Securing IoT Devices through PAASMER


Kavitha Gopalan

The recent DDoS attack using connected devices was massive and disruptive, to say the least. The attack, which was carried out using Internet-enabled cameras, affected a lot of websites, including Twitter, Amazon, Reddit, Netflix, and more. It specifically targeted the DNS (Domain Name System), which maps human-readable website addresses to their IP addresses.

In this attack, malware named Mirai infected vulnerable smart home devices such as connected cameras. Mirai spreads itself by scanning the Internet for IPs owned by commonly connected devices. These devices are often left with factory login passwords and weak security protocols. The software uses this weakness to upload itself onto the device and take it over. Once infected, the device acts as part of a botnet and sends spurious traffic to websites, swamping them until they cannot handle the load and break down. Cyber-attacks are not new, but smart devices that have an IP address and are not properly secured are vulnerable and could open the gate for more serious and dangerous attacks.

IoT is influencing our lives in numerous ways by bringing a lot of value. But at the same time, IoT involves connecting devices to the Internet. Any connected object, such as a car or a home appliance, is vulnerable. On one hand, the enormous amount of data from smart devices needs to be kept secure and safe and must not fall into the wrong hands; on the other hand, smart devices can be made to act as botnets that carry out DDoS-type attacks.

Therefore, building secure IoT products and solutions is a top priority, and IoT product manufacturers, software vendors and platform vendors all have the task of building systems that are secure and can prevent these kinds of attacks.

Solving the Security Threat Using PAASMER platform
As a secure IoT platform, PAASMER’s goal has been to ensure that IoT services and products built using the platform are highly secure.

The PAASMER security framework follows a ground-up implementation to ensure that data from the device to the cloud and beyond is secure and is not compromised. It also ensures that the devices are not exposed to any kind of attack.

The PAASMER security framework, and how it ensures data safety, is described below.

Device Level security
Device-level security in PAASMER ensures that edge devices and gateways are not vulnerable and do not expose their IP addresses to devices that are not authorized for access. This prevents any type of attack on them.
PAASMER device-level security is implemented in the MISTY operating system/firmware package for IoT devices. The key features include:

  1. Secure Boot
  2. Secure Provisioning
  3. Secure updates and patches

Secure boot validates and authenticates the software on the device through a digital signature each time the device powers up. This ensures no unknown software or malware is running on the device. An additional hardware chip called a TPM provides enhanced security.

Secure provisioning uses secure tokens to establish the device in the network. Once the device communicates its presence, a secure token is released for the device to communicate with the gateway.

IoT devices also need regular software updates and patches to keep them safe from malicious viruses and attacks. However, what usually happens is that once these devices are installed, they are forgotten. That’s why PAASMER offers over-the-air software updates and patches, so the user does not need to bother with regular software updates. The device is updated automatically when a new patch is available, after a secure device authentication.
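
The check that the secure boot and secure update paragraphs above describe, as an added Go example that is not PAASMER or MISTY code. The manifest layout, the Ed25519 key and the `installed` version counter are assumptions, and the version comparison goes beyond the text by also refusing a correctly signed but older release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed release descriptor, not a PAASMER/MISTY format.
type Manifest struct {
	Version uint32   // release counter that only ever increases
	Digest  [32]byte // SHA-256 of the firmware image
}

// encode gives signer and verifier the same bytes: big-endian version, then digest.
func (m Manifest) encode() []byte {
	v := m.Version
	return append([]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}, m.Digest[:]...)
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrDigest    = errors.New("image does not match signed digest")
	ErrRollback  = errors.New("release older than installed firmware")
)

// SignRelease is the vendor side: hash the image and sign the manifest.
func SignRelease(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyImage is the device side, run before booting or flashing an image.
func VerifyImage(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version < installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	image := []byte("constructed firmware image, release 7")
	m, sig := SignRelease(priv, 7, image)
	fmt.Println("genuine: ", VerifyImage(pub, m, sig, image, 5))
	fmt.Println("modified:", VerifyImage(pub, m, sig, append(image, 0), 5))
	fmt.Println("rollback:", VerifyImage(pub, m, sig, image, 9))
}
```

On a real device the public key sits in storage the running firmware cannot rewrite, and only the private half, held by the vendor, can produce a manifest that passes.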

Access Control, Authentication, and Authorization
Access control is built into the operating system to ensure that only authorized users access the device. User-level and device-level policies limit the access of users and devices to the functions they must perform. Multi-layered authentication, such as username/password, passcode-based authentication, strong password rules and policy-based access, is defined at the device layer. The PAASMER security framework forces customers to reset the password during the initial registration process, so that they change the factory password, and also implements stringent rules for passwords.

Device authentication allows each device to validate itself when it enters the network, thus keeping out devices trying to sneak into the network.
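
One way a gateway could release and check the token described under secure provisioning, so that each device validates itself as described above. This Go example is added here and is not PAASMER code; the token layout (an expiry plus an HMAC-SHA256 tag keyed with a gateway secret) and all names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var ErrToken = errors.New("token rejected")
var ErrExpired = errors.New("token expired")

// mac binds the tag to one device ID and one expiry time (Unix seconds).
func mac(key []byte, deviceID string, expiry int64) []byte {
	h := hmac.New(sha256.New, key)
	fmt.Fprintf(h, "%d|%s", expiry, deviceID)
	return h.Sum(nil)
}

// IssueToken is what the gateway releases after a known device announces itself.
func IssueToken(key []byte, deviceID string, now, ttl int64) string {
	exp := now + ttl
	return strconv.FormatInt(exp, 10) + "." + base64.RawURLEncoding.EncodeToString(mac(key, deviceID, exp))
}

// CheckToken verifies a token presented by deviceID at time now.
func CheckToken(key []byte, deviceID, token string, now int64) error {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return ErrToken
	}
	exp, err1 := strconv.ParseInt(parts[0], 10, 64)
	tag, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	// hmac.Equal compares in constant time, so the tag cannot be guessed byte by byte.
	if err1 != nil || err2 != nil || !hmac.Equal(tag, mac(key, deviceID, exp)) {
		return ErrToken
	}
	if now >= exp {
		return ErrExpired
	}
	return nil
}

func main() {
	key := []byte("constructed-gateway-secret") // sample value for the demo
	const now = int64(1700000000)              // constructed clock reading
	tok := IssueToken(key, "cam-01", now, 300)
	fmt.Println("cam-01, in time:   ", CheckToken(key, "cam-01", tok, now+10))
	fmt.Println("cam-02, same token:", CheckToken(key, "cam-02", tok, now+10))
	fmt.Println("cam-01, too late:  ", CheckToken(key, "cam-01", tok, now+301))
}
```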

Data Encryption
PAASMER also provides end-to-end data encryption. All data services from the device to the gateway to the cloud to applications are encrypted, so no data theft is possible while the data is moving.

The PAASMER security framework uses the SSL 3.0 and TLS 1.0 standards to leverage the latest in session and security frameworks and ensure security for the data. All communications require valid certificates that are authenticated every time a client connects.

PAASMER also ensures the data itself is encrypted with the Advanced Encryption Standard (AES) encryption specification.

Secure Communication
PAASMER mandates the use of a secure network tunnel for device communication with the cloud. The choice of network tunnel can vary with each use case. Handling all device communications over the secure network tunnel ensures that there is no network spoofing of device data or controls. Special anti-DDoS choices on the network tunnel ensure protection against DDoS attacks.

To reap the full potential of IoT, the security challenges faced by IoT devices should be mitigated. While the onus of securing IoT devices lies with platform vendors, software vendors, product manufacturers and consumers alike, vendors need to harden security in each of their offerings by following an end-to-end security implementation. By using the PAASMER platform, IoT manufacturers can leverage the built-in security elements to build a secure IoT platform in a quick, efficient way.


How to choose your IoT Platform Architecture?


Chandramouli Srinivasan

IoT platforms are the key to developing scalable IoT applications and services that connect the real and virtual worlds between objects, systems, and people. However, as the IoT platform market represents a truly new segment that was almost non-existent a few years ago, the landscape is complex and changing very quickly.

There are more than 300 IoT platforms in the market today and the number continues to grow. However, as discussed, not every platform is the same: IoT platforms are being shaped by the varying entry strategies of different companies trying to capitalize on the IoT potential. Innovative startups, hardware and networking equipment manufacturers, and enterprise software and mobility management companies are all competing to become the best IoT platform on the market. Various strategies are visible among these companies:

  • Organic bottom-up approach: Starting with the connectivity part and building out platform features from the bottom-up (e.g., Ayla Networks – Investor Cisco, Solair – Acquired by Microsoft, Dell’s Gateway from Force10 acquisition, Paasmer)
  • Organic top-down approach: Starting with the analytics part and building out platform features from the top-down (e.g., IBM IoT Foundation)
  • Partnership approach: Striking alliances to offer the full package (e.g., GE Predix & PTC Thingworx)
  • M&A approach: Targeted acquisitions (e.g., Amazon – 2lemetry) or contenders performing strategic mergers (e.g., Nokia & Alcatel-Lucent)

Cloud & Enterprise Centric Architectures (Top-Down Approach)

The majority of IoT platform architectures are cloud-centric, built on the premise that ingestion, management, and processing of IoT data can be done in the vendors' market-dominating cloud offerings. Most of the IoT platforms in the market, including Microsoft, Google, AWS, IBM, SAP, Salesforce, Oracle, AT&T, Xively, Bosch Software and PTC ThingWorx, have defined their IoT platform architecture as a cloud/enterprise-centric, top-down architecture.

  • These are cloud- or enterprise-centric architectures that store and compute on the data from the things in the cloud.
  • All of them provide SDKs that run on the gateway which can run Windows or Linux operating systems.
  • The gateway hardware could range from an array of Intel and ARM architecture based boards.


Advantages:

  • The edge side of the solution can remain abstract and flexible. Clients can design it the way they want.
  • The business model is built heavily on cloud and analytics-based subscriptions. Clients are charged based on their cloud usage.
  • Technology is centralized in the cloud and provides additional data monetization opportunities over time.


Disadvantages:

  • The edge side of the solution is critical, and most businesses lack the capability to design it because the variety of options makes it complex.
  • The business model is based on a pricing model for cloud and analytics subscriptions. Clients often pay less in the first year and their cost builds up in subsequent years.
  • Security and ownership of the data is a major issue in adoption. Clients are often concerned that others will have the opportunity to monetize their data.
  • Migration of data from one cloud provider to another at a later point in time. This is often mitigated by defining an architecture that has a data intermediary layer, which again increases the cost of IoT implementation.

Gateway Centric Architectures (Bottom-Up Approach)

A limited number of IoT platform architectures are gateway-centric, built on the premise that edge processing can save clients huge costs. Since these platforms are bottom-up, they depend heavily on gateway hardware and focus on fine-tuning and filtering the data collected from sensors. Ayla Networks, Solair and Dell provide their own gateway hardware to run their gateway software. Paasmer provides gateway hardware choices from an array of vendors such as Intel, Qualcomm, Mediatek and Element14, with the Edge operating system running on any of this hardware. Most platforms here have taken time to build their bottom-up stack.

For many companies, where data storage and network bandwidth account for significant operational costs, this edge-processing approach can be hugely beneficial. By applying some level of intelligence to the edge of the gateway or device, companies can effectively filter the enormous volume of data generated to only relay business-critical, actionable data items to a cloud.

Organizations are struggling to make the best decisions regarding the data volume and complexity created by the vast numbers of sensors, embedded systems, and connected devices now on the network. As more of the data is processed in real time at the edge of the network, the gateway becomes the spam filter for IoT.


Advantages:

  • It removes the need for cost and complexity to exist on the things and places these on the gateway.
  • Gateways can act as smarter portals to the Internet.
  • A capable gateway can act as the connector hub for many things that may use different data standards and wireless protocols.
  • A gateway-centric architecture is very convenient for retrofitting machines, so they become IoT-connected.


Disadvantages:

  • It requires an extra “tier” (that is, the gateway) to communicate with the Internet.

Is there a case for Hybrid IoT platform architectures?

A reference case study done by David Floyer this year on a remote wind farm with security cameras and other sensors gives a perspective on, and a strong case for, a hybrid IoT platform architecture that provides a strong cost advantage over the long term.

The study compares the 3-year management and processing costs of a cloud-only solution using AWS’s IoT services with those of an Edge + cloud solution using a Pivot3 Server SAN with an open source time-series database together with AWS IoT services. With a distance of 200 miles between the wind farm and the cloud, and with an assumed 95% reduction in traffic from using the edge computing capabilities, the total cost is reduced from about $81,000 to $29,000 over 3 years. The cost of Edge + Cloud is about 1/3 the cost of a cloud-only approach.


The advantages for managing the sensors and video streams using a cloud-only model include:

  • Faster initial programming
  • Faster initial testing
  • Lower cloud acquisition cost of hardware
  • No maintenance of local “Edge Computing”
  • Better integration of data with other non-connected data streams (e.g., comparison of faces with “suspect” database in the same cloud)
  • Better initial availability of data about sensors across different sites (value to sensor manufacturers).

This cloud-only model works well for single sensor systems in multiple different locations, where there are low data rates and already existing communication capabilities. An example is the Google NEST system for managing home heating.

The advantages for managing the sensors and video streams using an Edge computing plus cloud model include:

  • Much lower bandwidth requirements
  • Significantly lower overall costs
  • Greater availability from local automation and local autonomy
  • Better advanced real-time functionality from integration of local sensors
  • Easier to communicate with multiple clouds (e.g., comparison of faces using a different SaaS cloud(s))
  • Ability to use a lower-cost consumer commodity ecosystem with sensors based on current consumer mobile management of sensors
  • Earlier adoption of new sensors from the consumer mobile commodity ecosystem
  • Earlier adoption of new sensors with much higher data rates
  • Less complex and real-time local management of sensors (resetting, managing drift, etc.)
  • Less complex ability to test and manage local sensors
  • Higher M2M functionality based on lower latencies

The bottom line is that the cloud-only approach is likely to allow faster initial deployment with initial deployments of sensors with limited data rates. However, this approach would require a complete replacement of most of the cloud-only application programming by a cloud service that supports Edge computing.


As a result of this research and other work, IoT systems will be safer, more reliable, lower cost and more functional using an Edge computing plus Cloud (private or public) approach. Our advice to all senior management responsible for IoT implementations is to assume that an Edge plus cloud architecture will be required, and to ensure that IoT RFPs mandate vendors to provide a robust Edge/Cloud architecture for private and public clouds.


Internet of Things is Poised to Transform the Insurance Sector


Kavitha Gopalan

The explosive growth of IOT is here and now; it is considered the new digital revolution. As per the Gartner IOT forecast, it is estimated that by 2020 more than 35 billion things will be connected to the Internet. Gartner also predicts that global spending on IOT, including all hardware, software, and services, exceeded $1.3 trillion in 2015 and is forecast to reach $3.5 trillion by 2020. IOT is the network of things that generate data and communicate with other devices. This data, stored in the cloud and processed through analytics and machine learning, is opening new growth avenues for every business. With billions of connected devices, the data collected and shared is voluminous, and this has the power to create new opportunities in any vertical.

Can the insurance industry leverage the vast amount of data from IOT to disrupt traditional operating models and establish new frontiers for growth?

IOT, with its ability to get data from billions of connected devices, can revolutionize and reshape the insurance industry and create new business models. Data from sensors embedded in cars, homes, buildings and wearables can be used by an insurance company to get a correct picture of the exposure and risk of what is being insured, and at the same time helps it make a holistic offering that meets its customers’ needs. IOT also makes it possible for insurers to move to a more engaged model with their customers.

There are several value propositions in leveraging IOT in the insurance industry:

Product Customization: Offering customized insurance based on historical data, such as a reduced premium for a good driving history.

Risk Mitigation: Early detection to reduce exposure risk and reduce claims. Smoke detection, early weather detection, and warning.

Improved CRM: Increased interactions with customers; providing regular feedback to customers on their activity.

There are three verticals in IOT that will be adopted by insurance companies:

Vehicles: Telematics is already a success story. The connected car provides data on driving patterns, driving history, speed, etc., which helps the insurance company create a personalized Usage Based Insurance (UBI) premium for the policy owner based on usage, with a lower value for responsible driving.

Home: Another example is how effectively data from the connected home can be used by insurers. Sensors in commercial buildings can provide data on safety, energy and security and help decide the value of a property. Similarly, the real-time data transmitted from sensors (such as a smoke alarm) installed in the home can help reduce the risk level and losses.

Individual: Data collected from wearables on health and fitness level determines or personalizes personal insurance. Adopting a healthy lifestyle helps policyholders lower their premium. Similarly, data on compliance for medical issues, such as how the patient is following medication, can help the insurance company take a decision.

A lot of insurance companies have already started leveraging IOT to improve their business and revenue models and to create customer value. They are encouraging their customers to go for smart devices by providing discounts and loyalty points. Pruhealth and Aetna allow their members to share their fitness wearable data to gain credits, like loyalty points, when members demonstrate healthier lifestyles such as walking more. Home insurance companies are giving discounts to customers implementing thermostats for smoke detection.

No doubt IOT will provide enhanced insights for better decisions by the consumer and Insurance organization thus providing new opportunities and better consumer experience. The biggest risk in adoption would remain the question of data privacy and data security.