June 30, 2026Mark Hayward

Cyber Security and IoT Forensics ~ 1.2 Overview of IoT Architecture: Devices, Networks, and Cloud Integration

From the three-layer IoT architecture and cloud integration to MQTT, CoAP, BLE, Zigbee and beyond — explore how IoT devices communicate, where forensic evidence hides within protocol stacks, and best practices for securing connected environments.

Overview of IoT Architecture: Devices, Networks, and Cloud Integration

IoT architecture is fundamentally built upon the interaction of various interconnected devices that gather and share data. These devices can range from simple sensors to complex systems like smart home appliances, wearables, and industrial machines. Every device within the IoT ecosystem plays a specific role, often categorised into three main layers: perception, network, and application layers. The perception layer includes sensors and actuators that collect data from the environment. For example, temperature sensors in smart thermostats detect warmth and relay that information for action. The network layer connects these devices to communicate with each other and transmit data to central systems. This could involve using protocols like MQTT or HTTP over both wired and wireless networks. Lastly, the application layer involves the software solutions that enable users to interact with the data, from mobile apps to industrial applications that provide business insights.

The placement of devices within the network is crucial for optimising performance and ensuring effective data transmission. Devices are often placed strategically within different environments, whether in a home, office, or outside environment. A smart city, for example, utilises IoT devices embedded in street lights, traffic signals, and waste bins to monitor urban conditions in real-time. Interconnectivity is essential; a well-structured network not only allows data to flow efficiently but also supports low-latency communication necessary for functions like real-time monitoring and control. Security measures become critical in this interconnected setup, requiring comprehensive strategies to protect each device from potential threats.

Cloud integration in IoT plays an essential role in managing the enormous amounts of data generated by connected devices. Once data is collected from these devices, it needs to be processed, analysed, and stored effectively. This is where cloud computing becomes indispensable. With cloud services, data from devices scattered around various locations can be aggregated into a single repository, allowing for easier access, management, and analysis. The scalability of cloud solutions means they can handle varied workloads, accommodating spikes in data traffic that often occur in IoT scenarios. Services like Amazon Web Services, Microsoft Azure, and Google Cloud Platform offer mechanisms for real-time data processing and analytics, enabling organisations to derive actionable insights from their IoT data.

Moreover, cloud providers often offer services that enhance security, compliance, and data governance. This means that businesses can implement security measures such as encryption, identity management, and access controls to protect sensitive information. As data moves across cloud environments, it is crucial to monitor for vulnerabilities and threats to maintain integrity. Employing cloud solutions ensures that organisations can manage complex IoT ecosystems while maintaining flexibility and security, allowing them to respond swiftly to both operational needs and market demands. Keeping data secure and compliant with regulations, such as GDPR for data protection, remains a significant focus for IoT devices involved in cloud integration.

The relationship between IoT devices and cloud services illustrates the importance of not just collecting data but also managing it responsibly. Implementing best practices for data handling, including regular audits of security measures and routine updates to software, is essential in maintaining an effective IoT infrastructure. Adapting quickly to new developments in technology and security will enhance resilience against potential breaches and ensure that data remains a valuable asset for any organisation.

Common IoT Protocols and Communication Standards

IoT devices rely on various communication protocols to connect, share data, and interact with other devices or platforms. These protocols enable devices from different manufacturers to communicate effectively, ensuring interoperability and smooth data exchange. Among the most widely used protocols are MQTT, CoAP, HTTP, and Bluetooth Low Energy (BLE). MQTT, or Message Queuing Telemetry Transport, is a lightweight messaging protocol designed for constrained devices and low-bandwidth networks. It works on a publish-subscribe model, making it suitable for scenarios where devices send data asynchronously to multiple subscribers. CoAP, the Constrained Application Protocol, is built specifically for resource-limited devices and matches the RESTful architecture seen in HTTP, allowing devices to interact over IP networks with minimal overhead.

HTTP remains a fundamental protocol due to its widespread adoption on the internet, allowing IoT devices to communicate with web services and cloud platforms using familiar request-response methods. BLE provides short-range wireless communication ideal for low power consumption and is commonly used in wearable devices or home automation. Zigbee and Z-Wave are two other notable protocols tailored for mesh networking, where devices form a self-healing network, enabling better range and reliability for smart home applications. Each protocol plays a distinct role depending on the device capabilities, power constraints, and the specific use case, but they all share the goal of ensuring that devices can communicate clearly and efficiently.

Understanding the function of these protocols helps security professionals and forensic investigators trace how data moves through an IoT environment. For instance, MQTT's reliance on brokers means compromising a broker could expose much of the communication. CoAP runs over UDP, which is less reliable than TCP but offers lower latency, influencing how data packets may be captured or lost in an investigation. HTTP-based communications are easier to monitor due to global tools supporting standard web protocols, but encrypted traffic requires attention to certificate management and potential man-in-the-middle points. Wireless protocols like BLE and Zigbee operate on shared frequencies, increasing the risk of interference and eavesdropping, which must be accounted for when assessing a device's security.

IoT protocols bring specific security challenges. Many were designed with simplicity and low power in mind, often without robust security layers. The lack of built-in encryption, weak authentication methods, and the use of default or hardcoded credentials can open doors to attackers. Additionally, these protocols frequently run on devices that cannot be easily patched or updated, creating persistent vulnerabilities. For forensic investigations, protocol weaknesses may influence how data is preserved or recovered. For example, some protocols do not support large data storage or logging natively, so crucial evidence might reside elsewhere in the infrastructure.

Best practices for securing IoT protocols include implementing strong encryption, such as TLS for MQTT and HTTPS for HTTP, to protect data in transit. Authentication mechanisms should go beyond simple passwords and incorporate device certificates or token-based systems. Network segmentation also limits exposure when devices operate on different protocol layers or frequencies. Continuous monitoring of protocol traffic helps detect anomalies early, providing critical insight during an incident. For forensic purposes, maintaining access to raw protocol data is essential since analysis often depends on reconstructing communication flows and identifying hidden commands or data injections within protocol exchanges.

When approaching IoT protocols from a forensic standpoint, documenting the specific protocols in use, their configurations, and any implemented security controls forms the foundation of an effective investigation. Capturing live traffic across multiple protocol layers can reveal encrypted or obfuscated communication patterns. Also, retaining configuration files and access logs related to protocol use assists in establishing timelines and identifying potential intrusion points. Investigators should consider the protocol's inherent limitations, as some may discard messages or run in environments where logging is minimal, requiring creative approaches to piece together the sequence of events. Keeping abreast of protocol updates and known vulnerabilities ensures that forensics teams are looking for relevant indicators that may appear during an examination.

A practical tip for professionals working with IoT protocols is to use protocol-specific analysis tools during investigations. Tools designed to interpret MQTT or CoAP messages can decode payloads and reveal actionable information that generic packet capture utilities might miss. Similarly, employing wireless sniffers capable of capturing BLE or Zigbee traffic enhances visibility into device interactions that are otherwise hidden from traditional network monitors. Capturing and analysing these protocol communications early in an investigation can significantly improve understanding of device behaviour and highlight potential security gaps worth addressing in future deployments.


This post is part of the Cyber Security and IoT Forensics series by Mark Hayward. Available on Amazon as a Printed Hardcover Book, Kindle eBook, and Paperback

📚 Want to go deeper?

Cyber Security for Beginners

The perfect starting point — master the fundamentals of digital security from understanding threats to building your first security mindset.

📬

Stay ahead of cyber threats

New book alerts + expert cyber security insights — straight to your inbox.