The Internet of Things is the biggest IT-related trend to hit the business world in a while. See how the lessons of DevOps can help you drive more innovation and increase security for your connected projects.

DevOps challenges in the Internet of Things

Michael Rowe, IBM Research, IBM

A few years back the hottest term in IT was DevOps. DevOps was a meeting of the minds between development and operations. Where once there was a level of animosity between the two teams, the DevOps philosophy envisioned them working together to improve the business outcomes enabled by IT. Many events came together to drive this transformation, including the "10 deploys per day" presentation by John Allspaw and Paul Hammond at Velocity 2009, the release of Gene Kim's The Phoenix Project in January 2013, and a general realization that the metrics both teams had been working with for years weren't necessarily aligned to the value that business receives from IT.

About two years ago we started to see another groundswell. The Internet of Things (IoT) promised that businesses would see trillions of dollars in new value as everything on the planet became connected. This value was going to be driven by increased efficiencies, better customer engagement, and new business models.

As product managers and hardware engineers, let's look at these promising IoT notions in the context of DevOps.

It's about the feedback

A foundational aspect of DevOps is faster time to feedback. We design and automate our delivery pipeline to improve the quality of our software delivery. We design our code to gain insight around performance and usage. We design our services to identify how we can drive the most value for our customers and our business. In the IoT, we gain feedback about device performance and usage. The question is, how do we leverage that feedback?

New efficiencies allow us to collect data on or about a thing, perform analytics against that data, and tune it over time to achieve improvements in usage. These "tuning" activities can include predictive maintenance—for example, reducing the amount of periodic maintenance while also improving overall maintenance by predicting which things need repair based on actual usage characteristics. Tuning activities may also focus on automatically adjusting parameters or settings to improve energy consumption or other consumables to improve the quality of the service. Insights gained from one device (or group of devices) can then be fed back into the process to improve the behaviors of all the connected devices. Apple's manufacturing process for the iMac uses measurements and feedback to improve the manufacturing of aluminum cases. This real-time feedback ensures that each individual case is correctly built.

Improved customer engagement is an ancillary benefit of this improvement to products and services over time, as connected devices modify their performance based on customers' unique needs and actions.

Consumer IoT

In the field of wearables, I've personally experienced the sort of improvement this feedback leads to. A few months after I bought it, my Withings Pulse pedometer received a software update that enabled the pulse sensor to also look at oxygen levels in the blood. They have since rebranded the product as the Pulse Ox. This allowed me to monitor not only my pulse but also my blood oxygen levels while exercising—which is key to understanding how my body will recover from exercise. This measurement helps me understand my body's own efficiencies. In the automotive industry, Tesla used customer feedback to improve their cars—and their customers' experience—by providing a software update to reduce frequent customer concerns about battery range.

Industrial IoT

We're seeing new business models from companies like car2go in the automotive industry, and Power by the hour, a service of AJW Aviation, an engine supplier for the aviation industry. Both these businesses require that the operator and manufacturer (sometimes the same company) have intimate knowledge of how a device performs to ensure a reliable, compelling, and profitable offering. We're seeing more and more distinguishing features and value from these products being driven by the software they contain. Physical engineering and design of sheet metal is no longer what customers value most. Quality manufacturing has made the engines in most cars extremely reliable; however, software that controls the fuel mixture or the handling characteristics of a vehicle can dramatically affect the experience for the owner. Neither the algorithms nor the embedded code that defines that experience are apparent when looking at the vehicle. Understanding of these nuances requires intimate knowledge of the system.

Feedback in the DevOps context

Both consumer and industrial IoT drive value via a feedback loop. In a well-managed DevOps environment, you not only provide fast, incremental capabilities, but you also instrument those updates so you can understand whether or not you're having the desired impact on the business. Instrumentation requires that you first identify the reason for an update. Is your update around customer satisfaction, engagement, or something else? How do you measure the effect of this update? Is it through the increase in consumption of a service, reduction in support calls, or some other metric? Whatever it is, you need to make sure you establish a way to capture the delta. You may be able to capture it on the device itself, in a related web service, or in a related enterprise system. When delivered immediately to engineering teams, this feedback can enable faster product improvements and enhancements.

Security by design

This new feedback mechanism, however, can come at a cost in terms of security. And that cost must be addressed in the initial design of the product lifecycle. "Secure by design" is a recognized methodology in the development of safety-critical systems; however, now it must be addressed in the design of more mundane and non-safety-critical systems, like your connected toothbrush.

Gone are the days when we could assume that the only updates on a device would be handled by a trained service engineer with physical access to it. These products and systems now expose additional attack surfaces for hackers and malware. While you may not be worried that your connected toothbrush would present a security problem, you may expose your home security system to a remote access Trojan (RAT) via an unapproved over-the-air (OTA) update that occurred on your toothbrush while you were on vacation and connected to your hotel's Wi-Fi.

These potential security risks exposed by new attack surfaces mean that you need to consider your testing and update processes for whatever your connected "thing" may be. Having a suite of security tests that are executed every time you check in your code is critical to validating that code and knowing that what you will deploy is secure. Having an appropriate method for validating updates on devices to ensure that only approved updates are applied is critical.
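
One way a device could enforce the "only approved updates are applied" rule, shown as an added example that is not from the original article. The model name, key and helper names are hypothetical, and HMAC-SHA256 stands in for the asymmetric vendor signature a production device would verify.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the vendor signature here;
# a production device would verify an asymmetric signature (e.g. Ed25519)
# so that no signing secret is stored on the device.
VENDOR_KEY = b"constructed-demo-key-not-for-production"

def sign_manifest(manifest, key=VENDOR_KEY):
    """Build-pipeline side: authenticate the canonical manifest bytes."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_update(image, model, version):
    """Build-pipeline side: package an image with its signed manifest."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "tag": sign_manifest(manifest), "image": image}

def validate_update(update, device_model, installed_version, key=VENDOR_KEY):
    """Device side: return (accepted, reason). Runs before any flash write."""
    manifest = update["manifest"]
    # 1. Authenticity first: nothing in the manifest is trusted until this passes.
    if not hmac.compare_digest(sign_manifest(manifest, key), update["tag"]):
        return False, "manifest not approved by vendor"
    # 2. The approved manifest must be meant for this hardware.
    if manifest["model"] != device_model:
        return False, "update targets a different device model"
    # 3. Anti-rollback: an old, approved but vulnerable build is still rejected.
    if manifest["version"] <= installed_version:
        return False, "version is not newer than installed firmware"
    # 4. The image delivered must be the image that was approved.
    digest = hashlib.sha256(update["image"]).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image does not match approved digest"
    return True, "ok"

if __name__ == "__main__":
    good = make_update(b"firmware-v8", "toothbrush-a1", 8)  # constructed sample
    print(validate_update(good, "toothbrush-a1", 7))
    swapped = dict(good, image=b"firmware-v8-modified")
    print(validate_update(swapped, "toothbrush-a1", 7))
```

The order of the checks matters: the model, version and digest fields are only read after the manifest itself has been authenticated, and the version comparison rejects a genuinely approved but outdated build.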

Not only do we need a way to validate that updates are appropriate for a device, but we also need a way of trusting the device itself. Having sensors and things that know their trusted state and can communicate this securely will go a long way to building a secure IoT. In a complex thing, like a mobile device, we rely on Trusted Platform Modules (TPMs) to provide a restrictive area within a device to handle things like encryption, certificates, and keys. This costs battery power, which may be too much of a price for some IoT devices. Understanding this requirement, which in DevOps parlance would be considered a non-functional requirement, means that both the hardware manufacturer and the software developer who's going to use the device within a system need to understand how the thing may be used—both alone and within the larger context of an IoT solution.

Exciting times

It's a great time to be a developer and a product manager. The number of new technologies that are available to us seems to be growing every day. Some days it seems impossible to keep up with them all, but if you listen to the feedback from your customers, systems, and devices, you can help drive real business value.