As the volume of IoT devices and systems grows, the need for robust security at both the API layer and the device layer becomes increasingly important. Security concerns fall into several layers within our services, described below.
All data source information that is collected and stored by MachineShop must first be authenticated. Within our system, a specific account must create the data source and associate it with a specific data source type. This allows our system to quickly determine whether a report comes from an authorized data source. Unauthorized data sources are discarded by our ingestion services and flagged to our automated support systems to help identify specific security issues.
The microservices associated with the translator for a device can also provide additional layers of security when these are supported by either the transport or protocol layer of the communication stack. MachineShop can provision specific white-label IP addresses, VPN tunnels, or other firewalls, as needed, to ensure the integrity of data source reporting. If the data source is capable of encrypting its reports, our services can support that option as well.
MachineShop operates as a collection of specific services designed for the developer of IoT applications, all exposed as RESTful APIs. Each API call must be authenticated with a specific token associated with a valid user. When the account is created, authorization for each API within MachineShop can be assigned to the user token. The authorization extends throughout all our APIs and down to the verb level (GET/PUT/DELETE/POST).
Authorization tokens can be assigned to a user (or application) in several modes. Tokens can be assigned as non-expiring or expiring. Various services are available to manage the tokens, including regeneration as needed.
MachineShop also supports both OAuth and OAuth2 security. APIs are available to manage security tokens, including automatic regeneration of tokens that are used for connecting to third-party services. Other interfaces are also available to connect to various enterprise domain authentication servers.
MachineShop allows proxying of third-party services, which can themselves require authorization. To make it easier for the application developer to integrate with those sites, a set of APIs is available to manage interfaces to those systems, especially those using OAuth2-style authentication.
APIs provided by MachineShop can be used within your application to automatically handle the OAuth2 process with leading third parties such as Facebook, Salesforce, Evernote, etc. Included are methods for callbacks to the specific vendors, handling of variations between vendors, and token storage.
A special API is also provided to allow the storing of specific vendor authorization keys in an encrypted keychain. This allows developers to reference the key by a simple substitution in the API call similar to [~googlekey]. In this way keys can be managed by your system administrators and changed as needed without affecting any application code.
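One way the calling side of this placeholder substitution can be implemented, added here as an illustration and not MachineShop's own code: the `[~name]` syntax follows the page's `[~googlekey]` example, an in-memory dictionary stands in for the encrypted keychain, and every key value is constructed. It fails closed on an unknown name, never expands a secret's own contents a second time, and keeps a log-safe form of the request that still shows only the placeholders.

```python
import re
from typing import Dict, Set, Tuple

# Placeholder form modelled on the page's "[~googlekey]" example (assumed exact syntax).
PLACEHOLDER = re.compile(r"\[~([A-Za-z0-9_.-]+)\]")


class KeychainError(KeyError):
    """Raised when a request references a key the keychain does not hold."""


class Keychain:
    """Stand-in for the encrypted keychain: a plain dict replaces the real encrypted store (assumption)."""

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = dict(secrets)

    def get(self, name: str) -> str:
        try:
            return self._secrets[name]
        except KeyError:
            # Fail closed: never forward a literal "[~name]" to the vendor.
            raise KeychainError(name) from None


def referenced_keys(template: str) -> Set[str]:
    """Names an application template depends on, so administrators can audit key usage."""
    return set(PLACEHOLDER.findall(template))


def resolve_placeholders(template: str, keychain: Keychain) -> str:
    """Replace each [~name] with its stored value in a single pass.

    One re.sub pass means a stored value that itself contains "[~x]" is
    inserted verbatim and never expanded again (no recursive substitution).
    """
    return PLACEHOLDER.sub(lambda m: keychain.get(m.group(1)), template)


def build_outbound_call(url_template: str, headers_template: Dict[str, str],
                        keychain: Keychain) -> Tuple[str, Dict[str, str], str]:
    """Return (resolved URL, resolved headers, log-safe URL).

    The log-safe URL is the unresolved template, so logs show which key was
    used without ever containing the key material itself.
    """
    url = resolve_placeholders(url_template, keychain)
    headers = {k: resolve_placeholders(v, keychain) for k, v in headers_template.items()}
    return url, headers, url_template
```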