Reducing the IoT security gap with a microservice architecture based on TLS and OAuth2

Main Article Content

Diego Ordonez-Camacho


The Internet of Things has emerged as one of the most promising trends today. The speed of its adoption, however, has caused certain gaps. Amongst the most critical there is the one related with the security of the systems involved. This project addressed the security problem in a broad way but focusing on smart-home environments, where the use of devices with widely heterogeneous technologies and multiple services, generates problems with authentication and with the confidentiality of the data, if the network is compromised. To tackle these problems, state-of-the-art technologies such as OAuth2 and TLS, among others, were put together, along with an architectural methodology of lightly coupled microservices. As a result, a secure and broad range IoT architecture was built, backed up and validated by a reference implementation. The division into functional layers enables both fixed and mobile devices and sensors, to get connected into the system transparently and fluently. The security scheme structured in three incremental levels enables a better device integration, at the level that best adapts to its computing resources and the type of information it shares. The results show the flexibility of the solution and the robustness and novelty of the security scheme presented.
Abstract 314 | PDF (Español (España)) Downloads 156 PDF Downloads 53


[1] Y. Lu and L. D. Xu, “Internet of things (IoT) cybersecurity research: A review of current research topics,” IEEE Internet of Things Journal, vol. 6, no. 2, pp. 2103–2115, 2019. [Online]. Available:
[2] A. Riahi Sfar, E. Natalizio, Y. Challal, and Z. Chtourou, “A roadmap for security challenges in the internet of things,” Digital Communications and Networks, vol. 4, no. 2, pp. 118–137, 2018. [Online]. Available:
[3] P. Lea, Internet of Things for Architects: Architecting IoT solutions by implementing sensors, communication infrastructure, edge computing, analytics, and security. Packt Publishing Ltd, 2018. [Online]. Available:
[4] P. Jamshidi, C. Pahl, N. C. Mendonça, J. Lewis, and S. Tilkov, “Microservices: The journey so far and challenges ahead,” IEEE Software, vol. 35, no. 3, pp. 24–35, 2018. [Online]. Available:
[5] J. Khan, J. p. Li, I. Ali, S. Parveen, G. a. Khan, M. Khalil, A. Khan, A. U. Haq, and M. Shahid, “An authentication technique based on oauth 2.0 protocol for internet of things (IoT) network,” in 2018 15th International Computer Conference on Wavelet Active Media Technology and Information Processing (ICCWAMTIP), 2018, pp. 160–165. [Online]. Available:
[6] C. Chan, R. Fontugne, K. Cho, and S. Goto, “Monitoring tls adoption using backbone and edge traffic,” in IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 2018, pp. 208–213. [Online]. Available:
[7] F. Izquierdo, M. Ciurana, F. Barcelo, J. Paradells, and E. Zola, “Performance evaluation of a TOA-based trilateration method to locate terminals in WLAN,” in 2006 1st International Symposium on Wireless Pervasive Computing, 2006, pp. 1–6. [Online]. Available:
[8] M. A. Khan and K. Salah, “IoT security: Review, blockchain solutions, and open challenges,” Future Generation Computer Systems, vol. 82, pp. 395–411, 2018. [Online]. Available:
[9] J. P. Rojas, J. C. Bustos, and D. Ordóñez Camacho, “Smart public transportation at your fingertips,” Enfoque UTE, vol. 8, no. 1, pp. 122–134, Feb. 2017. [Online]. Available:
[10] J. P. Rojas, J. C. Bustos, and D. Ordóñez- Camacho, “Qbus: Movilidad inteligente para el usuario de transporte público,” in Proceedings of the International Conference on Information Systems and Computer Science, INCISCOS 2016, 2016. [Online]. Available:
[11] E. A. Q. Montoya, S. F. J. Colorado, W. Y. C. Muñoz, and G. E. C. Golondrino, “Propuesta de una arquitectura para agricultura de precisión soportada en IoT,” RISTI - Revista Iberica de Sistemas e Tecnologias de Informacao, pp. 39–56, 2017. [Online]. Available:
[12] M. Agiwal, N. Saxena, and A. Roy, “Towards connected living: 5g enabled internet of things (IoT),” IETE Technical Review, vol. 36, no. 2, pp. 190–202, 2019. [Online]. Available:
[13] H. Lin and N. Bergmann, “IoT privacy and security challenges for smart home environments,” Information, vol. 7, no. 3, p. 44, Jul 2016. [Online]. Available:
[14] H. Kaffel-Ben Ayed, H. Boujezza, and I. Riabi, “An idms approach towards privacy and new requirements in IoT,” in 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), 2017, pp. 429–434. [Online]. Available:
[15] F. Fernández, A. Alonso, L. Marco, and J. Salvachúa, “A model to enable applicationscoped access control as a service for IoT using OAuth 2.0,” in 2017 20th Conference on Innovations in Clouds, Internet and Networks (ICIN), 2017, pp. 322–324. [Online]. Available:
[16] J. Bugeja, A. Jacobsson, and P. Davidsson, “On privacy and security challenges in smart connected homes,” in 2016 European Intelligence and Security Informatics Conference (EISIC), 2016, pp. 172–175. [Online]. Available:
[17] L. Sun, Y. Li, and R. A. Memon, “An open IoT framework based on microservices architecture,” China Communications, vol. 14, no. 2, pp. 154–162, 2017. [Online]. Available: [18] T. Vresk and I. Çavrak, “Architecture of an interoperable IoT platform based on microservices,” in 2016 39th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2016, pp. 1196–1201. [Online]. Available:
[19] R. Yu, V. T. Kilari, G. Xue, and D. Yang, “Load balancing for interdependent IoT microservices,” in IEEE INFOCOM 2019 - IEEE Conference on Computer Communications, 2019, pp. 298–306. [Online]. Available:
[20] D. Díaz-Sánchez, A. Marín-Lopez, F. A. Mendoza, P. A. Cabarcos, and R. S. Sherratt, “TLS/PKI challenges and certificate pinning techniques for IoT and M2M secure communications,” IEEE Communications Surveys Tutorials, vol. 21, no. 4, pp. 3502–3531, 2019. [Online]. Available:
[21] P. Urien, “Securing the IoT with TLS/DTLS server stacks embedded in secure elements: An ePlug usecase,” in 2017 14th IEEE Annual Consumer Communications Networking Conference (CCNC), 2017, pp. 569–570. [Online]. Available:
[22] J. D. Hoz, J. Saldana, J. Fernández- Navajas, J. Ruiz-Mas, R. G. Rodríguez, and F. d. J. M. Luna, “SSH as an alternative to TLS in IoT environments using HTTP,” in 2018 Global Internet of Things Summit (GIoTS), 2018, pp. 1–6. [Online]. Available:
[23] M. Khan, M. W. Anwar, F. Azam, F. Samea, and M. F. Shinwari, A Model-Driven Approach for Access Control in Internet of Things (IoT) Applications – An Introduction to UMLOA. Communications in Computer and Information Science, Springer, 2018, vol. 920. [Online]. Available:
[24] H. Kim, A. Wasicek, B. Mehne, and E. A. Lee, “A secure network architecture for the internet of things based on local authorization entities,” in 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), 2016, pp. 114–122. [Online]. Available:
[25] M. Pahl and L. Donini, “Securing IoT microservices with certificates,” in NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, 2018, pp. 1–5. [Online]. Available:
[26] S. Sciancalepore, G. Piro, D. Caldarola, G. Boggia, and G. Bianchi, “Oauth-iot: An access control framework for the internet of things based on open standards,” in 2017 IEEE Symposium on Computers and Communications (ISCC), 2017, pp. 676–681. [Online]. Available:
[27] S. Shapsough, F. Aloul, and I. A. Zualkernan, “Securing low-resource edge devices for IoT systems,” in 2018 International Symposium in Sensing and Instrumentation in IoT Era (ISSI), 2018, pp. 1–4. [Online]. Available:
[28] M. Singh, M. A. Rajan, V. L. Shivraj, and P. Balamuralidhar, “Secure mqtt for internet of things (IoT),” in 2015 Fifth International Conference on Communication Systems and Network Technologies, 2015, pp. 746–751. [Online]. Available:
[29] C. Singh and M. Kumar, Mastering Hadoop 3: Big data processing at scale to unlock unique business insights. Packt Publishing, 2019. [Online]. Available:
[30] J. Turnbull, The Docker Book: Containerization is the new virtualization, 2014. [Online]. Available:
[31] A. Selva. (2014) Java MQTT lightweight broker. moquette. [Online]. Available:
[32] M. Bhushan, Big Data and Hadoop: Learn by Example. BPB Publications, 2018. [Online]. Available:
[33] T. Dunning and E. Friedman, Time Series Databases: New Ways to Store and Access Data, Edition: 1. Sebastopol. O’Reilly Media, Inc, 2014. [Online]. Available:
[34] B. Brazil, Prometheus: Up & Running: Infrastructure and Application Performance Monitoring. O’Reilly Media, 2018. [Online]. Available:
[35] A. Kurniawan, Arduino MKR WIFI 1010 Development Workshop. PE Press, 2018. [Online]. Available:
[36] I. Dogan and I. Ahmet, The Official ESP32 Book. Elektor International Media, 2017. [Online]. Available:
[37] G. C. Hillar, Hands-On MQTT Programming with Python: Work with the lightweight IoT protocol in Python. Packt Publishing, 2018. [Online]. Available:
[38] B. Charles, Beginning Sensor Networks with Arduino and Raspberry Pi. Apress, 2013. [Online]. Available: