Category Archives: Architecture

Why Boards Overlook Enterprise Architecture

20 Tuesday Jan 2026

Posted by in ArchiMate, Architecture, Enterprise Architecture, Story Telling

Leave a comment

Tags

, , ,

Enterprise Architecture (EA) has been part of organisations for many decades. Most companies have some form of EA and plenty of diagrams meant to show how everything fits together.  These are often built around frameworks such as TOGAF and Zachman, but there are several other well-established architecture frameworks that can be used depending on industry and requirements.

Yet when boards discuss technology, architecture may not feature on the agenda unless there’s a problem. It’s not that boards don’t care or know about architecture, the issue is that EA can be seen as not delivering what boards genuinely need.

Why Boards Rarely Discuss Architecture

Boards typically only hear about architecture when something goes wrong: a hack or security issue, a major outage, a failed transformation or a regulatory breach. Otherwise architecture may be left out of the conversation. The reason isn’t indifference, but more that EA often misses the mark on what matters most to the board.

What Boards Care About (Not Diagrams)

Boards have a handful of core responsibilities and these can follow a governance code / framework

Examples of governance codes/frameworks (others are available):

This article provides a good explaination of a board governance framework “What are the core components of a board governance framework?

Some of these responsibilities cover areas such as:

  • Strategic coherence: Are we investing in the right capabilities to succeed?
  • Risk oversight: Where could the business fail on a large scale? (for example COSO ERM)
  • Capital allocation: Are our technology investments building lasting value?
  • Execution confidence: Can management deliver on its promises?
  • Ethical oversight: Are we upholding appropriate standards of conduct and integrity?
  • Resilience: Can we adapt to shocks, new regulations or disruptions? (For example: guidance from the UK FCA)
  • Stakeholder engagement: Are we considering the interests of shareholders, employees, customers and society?
  • Compliance and legal responsibility: Are we fulfilling our statutory and regulatory obligations?
  • Performance monitoring: Are we regularly reviewing organisational performance against targets and objectives?

Technology serves as the foundation supporting each of these critical governance areas. However the board’s primary concern is not with technology itself, but with the confidence that technological choices are purposeful, well-aligned with overall organisational objectives and capable of being maintained over time.

Boards are seeking assurance and reassurance that all technology related decisions are made with intention, in harmony with strategic aims and are structured to support ongoing sustainability.

When Enterprise Architecture fails at Board Level

When EA fails at the board level, it often shows up with:

  • Dense application landscape diagrams (EA is positioned too low)
  • Framework heavy language (TOGAF, Zachman, capability maps)
  • EA is measured on output and not impact
  • Long lists of “standards” and “principles”
  • Abstract future state visions disconnected from funding decisions

This can happen when an EA function focuses on:

While these areas are essential for building a sound EA /technical foundation, they do not by themselves address the broader, strategic questions that boards are concerned with, such as the organisation’s fragility, implicit assumptions, compounding risks or potential bottlenecks under pressure.

This can create a disconnect between what EA can typically deliver and the insight boards actually require to steer the business effectively.

Enterprise Architecture / Architecture can becomes valuable to a board when it explains why certain outcomes are likely or unlikely given the current shape of the enterprise. This is an idea aligned with Systems Thinking.

What Boards Actually Need from Enterprise Architecture

A Map of Enterprise Constraints (Not Systems)

Boards need to see where change is slow, expensive or risky. Consider these questions which a board needs to understand and align with the Theory of Constraints at the enterprise level.

  • Where change is slow, expensive or risky?
  • Which capabilities are tightly coupled?
  • What cannot be altered quickly without cascading impact?

Mapping an architecture and using an EA tool to do this can help in identifying answers to these questions, but remember these diagrams are not what the board are looking for, but providing a constraint map of the architecture.

  • “If we pursue Strategy X, these three bottlenecks will determine our cost, timeline and risk.”

Early Warning Signals, not Post-Event Explanations

Most architecture analysis happens after failure:

  • “Here’s why the outage happened”
  • “Here’s why the transformation stalled”

Boards need EA to surface leading indicators that don’t match strategy. These signals should work like Key Risk Indicators (KRIs) in risk management:

  • Rising integration density
  • Fragile data ownership
  • Overloaded platforms
  • Capability dependencies that no longer match strategy

Without this, architecture can remain reactive and something repeatedly criticised in post-incident reviews such as major outages.

Clear Trade-Offs Tied to Strategy

Every architectural decision involves a bet such as:

  • Centralisation vs. autonomy
  • Speed vs. control
  • Standardisation vs. differentiation

Boards don’t need the “right” answer, but rather a need to know which trade-offs management is making and which ones they’re inheriting by default. A good EA makes these choices explicit, a poor EA hides them behind technical language.

A Line of Sight from Spend to Structural Outcomes

Boards approve large technology budgets with surprisingly little insight into what those investments change structurally. If architecture cannot connect spending to changes in the enterprise, boards will see technology investment as risky and uncleary. This is where IT value realisation can help.

EA should consider this IT Value Realisation checklist

  • 1) Outcomes defined & quantified (targets, baselines, owners)
  • 2) Capability → value stream → process model in place
  • 3) Architecture decisions trace to value hypotheses
  • 4) Governance embeds value gates (Architecture Review Boards)
  • 5) Tooling configured for reuse & traceability (Archimate / UML)
  • 6) Incremental delivery plan
  • 7) Benefits tracking live (variance, forecast vs. actual, corrective actions)
  • 8) Operating model aligned (ITIL/IT4IT value streams instrumented)
  • 9) Risk controls (security, compliance, quantum‑resilience strategy)
  • 10) Communication cadence (value dashboards to execs/boards)

Confidence That Someone Is Watching the Whole System

Boards want to know that someone genuinely understands how the organisation works as a system. This expectation matches the intent behind enterprise-wide architecture governance, not just IT governance. This is a function that Enterprise Architecture should be fulfilling.

Reframing Enterprise Architecture for the Board

If if EA is to truly influence decision making at the highest level, it must evolve its approach.

To become relevant at board level, EA must shift from traditional practices to a more impactful, business centric approach. This transformation involves:

Describing the enterpriseExplaining its behaviour

Instead of merely cataloguing systems and processes, Enterprise Architecture should interpret how the organisation functions, highlighting patterns, interdependencies and emergent risks.

This can be met by telling stories about why things happen the way they do and what that means for the board’s strategic oversight.

Defining standardsSurfacing consequences

Rather than presenting lists of standards and principles, Enterprise Architecture should highlight the real world implications of these choices.

  • What risks are introduced or mitigated?
  • How do these standards impact business agility, resilience, or regulatory compliance?

Boards need to understand not just what the rules are, but why they matter.

Producing modelsInfluencing decisions

Enterprise Architecture should move beyond the creation of abstract models and frameworks by using its insights to actively shape board-level discussions.

This can be met by providing recommendations, challenging assumptions and framing choices in terms of risk, opportunity and strategic alignment.

The critical question EA must answer for boards

“Given how this enterprise is built today, what should leaders worry about tomorrow?”

This question captures the essence of board-level engagement. Anticipating future challenges, highlighting areas of fragility and ensuring leaders are equipped to make informed, forward-looking decisions.

Enterprise Architecture’s true value lies in its ability to surface these concerns before they become crises enabling boards to act proactively rather than reactively.

When EA can answer board level questions with clarity and relevance, the board will listen.

Further Reading

ISO/IEC 42010 for architecture descriptions

System Thinking

Theory of Constraints

The Role of Enterprise Architecture in Fostering Innovation

10 Monday Feb 2025

Posted by in Architecture, Enterprise Architecture, Innovation

2 Comments

Tags

, , ,

Aligning Business Goals with Technological Initiatives

Enterprise Architecture can play a pivotal role in fostering innovation by providing a structured approach to aligning technology with business goals. Through Enterprise Architecture, an organisation can ensure that their technological initiatives are not only advancing but also tailored to support and enhance business objectives, driving innovative outcomes.

Although this concept isn’t new and is well documented academically and in many blogs and internet articles and frameworks, the demand for innovation is now considerably higher because of rapid technical and commercial improvements.

Aligning Business and IT Strategies

One of the primary functions of Enterprise Architecture is to align business and IT strategies. By creating a roadmap that outlines how technology initiatives support business objectives, an organisation can ensure that its innovation efforts are focused and effective. This alignment helps in identifying opportunities for innovation that directly contribute to business goals and outcomes.

This involves a continual process of evaluating and adjusting the IT strategy to accommodate shifting business priorities, industry trends, and market conditions. Enterprise Architects need to work closely with stakeholders and business leaders to understand the strategic vision and translate it into actionable plans. This synergy allows organisations to leverage technological advancements to gain a competitive advantage and enhance operational efficiency. To enable this it is important that Enterprise Architects are informed and staying ahead of the curve.

Establishing a robust governance framework to monitor, measure, and review the success of outcomes against strategic initiatives enables informed decision-making. This helps foster a culture of continuous improvement and innovation.

Facilitating Agile Transformation

Enterprise Architecture provides a foundation for agile transformation by allowing flexibility and adaptability within processes and systems. Implementing agile methodologies furnishes an organisation with a more effective response to market fluctuations and customer demands.

Enterprise Architecture aids in pinpointing areas suitable for agility enhancements and ensures that the requisite infrastructure is identified to support these initiatives. This can involve creating modular and scalable systems that can be easily reconfigured or expanded as business needs change, providing continuous value delivery to customers and meet the business outcomes.

Supporting the cultural shift required for agile transformation is crucial. The organisation must promote a mindset of collaboration, experimentation, and learning, while allowing for a ‘fail fast, learn, and adapt’ attitude.

Enabling Digital Transformation

Digital transformation lies at the core of innovation in most modern organisations and today AI is helping drive that journey. Enterprise Architecture plays a crucial role in enabling digital transformation by providing a blueprint for integrating new technologies, such as adopting AI to assist and improve the business. Enterprise Architecture offers strategic direction, technological framework, and governance, helping to accelerate innovation while ensuring the organisation remains agile, resilient, and capable of meeting business and customer needs and outcomes.

Optimising Resource Utilisation

Effective resource utilisation can help to drive innovation. Enterprise Architecture helps organisations optimise their resources by providing a clear view of their IT assets and capabilities. This visibility allows organisations to identify redundancies, streamline processes, and allocate resources more efficiently, thereby freeing up capacity for innovative projects. By making savings in one area, the savings could be reinvested into innovative projects helping to create additional savings and growth.

Enhancing Collaboration and Communication

Innovation often requires collaboration across different departments and teams throughout an organisation. Enterprise Architecture facilitates this collaboration by providing a common language and framework for communication through a standard agreed taxonomy. By breaking down silos and promoting a holistic view of the organisation, Enterprise Architecture enables teams to work together more effectively on innovative initiatives.

Supporting Risk Management

Innovation involves taking risk and these risks should and need to be managed effectively. Enterprise Architecture supports risk management by providing a structured approach to identifying, assessing, and mitigating risks associated with new initiatives. This ensures that innovation efforts are not only creative but also sustainable and aligned with the organisation’s risk appetite.

Driving Continuous Improvement

Enterprise Architecture is not a one-time effort but a continuous process of improvement. By regularly reviewing and updating the Enterprise Architecture framework, organisations can ensure they remain agile and responsive to new opportunities for innovation. This continuous improvement mindset helps organisations stay ahead of the competition and maintain their innovative edge.

Used correctly and and invested in, Enterprise Architecture can be a spring board for boosting an organisations innovation journey.

Further Reading

Stay Ahead of the Curve: Essential Strategies for Technologists to Stay Informed
The Fusion of Tech and Creativity Driving Innovation
Turning Failures into Success: The Mindset of Failing Forward for Technologists
2025 PKMS Updates: Boost Productivity and Knowledge Retention

8 Free “For Dummies” books you should read in 2016

12 Tuesday Jan 2016

Posted by in Architecture, Cloud, Development, DevOps/OpsDev, Enterprise Architecture, Innovation, Programming, Security

Leave a comment

Tags

, , , , , , , ,

There has been a lot of the free smaller versions of the “For Dummies” books published recently. These are normally sponsored by a company to help promote a way of thinking/product/etc, however they do contain useful overviews and information on the subject that they are presenting on.

Here are my top 8 of these which should be on your reading list for the start of 2016. All are downloadable in PDF format*.

Agile for Dummies

API for Dummies

DevOps for Dummies

Micro-segmentation for Dummies

Next Generation Endpoint Security for Dummies

Software Defined Data Centres for Dummies

Software Defined Networking for Dummies

Software Defined Storage for Dummies

*You may need to sign up to receive some of these books.

Manual tasks of today should be the Automated tasks of tomorrow

11 Monday Jan 2016

Posted by in Architecture, Development, DevOps/OpsDev, Innovation, Open Source, Productivity, Programming, Tools

10 Comments

Tags

, , , , ,

“Manual tasks of today should be the Automated tasks of tomorrow”.

CogsThere are lots of Automation tools available to people and businesses today to automate tasks that are carried out in a manual way. The pace at which this is happening is varying based on Habits and Patterns that we use on a daily basis. Also because change is involved which sometimes causes its own set of anxieties and issues.

Back in 2012 Bruno Oliveir published a graph on G+ on Geeks and repetitive tasks, which, shows a view of time vs task and how as geek vs non geek might approach automation.

geeks-vs-nongeeks-repetitive-tasks

An alternative view was published by Jon Udell in 2012 – Another way to think about geeks and repetitive tasks which shows an alternative view adding in more steps to show repetition.

alternate-view-of-automation

xkcd has an interesting view on the subject that does ring true in some cases where something does not exist and needs to be created in order to Automate.

automation

You need to be careful that in spending lots of time in trying to automate a task, that you don’t may spend more time in developing automation than could have been spent actually doing the task.

To get over this an element that is missing from these graphs is reuse and blueprints/patterns. The chances are that someone else has had a go at doing what your about to automate so there may be something to reuse rather than developing something yourself.

There are lots of tools and code repositories available today with more being developed. It will depend upon what you are automating as what to use.

Some of the tools available include;

There are too many to list – lots of others available.

Using an Agile approach as well may reduce the length of the task size line on the graph as you do not need to boil the ocean to automate. Break up tasks into their components and you may find it easier to automate.

These tools are also bringing the geek and non geek lines together as Application’s and API’s make it easier for automation to be implemented. The plot of the graph changes into a repeatable process and in effect becomes a loop for both the geeks and non geeks.

Automate

So what will you automate today?

 

 

An A-Z Guide to being an Architect

07 Thursday Jan 2016

Posted by in Architecture, Big Data, Cloud, Development, DevOps/OpsDev, Enterprise Architecture, Governance, Innovation, IoT, Open Source, Productivity, Programming, Security, Social Media, Tools

Leave a comment

Tags

, , , , , , , , , , , , , ,

Back in 2008 Microsoft published An A-Z Guide to ABCBeing an Architect in their Architecture Journals.

Here is my take on an updated A to Z Guide to being an Architect. A couple of these may be similar.

A – Architect

Having the right level of skills as an Architect or engaging an Architect with the right level of skills will depend on the work needing to be undertaken. There are several types of Architect with some specialising in certain areas and others being multi domain skilled. The list below covers some of the different types of Architect- this is not an exhaustive list:

B – Blueprints

Following Blueprints and Patterns either published by vendors (such as the Microsoft Blueprints) or developed internally around your products and services will ensure repeat-ability and cost control around the design process.

Some examples showing different pattern types can be found at Architecture Patterns

C – Contextual Web Era

The up and coming 4th Platform area is the Contextual Web Era

  • 1st Platform – Mainframe Era
  • 2nd Platform – Client Server Era
  • 3rd Platform – Cloud Era
  • 4th Platform – Contextual Web Era

This is an up and coming era with lots of new innovation and developments. Keeping up with developments is key going forward for any architect to understand designs/solutions, art of the possible now and future, innovation and for developing roadmaps for solutions.

D – DevOps

To quote Wikipedia – “DevOps (a clipped compound of “development” and “operations”) is a culture, movement or practice that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes”. Having knowledge of DevOps, OpsDev and Agile assist with Architecting a solution for a business understanding their practices and modes of interacting with technology to meet business requirements. A Good book on the subject of DevOps is “The Phoenix Project” by Gene Kim.

E – Enterprise Architecture

EA (Enterprise Architecture) is a blueprint that defines how a business can meet its objectives and strategy. This is achieved by conducting analysis, design, planning, recommendations and implementations through an Enterprise Architecture Framework

Enterprise Architecture Wikibook

F – Four Two Zero One Zero

42010 is the ISO Standard that most frameworks adhere to. Working to a Framework brings structure to your designs and life cycles.

There are a number of frame works available such as:

  • DoDAF
  • MoDAF
  • TOGAF
  • Zachman
  • Other Frameworks are available

Enterprise Architecture Wikipedia Book

G – Governance

Governance is an important part of architecture as it

  • Ensures Conformance
  • Controls Variance
  • Maintains Vitality
  • Enables Communication
  • Sets Direction
  • Issue Resolution
  • Provides Guidance and Prioritisation
  • Promotes Best Practise
  • Minimises Risk
  • Protects IT environments from tactical IT changes, project solutions, and strategic proposals that are not in an organisations global best interest
  • Controlling Technical Diversity, Over-Engineering and Unnecessary Complexity
  • Ensures projects can proceed quickly & efficiently
  • Control over IT spend
  • Quality Standards
  • Efficient and optimal use of resources and increase the effectiveness of IT processes

H – Hands On

It is important to be current and understand the technologies you are architecting. There are lots of options available to get your hands dirty using technology from using Cloud Servers to virtual machines on your compute device. There are other computing devices such as the Raspberry PI that provide a cheap alternative to standing up small farms to learn on.

I – IoT

IoT (Internet of Things) is where physical things are connected by the internet using embedded sensors, software, networks and electronics. This allows the items to be managed, controlled and reported on. My blog posts on IoT Device Security Considerations and Security Layers goes into more detail on this subject.

J – Juxtaposition

Juxtaposition is something an architect should be doing to compare things/items/artefacts etc.
noun;
1. an act or instance of placing close together or side by side, especially for comparison or contrast.
2.the state of being close together or side by side.

Source:http://dictionary.reference.com/browse/juxtaposition

K – Knowledge

I would class Skills with Knowledge. It is important as an Architect to ensure that your skills/knowledge are up to date and where you are unsure of a technology, you have a plan to address and skill up. Build a good CPD (Continuing Professional Development) plan and work towards completing it.

L – Language

With the move to cloud it is important to ensure your scripting skills are up to date as most cloud platforms use scripting to assist with the deployment of environments. This is also true of other DevOps/OpsDev applications. If you are unsure on what to learn this guide may help you – Learn a Programming Language – But which one?

M -Micro Segmentation

Micro Segmentation allows a business to use Networks, Compute and Storage to automate and deliver complex solutions by carving up and using the infrastructure. This segments part of the infrastructures to specific functions/tasks. It can also be used in a security context to segment networks, firewalls, compute and storage to increase security and reduce cyber attacks.  VMware have produced a book “Micro Segmentation for Dummies” that can be downloaded from here.

N – Next Generation

Next Generation refers to the next stage or development to something such as a new release of hardware or software. Next Generation is becoming a common term now to define products and artefacts, an example being Next Generation Firewalls.

O – Open Source

Open Source has been available for a long time with software such a Linux, however there is a bigger shift towards using Open Source and acceptance by businesses. Some examples of Open Source that is now mainstream within business include;

  • Ansible
  • Chef
  • Docker
  • Puppet

P – Performance

Performance can cover people as well as solutions / systems. Performance metrics should be set out at the inception of an engagement then monitored and reported on. This will be a factor in driving Continuous Improvement going forward as well as forecasting / planning for future upgrades and expansion.

Q – Quality

Quality is a huge subject and has a lot if standards governing it and how it affects all aspects of business and architecture. Knowing which standards and how they affect a solution will assist in the whole architecture lifecycle. There are also a number of tools available to help you;

  • Architecture Frameworks
  • ITIL
  • Six Sigma

There is also a level of pride and satisfaction in producing a quality solution and system achieving the objectives and requirements set out by the business.

R- Roadmap

Any architecture/solution should have a roadmap to set out its future. Roadmaps should include items such as:

  • Current state
  • Future state
  • Innovation
  • Upgrades / Releases
  • New Features / Functions
  • End of Life / Replacement

S – SMAC

SMAC stands for Social, Mobile, Analytics, Cloud. SMAC is an acronym that covers the areas and concepts when these four technologies are brought together to drive innovation in business. A good description of SMAC written by a colleague can be found here Acronyms SMAC.

T – Transformation

The majority, if not all systems will undergo a form of transformation. This may be in the form of a simple upgrade or to a complex redesign and migration to something else.

U – UX

UX (User eXperience) affects how people interact with your architecture / design and how they feel about it (emotions and attitudes). With the boom in apps and the nearing Contextual Web Era, UX is one of the most important factors to getting an architecture used. If your users don’t like the system they may find something else to use that they like.

V – Vision

Understanding the vision of your customer and their business is the driving factor for any architecture.

On working with your customer you should look to become a Trusted Advisor and also with your colleagues. A great book on the subject is The Trusted Advisor by David Maister. The book covers 3 main areas which discusses perspectives on trust, the structure of trust building and putting trust to work.

W – WWW

The internet is a key delivery mechanism for systems. Knowing how this works and key components to the internet should be understood such as:

  • IPV4 – IPV6
  • DNS
  • Routing
  • Connectivity
  • Security

X – X86

X86 – is a standard that every knows as its one of the most common platform types available.

Y – Year

Year is for the longevity of the solution you are designing. How many years are your expecting it to last What are the Business Requirements, statutory obligations, depreciation etc that need to be planned in. Consider things like End of Life, Maintenance and Upgrades on hardware and software from a solution point of view.

Z – Zero Defects

The best solution is the one with zero defects, but reaching this goal can be a challenge and can also consume a lot of expense. The best way to ensure Zero Defects is to use:

  • Best Practice
  • Reference Architectures
  • Blueprints/Patterns
  • Checklists
  • Reuse
  • Lessons Learnt

This is my current A to Z and some of the entries may be different in your version so “What is in your A to Z of being an Architect?”

I will look to write some further blog posts on the areas listed in this A to Z

IoT Device Security Considerations and Security Layers – User Interface

11 Wednesday Nov 2015

Posted by in Architecture, IoT, Programming, Security

4 Comments

Tags

, , ,

ThingsThe next area in my series on IoT Device Security Considerations and Security Layers is the User Interface.

Many IoT solutions may just have a standard Web interface to a back end system where IoT Devices and Sensors can be controlled. There is already a lot of documentation on good practices for the Web front end.

In some cases the User Interface may be on the IoT device or not delivered over a Web interface. In these cases many of the good practices for Web front ends can still be applied.

Here are a few of the main considerations:

User Interface

User experience is key to any system, however security is as well. When designing your User Interface you should consider the functionality needed to what the user requirements are, keeping the design slick reduces options for hackers to exploit.

Following good code practices and testing will help in this area.

Identification and Authentication

Most applications these days requires a form of log on and password to links into another system for identification such as AD, LDAP or SSO (Single Sign On).

Ensuring that a strong password policy is in place with rules such as:

  • At least 8 characters long
  • Includes alphanumeric characters
  • Different from previous password
  • No complete words
  • At least 1 upper case character
  • At least 1 lower case character
  • At least 1 number
  • At least 1 special character

Some of these rules will depend if you are authenticating against an existing directory system and its current policies. you should consider changing them if they are not secure.

This in turn allows for the authentication of users against other methods such as a 2 factor.

User Interface

Error Messages

Firstly ensuring that the application and interface have good error handling to reduce the number of messages that the user sees should something unexpected happen.

Secondly having simple well defined error messages reduces exposure of what systems you are running or the type of code that can appear in some errors.

Some further reading:

IoT Device Security Considerations and Security Layers – Device/Application API’s

09 Monday Nov 2015

Posted by in Architecture, IoT, Programming, Security

4 Comments

Tags

, , ,

ThingsFurthering my series on “IoT Device Security Considerations and Security Layers” next in the stack is the Device/Application API’s.

API’s (Application Programming Interface) provide a capability to easily interact with a system. This could be an API to an IoT Sensor that a server application could use to get information from through using a set of common libraries and functions.

IoT API

APIs often come in the form of a library that includes specifications for routines, data structures, object classes, and variables. In other cases, notably SOAP and REST services, an API is simply a specification of remote calls exposed to the API consumers.
-Wikipedia

There are a number of steps you can take to secure your API’s:

Standards

Follow any standards/security standards available for the systems you are working with. As discussed in previous blog posts standards for the IoT is one area that is still being defined.

Libraries

Installing only the API’s/libraries you need for your application/IoT Device/IoT Sensor (or un-installing any unused API’s/libraries) 

Secure Messaging

Where feasible using Secure Messaging using a level of authentication ensures that the API is communicating and operating with the right system. This ensures that the IoT Device/Sensor can only interface with the correct system and not accept any rogue requests.

Error Handling

An API should be able to understand what to do when it detects an error condition and what to do when it cant. This is important so false instructions/data cannot be sent to the API to make it fail and then be open to attack.

Patching

Using the most up to date version of the API’s/libraries will ensure any bugs or issues have been removed reducing any exposure to attacks that hit known issues. employing a regular patching capability where possible maintains a level of security. It may not be possible to update IoT Devices/Sensors that are embedded, however any server side API’s/libraries should be up to date. This will however increase compatibility testing with the IoT Devices/Sensors to ensure the interfaces still work.

Further Reading

OWASP REST Security Cheat Sheet

IoT Device Security Considerations and Security Layers – Operating System

21 Wednesday Oct 2015

Posted by in Architecture, IoT, Security

4 Comments

Tags

, ,

ThingsAnother post in the series on “IoT Device Security Considerations and Security Layers“, this time looking at Operating Systems.

There are many Operating Systems available for use on IoT devices and there are more being developed all the time. These range from specific Operating Systems targeted at a specific IoT Chip set to ones that can be used across a number of devices. Some of the names in this field are well known by every day consumers and some not so well known but are strong in this area.

IoT Operating Systems

At this time there are not many standards agreed across the industry, but more group specific depending upon which platform you are developing on. The main standards that exist are around networking and connectivity. Groups and Communities currently discussing and creating IoT Standards). Some of these are around security and securing the IoT devices.

There are a number of standard practices that you can carry out to help secure your IoT device at the Operating System level:

Right Operating System

Choosing the right Operating System is key to ensuring your IoT Device will function as you require it to and support the applications you are using. You should look to only install the Operating Systems elements that are needed to reduce any future Security Issues through none used modules. Streamlining (or removing none used modules) also reduces the amount of space needed on the IoT device.

Upgrades

Upgrading to latest versions of the Operating System at regular intervals will ensure that you have the latest software and that additional space is not taken up with old patching files. This also ensures any known security holes in the Operating System are protected. This also has the added benefit of keeping up with any new features introduced into the Operating System.

Patching

Patching of both the hardware BIOS and Operating System should be considered. Ensuring that the BIOS is at the latest level makes any patching more effective as the Operating System and patches are normally created and tested on the latest hardware and releases.

Regular patching needs to be carried out in order to fix any known exploits or Security holes in the Operating System/ Some latest Operating Systems patch automatically at a regular interval which when configured allow this task to just be a monitored one to ensure devices are being updated.

Access

Only allowing the users or systems that need access to the device and removing all other accounts and access rights will secure the device. The levels of access control, user id’s and passwords will be dependent on the Operating System used. These can range from local settings to a centralised control such as Active Directory.

Below are some links to Operating Systems and their supported hardware platforms.

Brillo

Contiki

FreeRTOS

Linux

http://www.linux.org/

mbedOS

Microsoft

OpenWSN

Riot

Tiny OS

IoT Device Security Considerations and Security Layers – Sensor/Instruments

12 Monday Oct 2015

Posted by in Architecture, IoT, Security

4 Comments

Tags

, ,

ThingsNext in the blog series “IoT Device Security Considerations and Security Layers” is Sensors and Instruments.

There are many different sensor types ranging from the consumer available to those used in industry and specialised, e.g:

  • Barometric Pressure sensor
  • Temperature sensor
  • Altitude sensor
  • Colour sensor
  • Accelerometer sensor
  • Compass sensor
  • Humidity sensor
  • Proximity sensor
  • Motion sensor
  • Light sensor
  • Roation sensor
  • Water sensor
  • Heat sensor

Sensors will typically be connected hard wired or remote.

IoT Sensors by Max Hemingway

Security for Wired sensors will be inherently secure as the connectivity is over a physical wire.

Where there is wireless connectivity the type of wireless used should be considered with security in mind. This is called a WSN (Wireless Sensor Network)

The list of considerations could be listed as:

  • Wireless Protocol
  • Authentication
  • Encryption
  • Pairing
  • Signal strengths and limitations
  • Certificates

Some good white papers that cover WSN’s and security considerations are:

IoT Device Security Considerations and Security Layers – Storage/Data

08 Thursday Oct 2015

Posted by in Architecture, IoT, Security

4 Comments

Tags

, ,

ThingsThe next layer to cover in my blog series on IoT Device Security Considerations and Security Layers is that of Storage and Data.

Breaking IoT down to a basic form there will be two main sorts of IoT devices:

  • Those with local data storage on the IoT Device
  • and those without

That’s not to say that there would be a local storage system nearby such as sensors in a car having an on-board storage system for data that is then sent to a central system somewhere.

Either way, the future data economy will be huge. The IoT is predicted to create masses of data. Cisco have predicted this growing to 403 zettabytes a year by 2018.

Internet of Everything (IoE) Potential Impact on Cloud

●   Globally, the data created by IoE devices will reach 403 ZB per year (33.6 ZB per month) by 2018, up from 113.4 ZB per year (9.4 ZB per month) in 2013.

●   Globally, the data created by IoE devices will be 277 times higher than the amount of data being transmitted to data centers from end-user devices and 47 times higher than total data center traffic by 2018.

(Source Cisco)

That’s a lot of data to secure!

When looking at Storage and Data security the main consideration on securing data should be around data relevancy and what should actually be stored. This can be done locally at the IoT device with the programme/application collecting data at specific intervals or back at a collection system that applies policies to the data and filters out the relevant data, deleting the rest (Both could be done).

IoT Data by Max Hemingway

(Click diagram for a larger version)

Defining a Data Life Cycle is a key part to IoT Data Security.

Security of data on the device will depend upon the local security designed. There may be nothing stopping a sensor physically being stolen or tampered with, however electronically and through software other measures can be taken.

Storing data on a centralised solution and applying a level of security around that would provide a more secure environment as data transmitted could be encrypted through the network elements used.  Back end solutions will probably use standard solutions available today with well defined security standards and options available to secure data.

Where data is stored locally on the IoT device adding things like encryption at rest to data on a device may be necessary in some cases, but the flip side is an impact to the responsiveness of the device and data retrieval. This also adds to the complexity of the device and ultimately cost.

Personal security may also factor into the IoT Device solution, such as a wearable device on the wrist to record fitness data. As it is worn and secured onto the consumers wrist it may be classed as secure until the consumer went to a data point to upload their latest statistical data and analyse the results. Data is stored locally in this use case and then uploaded to a central point afterwards.

To summarise a list of considerations:

  • Local or Central Storage
  • Data Life Cycle
  • Data relevancy
  • Data retention policies
  • Encryption
  • Back end system data security
  • Security by use (ie. wearables)