Abstract
The exponential growth of the Internet of Things (IoT) ecosystem, which reached 3.4 billion cellular IoT connections in 2023, has enabled seamless integration between IoT applications and third-party services across industries such as smart cities, healthcare, and automotive. This integration has delivered significant functional and efficiency benefits but has also introduced critical security challenges. Our framework addresses these challenges, focusing in particular on secure authentication, authorization, and communication to protect sensitive data across its lifecycle. For example, integrating third-party analytics into smart city applications has been reported to reduce crime rates by up to 40% and to improve emergency response times by 35%, yet it requires robust security mechanisms to maintain data integrity. In healthcare, IoT-based patient monitoring can drastically improve chronic disease management but requires stringent API security and data privacy protocols.
We propose a comprehensive model emphasizing multi-factor authentication, token-based systems such as JSON Web Tokens (JWT), and end-to-end encryption using AES-256. Case studies, such as the SmartSantander project, demonstrate the model's effectiveness, highlighting a 20% reduction in urban air pollution and a 25% decrease in parking-related traffic congestion. We also explore emerging trends such as 5G-driven connectivity and edge intelligence, which are projected to process 75% of enterprise-generated data locally by 2025, enhancing real-time decision-making and data privacy.
Our approach balances the drive for innovation with rigorous security measures, offering best practices for organizations that want to leverage third-party integrations while ensuring data privacy and protection. This work provides a roadmap for IoT stakeholders and emphasizes the ongoing need for adaptive, resilient security strategies to safeguard evolving IoT ecosystems.
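As an added example, and not code from the talk or the abstract, here is the token-based authentication the abstract proposes, carried through in Go's standard library: a gateway mints an HS256 JWT for a device, and the third-party API verifies it before serving the request. The issuer, audience and subject names and the pre-shared key are assumptions made for the example. The verifier checks the signature before trusting any claim, pins the algorithm so an `alg: none` header is rejected, and enforces `exp`, `iss` and `aud`, which is what stops a stateless token from being replayed against a different service or after it should have died.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims a device (or the gateway acting for it) presents to a third-party API.
// Field names follow RFC 7519; the iss/aud/sub values used below are assumptions.
type Claims struct {
	Iss string `json:"iss"` // who minted the token
	Sub string `json:"sub"` // the device identity
	Aud string `json:"aud"` // the one API this token is valid for
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"` // keep short: a stateless token cannot be revoked
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintHS256 produces header.payload.signature signed with HMAC-SHA256.
func MintHS256(key []byte, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// VerifyHS256 checks the signature before trusting anything in the token,
// pins the algorithm to HS256 (so "alg":"none" or a key-confusion header is
// rejected), then enforces exp, iss and aud against the caller's expectations.
func VerifyHS256(key []byte, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	// hmac.Equal is constant-time; a plain == comparison would leak timing.
	if !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature mismatch")
	}
	rawHeader, errH := base64.RawURLEncoding.DecodeString(parts[0])
	rawPayload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	if errH != nil || errP != nil {
		return nil, errors.New("bad base64 in header or payload")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	if c.Iss != wantIss {
		return nil, errors.New("unexpected issuer")
	}
	if c.Aud != wantAud {
		return nil, errors.New("token not intended for this API")
	}
	return &c, nil
}

func main() {
	key := []byte("example-shared-secret-do-not-use-in-production") // assumption: pre-shared HS256 key
	now := time.Now()
	tok, err := MintHS256(key, Claims{
		Iss: "iot-gateway", Sub: "sensor-0042", Aud: "analytics-api",
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(),
	})
	if err != nil {
		panic(err)
	}
	if c, err := VerifyHS256(key, tok, "iot-gateway", "analytics-api", now); err == nil {
		fmt.Println("accepted for", c.Sub)
	}
	_, err = VerifyHS256(key, tok, "iot-gateway", "billing-api", now)
	fmt.Println("replayed against another API:", err)
}
```

Because a stateless token cannot be revoked, keep `exp` short and pair it with the rate limiting and API monitoring the talk describes. Note also that with a shared HMAC key the third party can mint tokens too; when the verifier really is a separate organisation, an asymmetric algorithm (RS256 or ES256), where only the issuer holds the private key, is the better fit.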
Transcript
This transcript was autogenerated.
Hello, everyone.
Welcome to Prompt Engineering 2024.
My name is Pawan Bhavati.
Today, we are going to discuss balancing functionality and
security: a framework for IoT software integration with third-party
services in critical sectors.
Before I go there, I have a disclaimer to say.
The views and opinions expressed in this presentation are my own and do not
represent the views or official position of my current and previous employers.
The content is based on general industry knowledge and
publicly available information.
No proprietary or confidential information will be shared during this talk.
Thank you.
So a little bit background of myself.
I'm a technology professional with over 15 years of experience in the
various stages of the SDLC, the software development lifecycle, in
application development and API management, across diverse industries.
Academically, I hold a master's degree in computer science from
Staffordshire University, UK.
My expertise lies in blending robust security measures with
cutting-edge development practices.
I have 10 years of focused experience in security.
For the last 10 years I've been in security, API audit, and cybersecurity-related
initiatives, working as an architect or principal engineer.
Thank you.
Let's talk about the introduction to IoT integrations, the importance of
third-party integrations, key security challenges, securing IoT integrations
through authentication and authorization,
securing communications in IoT ecosystems, data privacy and
security across the lifecycle,
mitigation strategies and best practices,
one case study if we have time, and then the conclusion.
So, introduction to IoT and third-party integrations.
What is IoT?
IoT refers to the interconnection of devices, enabling data exchange
and automation across various domains.
What are the key stats in IoT?
Cellular IoT connections have reached 3.4 billion and are projected
to reach 75 billion by 2025,
highlighting the massive scale of IoT. What are the challenges in IoT,
with its rapid growth and development?
Integrating third-party services is the main challenge: it is needed for
functionality, but it introduces security vulnerabilities, mainly
around accessing the data. Data privacy must be managed carefully.
These are the main challenges.
Let's talk about the benefits of third-party integration, the importance
of third-party integrations.
What are the benefits?
Third-party integrations unlock
enhanced features, reduce costs, and increase efficiency, so that we
don't need to reinvent the wheel.
We can utilize the already existing software applications available
in the market, the best optimized frameworks which are available.
We can utilize them by integrating them as third-party integrations.
Specialized services help solve complex problems such as real-time
data analysis and predictive maintenance applications across sectors.
Smart cities integrate traffic management, public safety, and
resource optimization systems.
Healthcare mainly uses remote monitoring, wearable health devices, and predictive
analytics for patient monitoring systems.
Mobility implements smart traffic solutions, optimizes public transit
routes, and improves fleet management.
What are the key security challenges in IoT integrations?
Scalability is the main challenge.
As IoT ecosystems grow, managing billions of connected
devices becomes increasingly complex.
Then the security vulnerabilities.
Integrating third-party services expands the attack surface.
We don't know what software they use, what open-source software
or what libraries they use.
So when we integrate third-party services into our ecosystem,
that increases the security vulnerability.
Risks include data breaches and unauthorized access. There are scenarios
where a third-party application is integrated into our databases or
servers, the breach happened in the third-party service, and that
eventually attacked our data servers through the third-party application.
Data privacy concerns: IoT platforms handle sensitive data, making data
protection critical to maintaining trust and compliance with regulations.
Securing IoT integrations.
So how are we going to secure these IoT integrations?
Authentication and authorization.
How are we going to achieve authentication and authorization?
Authentication mechanisms.
Mainly multi-factor authentication, which requires multiple forms of verification,
adding an extra layer of security, so we can enable multi-factor or two-factor
authentication to authenticate any user
coming into our ecosystem, our software application.
Token-based authentication is one of the prominent
ways for a user to authenticate: JSON Web Tokens,
JWT, provide a stateless, scalable solution for authentication.
What authorization protocols are available?
OAuth2 and OpenID Connect.
These are widely used for secure authorization, along with role-based access control,
attribute-based access control, and relationship-based access control
as well. Securing communications in IoT ecosystems: how are we going to secure
communication between the channels, or between the systems, or between
the third-party systems and other vendor systems? Encryption methods: what
encryption methods are available to ensure data confidentiality?
AES-256 encryption and end-to-end encryption, which
protects data from the device to the cloud throughout its journey.
Secure protocols are another method, using HTTPS,
mandatory for secure web communications, for any API communication.
We can use HTTPS,
and MQTT over TLS, a lightweight secure communication protocol for IoT devices,
and CoAP over DTLS, used for resource-constrained devices.
So how are we going to prevent data manipulation?
Use VPNs to secure communications and prevent data interception.
Implement digital signatures, digital certs, and message authentication codes,
which are MACs, for data integrity.
What about data privacy and security across the lifecycle?
The data lifecycle, the data security lifecycle, mainly
consists of seven stages, which are capture, store, analysis, use,
and then publish, archive, and purge.
The lifecycle stages are mainly: collection,
where you use secure boot mechanisms and authenticated APIs;
transmission, encrypt all data using industry-standard methods; storage, store
data in encrypted databases with strict access controls; deletion, use secure
deletion methods such as crypto-shredding to ensure data cannot be recovered.
What mitigation strategies and best practices are available?
API security, like we talked about: API communication
using JSON Web Tokens,
OAuth2, OpenID, and multi-factor authentication, by
implementing these strong authentication and authorization mechanisms, and rate
limiting and monitoring API activity.
So what is rate limiting?
For any API-to-API communication happening through any gateway,
we can configure at the gateway level the rate limit, how many transactions per
second the backend API is allowed, or we can configure the max number so
that we can monitor the API activity.
If that max number increases, we can set up alerts, warnings,
and the configuration at greater than 5 percent of my max
gives us a warning or distributes an email so that production operations team
members, tier-one people, can go and monitor why it is happening, what made
it happen, what is the root cause of this sudden peak in activity
for this API traffic. For access controls, enforce the principle of least privilege
and review access rights regularly.
Okay.
The case study: the SmartSantander overview. There is a smart city project
in Spain involving 20,000 IoT devices.
What are the key integrations they did?
They did environmental monitoring, with sensors measuring air quality and noise
levels; smart parking sensors; traffic conditions from mobile operators;
and traffic management, with adaptive control systems that optimize traffic flow.
The results:
20 percent reduction in pollution levels, 25 percent decrease
in parking-related congestion.
The challenges and solutions for this city project: scalability, a hierarchical network
architecture; interoperability, support for multiple protocols and standards;
security and privacy, end-to-end encryption and data
anonymization, which they achieved.
So, the conclusion.
The future of IoT integration promises to be transformative, driven by
emerging technologies such as 5G, edge intelligence, and quantum-safe encryption.
So organizations must be proactive, embracing a balance between innovation
and security, while adhering to stringent data protection laws.
So there is a balance, the balance between functionality versus security;
that's the main goal of this talk.
Thank you for listening to me. I hope this will help.
Thank you.
See you again.
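The crypto-shredding step of the data lifecycle described in the talk, as an added example in Go and not the speaker's code: each device's readings are sealed with AES-256-GCM under a per-device key held in a key store, and deleting that key renders every stored record unrecoverable without touching the storage, backups or replicas that still hold the ciphertext. The in-memory key store, the device ids and the sample reading are constructed for the example; in a real deployment the keys would live in a KMS or HSM and the records in the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one stored reading: ciphertext, the nonce it was sealed with,
// and the id of the key that sealed it. The key itself never lives next to
// the data, which is what makes crypto-shredding possible.
type Record struct {
	DeviceID   string
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore maps key ids to 256-bit AES keys. In production this is a KMS or
// HSM; a map is used here (an assumption) so the example runs offline.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh random 256-bit key for one device (or one
// patient, one tenant: whatever unit you will later need to delete as a whole).
func (ks *KeyStore) Provision(deviceID string) (string, error) {
	k := make([]byte, 32) // a 32-byte key selects AES-256 in aes.NewCipher
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	keyID := "key-" + deviceID
	ks.keys[keyID] = k
	return keyID, nil
}

// Shred deletes the key. Every record sealed under it is now unrecoverable,
// even from copies of the ciphertext you can no longer reach.
func (ks *KeyStore) Shred(keyID string) { delete(ks.keys, keyID) }

func (ks *KeyStore) aead(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("key " + keyID + " not found: shredded or never provisioned")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM under a random 96-bit nonce. The device id is
// bound as additional authenticated data, so a record copied onto another
// device's row fails authentication instead of decrypting.
func (ks *KeyStore) Seal(deviceID, keyID string, plaintext []byte) (*Record, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(deviceID))
	return &Record{DeviceID: deviceID, KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates a record; any error means "do not use".
func (ks *KeyStore) Open(r *Record) ([]byte, error) {
	g, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, []byte(r.DeviceID))
}

func main() {
	ks := NewKeyStore()
	keyID, _ := ks.Provision("monitor-17")
	// constructed sample reading for the example
	rec, _ := ks.Seal("monitor-17", keyID, []byte(`{"hr":72,"spo2":97}`))
	pt, err := ks.Open(rec)
	fmt.Printf("before shred: %s (err=%v)\n", pt, err)
	ks.Shred(keyID)
	pt, err = ks.Open(rec)
	fmt.Printf("after shred: %q (err=%v)\n", pt, err)
}
```

Random 96-bit GCM nonces are safe only for a bounded number of messages under one key (NIST SP 800-38D limits random-nonce use to 2^32 messages per key), so rotate the per-device key well before that; the key id stored on each record is what makes both rotation and shredding possible without rewriting the data.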