Amazon Securing IoT Data With Certificates

Amazon launched its IoT at its Re:Invent conference in Las Vegas Oct. 8, and illustrated how it will handle data pouring into its storage systems.

Matt Wood, general manager of Amazon product strategy, explained how the Amazon Internet of Things will work in an interview after Vogels' keynote Thursday.

Shadow Devices, Rules Engines, and More

Medical devices or devices in the home or industry will communicate with the Amazon IoT through a Device Gateway. The gateway depends on a 30-year-old protocol, MQTT, for its communications. The protocol is well suited for the purpose, because it functions for irregular or intermittent data transmissions characteristic of devices on the IoT, and requires little compute power.

The Device Gateway requires a digital certificate from each communicating device. The certificate identifies and authenticates the sender, carries the policies and privileges that govern who may access the data, and underpins encryption of the data as it moves into the cloud.

Before the data is sent on to permanent storage, an IoT Rules Engine is allowed to query it. The data's owner can submit SQL-like queries to the data as it arrives, as in asking a block of temperature data whether it includes any readings over 80 degrees. When the query discovers such a reading, a rule is triggered that tells the end point system to consume less power until the temperature falls back into a normal range.
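The two steps described above, gateway authorization on the device's certificate followed by rule evaluation on the arriving data, are modelled below as an added Python example; it is not AWS code and does not use the AWS IoT SDK. Everything in it is constructed: the device identity is the SHA-256 fingerprint of whatever bytes the device presents as its certificate (placeholder byte strings stand in for real DER certificates), the policy is a per-device list of MQTT topic filters it may publish to, and the rule is a predicate over the readings in a JSON payload. The topic-filter matcher follows the MQTT wildcard rules (`+` for one level, `#` for the remainder) so the same helper serves both the policy check and the rule's topic selection.

```python
"""Toy model of an IoT device gateway and rules engine (constructed example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


def fingerprint(cert_der: bytes) -> str:
    """Identity the gateway derives from the presented certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder.

    '#' is only valid as the last level of the filter and also matches the
    parent topic itself ('sensors/#' matches 'sensors').
    """
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


@dataclass
class Policy:
    publish: List[str]  # topic filters this device may publish to


class Gateway:
    """Authorizes a publish by mapping the certificate fingerprint to a policy."""

    def __init__(self, policies: Dict[str, Policy]):
        self.policies = policies

    def authorize_publish(self, cert_der: bytes, topic: str) -> bool:
        policy = self.policies.get(fingerprint(cert_der))
        if policy is None:
            return False  # unknown certificate: no policy, so deny (least privilege)
        return any(topic_matches(f, topic) for f in policy.publish)


@dataclass
class Rule:
    topic_filter: str
    predicate: Callable[[float], bool]  # applied to each reading
    action: str


class RulesEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, topic: str, payload: dict) -> List[str]:
        """Return the actions triggered by one message, in rule order."""
        readings = payload.get("readings", [])
        return [
            r.action
            for r in self.rules
            if topic_matches(r.topic_filter, topic) and any(r.predicate(x) for x in readings)
        ]


def ingest(gateway: Gateway, engine: RulesEngine, cert_der: bytes, topic: str, payload_json: str) -> dict:
    """Gateway pipeline: authorize, then let the rules engine query the data before storage."""
    if not gateway.authorize_publish(cert_der, topic):
        return {"stored": False, "actions": [], "reason": "unauthorized"}
    payload = json.loads(payload_json)
    return {"stored": True, "actions": engine.evaluate(topic, payload), "reason": ""}


# Constructed sample data: placeholder certificate bytes, one provisioned device, one rule.
DEVICE_A_CERT = b"constructed-placeholder-der-bytes-device-A"
DEVICE_B_CERT = b"constructed-placeholder-der-bytes-device-B"  # never provisioned
GATEWAY = Gateway({fingerprint(DEVICE_A_CERT): Policy(publish=["sensors/deviceA/+"])})
ENGINE = RulesEngine([Rule("sensors/+/temperature", lambda t: t > 80, "reduce_power")])


if __name__ == "__main__":
    print(ingest(GATEWAY, ENGINE, DEVICE_A_CERT, "sensors/deviceA/temperature", '{"readings": [72, 85]}'))
    print(ingest(GATEWAY, ENGINE, DEVICE_B_CERT, "sensors/deviceB/temperature", '{"readings": [99]}'))
```

The deny-by-default branch in `authorize_publish` is the point a practitioner should keep: a device whose certificate is not bound to a policy gets no access at all, and a provisioned device can only publish under its own topic prefix, so a compromised device cannot inject readings for its neighbours into the rules engine.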

In addition to the Device Gateway and Rules Engine, Amazon will create a virtual or "shadow device" from the data, describing a real one, and allow that virtual device to reflect the state or most recent status of an actual device. Since communications may be intermittent, a message slated for a physical device but unable to reach its target would be stored by the shadow device and forwarded when its counterpart became accessible again. The Device Gateway will talk to the shadow device exactly as it would its real counterpart, Wood said.

The shadow device is "the alter ego in the cloud" of a real device, he noted. Each shadow device will have a Web standard REST API in front of it so users of the IoT can determine the last reported state of any device, whether currently connected or not.
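The shadow behaviour described in the two paragraphs above, keeping the last reported state of a device, answering for it over a REST-style read while it is offline, and holding messages until it reconnects, is modelled below as an added Python example. It is not AWS code; the class, its method names and the shape of the state document are all assumptions made for illustration, and the timestamps are constructed values passed in by the caller.

```python
"""Toy model of a device shadow with store-and-forward (constructed example)."""
import time
from collections import deque
from typing import Any, Deque, Dict, List, Optional


class DeviceShadow:
    """Cloud-side alter ego of one physical device.

    Holds the last state the device reported, tracks connectivity, and queues
    messages addressed to the device while it is unreachable.
    """

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.reported: Dict[str, Any] = {}
        self.version = 0                     # increments on every report
        self.last_reported: Optional[float] = None
        self.connected = False
        self._pending: Deque[dict] = deque()  # messages waiting for the device
        self.delivered: List[dict] = []       # messages actually handed to the device

    def connect(self) -> int:
        """Device comes online: flush anything queued while it was away. Returns count flushed."""
        self.connected = True
        flushed = 0
        while self._pending:
            self.delivered.append(self._pending.popleft())
            flushed += 1
        return flushed

    def disconnect(self) -> None:
        self.connected = False

    def report(self, state: Dict[str, Any], now: Optional[float] = None) -> int:
        """Device reports its current state; returns the new shadow version."""
        self.reported.update(state)
        self.version += 1
        self.last_reported = time.time() if now is None else now
        return self.version

    def send(self, message: dict) -> str:
        """Gateway side: deliver now if connected, otherwise hold for later."""
        if self.connected:
            self.delivered.append(message)
            return "delivered"
        self._pending.append(message)
        return "queued"

    def get_state(self) -> dict:
        """What the REST endpoint in front of the shadow would return, connected or not."""
        return {
            "device": self.device_id,
            "connected": self.connected,
            "reported": dict(self.reported),
            "version": self.version,
            "lastReported": self.last_reported,
            "pendingMessages": len(self._pending),
        }


def scenario() -> dict:
    """Constructed walk-through: report, go offline, receive a queued command, reconnect."""
    shadow = DeviceShadow("thermostat-1")
    shadow.connect()
    shadow.report({"temperature": 85, "power": "normal"}, now=1000.0)
    shadow.disconnect()
    status = shadow.send({"cmd": "reduce_power"})   # device offline: queued
    offline_view = shadow.get_state()               # REST read still answers
    flushed = shadow.connect()                      # queued command delivered
    return {"status": status, "offline_view": offline_view, "flushed": flushed, "delivered": shadow.delivered}


if __name__ == "__main__":
    print(scenario())
```

The `version` counter is worth carrying even in a toy: a consumer that reads the shadow and later writes back can include the version it saw, and the shadow can reject a stale write, which is how conflicting updates from the device and from the cloud side are kept from silently overwriting each other.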

Finally, the IoT Gateway will recognize the designated storage for a particular stream of device data and ensure that it ends up there.

Wood said there is no reason why anyone interested in collecting device data can't master the MQTT or other protocol, build their own gateway, set up their own ID and authentication systems and querying/rules engine, and scale the capture and storage of the data as needed. "Doing it with best practices, particularly around security, is very challenging," he said.

Such comments are obviously meant to give cloud users pause if they're thinking of a do-it-yourself approach. That doesn't mean it can't be done, but Wood was explicitly challenging customers to compare that cost versus what Amazon is charging for IoT as a service. No pricing was announced with IoT details Thursday.


Those who adopt Amazon's services instead of building an IoT themselves "will be able to focus more on the edge of the network, the sensors and machines and consumer apps." That, clearly, is where Amazon Web Services thinks its customers' best efforts ought to go.

To help customers get started with the IoT, Amazon offers an IoT device software development kit and connector to AWS IoT. Third-party partners can add functionality to a basic connection such as over-the-air updates or remote diagnostics. Ayla Networks, Cirrus Link, Thingworx, and Xively offer those services. Customers may also use Splunk, another partner, for data analysis. System integrators such as Accenture, Booz Allen Hamilton, Thinglogix, and Two Bulls can bring the pieces together and customize their function.

In addition to Philips, NASA and the Jet Propulsion Laboratory are early users of the AWS IoT, employing data collected from sensors on the Mars Rover and other craft that were sent into the solar system.