Defining your IoT governance practices

IoT solutions are complex. The integration of connected devices and IT services poses major challenges in networking, communication, data volume, real-time data analysis, and security. IoT solutions involve many different technologies and require complex development cycles, including significant testing and ongoing monitoring.

To overcome these challenges, IT organizations must:

  • Develop a comprehensive technical strategy to address the complexity
  • Define a reference architecture for their IoT solution
  • Develop required skills to design, develop, and deploy the solution
  • Define IoT governance processes and policies

An IoT solution governance model should address these challenges.

IoT solution governance can be viewed as the application of business governance, IT governance, and enterprise architecture (EA) governance to the Internet of Things (see Figure 1). In effect, IoT governance is an extension of IT governance that focuses specifically on the lifecycle of IoT devices, the data managed by the IoT solution, and the IoT applications in an organization's IT landscape. IoT governance defines the changes to IT governance that ensure the concepts and principles of the solution's distributed architecture are managed appropriately and are able to deliver on the stated business goals.

Figure 1. An IoT solution governance model

Develop an IoT technical strategy

Successful IoT engagements require that IT organizations define a technical strategy that includes developing a reference architecture, deciding on the technology platforms, and developing the processes that are required to design, develop, and operate the IoT solution. Without an organization-wide technical strategy, individual teams define their own approaches, which often leads to fragmented initiatives that cost the company more and have less chance of success.

A technical strategy can include phase-wise activities and clearly defined roles, responsibilities, and deliverables (see Figure 2).

Figure 2. Phases, roles, and deliverables of an IoT technical strategy

The technical strategy must document and address all business, technical, and operations requirements and constraints. It must also address current and future business needs and adapt to business and technical changes.

Define an IoT reference architecture

To ensure consistency across multiple IoT projects, IoT solutions should adopt a repeatable framework and develop a standard reference architecture that guides individual IoT implementations. Individual projects must not define their own way of integrating devices or communicating with the IoT platform. The IoT reference architecture must meet the needs of different organizational units and define technology standards for all IoT projects to use.

An IoT reference architecture provides a set of architectural patterns, standards, and best practices for use in developing IoT solutions. Use of the approved architectural artifacts from the IoT reference architecture will reduce project risk and lower costs, by reducing the number and complexity of design activities in the project. Your organization’s IoT reference architecture can be based on standard IoT reference architectures or industry reference architectures.

An IoT ecosystem needs to connect to all types of devices and collect and store their data securely. A complete IoT solution needs to include all components of the ecosystem: devices, network, software, services, and the security of the complete solution. Your IoT reference architecture must consider all aspects of the IoT ecosystem (see Figure 3).

Figure 3. IoT ecosystem

Data is generated by devices, and insights from that data are consumed by users or by automated operations. Real-time data and near real-time analysis enable timely actions. The type of industry and the nature of the data drive the outcome and the selection of a reference architecture.

As companies mature on their IoT journey, they evolve from simple monitoring of assets to optimization and advanced prediction of different asset parameters. Collecting and storing the data that comes from devices is only the initial step; the value of an IoT solution grows as analysis and optimization capabilities are added. Your IoT reference architecture must address these more advanced capabilities.

Finally, even a great IoT solution is worthless unless it is secure. Every layer of the IoT solution must be protected against vulnerabilities and potential attacks, and the reference architecture is where that protection is designed in. Your IoT reference architecture can help ensure that security is not an afterthought.

After organizations have a clear understanding of the IoT solution ecosystem as depicted in Figure 3, a detailed technical reference architecture can be created to support that ecosystem. Figure 4 shows a fairly simple reference architecture that organizations can adapt to their specific needs. You can view a more detailed IoT reference architecture in the IBM Cloud Architecture Center.

Figure 4. A simple IoT reference architecture

The IoT reference architecture needs to address these aspects of each layer of your IoT solution, and your IoT governance policies need to enforce them:

  • Application layer
      – Manage the collection, processing, analysis, and persistence of the large volume of sensor data in near real time
      – Support a data rate that is much higher than general IT infrastructure handles
      – Implement predictive analytics capabilities
      – Address security, such as data security, role-based data access, and control functions
  • Platform layer
      – Provide sensor data management, application integration, and device management
      – Support internet-scale messaging, including data collection, publish/subscribe, data mediation, data dispatching, and security management
      – Address security. Read more about IoT platforms and why you should use one in the article "Streamlining the development of your IoT applications by using an IoT platform."
  • Communication layer
      – Provide a reliable network for capturing and controlling sensor data
      – Reliably transport data from devices to the IoT platform
      – Address security. Read more about IoT networking considerations and challenges in the article "Connecting all the things in the Internet of Things."
  • Physical devices layer
      – Support the wide variety of sensors, devices, and gateways
      – Support remote monitoring and management
      – Address security, such as secure boot, firmware upgrades, intrusion detection, and logging of security events

Security must be addressed at every layer; read more about IoT security in the series "Design and build secure IoT solutions."

Acquire the right roles or skills on the development team

After the technical strategy and reference architecture are in place, organizations must train technical professionals in the chosen technologies. They need sufficient skills in every tier of the IoT solution.

IoT roles on an IoT development team

The key roles and responsibilities of an IoT development team include:

  • IoT architect, who works closely with the infrastructure architect and security architect in your IT organization. The IoT architect defines an end-to-end IoT solution architecture (based on the adopted IoT reference architecture) and makes all critical architectural decisions. One of the key responsibilities of the IoT architect is to define the IoT platform strategy and the integration of all the solution components on that platform. The IoT architect also establishes standards and guidelines for the development, deployment, and management of the IoT solution.
  • IoT developer, who defines and implements data collection, messaging, applications, and data analysis.
  • Data analyst, who defines data collection plans, data models, data mapping, and overall data analysis and reporting strategy.
  • IoT tester, who performs overall solution testing but also device capability testing and security testing.
  • Device SME, who finalizes device specifications based on data collection requirements and the IoT solution architecture and who also helps in choosing the right devices for the IoT solution. The device SME works with the IoT architect and infrastructure architect to set up communication networks that connect the IoT devices. The device SME is also a key participant in finalizing device management policies and principles, including device security (both physical and cybersecurity).
  • Security architect, who supports the IoT architect in defining an end-to-end security solution. This role covers these skills:
      – Analyzing data, infrastructure, and application security requirements
      – Advising on security considerations of the network operational environment
      – Developing privacy solutions and security governance practices
      – Designing, planning, and implementing secure coding practices and a security testing methodology; executing security testing; and performing security audits
      – Testing and evaluating security-related tools
      – Managing third-party vendors to ensure that they meet the security goals

IoT Center of Excellence (CoE)

An IoT Center of Excellence (CoE) can be a key organization within the IT department of an enterprise and can keep all stakeholders focused on a common goal. The functions of an IoT CoE include defining proper processes for managing the device lifecycle, identifying technology that is suitable for the enterprise, and defining the policies, standards, and guidelines that govern the IoT solution from business need through operations. A dedicated IoT CoE is one of the most important additions an organization can make to increase the likelihood of a successful IoT implementation. See Figure 5.

The IoT solution architect plays a key role in the planning and governance of IoT solutions and works closely with business architects, enterprise architects, and security architects. All IoT-related efforts and activities should be channeled through the CoE to eliminate duplication and realize a quicker return on investment.

Figure 5. Focus areas for the IoT CoE

An IoT CoE provides a comprehensive approach to the establishment and adoption of the IoT solution. When implemented at the proper level, the IoT CoE will lessen the political issues and complexities that often impede IoT solution adoption. The IoT CoE responsibilities include:

  • Provide IoT vitality and thought leadership
  • Establish and enforce the usage of an IoT reference architecture
  • Promote the adoption of best practices
  • Plan the device portfolio, including capability requirements, selection criteria, provisioning, and lifecycle management
  • Develop a strategy to manage device vendors and IoT platform vendors
  • Establish a governance model, and enforce, monitor, and control its adoption
  • Manage communication between various stakeholders including business and IT
  • Harvest, or reuse, assets from prior IoT projects
  • Provide expert IoT skills and resources
  • Provide tool support
  • Provide skills transfer and training
  • Conduct architecture reviews to ensure alignment with IoT principles

Define your IoT governance processes and policies

Processes and policies are the actionable part of any governance model. They are the activities that are followed, applied, and enforced to govern and manage all IoT initiatives.

Figure 6 shows the key components of an IoT governance and management model.

Figure 6. Key components of an IoT Governance model

In addition to managing IoT solution development, the IoT governance model defines principles, processes, and standards in these areas:

  • Device portfolio management, which deals with device lifecycle funding, sharing of devices, incentives and funding, IT processes, and the corresponding changes necessary to sustain a specific IoT target state.
  • Device and platform vendor management, which identifies and manages the vendors that are required for the IoT solution. It also establishes a partnership strategy for developing the end-to-end IoT solution, because no single team or vendor can deliver the full solution. Vendor management for IoT is important for several reasons:
      – Complexity of IoT solutions. Many different technologies and hardware and software components are involved in any IoT project.
      – Domain-specific expertise. In addition to technical capabilities, an IoT solution requires domain-specific analysis expertise to create business value for the client. The combination of technical and industry domain skills requires partnering with the right team and vendors and engaging them at the right time and at the right level.
  • Operational management, which addresses device lifecycle management, device monitoring, capacity and performance, security, change management, and the device registry. This area covers the tools and the infrastructure changes that are required to operate and manage the IoT environment.

Many organizations want to take advantage of the benefits of IoT solutions. However, without a proper governance model in place, most of these initiatives are likely to fail or to fall short of the expected benefits. An IoT governance model needs an appropriate technical strategy and reference architecture to drive standardization and best practices across all IoT initiatives in the organization. It also needs to identify roles with the proper skills and define their responsibilities to streamline those initiatives; ideally, an IoT Center of Excellence should be instituted. Finally, it needs to define governance processes and policies that fully manage all IoT lifecycle activities. Security and privacy concerns are among the major barriers to deploying IoT-based solutions, so IoT governance processes must be developed with those concerns in mind rather than leaving security as an afterthought.

One of the key functions of an IoT governance solution is to manage the device lifecycle, including registering new devices, upgrading existing devices, and decommissioning old or obsolete devices. Different standards are emerging to manage IoT devices. Part 2 of this series will discuss different approaches to device management and demonstrate the device management capabilities of IBM Watson IoT Platform.
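The lifecycle controls above (registration, upgrade, decommissioning) and the physical-devices layer requirements listed earlier (secure boot, firmware upgrades, logging of security events) are where a governance policy becomes enforceable code. The following is an added example, not code from the article or from IBM Watson IoT Platform, of a minimal device registry that enforces a lifecycle state machine and a firmware update policy: updates are accepted only for active devices, only with a manifest whose signature verifies, only when the version strictly increases (anti-rollback), and only when the image hash matches the signed manifest. Every decision is appended to a per-device security event log. The state names, manifest fields, and the use of an HMAC over a canonical JSON manifest as a stand-in for the asymmetric signature a real signing service would produce are all assumptions made for the example; the device identifiers, key, and firmware images are constructed test data.

```python
"""Device lifecycle registry with signed, anti-rollback firmware updates.

Added example; not part of the original article or of any IBM product.
Assumptions: the lifecycle states, manifest fields, and the HMAC stand-in
for an asymmetric firmware signature are choices made for this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from enum import Enum


class DeviceState(Enum):
    REGISTERED = "registered"          # identity issued, not yet in service
    ACTIVE = "active"                  # in service, may receive updates
    DECOMMISSIONED = "decommissioned"  # terminal: no updates, no reactivation


# Allowed transitions (assumed policy). Decommissioned is terminal so a
# retired device cannot be quietly brought back into service.
ALLOWED_TRANSITIONS = {
    DeviceState.REGISTERED: {DeviceState.ACTIVE, DeviceState.DECOMMISSIONED},
    DeviceState.ACTIVE: {DeviceState.DECOMMISSIONED},
    DeviceState.DECOMMISSIONED: set(),
}


@dataclass
class Device:
    device_id: str
    state: DeviceState = DeviceState.REGISTERED
    firmware_version: int = 0
    events: list = field(default_factory=list)  # per-device security event log


class DeviceRegistry:
    """Registry that enforces the lifecycle and the firmware update policy."""

    def __init__(self, manifest_key: bytes):
        self._key = manifest_key  # HMAC key standing in for the signing key
        self._devices = {}

    def register(self, device_id):
        if device_id in self._devices:
            raise ValueError(f"{device_id} is already registered")
        dev = Device(device_id)
        dev.events.append("registered")
        self._devices[device_id] = dev
        return dev

    def get(self, device_id):
        return self._devices[device_id]

    def transition(self, device_id, new_state):
        dev = self._devices[device_id]
        if new_state not in ALLOWED_TRANSITIONS[dev.state]:
            dev.events.append(f"rejected {dev.state.value}->{new_state.value}")
            return False
        dev.state = new_state
        dev.events.append(f"state {new_state.value}")
        return True

    def sign_manifest(self, manifest):
        # Canonical JSON so signer and verifier hash identical bytes.
        payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def apply_update(self, device_id, manifest, signature, image):
        """Return True only if every policy check passes; log the reason otherwise."""
        dev = self._devices[device_id]
        if dev.state is not DeviceState.ACTIVE:
            dev.events.append(f"update refused: device is {dev.state.value}")
            return False
        # Verify the manifest before trusting any field inside it.
        if not hmac.compare_digest(self.sign_manifest(manifest), signature):
            dev.events.append("update refused: bad manifest signature")
            return False
        # Anti-rollback: the version must strictly increase.
        if manifest["version"] <= dev.firmware_version:
            dev.events.append(f"update refused: rollback to v{manifest['version']}")
            return False
        # The signed manifest binds the image by hash; check the bytes received.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            dev.events.append("update refused: image hash mismatch")
            return False
        dev.firmware_version = manifest["version"]
        dev.events.append(f"firmware updated to v{manifest['version']}")
        return True


def make_manifest(version, image):
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}


def run_demo():
    """Walk one constructed device through its lifecycle; return the outcomes."""
    reg = DeviceRegistry(b"demo-signing-key")  # constructed key, demo only
    reg.register("sensor-0001")
    reg.transition("sensor-0001", DeviceState.ACTIVE)
    v2, v3 = b"firmware-v2-image", b"firmware-v3-image"  # constructed images
    m2, m3, m4 = make_manifest(2, v2), make_manifest(3, v3), make_manifest(4, v3)
    results = {
        "good_update": reg.apply_update("sensor-0001", m3, reg.sign_manifest(m3), v3),
        "rollback": reg.apply_update("sensor-0001", m2, reg.sign_manifest(m2), v2),
        "tampered_image": reg.apply_update("sensor-0001", m4, reg.sign_manifest(m4),
                                           v3 + b"-backdoor"),
        "forged_manifest": reg.apply_update("sensor-0001", m4, "0" * 64, v3),
    }
    reg.transition("sensor-0001", DeviceState.DECOMMISSIONED)
    results["update_after_decommission"] = reg.apply_update(
        "sensor-0001", m4, reg.sign_manifest(m4), v3)
    results["reactivate_after_decommission"] = reg.transition(
        "sensor-0001", DeviceState.ACTIVE)
    results["final_version"] = reg.get("sensor-0001").firmware_version
    results["events"] = list(reg.get("sensor-0001").events)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The order of checks matters: the manifest signature is verified before any field of the manifest (version, hash) is read, so an attacker cannot use a crafted version number or hash to steer the later checks. The event log is what the operational-management function described above would collect centrally; in a real deployment the HMAC would be replaced by a signature from the platform's firmware signing key, and the device-side secure boot would repeat the image-hash check against the manifest it stored.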

Because data is the core component of any IoT solution, governing the full data lifecycle is a key component of any IoT governance model. IoT data governance covers the full lifecycle of the data, from generation on the devices, through transmission over the network to cloud-based IoT platforms and storage, to analysis and reporting. Any IoT governance solution needs to address privacy and security concerns, keeping in mind regulatory and other compliance requirements. Part 3 of this series will focus on IoT data governance.