Unveiling IoT security solutions: Microsoft Azure Sphere

Publisher: EEWorld News. Latest update time: 2020-07-23. Source: EEWorld

Azure Sphere is an end-to-end, highly secure solution for IoT devices. It was officially launched in February 2020, heralding a new era of IoT security. Recently, Microsoft Azure Sphere Chief Solution Expert Michael Yu and Microsoft IoT Architect Neo Xiong were interviewed by EEWorld to introduce what Azure Sphere has done in the security field.


Why choose Microsoft?


For most companies, security is not their expertise, so choosing a mature security solution is undoubtedly the best option. Azure Sphere was born out of such a need.


Microsoft Azure is one of the most complete cloud ecosystems in the world. 95% of the top 500 companies use Azure, and its cloud computing resources exceed the combined total of AWS and Google. Microsoft is also one of the most important suppliers of IoT service platforms, providing complete PaaS and SaaS services. In the field of security, Microsoft has more than 30 years of experience in network security and more than 10 years of experience in hardware encryption security, making it a unique cloud security leader.


In 2017, Microsoft released a security improvement model, the seven characteristics of high-security devices, and other research results to promote best practices in IoT security. The seven characteristics are a hardware root of trust, defense in depth, a trusted computing base, dynamic partitioning, certificate-based authentication, fault reporting, and updateable security policies. Microsoft believes that a device can be considered highly secure only when it has all seven characteristics at the same time. Gartner also reported that customers need a better understanding of security: not only device encryption and the use of secure chips, but the security of the complete device.


[Figure: Seven safety features]


A brief analysis of the three elements of Azure Sphere


Microsoft Azure Sphere is a security solution built on these seven characteristics. It consists of three elements: a Microsoft-certified MCU with a built-in security subsystem, a secure operating system, and a secure cloud service.


For the processor, Microsoft's Rock security subsystem, Pluton, is built in to generate and store keys, execute encryption algorithms, and provide internal security partitions, which are isolated by a bus-level firewall.


[Figure]


As shown in the figure, Microsoft has started to cooperate with many leading chip suppliers to develop Microsoft-certified IoT MCUs, the first of which is the MediaTek MT3620. Based on Microsoft's Azure Sphere solution, Avnet has launched the Azure Sphere MT3620 Starter Kit, which can be used to build prototypes, implement IoT projects rapidly, and bring new IoT terminal devices to market quickly. (For hardware information, please read "Avnet MT3620 module accelerates the secure implementation of Azure Sphere IoT".)


During the production of each Azure Sphere chip, a public/private key pair is generated inside Pluton. The public key is transmitted to the Azure Sphere secure cloud service through a secure channel and recorded there, while the private key never leaves the Pluton module, which ensures the security of the private key.
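The provisioning step above can be modeled in a few lines of Go. This is an added example, not Microsoft's code and not Azure Sphere's actual protocol: it shows why recording only the public key at manufacture lets the cloud reject a replayed response or a clone that claims a known device ID. The names `Device`, `Registry`, `Manufacture`, `Sign` and `Verify`, the P-256 curve, the 32-byte nonce and the device ID are assumptions made for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Device stands in for the chip; priv is unexported to model a key that never leaves it.
type Device struct{ ID string; priv *ecdsa.PrivateKey }
// Registry is the cloud-side record: device ID -> public key (DER) captured at manufacture.
type Registry map[string][]byte

// Manufacture generates the key pair "on chip" and exports only the public half.
func Manufacture(id string) (*Device, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return &Device{ID: id, priv: priv}, pub, err
}

func digest(id string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(id+"|"), nonce...))
	return h[:]
}

// Sign answers a cloud challenge; only the signature leaves the device.
func (d *Device) Sign(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(d.ID, nonce))
}

// Verify trusts only the key recorded for that ID; an unknown ID yields a parse error.
func (r Registry) Verify(id string, nonce, sig []byte) bool {
	key, err := x509.ParsePKIXPublicKey(r[id])
	pub, isEC := key.(*ecdsa.PublicKey)
	return err == nil && isEC && len(nonce) == 32 && ecdsa.VerifyASN1(pub, digest(id, nonce), sig)
}

func main() {
	dev, pub, _ := Manufacture("device-0001") // constructed sample ID
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge chosen by the cloud
	sig, _ := dev.Sign(nonce)
	fmt.Println("verified:", Registry{dev.ID: pub}.Verify(dev.ID, nonce, sig))
}
```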




Azure Sphere's operating system has a four-layer architecture that takes into account security requirements such as defense in depth and dynamic partitioning, establishing a Security Monitor layer, a service layer, and a container layer. The Security Monitor runs on ARM TrustZone and has full access to CPU resources. The Linux kernel is tailored and optimized for IoT scenarios, which keeps the system streamlined and efficient while reducing the attack surface. The service layer provides OTA two-way authentication, device management, firmware updates, and error report collection. At the application layer, in order to maintain API compatibility, the Azure Sphere OS team runs containers and applications and OTAs completely independently.


Cloud services ensure the security of IoT devices


The Azure Sphere security cloud service is a SaaS service deployed on Microsoft's public cloud. Users only need to register and log in to use it directly. It mainly covers device identity authentication, device OS and application updates, and the collection and reporting of abnormal device status.


In fact, Microsoft has made many more improvements to IoT security, which are not listed here one by one. If you read the instructions of Azure Sphere carefully, you will find that there are details provided everywhere to ensure security.


The Azure Sphere system is open to all MCU manufacturers, all types of clouds, development environments, and ecosystems. For this reason, Azure Sphere has won the favor of many customers. A typical example is Starbucks, which has securely connected 30,000 coffee machines around the world through Azure Sphere, carried out digital transformation, and realized equipment operation and maintenance and OTA functions of coffee machines.


At present, many Chinese partners have launched Guardian Modules for Microsoft Azure Sphere to meet the needs of secure networking of devices with multiple communication interfaces and in multiple scenarios, so that traditional devices can use Guardian Modules to achieve secure IoT access without any hardware updates.


With Microsoft's official announcement of commercial use and early adoption by many large companies, Azure Sphere has been proven to be one of the best end-to-end solutions in the field of IoT security. As Jeff Wile, senior vice president of infrastructure and operations at Starbucks, said, "Using Microsoft Azure Sphere allows Starbucks partners and employees to focus more on creating value for customers. Azure Sphere can ensure the consistency of coffee recipes and taste around the world, reduce resource waste, energy consumption, and predict equipment operation and maintenance."
