The public preview of the Azure Sphere Security Service, the Azure Sphere Operating System, and the Visual Studio development experience for Azure Sphere is now available. It delivers on Microsoft’s commitment to provide an end-to-end solution for securing any IoT device. The development kit includes a development board built with the first Azure Sphere certified MCU, the MT3620 from MediaTek, and everything else you need to get started developing Azure Sphere applications.
The seven properties: Setting the bar for connected device security
In 2017 Microsoft published the white paper “The seven properties of highly secure devices.” Existing solutions treated security as an afterthought or a “value-add,” and no end-to-end solutions were readily available. A device manufacturer would need to select a silicon platform, piece together or write all the software (firmware, OS, applications), their own set of services to deploy updates and manage those devices, and develop world class security expertise in hardware, software, and services.
The seven properties define the standard that must be met to securely connect an IoT device to the internet. All seven are required: omitting even one can leave devices open to catastrophic risk and, worse, can create a situation where responding to critical security events is difficult and costly. The properties also act as a practical framework for evaluating IoT security.
However, security is neither a checkbox nor a single state. It is a spectrum that depends upon the attacks expected against the platform and the functionality that the device provides. Here is a summary of the seven properties and how Azure Sphere implements them:
Hardware root of trust
Without a hardware root of trust, devices may be imitated, malware may be injected, and encryption algorithms become vulnerable or predictable. Azure Sphere’s Pluton security subsystem accelerates cryptographic tasks, implements a true random number generator, and provides support for secure boot (via ECDSA) and remote attestation. All these features are implemented wholly in silicon, making their functionality immune to software vulnerabilities.
Small trusted computing base
The risk of a vulnerability completely compromising a device grows as the size of the trusted computing base grows. A small trusted computing base (TCB) is essential to device security. Azure Sphere’s TCB includes only the Pluton runtime and the Azure Sphere security monitor while still providing separation between Azure Sphere’s Linux OS kernel and applications.
Defense in depth
A typical RTOS links the “OS” or runtime into the same binary payload as connectivity, security, and application functionality. A defense in depth strategy forces attackers to chain together multiple vulnerabilities through multiple layers of software to compromise a device. Azure Sphere uses TrustZone and a modern operating system design, with a fully separate OS kernel binary, to provide a layered architecture.
Dynamic compartments
Dynamic compartments ensure that one failing or buggy program can’t compromise another. They also make it easy to deploy changes in the field with minimal development effort. Azure Sphere’s use of a Cortex-A with an MMU allows Azure Sphere’s custom Linux kernel to implement process-based isolation.
Certificate-based authentication
Certificate-based mutual authentication eliminates the need for passwords and guarantees both that a device can verify the service it’s communicating with (i.e., Azure) and that cloud services can verify the device’s identity. Azure Sphere MCUs and services go beyond certificates by leveraging remote attestation to verify not only that a device was booted with genuine software, but that the device runs only software that is up to date.
Renewable security
Renewable security guarantees that software problems, once identified, can be fixed and deployed to the field. Every Azure Sphere device receives software updates to its firmware, operating system and applications for a minimum of 10 years, guaranteeing that devices stay up to date. Connecting a device to the Internet without renewable security is like driving into the desert with only a single tank of gas. Eventually, you’ll be stranded.
Failure reporting
Finally, failure reporting ensures that attacks are detected as they happen, allowing the use of renewable security before attacks become catastrophic. Failure reporting and renewable security work together in a virtuous cycle. Failure reporting without renewable security makes it hard to respond when attacks are detected. Renewable security without failure reporting means that real-time information about device health is simply missing and that new attacks take longer to detect and defend against.
Securing IoT with Azure Sphere
The Azure Sphere solution includes three components: Azure Sphere certified MCUs, the Azure Sphere Operating System, and the Azure Sphere Security Service. These components combine to provide a single, end-to-end platform that secures IoT devices and provides all seven properties to device manufacturers and end users.
Please visit https://azure.microsoft.com/en-us/services/azure-sphere/ for documentation and more information on how to get started with your Azure Sphere development kit.