Three Minutes Overview of IoT Messaging Protocol for CISOs

Although traditional methods of communication such as RESTful APIs can be used for IoT, MQTT and CoAP are the two major messaging protocols in IoT networks. This is a quick overview of both.


Message Queuing Telemetry Transport (MQTT) is a TCP based protocol.

  • The protocol provides a publish/subscribe model. MQTT clients (devices or applications) publish data to a broker on a named topic, and any device or application can subscribe to that data by topic name or by wildcard topic filter.
  • The publish/subscribe model enables many-to-many communication through a centralized broker.
  • MQTT messages consist of a Subject/Topic, the Message Content, and a QoS level (0, 1, or 2). The QoS level indicates the delivery guarantee for the message.
  • Since communication happens through a broker, the publishers and subscribers don’t need to know each other.
  • MQTT itself does not encrypt traffic; for security it should be run over TLS.
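The topic and wildcard rules above decide who receives a message, so they are also what a broker's access control has to reason about. The following is an added example, not code from the original post or from any MQTT broker: it implements the MQTT 3.1.1 topic-filter matching rules (`+` for one level, `#` for the remaining levels, `$`-prefixed topics never matched by a leading wildcard) and a tiny in-memory broker that uses them for subscription fan-out and for a deny-by-default publish ACL. The ACL shape (`{client_id: [allowed publish filters]}`) and the client names are assumptions made for the example.

```python
"""Added example: MQTT topic-filter matching and broker-side fan-out.

The ACL shape {client_id: [publish_filters]} is an assumption of this
example, not the configuration format of any real broker.
"""
from collections import defaultdict


def split_filter(topic_filter: str) -> list:
    """Validate an MQTT topic filter and split it into levels.

    MQTT 3.1.1 rules: '+' must occupy a whole level, '#' must be the whole
    last level, and a filter must not be empty.
    """
    if not topic_filter:
        raise ValueError("topic filter must not be empty")
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise ValueError(f"'#' must be the whole last level: {topic_filter!r}")
        if "+" in level and level != "+":
            raise ValueError(f"'+' must occupy a whole level: {topic_filter!r}")
    return levels


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if the published topic name `topic` matches `topic_filter`."""
    if not topic or "+" in topic or "#" in topic:
        raise ValueError("topic names must be non-empty and contain no wildcards")
    f_levels = split_filter(topic_filter)
    t_levels = topic.split("/")
    # Topics starting with '$' (e.g. the broker's own $SYS tree) are never
    # matched by a filter whose first level is a wildcard.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return True                 # matches the rest, including nothing
        if i >= len(t_levels):
            return False                # filter needs more levels than the topic has
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """In-memory stand-in for a broker: subscriptions plus publish fan-out."""

    def __init__(self, acl: dict):
        self.acl = acl                              # client -> allowed publish filters
        self.subscriptions = defaultdict(list)      # client -> subscribed filters

    def subscribe(self, client: str, topic_filter: str) -> None:
        split_filter(topic_filter)                  # reject malformed filters early
        self.subscriptions[client].append(topic_filter)

    def publish(self, client: str, topic: str, payload: bytes) -> list:
        """Return the clients that receive `payload`; publisher ACL is deny-by-default."""
        allowed = self.acl.get(client, [])
        if not any(topic_matches(f, topic) for f in allowed):
            raise PermissionError(f"{client!r} may not publish to {topic!r}")
        return sorted(c for c, filters in self.subscriptions.items()
                      if any(topic_matches(f, topic) for f in filters))


def demo() -> dict:
    """Constructed scenario: two sensors, a dashboard, an audit logger."""
    broker = Broker(acl={
        "kitchen-sensor": ["home/kitchen/#"],
        "garage-sensor": ["home/garage/#"],
    })
    broker.subscribe("dashboard", "home/+/temperature")
    broker.subscribe("audit-logger", "#")
    results = {
        "kitchen": broker.publish("kitchen-sensor", "home/kitchen/temperature", b"21.5"),
        "garage_door": broker.publish("garage-sensor", "home/garage/door", b"open"),
    }
    try:  # the garage sensor is not allowed to write into the kitchen's topic tree
        broker.publish("garage-sensor", "home/kitchen/temperature", b"99")
        results["spoof"] = "allowed"
    except PermissionError:
        results["spoof"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Note that because the broker decouples publishers from subscribers, the subscriber cannot tell from the topic alone which client wrote a message; the per-publisher ACL on `publish` is what keeps one device from injecting data into another device's topic tree.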


  • Constrained Application Protocol (CoAP) is an IETF protocol based on UDP.
  • CoAP uses a request/response model and is useful for low-power networks.
  • Repetitive messages are sent for reliability (e.g. a temperature sensor sends the current temperature every second, so that even if a recipient misses one message it receives the next one).
  • CoAP can be used over DTLS to provide security.
  • CoAP uses URIs for network nodes and sending/receiving messages.
  • The “observe” mode lets a CoAP node register interest in a resource on another node and receive notifications when it changes, without polling it.
  • CoAP offers two reliability levels: confirmable messages, which must be acknowledged and are retransmitted otherwise, and non-confirmable messages, which are not.
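Because CoAP runs over UDP, each request and response is a single datagram whose header carries the message type (confirmable or not), a code, a message ID and a token, followed by delta-encoded options such as Uri-Path and Observe. The following is an added example, not code from the original post or from any CoAP implementation: an encoder and a bounds-checking decoder for that wire format as laid out in RFC 7252, with a constructed observe-register GET for `/sensors/temp` and the piggybacked ACK a server would return for a confirmable request. The path, token and message ID values are invented for the example.

```python
"""Added example: CoAP message encoder/decoder for the RFC 7252 wire format.

Only the base layout is implemented (4-byte header, token, options,
payload marker). All sample values are constructed for this example.
"""
from dataclasses import dataclass, field

CON, NON, ACK, RST = 0, 1, 2, 3              # 2-bit message type
GET, CONTENT = 0x01, 0x45                    # codes 0.01 and 2.05
OPT_OBSERVE, OPT_URI_PATH = 6, 11
PAYLOAD_MARKER = 0xFF


@dataclass
class Message:
    mtype: int
    code: int
    message_id: int
    token: bytes = b""
    options: list = field(default_factory=list)   # [(number, value_bytes)]
    payload: bytes = b""

    def uri_path(self) -> str:
        return "/" + "/".join(v.decode() for n, v in self.options if n == OPT_URI_PATH)

    def is_confirmable(self) -> bool:
        return self.mtype == CON


def _enc_field(value: int):
    """Option delta/length: 4-bit nibble plus 0, 1 or 2 extension bytes."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, (value - 269).to_bytes(2, "big")


def _dec_field(nibble: int, data: bytes, pos: int):
    """Inverse of _enc_field; refuses nibble 15 and truncated extensions."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13 and pos + 1 <= len(data):
        return data[pos] + 13, pos + 1
    if nibble == 14 and pos + 2 <= len(data):
        return int.from_bytes(data[pos:pos + 2], "big") + 269, pos + 2
    raise ValueError("malformed option header")


def encode(msg: Message) -> bytes:
    if len(msg.token) > 8:
        raise ValueError("token length is at most 8")
    out = bytearray([(1 << 6) | (msg.mtype << 4) | len(msg.token), msg.code & 0xFF])
    out += msg.message_id.to_bytes(2, "big") + msg.token
    prev = 0
    for number, value in sorted(msg.options, key=lambda o: o[0]):  # deltas need ascending numbers
        d_nib, d_ext = _enc_field(number - prev)
        l_nib, l_ext = _enc_field(len(value))
        out.append((d_nib << 4) | l_nib)
        out += d_ext + l_ext + value
        prev = number
    if msg.payload:
        out.append(PAYLOAD_MARKER)
        out += msg.payload
    return bytes(out)


def decode(data: bytes) -> Message:
    """Parse one datagram; every length field is bounds-checked before use."""
    if len(data) < 4 or (data[0] >> 6) != 1:
        raise ValueError("truncated header or unsupported version")
    mtype, tkl = (data[0] >> 4) & 0x3, data[0] & 0xF
    if tkl > 8 or len(data) < 4 + tkl:
        raise ValueError("bad token length")
    code, mid = data[1], int.from_bytes(data[2:4], "big")
    token, pos = data[4:4 + tkl], 4 + tkl
    options, number = [], 0
    while pos < len(data) and data[pos] != PAYLOAD_MARKER:
        byte, pos = data[pos], pos + 1
        delta, pos = _dec_field(byte >> 4, data, pos)
        length, pos = _dec_field(byte & 0xF, data, pos)
        if pos + length > len(data):
            raise ValueError("option value runs past end of datagram")
        number += delta
        options.append((number, data[pos:pos + length]))
        pos += length
    payload = b""
    if pos < len(data):                      # stopped on a payload marker
        if pos + 1 == len(data):
            raise ValueError("payload marker with empty payload")
        payload = data[pos + 1:]
    return Message(mtype, code, mid, token, options, payload)


def piggybacked_ack(request: Message, code: int, payload: bytes) -> Message:
    """Response to a CON request: an ACK reusing the request's message ID and token."""
    if not request.is_confirmable():
        raise ValueError("only CON requests get a piggybacked ACK")
    return Message(ACK, code, request.message_id, request.token, [], payload)


def demo() -> dict:
    """Constructed exchange: observe-register GET on /sensors/temp and its ACK."""
    req = Message(CON, GET, 0x1234, b"\xab\xcd",
                  [(OPT_OBSERVE, b""), (OPT_URI_PATH, b"sensors"), (OPT_URI_PATH, b"temp")])
    wire = encode(req)
    parsed = decode(wire)
    ack = piggybacked_ack(parsed, CONTENT, b"21.5")
    return {"request_hex": wire.hex(), "path": parsed.uri_path(),
            "confirmable": parsed.is_confirmable(),
            "ack_roundtrip": decode(encode(ack)) == ack}
```

The decoder rejects a truncated datagram, a token length above 8, an option value that runs past the end, and a payload marker with nothing after it, which are the malformed-input cases a constrained device's parser is most often careless about; an empty Observe option value encodes the register request (value 0).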


For detail, use the following references:

About the Author

Rafeeq Rehman is the creator of “CISO Mind Map”, a blogger and consultant. He is helping many Fortune 500 global organizations achieve their business goals using the latest innovations in technology. His areas of focus include Information Security, IoT, and Advanced Networking. He can be reached @rafeeq_rehman and on his personal blog site.