irewalls,loadbalancing,andCDN.IBMSecurityNetworkProtectionisanext-generationintrusionpreventionsystemthatcanbeusedtomonitornetworktraf_icandprovideprotectionfromhiddensecurityvulnerabilities.Finally,IBMDataPower®providesloadbalancingandSSLtermination.Ithelpsquicklysecure,integrate,control,andoptimizeaccesstoarangeofworkloadsthroughasingle,extensible,DMZ-readygateway.

TheIBMVPNserviceprovidesasecureIP-layerconnectivitybetweenyouron-premisesdatacenterandyourBluemixcloud.ItleveragestheInternetProtocolSecurity(IPsec)suiteforprotectingIPcommunicationbetweenendpointsresidingonyourprivatesubnets.AnIPsec-compatibleVPNgatewayisrequiredinyouron-premisesdatacenterforestablishingsecureconnectivitywithIBMVPNservice.

https://www.ibm.com/developerworks/cloud/library/cl-ibm-leads-building-web-app-hosting-cloud-solutions-trs/index.html

ProviderCloud

TheProviderCloudprovidescoreIoTapplicationsandassociatedservices,includingstorageofdevicedata,analytics,processmanagementfortheIoTsystem,datavisualizations,andhostingcomponentsfordevicemanagement,includingadeviceregistry. Keycapabilitiesinthisdomaininclude:

• IoTtransformationandconnectivity• Applicationlogic• Visualization• Analytics• Processmanagement• Devicedatastore• APImanagement• Devicemanagement• Deviceregistry• Deviceidentityservice• Transformationandconnectivity

Acloud-computingenvironmentprovidesscalabilityandelasticitytocopewithvaryingdatavolume,velocity,andrelatedprocessingrequirements.Experimentationanditerationusingdifferentcloudservicecon_igurationsisagoodwaytoevolvetheIoTsystem,withoutupfrontcapitalinvestment.

IoTTransforma)onandConnec)vityThiscapabilityenablessecureconnectivitytoandfromIoTdevices.ThiscomponentmustbeabletohandleandperhapstransformhighvolumesofmessagesandquicklyroutethemtotherightcomponentsintheIoTsolution.


• Secureconnectivity-Providessecuredconnectivity,whichauthenticatesandauthorizesaccesstotheprovidercloud.

• Scalablemessaging–EnablesmessagingfromandtoIoTdevices.Scalabilityofthemessagingcomponentisessentialtosupporthighdatavolumeapplicationsandapplicationswithhighlyvariabledatarates.

• Scalabletransformation–providestransformationofdeviceIoTdatabeforeitgetstoprovidercloudlayer,toprovideaformmoresuitableforprocessingandanalysis.Thismayincludedecodingmessagesthatareencrypted,translatingacompressedformattedmessage,andnormalizingmessagesfromvaryingdevices.

IBMCapabili+esforIoTTransforma+onandConnec+vityTheIBMWatsonIoTPlatformcanbeusedtoprovideIoTtransformationandconnectivity.Thismanagedserviceprovidessecureconnectivityfordevices,allowingthemtoconnecteitherdirectlyorthroughagateway.Datafromthedevicescanberetrievedandanalyzedinrealtime,andapplicationlogiccanalsousetheplatformtoquerythecurrentstateofadevice.

TheIBMWatsonIoTplatformletsyouperformthefollowingtasks:

• Createandmanageapplications• Create,connect,andmanagedevices• Extenddevicemanagementwithcustomactions• Createandmanagegateways• Retrievedevicedata

DevicescanconnecttotheIBMWatsonIoTplatformusingeitherHTTPortheMQTTmessagingprotocol.Providedtoolkitshelpyoudevelopdevice_irmwareorapplicationsoftwarethatusestheplatform.Watsonsupportsthefollowinglanguageenvironments:

• Python• Node.js• Java™• C#• EmbeddedC• mBedC++

Applica)onLogicThecoreapplicationcomponentstypicallycoordinatethehandlingofIoTdevicedata,theexecutionofotherservicesandsupportingend-userapplications.Anevent-basedprogrammingmodelwithtrigger,action,andrulesisoftenagoodwaytowriteIoTapplicationlogic.Applicationlogiccanincludework_lowandmayalsoincludecontrollogic,whichdetermineshowtouseactuatorstoaffectphysicalentities.

IBMcapabili+esforapplica+onlogicApplicationlogiccanbewritteninmanylanguages.Inparticular,IBMBluemixprovidesruntimesforCloudFoundryapplicationswritteninNode.js,Java(WebSphere®LibertyPro_ile),Swift,Python,andGo.Node-REDisatooltodevelopNode.jsapplications,andOpenWhiskisaruntimeenvironmentdesignedexplicitlyforevent-drivenapplicationdevelopment.BothareparticularlywellsuitedtoIoT.

Visualiza)onVisualiza(onenablesuserstoexploreandinteractwithdatafromthedatarepositories,actionableinsightapplications,orenterpriseapplications.Visualizationcapabilitiesincludeend-userUI,adminUI,anddashboardassub-components.


• End-userUI–Allowsuserstointeractwithenterpriseapplications,analyticsresults,andthelike.Thisalsoincludesinternalorcustomer-facingmobileuserinterfaces.

• AdminUI-Enablesadministratorstoaccessmetrics,operationaldata,andvariouslogs.

• Dashboard-Allowuserstoviewvariousreports.AdminUIanddashboardareinternal-facinguserinterfaces.

IBMcapabili+esforvisualiza+onTheIBMWatsonIoTplatformprovidesvisualizationdashboards.Otherproductsorservices,includingembeddedreporting,SPSS,Cognos,andthelikealsoprovidevisualization.

Analy)csAnalyticsisthediscoveryandcommunicationofmeaningfulpatternsofinformationfoundinIoTdata,todescribe,predict,andimprovebusinessperformance.


• AnalyticsDataRepository-Supportslegacy,new,andstreamingsources,enterpriseapplications,enterprisedata,cleanseddataandreferencedata,aswellasoutputfromstreaminganalytics.Capabilitiesincludeexplorationandarchiving(forstoring,exploringandaugmentinglargedatasetsusingawidevarietyoftools);deepanalyticsandmodeling(applicationofstatisticalmodelstoyieldinformationfromlargedatasetscomprisedofunstructuredandweakly-structuredelements);interactiveanalysisandreporting(toolstoanswerbusinessandoperationsquestionsoverInternetscaledatasets);datacataloging(resultsfromdiscoveryandITdatacurationcreateaconsolidatedviewofinformationre_lectedinacatalog).SeeHowIBMLeadsinBuildingBigDataandAnalyticsSolutionsintheCloud[5]formoreinformationonbigdataandanalyticsreferencearchitecturesforusingcloudcomputing.

• Cognitive–Thesecapabilitiescreateanintelligentsystemthatlearnsatscale,reasonswithpurpose,analysestopredict,prescribe,anddiscoverfrommassivedatasetsofinterconnectedphysical,social,enterpriseandotherentities,andclosestheloopwithmachine-generatedadvice,assistance,andactions,inamannerthatself-learnsandadapts,forenablingaugmentedhumanintelligencethroughman/machinecollaborations.

• ActionableInsight-Insightsthatultimatelydriveactionsthatmaybeusedbybusinessapplicationsfromdatacollected,processed,andstoredinthedatarepositories.Capabilitiesincludeanalytics-basedandoperationaldecisionmanagement,discoveryandexplorationacrossavarietyofsourcestoprovidebusinessuserswithnewvisibilityintobusinessperformance,predictiveanalytics(extractsinformationfromexistingdatasetstodeterminethecurrentstate,identifypatterns,andpredictfuturetrends),analysisandreporting(reportsofoperationalandwarehousedatatobusinessstakeholdersandregulatorswherebigdatatypicallyincreasesthescopeanddepthofavailabledata),contentanalytics(enablesbusinessestogaininsightandunderstandingfromtheirstructuredandunstructuredcontent),planningandforecasting(enablesfasterandmoreef_icientdevelopmentofplans,budgets,andforecastsbycreating,comparingandevaluatingbusinessscenarios).

• StreamingComputing-Acceptsandprocessesinrealtimelargevolumesofhighlydynamic,time-sensitivecontinuousdatastreamsfromavarietyofinputssuchassensor-basedmonitoringdevices,messagingsystems,and_inancialmarketfeeds.Capabilitiesincludereal-timeanalyticalprocessing,whichappliesanalyticprocessinganddecision-makingtoin-motionandtransientdatawithminimal

https://www.ibm.com/developerworks/cloud/library/cl-ibm-leads-building-big-data-analytics-solutions-cloud-trs/index.html

latency,anddataaugmentation,which_iltersanddivertsin-motiondatatodatawarehousesfordeeperbackgroundanalysis).

IBMcapabili+esforanaly+csToolsavailabletodevelopandrunanalyticsapplicationsincludeSparkasaService,SparkStreaming,SPSSPredictiveAnalytics,WatsonAPIs,IBMWatsonIoTReal-TimeInsights,BigInsightsforApacheHadoopservice,GeospatialAnalyticsservice,andStreamingAnalyticsservice.FordetailedinformationabouthowIBMsupportsotheranalyticsservices,seetheIBMAdvantageforCSCCCloudCustomerRAforAnalytics.

ProcessManagementProcessmanagementinvolvesplanning,developing,deploying,andmonitoringtheperformanceofabusinessprocess.

IBMcapabili+esforprocessmanagementTheMaximoAssetManagementservicesupportsbusinessprocessestomanagealltypesofassets,includingplant,production,infrastructure,facilities,transportation,andcommunications.IBMTRIRIGAprovidesstrategicfacilitiesplanning,implementation,andmanagementcapabilities.

DeviceDataStoreThedevicedatastorestoresdatafromtheIoTdevicessothedatacanbeintegratedwithprocessesandapplicationsthatarepartoftheIoTsystem.Devicesmaygeneratealargeamountofdatainrealtime,requiringthedevicedatastoretobeelasticandscalable.

IBMcapabili+esforedgeservicesIBMObjectStoreprovidescost-effectivestorageforlargevolumesofdataproducedbyIoTapplications.Ifmorerapidaccesstothedataisrequired,solutionscanchoosebetweenrelationaldatabasessuchasdashDB®,ornoSQLdatastoressuchasCloudant®orMongoDB.Forintensiveanalytics,theBigInsightsforApacheHadoopserviceincludesanembeddedHBasedatabase.

APIManagementAPIManagementcapabilitiespublishcatalogsandupdatesAPIsinavarietyofdeploymentenvironments.Enablesdevelopersandenduserstorapidlyassemblesolutionsthroughdiscoveryandreuseofexistingdata,analytics,andservices.

IBMcapabili+esforAPImanagementIBMAPIConnectprovidesstreamlinedcontrolacrosstheAPIlifecycleandalsoenablesbusinessestogaindeepinsightsaroundAPIconsumptionfromitsbuilt-inanalytics.

DeviceManagementDeviceManagementcapabilitiesprovideanef_icientwaytomanagedevicessecurelyandreliablyfromthecloudplatform.Devicemanagementcontainsdeviceprovisioning,remoteadministration,softwareupdating,remotecontrolofdevices,andmonitoringdevices.Devicemanagementmaycommunicatewithmanagementagentsondevicesusingmanagementprotocols,aswellascommunicatewithmanagementsystemsfortheIoTsolutions.


IBMcapabili+esfordevicemanagementTheIBMWatsonIoTplatformsupportsdevicemanagementandallowsforthecreationofcustomizedcommandsetstomeettheneedsofthespeci_icapplication.

DeviceRegistryTheDeviceRegistrystoresinformationaboutdevicesthattheIoTsystemmayread,communicatewith,control,provision,ormanage.DevicesmayneedtoberegisteredbeforetheycanconnecttoandorbemanagedbytheIoTsystem.IoTdeploymentsmayhavealargenumberofdevices,soscalabilityoftheregistryisimportant.

IBMcapabili+esfordeviceregistryTheIBMWatsonIoTplatformcanbeusedasthedeviceregistry.

DeviceIden)tyServiceTheDeviceIdentityServiceensuresthatdevicesaresecurelyidenti_iedbeforebeinggrantedaccesstotheIoTsystemsandapplications.

IBMcapabili+esforiden+tyservicesInIoTsystems,deviceidenti_icationhelpsaddressthreatsfromfakeserversorfakedevices.TheIBMWatsonIoTplatformcanbeusedasthedeviceidentityservice.

Transforma)onandConnec)vityTransformationandConnectivityservicesenablesecureconnectionstoenterprisesystemsandtheabilityto_ilter,aggregate,ormodifydataoritsformatasitmovesbetweencloudandIoTsystemscomponentsandenterprisesystems(typicallysystemsofrecord).WithintheIoTreferencearchitecture,thetransformationandconnectivitycomponentsitsbetweenthecloudproviderandenterprisenetwork.However,inahybridcloudmodeltheselinesmightbecomeblurred.


• EnterpriseSecureConnectivity-Integrateswithenterprisedatasecuritysystemstoauthenticateandauthorizeaccesstoenterprisesystems

• Transformation-Transformsdatagoingtoandfromenterprisesystems

• Enterprisedataconnectivity-Enablesprovidercloudcomponentstoconnectsecurelytoenterprisedata.ExamplesincludeVPNandgatewaytunnels

IBMCapabili+esforTransforma+onandConnec+vityTheIBMBluemixSecureGatewayservicebringshybridintegrationcapabilitiestoyourBluemixenvironment.ThegatewayprovidessecureconnectivityfromBluemixtootherapplicationsanddatasourcesrunningon-premisesorinotherclouds.Aremoteclientisprovidedtoenablesecureconnectivity.

EnterpriseNetworkTheEnterpriseNetworkhostsanumberofbusiness-speci_icenterpriseapplicationsthatdelivercriticalbusinesssolutionsalongwithsupportingelementslikeenterprisedata.Typically,enterpriseapplicationshavesourcesofdatathatareextractedandintegratedwithservicesprovidedbythecloudprovider.Analysisisperformedinthecloud-computingenvironment,withoutputconsumedbytheenterpriseapplications.

Systemsofrecorddatahavegenerallymaturedovertimeandarehighlytrusted.Theyremainaprimaryelementinreportingandpredictiveanalyticssolutions.Systemsofrecorddataincludetransactionaldataaboutorfrombusinessinteractionsthatadheretoasequenceofrelatedprocesses(_inancialorlogistical).Thisdatacancomefromreferencedata,masterdatarepositories,andapplicationdatausedbyorproducedbyenterpriseapplicationsfunctionallyoroperationally.Typically,thedatahasbeenimprovedoraugmentedtoaddvalueanddriveinsight.Enterprisedatamaybeinputintotheanalysisprocessthroughdataintegrationordirectlytothedatarepositoriesasappropriate.

EnterpriseUserDirectoryStoresuserinformationtosupportauthentication,authorization,orpro_iledata.Thesecurityservicesandedgeservicesusethistocontrolaccesstotheenterprisenetwork,enterpriseservices,orenterprisespeci_iccloudproviderservices.

IBMCapabili+esforEnterpriseUserDirectoryIBMDirectoryServer_illsthisimportantfunction.

EnterpriseDataIncludesmetadataaboutthedata,aswellassystemsofrecordforenterpriseapplications.Enterprisedatamay_lowdirectlytodataintegrationorthedatarepositoriesprovidingafeedbackloopintheanalyticalsystemforIoT.IoTsystemsmaystoreraw,analyzed,orprocesseddatainappropriateenterprisedataelements.

Keycapabilitiesinthisdomaininclude:• Referencedata-Providecontextaboutcollecteddata.• Masterdatarepositories-Canbeupdatedwiththe

outputofanalytics,toassistwithsubsequentdatatransformation,enrichmentandcorrelation.Theycansupportanalyticsandfeedotheranalyticsmodelswhenthosemodelsexecute.

• Transactionaldata-Dataaboutorfrombusinessinteractionsthatadheretoasequenceorrelatedprocesses(_inancialorlogistical).Thisdatacancomefromreferencedata,masterdatarepositories,anddistributeddatastorage.

• Applicationdata-Datausedbyorproducedbyenterpriseapplicationsfunctionallyoroperationally.Typically,thedatahasbeenimprovedoraugmentedtoaddvalueanddriveinsight.

• Logdata-Dataaggregatedfromlog_ilesforenterpriseapplications,systems,infrastructure,security,governance,etc.

• Enterprisecontentdata-Datatosupportanyenterpriseapplication.

• Historicaldata-Datafrompastanalyticsandenterpriseapplicationsandsystems.

IBMcapabili+esforenterprisedataIBMproductswellsuitedtosupportthevolumeofenterprisedatageneratedbyIoTincludeIBMInfoSphere®MasterDataManagement(MDM),IBMDB2®,HBase,BigInsights,FileNet®,andBigSQL.

EnterpriseApplica)onsEnterpriseapplicationsconsumecloudproviderdataandanalyticstoproduceresultsthataddressbusinessgoalsandobjectives.EnterpriseapplicationscanbeupdatedfromenterprisedataorfromIoTapplications,ortheycanprovideinputandcontentforenterprisedataandIoTapplications.


• Customerexperience–Customer-facingsystemsareaprimarysystemofengagementthatdrivesnewbusinessandhelpsserviceexistingclientsatlowercost.

• Newbusinessmodels–Alternativebusinessmodelsthatfocusonlowcost,fastresponse,andgreatinteractionsareallexamplesofopportunitiesdrivenbycloudsolutions.

• Financialperformance–Financialapplicationscanbemademoreef_icientasdataisconsolidatedandreportedfasterandmoreeasily.

• Riskanalytics–Useriskanalyticstoevaluatethreatstothebusiness,suchasfraudorhacking.Elasticresourcemanagementmeansmoreprocessingpowerisavailableintimesofheightenedthreat.

• ITeconomics–UsedtostreamlineIToperationsascapitalexpendituresarereducedwhileperformanceandfeaturesareimprovedbyclouddeployments.

• Operationsandfraud–Cloudsolutionscanprovidefasteraccesstomoredata,allowingformoreaccurateanalyticsthat_lagsuspiciousactivityandofferremediationinatimelymanner.

IBMcapabili+esforenterpriseapplica+onsIBMoffersarangeofspeci_icapplicationssuitedtoenterpriserequirements,suchasIBMMaximoforassetmanagement,theIBMFraudandAbuseManagementSystem,IBMWatsonAnalytics,andIBMriskmanagementsolutions.

SecuritySecurityinIoTdeploymentsmustaddressITsecurityaswellasoperationstechnology(OT)securityelements.Thelevelofattentiontosecurityandthetopicareasaddressedvarydependingupontheapplicationenvironment,businesspattern,andriskassessment.Ariskassessmenttakesintoaccountmultiplethreatsandattacksalongwithanestimateofthepotentialcostsassociatedwithsuchattacks.

Inadditiontosecurityconsiderations,connectingITsystemswithphysicalsystemsrequiresyoutoconsiderhowtheIoTsystemmightimpactsafety.IoTsystemsmustbedesigned,deployed,andmanagedinawaywheretheoperatorscanalwaysbringthesystemtoasafeoperatingstate,evenwhendisconnectedfromcommunicationswithothersystemsthatarepartofthedeployment.Indeed,disconnectingfromcommunicationsmaybepartofthesecuritymeasuresputinplacetohelpsecuretheIoTdeployment.

Thereareseveralareasofsecuritytoconsider:• Identityandaccessmanagement• Dataprotection• Securitymonitoring,analysis,andresponse• System,application,andsolutionlifecyclemanagement

Iden)tyandAccessManagementAswithanycomputingsystem,theremustbestrongidenti_icationofallparticipatingentities–users,systems,applications,and,inthecaseofIoT,devicesandIoTgateways–throughwhichthosedevicescommunicatewiththerestofthesystem.Deviceidentityandmanagementinvolvesmultipleentities,startingwithchipanddevicemanufacturers,includingIoTplatformproviders,andalsoincludingenterpriseusersandoperatorsofthedevices.InIoTsolutions,manyoftheseentitieswillcommunicateandaddresstheIoTdevicesthroughouttheiroperationallifetime.

IBMcapabili+esforiden+tyandaccessmanagementTheIBMWatsonIoTPlatformprovidescapabilitiesforregisteringIoTdevicesandgateways,allowingforidenti_ication,authentication,andaccesscontrolofwhatdevicesandgatewayscanperforminaconnectedenvironment.Inaddition,theWatsonIoTPlatformhasfunctionsforidentifyingapplicationsthatmaycommunicatewithandusedevicesandgatewaysandinvokeWatsonIoTplatformAPIstoperformotherIoT-relatedtasks.UserauthenticationishandledthroughIBMBluemixandintegrationwithIBMSingleSign-Oncapabilities.Thisallowsforawiderangeofuser/humanauthenticationmechanisms,aswellasawiderangeofuserregistriesrangingfrompopularpublicregistriesontheInternettoclient-speci_icenterpriseorcustomer-centricregistries.

DataProtec)onDatainthedevice,in_lightthroughoutthepublicnetwork,providercloud,andenterprisenetwork,aswellasatrestinavarietyoflocationsandformatsmustbeprotectedfrominappropriateaccessanduse.Youcanusemultiplemethods,andindeed,inmanycases,youcanapplymultiplemethodssimultaneouslytoprovidedifferentlevelsofprotectionofdataagainstdifferenttypesofthreatsorisolationfromdifferententitiessupportingthesystem.Protectingcommunicationslinksmaybeusedinadditiontoindividualdata_ieldlevelencryptionorsigningdoneonthedevicetoprovidebothend-to-endandpoint-to-pointcommunicationsprotection.Dataatrestindifferentformatsmaybeencryptedatthe_ield,database,andevenwholedisk/medialeveltoprotectagainstleakageandimproperusage.Increaseddatacollectionalsoresultsinaneedtoconsiderpotentialprivacyimplications,requiringadditionalattentiontodatasegregation,redaction,andspecialhandlingrequirements.

ItisimportanttoconsiderwhetherthedatainvolvedinanIoTsystemwouldincludenotonlypersonallyidenti_iableinformation(PII)–whichimplieslegalandregulatoryobligations–butalsodatarelatedtoindividualsinsomeway.Insomecases,devicesmaybedirectlyassociatedwithindividuals,orindividualsmaybethephysicalentitiesthatarethesubjectofsensordatawhich,whilenotpersonallyidenti_iableinformation(PII),isde_initelyinformationthatmostwouldexpecttobeconsideredpersonal.Further,withenoughofthisobservedinformation,theaggregatedatacouldbeenoughtoidentifythepersonitwasgatheredfrom.WhilePIIisusuallythesubjectoflawsandregulations,theseothertypesofPIIshouldbetreatedcarefully,andtheIoTsystemmustbedesignedtogiveappropriateprotectiontothesetypesofdata.Protectionsmayinvolvewhereandhowdatacanbe

stored,theidenti_iedowneroftheinformation,andwhatdatausagerestrictionsneedtobeenforced.

Dataprotectionconsiderationscanhavearangeofimplications.Forexample,itmaybethecasethatdatacollectedbythedevicemustbestoredinthesamevicinityofthecollection,eitheronthedeviceoronanIoTgatewaythatisclosetothedeviceandcannotbetransmittedtoacentrallocationsuchastheprovidercloud.

IBMcapabili+esfordataprotec+onDataprotectionisprovidedinIBMBluemixservices,suchasCloudant,dashDB,MongoDB,andMessageHub,aswellasSpark-basedprocessingsystems.Appropriateattentiontocon_igurationandconnectionsettingsisimportantwhenconstructingthesolution.

IBMIoTsolutionsincludingIoTforElectronics,IoTforAutomotive,andIoTforInsuranceemploytheseserviceswithcarefulattentiontocon_igurationsettingssothatappropriatedataprotectionisused.

Securitymonitoring,analysis,andresponseTodetectandreacttoactiveattacksoranomalousbehaviour,everysystemmusthavebuilt-inmonitoringoftheenvironment.BecauseofthescaleofIoTsystems,bothinthenumberofdevicesaswellastheamountofinformationbeingprocessed,automatedresponsestoknownattacksandautomaticdetectionofsuspiciousbehaviourarerequired.Theseresponsesmayincludetemporaryisolation,quarantine,ortheremovalofpartsoftheIoTsystem,aswellasformalincidentresponseprocessesforaddressingvulnerabilitiesthatarediscoveredafterthesystemshavebeenputintoservice.

LikeITsecurity,thereisaneedfordisclosureofvulnerabilitiessothataffectedpartiescanappropriatelymitigatetheriskandmakechangesandupdatesinatimelymanner.Becauseattackscancomeinavarietyofdifferentforms,allattacksmustbeexpected,plannedfor,andrespondedto.Asjustoneexample,anattackmightcomeintheformofinjectionoffake,erroneous,orerraticsensordataintotheIoTsysteminanattempttosteerautomateddecision-makingpartsofthesystemtoactinadesired(bytheattacker)manner.Suchattacksmustalsobeexpected,plannedfor,andrespondedto.

IBMcapabili+esforsecuritymonitoring,analysis,andresponseIBMoffersseveralmechanismsformonitoringandanalyzingdatacommunicationstraf_icfromandbetweencomputingsystems.

IBMproductssuchasQRadarcanbeusedinconjunctionwiththeWatsonIoTPlatformandservices.Theseofferings,combined,allowformonitoring,analysis,andresponsetosituationsthatcanariseasIoTdevicesconnectwithITsystemstoconstructasolution.TheWatsonIoTPlatformprovidesdevicesmanagement,securitycon_iguration,andrisk-managementfeaturesfordeviceandgateway-speci_icmonitoringandresponse.

System,applica)on,andsolu)onlifecyclemanagement

LifecyclemanagementoftheIoTsystemiscomplex,multi-faceted,andhasrelationshipswithidentitymanagement,devicemanagement,thesupplychain,applicationandsoftwaredevelopment,throughtosystemoperationsandchangemanagementofdeployedandin-servicesystems.

Attentiontosecurityinalloftheseareasisrequiredtopreventavarietyofattacksrangingfrommaliciouscodeinsertiontoinappropriate_irmware/softwaredeployment,toeffectivecryptographickeymanagement.Code,keymaterial,andevenphysicalcomponentsmustbeveri_iedasthey_lowfromprocurementandcreationthroughtotheirinstallationintothedevices,IoTgateways,andothersystemsthatmakeuptheIoTsystem.TheIoTsystemshouldalsoprovidethecapabilitytoupdateindividualcomponentsinasecureway,bothtoaddressvulnerabilitiesandalsotoaddressfunctionalenhancementsoverthelifetimeofthesystem.

IBMCapabili+esforSystem,Applica+on,andSolu+onLifecycleManagementWhenconstructinganIoTsolutionanddesigning,building,anddeployingIoTdevicesandgatewaysasapartofthatsolution,youmustpaycarefulattentiontohowsoftwareor_irmwarewillbemanagedonthedevicesandgateways.Deviceandgatewaymanufacturersandusersshoulddeterminethemostappropriate_irmwareupdatemechanismtoemploy,includingwhat_irmware-over-the-air(FOTA)vendorstoworkwith.IBMoffersinterfacesintheWatsonIoTPlatformtosignaltoanapplicationsorsolutionswhena_irmwareupdateisnecessaryandtoobservethe_irmwarelevelsreportedbydevicesandgateways.

Validatingthatthe_irmwareandsoftwarerunningindevicesandgatewaysisasexpectedisalsoimportant.Ifcoderunninginthesesystemshasbeentamperedwithoriscorruptedinsomewaywhileinoperation,inappropriatebehaviorfromthedeviceorgatewaymayoccur.Technologiesforin-memoryscanningforunexpectedcodemodi_ications,suchasthoseprovidedbyArxan(www.arxan.com),canhelpdetectandrespondtosuchattacks.

AllinterfacesinanIoTsolutionmustbetestedforpotentialvulnerabilities.Ongoingpenetrationtestingofdevices,gateways,andallotherexternalizedpartsofthesolutionisnecessarytodetectpotentialweakspotsandtakestepstomitigatingthese.IBMAppScanSource(forstatic,source-codeanalysis)andAppScanEnterprise(fordynamic,web/HTTPinterface-basedtesting)canbeappliedtoanysoftwareorinterfaces,respectively,whichareexposedaspartofthesolution.Thiscanincludeinterfacesexposedbydevicesandgateways,evenifthoseinterfacesaremeantforlocal,isolatedadministrativeconnections.

Managingkeysindevicesandgatewayscanbechallenging.IBMSecureKeyLifecycleManagement(SKLM)offersmechanismsforperformingkeymanagementoperations.Deviceandgatewaymanufacturerscanemploytheseservicestoassistwithkeymanagementoperationsforkeysdeployedintodevicesandgateways.

IoTGovernanceAsdescribedintheIoTSecuritysection,therearemanychallengesinsecuringanIoTsolution.Oversightandproceduresmustbeusedtoensurethatwhennewvulnerabilitiesandthreatsarediscovered,thereisameansandmechanismforaddressingthesethreatsinIoTsystems.

AnimportantdifferenceinIoTsystemsdifferfromtraditionalITsystemsbecauseexploitsandfailuresinIoTsystemshavethepotentialtocauseseriousharmtohumans,property,andtheenvironment.Physicaldevicesandequipmentareusuallyinserviceformuchlongerperiodsoftimethantypicalcomputingsystemssuchasservers,PCs,tablets,andothermobiledevices.IoTequipmentisofteninstalledinlocationswherechangeorreplacementiscomplicatedduetogreatcostorinconvenience.Becauseofthesereason,IoTsystemsmustbedesignedanddeployedwithchange/update/modi_icationinmind,alongwithstronggovernancetoensurethatsuchchangeisdoneappropriately,safely,reliably,and

securely.Indeed,IoTsystemchangeislikelytobeneededlongafterdevicewarrantyperiodshaveexpiredasitiswellknownthatphysicalsystemsareoftenusedforlongperiodsoftime.

Stronggovernanceproceduresareneededtodetermineandenforcetheappropriatein-servicelifespanfordevicesandtoplannon-disruptive,securechange-oversasnewsystemsareintroducedintothesystem.IoTgovernancecomplexitiesaresimilartothecomplexitiesinhybridcloudcomputing.De_inition,planning,andoversightmightincludebothtechnicalandoperationalstaff.VisibilityintoSLAs,changemanagement,andotherpolicyandprocessareascanbeexpeditedbyselectingtoolstosimplifydatacollection,reporting,andnoti_ications.

IBMcapabili+esforIOTgovernanceManagingthesoftwarelifecycleof_irmware,software,applications,analyticsprocessing,anduserinterfacefunctionsofanIoTsolutionisacomplextask.Often,eachpieceofsoftwarethatmakesupthesolutionisbuiltusingaspeci_icsoftwaredevelopmentmethodology—oneIoTsolutioncouldbebuiltusingawiderangeofdifferentsoftwaredevelopmentmethodologiesthatwillbefollowedacrossthisspectrumofsoftwarewhichmakesupthesolution.IBMDevOpsServices,IBMContinuousEngineering(CE),andIBMContinuousLifecycleManagement(CLM)offeringsprovidea_lexiblesetoftoolsandfunctionformanagingsoftwaredevelopmentanddeploymentlifecycle.IBMUrbanCodeofferingscanalsoassistinmanagingsoftwaredeploymentsacrossdevelopment,test,andproductionenvironments,furtherassistingorganizationsinmaintainingstrongIoTgovernance.

TheProviderCloudcomponentsmayalsobesubjecttochangeovertime.Forexample,theanalyticscomponentsandtheirassociatedsoftwaremayundergoregularenhancementstoimprovetheirperformanceandreliability.AppropriategovernancemustbeinplacetoensurethatchangestothesecomponentsareunderstoodaheadoftimeandthatthechangesdonothaveanadverseimpactontheoverallIoTsystem.

TheCompletePicture

Figure3providesadetailedviewofallofthecomponents,subcomponents,andrelationshipsinacloud-basedIoTsolutionarchitecture.

� Figure3.Detailedcomponentsdiagram

IBMProductSupportforIoTSolu)onsusingCloudSolu)onsNowthatwe'vereviewedthecomponentmodelforanIoTsolutionusingcloudcomputing,let'slookathowIBMproductscanbeusedtoimplementanIoTsolution.Inprevioussections,wehighlightedIBM'send-to-endsolutionfordeployinganIoTsolutionusingcloudservices.The_igurebelowshowshowIBMcapabilitymapstospeci_iccomponentsinthereferencearchitecture.

� Figure4.IBMsupportforIoTsolutions

ScenariosNowthatyouunderstandthearchitecturalcomponentsofanIoTsolutioninthecloud,let'slookathowtouseIBMproductstoimplementcommonscenariosusingthisarchitecture.

• Scenario1.SmartHomesInsurancescenario• Scenario2.ConnectedCareAnalytics• Scenario3.SmartHomeConnectedApplianceScenario• Scenario4.Real-timeMotorMonitoring• Scenario5.Industrie4.0/IndustrialIoT

Thesescenariosreusethecomponentsthattheorganizationiscurrentlyusingintraditionaldatacenters,whichwedepictaspartoftheenterprisezoneofthearchitecture.

Scenario1.SmartHomesInsuranceScenarioFigure5illustratesthe_lowofaconnectedinsuranceserviceusecaseforIoT.

� Figure5.FlowforinsurancescenarioforIoT

Inthisexample,smarthomeswithconnecteddevicesandsensorsprovideinsurancecompaniestheabilitytoimprovetheservicetopolicyholderswhilegaininginsightintorisksinthehome.Connecteddevicesallowpolicyholderstoreceivenoti_icationofpotentialdangertothehomeandengagewiththeinsurerinamoreproactivemanner.

Byconnectinghomes,insurers,andotherservices,theconnectedinsuranceserviceuseskeycomponentsoftheIoTreferencearchitecture.Asanexample,leakdetectionsensorsandvalvescanenablethepolicyholdertomonitorwaterleaksandoffersprotectionfromresultingdamage.Thesensorsarepurchasedfrommultiplesourcesandinstalledinthehome,whichincludesconnectingthemtothedevicemaker’scloudservices.Thepolicyholderauthorizestheinsurancecloudservicetoconnecttothedevicemaker’scloudservicegrantingaccesstothedevicedata.Thedevicemakerisresponsibleforthelifecycleofthedevicesandtheinsurancecompanybene_itsfromaccesstothedatafromthesedevicesandprovidesanimprovedexperiencetoitspolicyholders.

Basicinformation_low:

1. Sensorsandactuatorsaredeployedinthehomeandattachedtothedevicemaker’scloudservice.Asanexample,thesensorscandetectwaterleakdetection,water_low,temperature,andtheactuatorscanincludeautomaticwatershutoffvalves.

2. Thehomeownerlogsintotheinsurancemobileapplicationandauthorizestheinsuranceservicetoaccessthedevicemaker’s(peer)cloudandtheirdevicedata.Themobileapplicationsendstheauthorizationtokenandinsurancecompanyidenti_iertothecloudservice.Thisinformationisusedtomaptheuser,devices,andinsurancepolicywithinthecloudservice.Thedevicecloudserviceisusedbecausethedevicemakershavealreadydeployedintotheirowncloudandownsthelife

cycleofthedeviceaswellastheuserexperiencewiththedevices.3. Theinsuranceservicereceivesauthorization,devicedetails,andtheinsuranceID

fromtheinsurancemobileapplicationandprocessesthisinseveralnodes(applicationlogic,deviceregistry,anddevicedatastore).Thedevicesareregisteredwiththedeviceregistry,anddatamappingisupdatedintheapplicationlogiccomponent.IBMBluemixLibertyorNode.jscanbeusedforprovidingtheapplicationlogic,whichcanusetheIBMIoTforInsuranceServicefromBluemix.IBMCloudant,dashDB,orObjectStoragecanbeusedfordevicedatastore.IBMWatsonIoTPlatformcanbeusedfordeviceregistry.

4. Theinsuranceserviceapplicationusestheauthorizationtokentoconnecttothedevicemaker(peer)andrequestthedata.Theapplicationiscon_iguredtopulldataonacon_iguredinterval.Inadditiontodevicedata,theapplicationcanbecon_iguredtoaccessotherdatasourcessuchasaweatherdataserviceforuseinanalysis.IBMBluemixIoTforInsuranceServiceisaBluemixservicethatcollects,manages,andanalyzesdatafromconnectedpolicyholders.IoTforInsurancehelpsprovidepersonalizedriskassessment,real-timeprotection,andpolicycostreductions.

5. Datafromdevicesandothersourcessuchastheweatherservicearecontinuallyupdatedandsenttoanalyticssystemstodetermineifapotentialriskthresholdhasbeenexceeded.Thisdataisanalyzedtodetermineifthereisapotentialfordamagetothehome(includingwaterdamage,freezepotential,etc.).Devicedatafromsensorsinconnectedhomesprovidesinsightintopotentialproblemsinthehomesuchaswaterleakorhumidity.TheWeatherCompanydataserviceonBluemixintegratesweatherdatafromTheWeatherCompanyintoBluemixapplications,anditcanretrieveweatherdataforanareaspeci_iedbygeo-coordinates.

6. Onceitisdeterminedthatthereisaproblem,usingtheanalysisfromStep5noti_icationsaresenttothehomeownerandtotheinsurancecompany.Thehomeownercanthentakeactiontorespondtothenoti_icationanddetermineifdamagehasoccurred,andtheinsurancecompanycaninitiateaclaimprocess.

7. Ifdamagehasoccurred,theinsurancebusinessprocessofclaimsmanagementisinitiated.Theinsurancebusinessprocessescanbeaccomplishedinthecloudservice,theirenterpriseapplications,ortheirmobileapplications.Thisisdependentonhowandwheretheinsurancecompanydecidestoperformthebusinesslogic.IBMReal-timeInsightsorMessageHubcanbeusedformanagingtheprocess_low.Typically,thisisdoneusingtheinsurancecompany’sexistingclaimsmanagementsystem.

Acloudarchitecturemakesthistypeofsolutioneasiertoimplementandmaintain.Asdemandincreases,moreresourcesmustbeacquired.

Scenario2.ConnectedCareAnaly)cs

Figure6illustratesthe_lowofaconnectedcaranalyticsusecaseforIoT.

� Figure6.Flowofconnectedcaranalytics

Background–Therearetwopeopleinthisscenario.A75-year-oldmaledriverhasaheartconditionandwearsaFitbittomonitorbiometricslikeheartrate.Afemaledriver,35,hasanactivelifestyleandwearsanApplewatchwhichshehasenabledtoshareinformation.Bothdriversregisterfora“BetterDrivingBehaviorProgram.”

Bothdrivershaveaknownpro_ile,createdasanenterpriserecord,thatisbasedontheirhometownlocation,drivingrecords,dailydrivingroute,speed,currentweather,roadconditions,andotherfeatures.TheserelatetoasetofKPIsthatprovidemetricsonhowtomeasuresuchfeatures.Becausethedrivershaveoptedintothebetterdrivingbehaviorprogram,wecanmonitorthedevicesthedrivershavegivenaccesstoorpermissionsfor.Thisinformationissharedbetweenthedeviceandtheproviders,thedrivers,theiremergencycontacts,anddoctor’sof_ice.

Whenthemanandwomandriveandinteractwiththeirdevicesandgadgets,theIoTframeworkpicksupalldatapoints.Theanalyticsenginebuiltforthisframeworkevaluatesanychangesindrivingbehaviorand_lagsanyanomaliesthatneedtobeactedupon.Theenginealsorecognizesinformationthatthesystemsneedtolearnaboutasitsnormalornewbehaviorthatneedstobeacteduponinthefuture.

RuntimeFlow1. Theuserregistersandcreatesapro_ileintheEnterpriseUserDirectory,andlinks

existingsocialmediaaccountstoadoctor’snetwork.IBMSecurityDirectoryServer,alightweightimplementationofLightweightDirectoryAccessProtocol(LDAP)isusedforsecurityandidentitymanagement.Itactsasafoundationfordeployingcomprehensiveidentitymanagementapplicationsandadvancedsoftware

architectures.Acustomwebormobileapplicationlogicisusedtobuildtheuserpro_ile.Theuser’srecordgetsupdatedintheEnterpriseUserDirectory.

2. Theuserconnectshisorhervehicletoadeviceregistryserviceandtoaglobalnetworkofdevicesforidenti_icationandbroadcastmessage.IBMWatsonIoTPlatformallowsregistrationofthedeviceanddevicetype,andthepayloadinformationiscon_iguredaccordinglyintheplatformfordownstreamandupstreamconsumption.Theuser’srecordgetsupdatedwiththedevicesinthedevicedatastore.TheIBMWatsonIoTPlatformboilerplatecomescon_iguredwithCloudantasaNoSQLDatabaseasaServicethatcanbeusedtostoretelemetryandothersensorinformationfromdevicesforlong-termstorageandretrieval.

3. Theuserupdateshisorheruserpreferenceslikedatacapturesetup,specialalerts,thresholds,emergencycontacts,andapplicationsettings.AsuitablewebormobileapplicationbuiltontheIBMMobileFirstplatformoracustomenterpriseapplicationthatleveragesserviceslikeNode.jsorWebSphereLibertycanbeusedfortheseuserinteractions.

4. Thedevicecapturesmotion,telemetry,andgeospatialdatabymonitoringinteractionsfroma_itnesstracker,Applewatch,andcellphoneusage.ThesetupinthestepsaboveallowstheIBMWatsonIoTtocaptureallthisinformationandinteractiontheuserhaswiththedevicesovertime.Additionalserviceslikestreaminganalyticsingest,analyze,monitor,andcorrelatedataasitarrivesfromreal-timedatasources.Viewinformationandeventsastheyunfold.

5. Viaedgeservices,theuserapplicationsendsdatafromtheInternet,likesocialmediaaccounts,orweatherandroadconditions.

6. TheIoTtransformationandconnectivityserviceenablessecureconnectivitytotheregisteredIoTdevices(likevehicles,Fitbit,Applewatch).TheIBMWatsonIoTPlatformenablesthistransformationandconnectivity.

7. Devicesfromthemaledriverrecordabnormalmedicalstressanddrivingpattern.Devicesfromthefemaledriverrecordaphonecallandanerraticdrivingpattern.Theapplicationcorrelatesinformationandevaluatesthenextbestactionduetotheanomaliesandpersistsincorporatedatastore.Bothdriversaresentappropriatealerts,andtheapplicationfollowstheescalationpathasde_inedinpreferences.CustomapplicationcodeandscenariologicisembeddedinNode.jsorWebSphereLibertyservicesthatallowdevicestosendinformationtodownstreamdatastoresandapplicationprocessingenginesforcorrelationandactions.

8. Theanalyticsengineimplementsmachinelearningandappliesheuristics,statistics,classi_iers,dimensionalreduction,andcollaborative_ilteringforanomalydetectionandremediation.Itupdatesin-memoryprocessorsforquickprocessingreal-timetransactions.IBManalytical,predictive,andmachinelearningcapabilitiesprovidedwithSparkasaServiceonBluemix,IBMDataScienceExperience,IBMSPSS,andIBMWatsonAPIscanbeusedtounderstandthebehavioroftheseinteractions,theirtrends,anomalies,outliersandforstatisticalandpredictivelearning.Of_linelearningandonlinescoringmachinelearningpredictivemodelscanbeinterjectedintothedataprocessingpipelinesforapplyingtheanalyticswhereneeded.Inaddition,thereareotheranalyticsservicesavailableonBluemixthatcanbeused.

Theseinclude:

https://console.ng.bluemix.net/catalog/services/streaming-analytics/

• IBMWatsonIoTContextMappingServiceenablesyourapplicationtoanalyzemovingobjecttrajectoriesbyusingroadnetwork-basedgeospatialservices.Itprovidesreal-timequeryinterfacestoaccessroadnetworkdataandsearchservicesbyuniqueindexstructureandadvancedcachemechanisms.

• IBMWatsonIoTDriverBehaviorServiceletsyouanalyzedrivers'behaviorfromvehicleprobedataandcontextualdata.

• GeospatialAnalyticshelptrackwhendevicesenter,leave,orhangoutinde_inedregions.

9. Thetransformationandconnectivityserviceallowsforsecureconnectiontoenterprisesystemstolookupeventinformation.IBMDataPowerandIBMIntegrationBusservicesareusedforthis.

10. Theenterpriseapplicationmaintainsbusinessmodelslikecustomerexperienceandriskevaluationandisusedforlookuportransactionprocessingorpublishinganeweventrule,auditprocessing.Thisdataisloadedinmemoryforaccesstotheanalyticsengine.Enterpriseapplicationsaretypicallycustomandspeci_ictotheenterpriseandareoutsidethescopeofasingleIBMproduct.However,therearemanycapabilitiesandsolutionsprovidedbyIBMcommerce,travel,andtransportationthatallowinternalandexternaluserstoreviewbusinessoutcomes,experiences,trends,healthofprograms,salesandrevenueinformation,forexample.IBMCognosisonesuchenterpriseapplicationthatcanbeusedinsuchscenarios.

11. Thisservicemanagesprocesswork_lowandcoordinatestheREST-basedservicesusedinyourapps.IBMBluemixCarDiagnosticAPI,Real-TimeInsightsandothermicroservicesrunningonNPMorNode.jscanbeutilizedtodeployprocesswork_lows.TheIoTCarDiagnosticAPIcanhelpyoutoassessthehealthstatusofavehicle,bytranslatingOBDerrorcodesinahuman-readableform.

12. TheIoTgovernancemaintainspoliciesandterminologyofthebusinessapplicationsandrulesaroundaccessingthatinformation.IBMsecurity,audit,andgovernancecapabilitiesinQRadarSecurityIntelligenceplatformandSIEMcapabilities,alongwithGuardium®audit,compliance,andvulnerabilitycapabilities,andcapabilitiesintheinformationgovernancecatalogintheIBMInformationIntegrationSuite,provideacompletepolicy-basedsecureandcontrolledenvironment.

13. Visualizationprovidesactive,descriptivereportsanddashboardstotheuser.IBMsupportsopentechnologieslikeRave,D3,Angular,andBrunellalongwithenterpriseofferingsfromIBMCognosandWatsonAnalytics.

14. Theend-userapplicationprovidestheengagementmodelfortheuserintheformofamobileorwebapplication.IBMMobileFirstmobileorcustommobileorweb-basedapplicationscanbeusedtosurfacevarioususagemetricstoendusersortoprovideaninteractiveenvironment.IBMAPIConnectservicecansurfacetheseservicestomanyusers.

Scenario3.SmartHomeConnectedApplianceScenarioAmanufactureranditsecosystempartnerscanprovideend-userremotecontrolandbettercustomersupportforconnectedappliancesforsmarthomes

Figure7illustratesthe_lowofaconnectedapplianceandsmarthomesscenarioforIoT.

https://console.ng.bluemix.net/catalog/services/context-mapping/

https://console.ng.bluemix.net/catalog/services/driver-behavior/

https://console.ng.bluemix.net/catalog/services/geospatial-analytics/

https://console.ng.bluemix.net/catalog/services/car-diagnostic-api/

� Figure7.Flowforasmarthomeconnectedappliancescenario

1. Asmartphoneappusedbytheapplianceownerregistersthecustomer’sownershipandprovidestheenduserwiththeabilitytocontroltheappliance.TheIBMIoTforElectronicsservice(availableinBluemix)providesasamplemobileapplication.ThismakesuseoftheMobileCloudAccessservicethatisalsoavailableinBluemix.

2. Customerregistrationdetailsarerecordedinthemanufacturer’ssystemsofrecord.TheBluemixSecureGatewayservicecanprovideconnectiontothesystemofrecord.

3. Theapplianceisregisteredinthecloudprovider’sregistry,andappropriatesecuritypermissionsareestablished.TheIoTforElectronicsserviceprovidesownerregistrationservices,andtheWatsonIoTPlatformprovidesaregistryoftheactualdevices.

4. Whileinthehouse,theendusercanusethesmartphoneapptocheckthestatusoftheapplianceandcansendcommandstotheappliance,forexampletoadjustatemperaturesetting.Inthiscase,theappconnectsdirectlytotheappliance.TheIoTforElectronicssampleapplicationshowshowtodothis.

5. Devicesembeddedintheappliancesenddatatotheappandrespondtoitscommands.TheIBMWatsonIoTPlatformsendsdatatotheapp.

6. Theappcancommunicatewiththecloudprovidertoofferthesamecapabilities

whentheuserisnotphysicallyinthehouse.Inthiscase,thedevicealsocommunicateswiththecloudproviderandcommunicationshappensviatheIBMWatsonIoTPlatform.

7. Applicationlogiccanbeusedtoin_luenceorcontroltheapplianceaswell,forexampleawasher/dryermightnotstartimmediately,butmightdelaytogetabetterenergyrate.ApplicationscouldbewrittenusingaBluemixruntime,forexampletheNode.jsCloudFoundryruntime.

8. Usageandoperationaldatacanbecollectedfromthedevicesintheapplianceandstoredinadevicedatastore.IBMWatsonIoTPlatformcanstoredatadirectlyintheBluemixCloudantNoSQLDBservice,butotherstorageservicescanbeusedinstead.

9. Thisdatacanbeanalyzed,eitherinrealtimeorretrospectively,forexamplefor:• Preventivemaintenance• Understandingwhatfeaturesareusedfromappliance(forfuture

marketingorcrossselling)• Forrental/leaseoftheappliance(payasyougo)

TheIBMPredictiveMaintenancesolutioncanbeusedforpreventivemaintenance.Youcangainusageinsightsbycollectingthedevicedatainabigdatastoreandrunninganalyticsapplicationsagainstit.

10. Third-partyecosystemproviderscanconnectinviaAPImanagementtoofferfurtherservices,forexamplesellingaccessoriesorconsumables(e.g.,soap).APImanagementcanbeprovidedusingIBMAPIConnectforBluemix.

Scenario4.Real-)meMotorMonitoringThissamplesolutionmonitorsatorquemotorinrealtimeonashop_loor,andtheapplicationnoti_iesthetechnicianautomaticallyincaseofanyvariancefromstandardoperatingparameters.ThisWatsonIoTcloudnativeapplicationisintegratedwithMaximoassetmanagementsystemtominimizeoperationalchanges.TherearealsoBluemixAPIsusedfornoti_icationandSMSalerts.TheIBMpredictivemaintenancecloudserviceenablesoperations,manufacturing,production,andmaintenancepersonnelinasset-intensiveindustriestousepredictiveanalyticstoimproveassetavailability,increasethroughput,minimizeunplannedoutages,andreducemaintenancecosts.

Thisarchitectureoffersthecapabilitytodeveloppredictivemodelstoanalyzeassetperformancedatainrealtime,calculateassethealthscores,andpredictpotentialassetfailure.PleaserefertoIBMCloudArchitectureCenterforadditionaldetailsonthisWatsonIoTsolution.

Figure8illustratesthe_lowofthereal-timemotormonitoringscenarioforIoT.

https://www.ibm.com/devops/method/content/architecture/iotArchitecture

� Figure8.Flowforreal-timemotormonitoring

1. Auserinteractswithamachine(physicalentity).Inthisscenario,theinteractioniswithaservomotorviasensortomonitoritsperformanceattributestoenablepreventivemaintenance.

2. IBMIoTGatewayreceivesthedatafromtheIoT-enabledtorquemotorandisconvertedintoMQTTformat.

3. TheMQTTdatafromtheIoTgatewayisreceivedbyedgeservicesthatareenabledbyBluemixAPImanagementframework,whichthereal-timeinsightapplicationuses.

4. APImanagementenablesthebi-directionalconnectivityintotheIoT-enableddevicefromtheBluemixapplication.

5. TheAPIsandtheIoTdevicesareauthenticatedusingIoTfoundationAPIsinBluemix.TheseAPIsareenabledbyAPImanagementanddeviceregistrytoensuresensorandAPIauthentication.

6. APIanddeviceauthorizationpassesthereceiveddatatothePMQapplicationviaadeviceidentityservice.

7. Theapplicationlogicchecksforexceptions,boundaryconditions,andotheranomaliesinrealtime.

8. ViaTransformationandConnectivityservices,thework_lowintegrateswithMaximoandnoti_iesservicerepresentativesforreal-timepredictivemaintenance.

9. TheIBMcloudplatformandWatsonIoTAPIscompletethebusinessprocessautomationandoperationsintegration.Thisenablesnewbusinessmodels,whichhelpstoimproveoperationalef_iciency.

Scenario5.Industrie4.0/IndustrialIoTIndustrie4.0/IndustrialIoTfocusprimarilyonbusinessscenariosintegratingvertically(frommachinestocloud),horizontally(amongsupplynetworks),oralongthelifecycleoftheproduct.Giventhefocusonintegratingtheoperationaltechnology(OT)layerwiththeITlayerinamanufacturingcontext,IndustrialIoTrepresentsaspecialcaseofthegeneralIoTreferencearchitecture.Thisisduetothenatureofitsclosedenvironmentwithsomespeci_icrequirements,threelayers(edge,plant,cloud/enterprise),aswellastheimportanceofthe_lexibilityoffunctionaldeploymentamongthethreelayers,whichisastrongdifferentiationofIBM’sIndustrie4.0approach.

Notethatthethree-layerapproachresultsfromtheneedfortheindividualfactory(or"plant")tocontinueoperationevenifexternalconnectionstoenterpriseandcloudsystemsshouldfail–stoppingtheproductionlinesforanexternalconnectionfailureisunacceptable.Thisthree-layerapproachalsooccursinotherIoTscenariossuchassmartbuildings,wherealocalentitymustcontinueoperatingsmoothlyevenifconnectivitytocentralizedITsystemsfails.

Thisscenariofromautomotivemanufacturingmonitorsproductionequipmentandtoolsforvariousperformancemetricsandperformsanalyticsonthisdatabothattheedge(applyingtheemergingedgeanalyticsarchitecture)onaCiscoEdgedeviceandattheenterpriselayer,aspartoftheIBMIoTplatform.Theequipmentinthisexample,whichincludesrobots(usedforwelding)andhandlingequipment(conveyors,palletizers),isalreadyinstrumentedandisbeingmonitoredbyeitherOmronorFanucprogrammablecontrollers.

Othertoolsanddevicesareinvolvedintheoperationaswell.AwelderattachmentisconnectedviatheFanuccontroller,andimage-processingequipment(beingusedforinspectingwelds)isattachedviatheCiscoedgedevice.RFIDisusedinthisexampleforidentifyingpalletsandWIP;RFIDisalsointegratedviatheCiscoEdgedevice.

� Figure9.Industrie4.0/IndustrialIoTarchitecture

Backgroundofthereferencearchitecture:DevicesandproductionmachinesassociatedwithproductionoperationsaretypicallymanagedbyexistingDCS/SCADAsystems,whichcanbeintegratedbyindustryprotocolssuchasPro_ibus,OPC,MODBUS,etc.SomenewerequipmentisembeddingtechnologythatallowsittocommunicatewiththeoutsideworldthroughITprotocolssuchasMQTT.

Attheedge,gatewaysaretypicallyusedtointegratewiththeexistingsystemsandequipmentandarealsobecomingmorecapableofrunningedgeanalytics,applyingrules,andevenstoringdatalocallytosupportoperationsattheedge.Itisquitepossiblethattheedgewillcompletelyhandleaninteractionwithequipmentwithnoinvolvementoftheplantorenterpriselayers.Inothercases,theinformationfromtheedgewill_lowupthroughtheplantortotheenterprisewhereplantandenterpriseanalyticswillbeperformedinasimilarway.Theedgeandplantneedtobeabletooperateasastand-aloneunitfromtheenterprise,sosomecapabilitiesoftheplatformneedtobeinboththeplantandtheenterprise.

Informationfromintelligentdevicesandproductionmachinescanbecommunicatedupthroughthelayers(withappropriate_ilteringandaggregationalongtheway).Itisalsopossibleforinformationfromthedevicesandmachinestobecommunicateddirectlytotheplantorenterpriselayers,assumingthedevicesandmachineshavethatcapability(forexample,throughembeddedtechnology).

Thestepsinvolvedinthisexampleareasfollows:

1. Informationiscollectedfromtheequipmentandtoolsinitiallybyprogrammablecontrollersconnectedtotheequipmentthroughproprietaryequipmentinterfaces.ThecontrollersinthisexamplehaveanembeddedpieceofsoftwarecalleddeviceWISE(fromTelit)thatcanbecon_iguredtopasscontrolleranddevicedatatotheupperlayersofthearchitectureviastandardITprotocolslikeMQTTandMQ(orviaJDBCwritestoadatabase)periodically,orbasedonconditions.Theinformationcanalsobetransformed(mediated)asneededbeforeitispassedon.Thesamecomponent,deviceWISE,isusedforthesamepurposewithintheCiscoEdge(IoTGateway)device.

2. AnalyticsareperformedontheoutboundinformationintheOT/IThub(inthisexampleisrealizedbyaCiscoEdgedevicethatisembeddedwithIBMEdgeAnalyticsAgent(partoftheIBMIoTGateway).DependingontheresultoftheEdgeAnalytics,commanddataissentbackdowntotheequipment.Thisisthereverseofthe_lowintotheedgeandusestheDSbrokeranddeviceWISEtoissuethecommandandtransformitintothespeci_icprotocolanddataneededbytheequipment,inthecaseoftheImageProcessororRFIDattachedequipment,orthecontroller,inthecaseofequipmentandtoolsmanagedbytheFanucorOmron.

3. TheDSBrokercomponentoftheCiscoEdgecontrollerforwardsevents,basedoncon_iguration,tothePlantServiceBus,which,inthisexample,istheIBMWatsonIoTPlatformrunningonBluemix.Insomecases,whereplantdataisnotallowedtoleavethepremisesforexample,thePlantServiceBusmightinsteadberealizedbytheIBMIntegrationBus(IIB)ManufacturingPackwiththeIBMIoTPlatformrunninginthecloudattheenterpriselevel.

4. Operationaldataiscollectedattheplantlevel(afternormalizingandcleansing)tosupportplant-levelanalyticsaspartoftheshop_looranalyticsloop.Aninformationmodel,basedontheISA-95industrystandard,isusedtosupporttheanalyticsandis

alsousedfordashboardsandreportingaswell.

5. WithinthePlantServiceBus,analyticsandrulesdeterminetherequiredactionsforthisevent.Requiredactionscanincludefeedback,butcanalsoincludetriggeringactionsrepresentedinawork_low.Thiscouldbesimpleanalyticssuchasthresholdmonitoringortrending,butitcouldalsobemodel-basedanalytics,lookingattheperformanceofaproductiondevice,atool,aworkcell,oraproductionprocess(dependingonwhereweareinthearchitecture).Inthisexample,theanalyticscomponentoftheIBMIoTPlatformisusedforthispurpose.Inothersituations,IBMproducts/offeringssuchasPredictiveMaintenance,PredictiveQuality,PlantPerformanceAnalytics,orSPSSmightalsobeused.

6. Ifwarranted(basedoncon_igurationandappliedanalytics/rules),aplant-levelwork_lowistriggered.Thiswork_lowiscomposedtousePlantITSystemofRecord(SoR)servicesincombinationwithplatformservices.TheservicesherecouldcorrespondtoaManufacturingExecutionSystemorEnterpriseAssetManagementsystem.Theycouldalsobeplatform-providedservices(e.g.,Watson).Thework_lowisimplemented,inthisexample,asanIBMIntegrationBus_low.

7. Basedontheresultoftheanalyticsandrules,orthework_low(ifexecuted),informationmay_lowbacktotheEdgeandProductionEquipment,whichresultsindynamicrecon_igurationofthemanufacturingprocess.

IoTDevelopment

Formanyorganizations,buildinganIoTsolutionsisnewterritory.Frequently,thesesystemsinvolvemobiledevices,multipleexternaldatastreams,andthird-partyAPIs.Whetheryourbusinesshasexpertiseintheseareasorisjuststartingout,IBMBluemixoffersanef_icientwaytobeginbuildingIoTapplications—fromminimumviableproducttofullfunctionality.Thecombinationofcomposableservices,templatesforquickstartonIoTandmobiledevelopment,includingcognitivesolutions,powerfuldatamanagementanddatasciencetoolssupporttherangeofdevelopmentactivitiesacrosstheIoTarchitecture.

DeploymentConsidera)ons

DecidingwhichelementsofanIoTsolutionbelongonaspeci_iccloudservicetype—hybrid,public,private/dedicated,oron-premises(local)—isanimportantdecision.Clearlyde_inedrequirementsrelatedtodatasovereignty,regulatorycompliance,scalability,availability,andusagepeaksareimperativetothedecision-makingprocess.Thesheeramountofdataassociatedwithlivedatastreamsfrommanufacturingsensorsorconsumerdevicesmeansthatallaspectsofmessaging,connectivity,anddatamanagementareoftheutmostimportance.

Onceanorganizationhasde_inedfunctionalandnon-functionalrequirementsfortheirsolution,theycanmodeltheircapacityandperformancerequirements,analyzeexistingenterprisesystemsandinfrastructure,andreviewcomplianceandriskexposuretocomeupwiththeirworkloadassessment.IBMoffersworkloadaf_inityengagementstoassistcustomersindecidingwhatcloudservicetypeisbestsuitedtotheirneeds.Establishedbusinesswithstrictcomplianceneedsfrequentlychooseahybridcloudadoptionpath.The

followingsectiondiscussesthemostimportantareastoconsiderwhendeployinganIoTsolution.

Cloudinfrastructureandservicesoffertremendous_lexibilitybecausetheydon’thavetofocusasheavilyonhowcomponentsarephysicallyconnected.Eventhoughscalabilityandelasticityareinherentincloudandreducetheneedforexactcapacityandresourceforecasts,advancedplanningisstillimportant.Thisplanninggivesorganizationsareasonableexpectationofoperatingexpensesandsetsupthenecessarymonitoringandautomationtodeliverthebestserviceatthebestcost.IBMcloudserviceofferingsincludetoolsandengagementsthathelpdecidewheretoplacespeci_icworkloads,suchasCloudMatrixbrokerage,aswellasthemeanstomonitorandmanageday-to-dayoperationsandbilling.

ThissectionoffersguidanceforhowtoprovisiondataandcomputingresourcesusingtheIBMcloudplatformandcloudservices.

IBMoffersavarietyofAPIs,datatransformation,andstorageoptionsascloudservices.AllofferingsprovidethenecessaryscalabilityandelasticitytomeetthedatathroughputandtransactionalloadsassociatedwithIoT.Theseinclude:

• IBMBluemix• CleversafeObjectStorage• DataPower

Theseofferingsalsofunctioninahybridarchitecture,allowingtheenterprisetoleverageexistinginvestmentsandknowledge.

CommonCriteriaforCloudEnvironmentsWhilenosinglecloudenvironmentoptimizesallthesecriteria,de_iningthemostimportantonesforyourcustomerswillgoalongwaytowardsensuringusersatisfactionandmeetingyourbudget.Visibilityintoservicesisthekeytomanagingsatisfactionandcost.IBMBluemixprovidesasingleinterfacetomanageplatformandinfrastructureservicesandbilling.

Speci_iccriteriatoconsiderinclude:

• Scalabilityandelasticity• Databandwidth• Datasovereignty• Resilience• CPUandcomputation• Datavolume• Security• Optimizedprovisioning

Scalabilityandelas)city

Elasticityistheabilityforacloudsolutiontoprovisionandde-provisioncomputingresourcesondemandasworkloadschange.Publiccloudshaveadistinctadvantagesincetheygenerallyhavelargerpoolsofresourcesavailable.Youalsobene_itbyonlypayingforwhatyouuse.Privatecloudsanddedicatedhardwarecanmakeupsomeofthedifferencewithhigherbandwidthdatapaths.

IBMBluemixInfrastructureasaServiceallowsthecreationofadedicated,privatecloudthatisbasedonbaremetalandcanburstintopubliccloudasneeded.ThisoptionallowsthearchitecttodesignanIoTsolutionthattakesadvantageofthebestfunctionalityofdedicatedandpublicservices.IBMBlueBoxisanotherinfrastructureoptionforamanagedOpenStackinthecloud.

DatabandwidthPublicandprivatecloudsneedtobeoptimizedforbigdata.Largeclouddatasetsrequiringfastaccessbene_itfromprocessingcomponentswithfastandef_icientdataaccess.Inmanycases,thismeansmovingtheprocessingtothedata,orviceversa.Cloudsystemscaneffectivelyhidethephysicallocationofdataandprocessing.Tuningactivitiescanbecarriedoutcontinuouslywithminimalimpactondeployedapplications.TheelasticityofAPIsandconnectivityservicesisalsokey.IBMoffersarangeofsolutionsformovingandmanagingdataset,particularlyunstructureddata.

DatasovereigntyThephysicallocationwheredataisstoredmayberegulated,withregulationsvaryingfromcountrytocountry.Thisisparticularlythecaseforpersonallyidenti_iableinformationandforsensitivedatasuchashealthdataand_inancialrecords.TheEuropeanUnionhasparticularlystringentregulationsthatapplytothePIIofEuropeancitizens.Asaresult,anyIoTcloudsystemmustaccountfordatasovereigntyrulesandstoreandprocessdataonlyinthoselocationspermittedbytheregulations.Thisrequirestheprovidercloudtoprovidethecloudservicecustomerwithcontroloverstorageandprocessinglocations.IBMBluemixPaaSandIaaShavedatacentersin40locations,satisfyingEUandotherdatasovereigntyregulations.

CPUandcomputa)on

Theavailabilityofinexpensivecommodityprocessorsmeansthatpublic,private,andhybridcloudserverfarmsaretypicallyhighlyscalable.ModerndevelopmentenvironmentsusingHadoop,Spark,andJupyter(iPython)takeadvantageofthesemassivelyparallelsystems.Streamsandhigh-speedanalyticsareanemergingareawherecloudapplicationsusemorepowerfulprocessorpoolstoenablereal-time,in-motiondatasolutions.

Dedicatedhardwareallowsforfasterdevelopmentandtestingpriortomigrationtowardshybridandpublicenvironments.IBMoffersmultiple,fullymanagedandcustomermanagedoptionsinsupportofbigdataandanalytics.

HybridcloudandIoT

Similartodata-intensivesolutionsine-commerce,theenterprisemovingtoIoTenvironmentsfrequentlyneedtocombinepubliccloud,privatecloud,andon-premisescomponentstocreateahybridcloud.SeetheCSCCPracticalGuidetoHybridCloudComputing[6]formoreinformationabouthybridcloudplanning,governance,andoperations.TheIBMCloudpointofviewistoofferchoicewithconsistency,givingyoutheabilityto:

• Extendanexistinginvestmentviaarangeofcloudservices• Positionenvironmentsinpublic,dedicated,orlocalspacesasneededtosatisfy

regulatoryorsecurityrequirements• Gainelasticitybyleveragingoff-premisessystemsthatareamirrortoon-premises,

allwhilekeepingvisibilityacrosstheentirearchitecture.

IBMhybridofferingsinclude:

• IBMBluemixPaaS

Datavolume

InIoTsystems,thedatavolumecanexceedathresholdatwhichthetraditionalanalytictoolsetsandapproachesmaynolongerscaletomeetperformancerequirements.Socarefulplanningtostoredatainpubliccloudorprivatecloudortraditionaldatacenterisveryimportant.DatastreamingincasesofweatherormapsthatuseGPSmayresultinhugedatasetforanalysis.Also,alldatalosesrelevanceovertime.Dataretentionrequiresalittleexperimentation,unlessspeci_icallygovernedbyregulatoryorotherpolicies.Publiccloudsofferthe_lexibilitytostorevaryingamountsofdatawithnoadvanceprovisioning.In-housecloudstoragesolutionscanofferlong-termstoragecostadvantageswhenvolumeispredictedinadvance.

Security

Asmoredataaboutpeople,_inancialtransactions,andoperationaldecisionsiscollected,re_ined,andstored,thechallengesrelatedtoinformationgovernanceandsecurityincrease.Thedataprivacyandidentitymanagementofdevicesandindividualsisveryimportantforcloudcomputing.Thecloudgenerallyallowsforfasterdeploymentofnewcomplianceandmonitoringtoolsthatencourageagilepolicyandcomplianceframeworks.

Clouddatahubscanbeagoodoptionbyactingasfocalpointsfordataassemblyanddistribution.Toolsthatmonitoractivityanddataaccesscanactuallymakecloudsystemsmoresecurethanstand-alonesystems.Hybridsystemsofferuniqueapplicationgovernancefeatures:Softwarecanbecentrallymaintainedinadistributedenvironmentwithdatastoredin-housetomeetjurisdictionalpolicies.

Op)mizedprovisioningOptimizedcloudprovisioningcanhelpyouselecttherightproductfamilyforagivensetofusagecriteria.IBMCloudBrokeragecanhelpautomateprovisioningbasedonautomatedassessmentbasedonanorganizationsstrategyandpolicies.

http://www.cloud-council.org/deliverables/CSCC-Practical-Guide-to-Hybrid-Cloud-Computing.pdf

• CleversafeobjectStorage• BlueBox–OpenStackasamanagedservice• IBMWebsphereCommerce• DataPower

Businessesimplementinghybridcloudsolutionsarelookingfor_lexibilityandagilityindeliveringnewcapabilities.Ef_iciencyinprocessanddatacollectionareoftenthedriversoftheseinitiatives.Thebroadavailabilityofembeddedsensorsandcellular,WiFiornetworkconnectivityofdevicessupportstheexpansionofIoT.Becauseoftheneedtocombinemultipledatasetstoserveavarietyofuserpersonas,IoTsolutionsforB2BandB2Carefrequentlytheentrypointforhybridcloudadoption.

ThefollowingexampleillustratesthenewbusinessmodelsandapproachespossiblewhenadoptinghybridclouddeploymentforIoTsystems.IoTforconnectedcars-TheIoTsolutionforconnectedcarsisareal-timeeventdetectionandmanagementsystemdesignedtosecurelydetect,analyze,andhandleeventsgeneratedbyconnectedcars.Someoftheinformationwithhistoricandmaintenancedataforcarmanufacturerwillstayinthededicatedprivatecloudorintheirtraditionaldatacenterswhileothergenericinformationandtheirintegrationwiththird-partycloudservicesmaystayinpubliccloud.Connectedcarsneedreal-timeinformationaboutweather,traf_ic,andmapdatawhichcomesfrompeercloudservices.Forthedataprivacyandsovereigntyrequirements,datawithpersonalinformationaboutcustomersmayresideinon-premisesdatacentersinspeci_iccountries.Withuseofhybridcloud,onlywecanhandleallthesespeci_icneeds.

SummaryofKeyConsidera)ons

Thearchitectofaconsumer-centric,businessfocusedorindustrialIoTsolutionmustnavigateacomplexsetofconcerns.Amongtheseconcerns,thearchitectmustconsiderend-to-endsecurity,managementofmassiveamountsofdata,andensuringthatthevelocityofdatatransferandoverallconnectivitymeetsbusinessrequirementsorcontractualobligations.IoTsolutions,withtheircombinationofmultipledevicetypesintegratingwithmultiplesystemtypes,alsorequirethekindofadaptiveoperationsupportedbycontinuousdeploymentmethods,cloudresilience,andelasticity.

Architectswillbemostsuccessfulwhentheykeeptheseconsiderationsinmind:

• Designtomeetneedsforrapidchangeandupdatesinconnecteddevicesandsensors

• Buildmonitoringandadaptivemanagementintothesystem• Designwithdatasecurityandprivacyrequirementsatthefore• Ensurehighperformanceacrossallcomponents,withspecialattentiontowherethe

ingestionofreal-timedatastreamsoccurs• Plansysteminterfacesandservicesforthegreatest_lexibility• Ensurefutureinteroperabilitybychoosingopenstandards-basedcomponents

whereverpossible• Makedatasecurityafocalpointacrossthearchitecture

ConclusionThispaperoffersadeeperunderstandingoftheCSCCCloudCustomerReferenceArchitectureforIoTandintroduceskeyconceptsforcreatinganef_icient,scalable,secureIoTarchitectureandgivesyouguidanceonhowtointegrateyouron-premisesandenterprisesystems.Toframeyourspeci_icsolutioncomparedtoreal-worldexperiences,thispaperalsoofferspracticalguidanceintheformofdeploymentoptionsanduse-casescenariosbasedonactualIBMcustomerimplementations.Asyoucansee,IBMproductssupportthekeycapabilitiesrequiredtorealizeandoperationalizeanIoTarchitecture.IBMprovides_irst-classproductsupportforIoTandthecloudarchitectureforcustomers.

AcknowledgementsEricLibow,GopalIndurkhya,HeatherKreger,TimHahn,PeterNiblett,MikeEdwards,ThomasS.(Scott)Wallace,TejinderLuthra,RameshMenon,KarolynSchalk,ElizabethKoupman,GlennDaly,RobertFlaherty,DavidNoller,andPlamenKiradjiev

References[1]CloudStandardsCustomerCouncil,2016,CloudCustomerArchitectureforIoT

[2]TheIndustrialInternetConsortium’sIndustrialInternetSecurityFramework(IISF)paper

[3]IBMIoTSecurityPointofViewpaper

[4]TheIndustrialInternetConsortium'sIndustrialInternetReferenceArchitectureIIRApaper

[5]HowIBMleadsinbuildingbigdataanalyticssolutionsinthecloud[6]CloudStandardsCustomerCouncil2016,PracticalGuidetoHybridCloudComputing


http://www.iiconsortium.org/IISF.htm

http://ibm.co/iotsecurity-POV2

http://www.iiconsortium.org/IIRA.htm


http://www.cloud-council.org/deliverables/CSCC-Practical-Guide-to-Hybrid-Cloud-Computing.pdf

Documents

The IBM Advantage for Implementing the CSCC Cloud Customer ... · CSCC Cloud Customer Reference Architecture for Internet of Things (IoT) Introduc)on This paper describes how you